Friday, October 17, 2014

Best practices to deploy SSL/TLS key, certificate on web server

As part of my job, I am responsible for creating the key and CSR file and ordering the certificate from the CA. There is not a lot of information out there on how to securely deploy the key and certificate on a web server for HTTPS use.

One thing you really have to make sure about the key and certificate is that they are owned by the root user only and are read-only. I also make sure the group ownership is right. I even prefer to restrict the permissions on the directory where the cert and key are stored.
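The ownership and permission rules above, as a small script that both applies them and re-checks them afterwards. This is an added example, not the author's own deployment script; it assumes GNU `stat` (Linux), and the optional owner/group arguments exist only so the check can be exercised as a normal user, since on a real server you would run it as root with the defaults. The `/etc/ssl/private` path in the usage comment is an assumption too.

```shell
#!/bin/sh
# Lock down a TLS private key, its certificate and the directory holding them,
# then verify the result. Added example; assumes GNU stat (Linux).

# harden_tls_files DIR KEY CERT [OWNER] [GROUP]
# Key: owner read-only (0400). Cert: read-only, readable by all (0444), since it
# is public anyway. Directory: owner rwx, group rx, nothing for others (0750).
harden_tls_files() {
    dir=$1; key=$2; cert=$3; owner=${4:-root}; group=${5:-root}
    chown "$owner:$group" "$dir" "$key" "$cert" || return 1
    chmod 0750 "$dir" || return 1
    chmod 0400 "$key" || return 1
    chmod 0444 "$cert" || return 1
}

# check_tls_files DIR KEY CERT [OWNER]
# Reports every path whose mode or owner differs from what is expected and
# returns non-zero if anything is off, so it can run from cron or from a
# deployment pipeline as a regression check after every certificate renewal.
check_tls_files() {
    dir=$1; key=$2; cert=$3; owner=${4:-root}
    rc=0
    for spec in "$key:400" "$cert:444" "$dir:750"; do
        path=${spec%:*}
        want=${spec##*:}
        have=$(stat -c '%a' "$path" 2>/dev/null) || { echo "missing: $path"; rc=1; continue; }
        who=$(stat -c '%U' "$path")
        [ "$have" = "$want" ] || { echo "bad mode on $path: $have (want $want)"; rc=1; }
        [ "$who" = "$owner" ] || { echo "bad owner on $path: $who (want $owner)"; rc=1; }
    done
    return $rc
}

# Typical use on the server itself, as root (paths are assumptions):
#   harden_tls_files /etc/ssl/private /etc/ssl/private/server.key /etc/ssl/private/server.crt
#   check_tls_files  /etc/ssl/private /etc/ssl/private/server.key /etc/ssl/private/server.crt
```

The check is deliberately strict (exact mode, exact owner) rather than "not world-readable": a key that drifts to 0440 after a renewal script runs as the web server user is exactly the kind of change you want flagged.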

If you are the person responsible for deploying the key and certificate on a web server, especially a production server, then I definitely recommend reading this PDF doc on how to deploy the key and certificate.

I use https://www.ssllabs.com/ssltest to test my web server's HTTPS configuration rating.

The test output also provides detailed information about browser support.

https://www.ssllabs.com is a great site for staying up to date on SSL/TLS information, vulnerabilities, etc.

It's on my weekly reading list.




Wednesday, October 15, 2014

Running Private Cloud on Cloud

I started working on cloud almost one and a half years ago. Cloud has been a roller-coaster ride for me. First I started with moving an on-premise data-center web application to the AWS cloud. It has been a great experience. I have to admit that AWS is awesome.


Once done moving the on-premise web application to the cloud, I have spent the last 4-5 months on the setup, configuration and automation of a private cloud, running on the cloud, for our company as well as for clients. I would like to share my experience and work through this blog. Suggestions and feedback would be appreciated.

Basically, a private-cloud web application needs Apache, Tomcat, a database and storage to run.

I have created an AMI template that has the Apache, Tomcat and database (MySQL) services installed, and that has the EBS volumes needed for Apache, Tomcat, the database and storage created, attached and configured.

AWS ephemeral storage is free and great for temporary storage, so I use ephemeral storage for /tmp. Ephemeral storage by default only supports the ext3 filesystem, and /tmp needs permissions of 1777 for my private-cloud web application. I mount the ephemeral disk as /tmp at boot time using fstab. I also use a boot service to set the /tmp permissions to 1777.
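The fstab mount plus the boot-time permission fix described above, as one script. This is an added example rather than the author's boot service; the device name `/dev/xvdb` is an assumption (check `lsblk` on your AMI), and the `nosuid,nodev` mount options are an addition of mine, not something the post calls for: on a world-writable /tmp they stop setuid binaries and device nodes from being honoured there at no cost to an application that only writes temp files. The functions take paths as arguments so they can be exercised on a copy of fstab and a scratch directory.

```shell
#!/bin/sh
# Boot-time setup for an ephemeral disk mounted as /tmp. Added example, not the
# author's service script; device name and mount options are assumptions.
EPHEMERAL_DEV=${EPHEMERAL_DEV:-/dev/xvdb}

# The fstab entry. nosuid/nodev keep a world-writable /tmp from being used to
# run setuid binaries or device nodes; nofail lets the instance boot even when
# the ephemeral disk is absent (for example after a stop/start that drops it).
tmp_fstab_line() {
    printf '%s\t/tmp\text3\tdefaults,nosuid,nodev,nofail\t0 0\n' "$EPHEMERAL_DEV"
}

# Idempotently add that entry to the given fstab file: running the boot
# service twice must not produce two /tmp lines.
ensure_tmp_fstab() {
    fstab=$1
    if ! grep -q "^$EPHEMERAL_DEV[[:space:]]*/tmp[[:space:]]" "$fstab" 2>/dev/null; then
        tmp_fstab_line >> "$fstab"
    fi
}

# A freshly formatted ephemeral disk comes up with the default mode, not 1777,
# which is why the post needs a boot service: set the sticky world-writable
# mode the application expects and verify it took (non-zero return otherwise).
ensure_tmp_mode() {
    dir=${1:-/tmp}
    chmod 1777 "$dir" || return 1
    [ "$(stat -c '%a' "$dir")" = "1777" ]
}

# On the real instance, as root (after `mount -a` or a reboot):
#   ensure_tmp_fstab /etc/fstab
#   ensure_tmp_mode /tmp
```

If the application never needs to execute anything from /tmp, `noexec` is worth adding to the same option list; it is left out here because the post does not say whether the web application relies on it.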

This is the base AMI for the private cloud. I use Vagrant to fire up a new instance from the AMI template. I also use shell and Puppet provisioners to make the instance ready for the web application.

I use the shell provisioner to update the OS and install the necessary repositories, including of course the Puppet repo and package, for provisioning the instance.

I do all Apache, Tomcat, database and storage configuration using Puppet. I also do all the necessary setup and configuration for the web application using Puppet: creating all directories, rsync configuration, database optimization, Apache virtual host configuration, tuning, setting the database root password, creating the database, and creating users and permissions.

I use Flyway (flywaydb) for the web application's database version control. So once the instance is provisioned and up and running, I initialize the database with Flyway and run the database migration, which creates all the tables and data needed for the web application to run.

When the migration is done, I deploy the web application and restart Tomcat. Once the Tomcat restart is done, the private cloud is ready for use.
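The four provisioning steps above (shell provisioner, Puppet, Flyway migration, deploy and restart) as one fail-fast pipeline. This is an added example, not the author's Vagrant or Puppet code: the yum commands, manifest path, JDBC URL, WAR paths and the `tomcat` service name are all assumptions to be adjusted for your AMI. The `run` wrapper aborts on the first failing step so an instance is never declared ready half-provisioned, and `DRY_RUN=1` prints the planned commands instead of executing them, which is also what makes the pipeline checkable without a live instance.

```shell
#!/bin/sh
# Provisioning pipeline for a freshly launched private-cloud instance.
# Added example; all paths, names and URLs below are assumptions.
DRY_RUN=${DRY_RUN:-0}
MANIFEST=${MANIFEST:-/etc/puppet/manifests/site.pp}
DB_URL=${DB_URL:-jdbc:mysql://localhost:3306/webapp}
WAR_SRC=${WAR_SRC:-/opt/releases/webapp.war}
WAR_DST=${WAR_DST:-/var/lib/tomcat/webapps/ROOT.war}

# Run a command, or only print it in dry-run mode. Any failure stops the whole
# pipeline: a later step (say, the Flyway migration) must never run against a
# box whose earlier step (say, puppet apply) did not finish.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@" || { printf 'step failed: %s\n' "$*" >&2; exit 1; }
    fi
}

# Step 1, shell provisioner: patch the OS and install Puppet.
provision_shell() {
    run yum -y update
    run yum -y install puppet
}

# Step 2, Puppet: Apache, Tomcat, MySQL, directories, rsync, virtual hosts,
# tuning, DB root password, schema and users are all declared in the manifest.
provision_puppet() {
    run puppet apply "$MANIFEST"
}

# Step 3, Flyway: create the tables and seed data the web application needs.
# The password comes from the DB_PASSWORD environment variable; for a real
# server put it in Flyway's conf file (flyway.password) instead, so it is not
# visible on the command line.
provision_db() {
    run flyway -url="$DB_URL" -user=webapp -password="$DB_PASSWORD" migrate
}

# Step 4: deploy the application and restart Tomcat.
deploy_app() {
    run cp "$WAR_SRC" "$WAR_DST"
    run service tomcat restart
}

provision_instance() {
    provision_shell
    provision_puppet
    provision_db
    deploy_app
}

# Invoke as `DRY_RUN=1 sh provision.sh --run` to review the plan first.
if [ "${1:-}" = "--run" ]; then
    provision_instance
fi
```

Reviewing the dry-run output before the first real run is the cheapest way to catch a wrong path or JDBC URL; once the plan looks right, the same script runs unchanged from the Vagrant shell provisioner.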

I still have lots of things to get done in terms of automation and cloud.

I use Packer to convert the AMI template to different formats so that it can be used with KVM, VMware, Oracle VirtualBox, Docker, etc.