Getting an SSL certificate for your web server has traditionally been a something of an effort. You need to correctly generate a weird thing called a certificate signing request (CSR), submit it to the web page of your chosen Certificate Authority (CA), wait for them to sign and generate a certificate, work out where to put the certificate to configure it for your web server—making sure you also configure any required intermediate CA certificates—and then restart the web server. If you got all that right, you then need to enter a calendar entry so you’ll remember to go through the process again in (say) a year’s time. Even some of the biggest names in IT can mess up this process.
With new CAs like Let’s Encrypt, along with some supporting software, the rigmarole around SSL certificates becomes a thing of the past. The technology behind this revolution is Automatic Certificate Management Environment (ACME), a new IETF standard (RFC 8555) client/server protocol which allows TLS certificates to be automatically obtained, deployed, and renewed. In this protocol, an “agent” running on the server that needs an SSL certificate will talk to to the CA’s ACME server over HTTP.
A popular method for using ACME on your Red Hat Enterprise Linux 7 server is certbot. Certbot is a standalone ACME agent that is configured out-of-the-box to work with Let’s Encrypt and can work with Apache httpd, Nginx, and a wide variety of other web (and non-web!) servers. The certbot authors have an excellent guide describing how to set up certbot with httpd on RHEL7.
In this tutorial, I’ll show an alternative method—the mod_md module—which is an ACME agent implemented as a module for Apache httpd, tightly integrated with mod_ssl, and is supported today in Red Hat Enterprise Linux 7. The mod_md module was implemented by Stefan Eissing—a prolific developer who also added HTTP/2 support to httpd—and contributed to the Apache Software Foundation, becoming a standard part of any new installation since httpd version 2.4.30.
Continue reading “Using Let’s Encrypt with Apache httpd on Red Hat Enterprise Linux 7”
In an effort to improve security, browsers have become stricter in warning users about sites that aren’t properly secured with SSL/TLS. ASP.NET Core 2.1 has improved support for HTTPS. You can read more about these enhancements in Improvements to using HTTPS. In this blog post, we’ll look at how you can add HTTPS to your ASP.NET Core applications deployed on Red Hat OpenShift.
Before we get down to business, let’s recap some OpenShift vocabulary and HTTPS fundamentals. If you are familiar, you can skip over these sections.
OpenShift, pods, services, routes, and S2I
OpenShift is a Kubernetes-based open-source container application platform. A Kubernetes pod is a set of containers that must be deployed on the same host. In most cases, a pod consists of a single container. When we run the same application in several pods, a service does the load balancing across those pods. A route makes a service accessible externally via a hostname.
Continue reading “Securing .NET Core on OpenShift using HTTPS”
Previously I did a post on Securing AMQ7 Routers with SSL. This post will expand upon that and explain how to secure JBoss AMQ7 Brokers with SSL and how to connect the routers and brokers with SSL as well.
Continue reading “Securing AMQ7 Brokers with SSL (part 2)”
AMQ7 is full of new and exciting technology and capabilities. However, with both routers and brokers now securing your topology can get confusing. Particularly securing the routers and learning how to use clients with them, using AMQP can be challenging for those of us used to using jks files and pure jms.
Continue reading “Securing AMQ7 Routers with SSL”
With a simple annotation to a service, you can dynamically create certificates in OpenShift.
Certificates created this way are in PEM (base64-encoded certificates) format and cannot be directly consumed by Java applications, which need certificates to be stored in Java KeyStores.
In this post, we are going to show a simple approach to enable Java applications to benefit from certificates dynamically created by OpenShift.
Continue reading “Dynamically Creating Java Keystores in OpenShift”
If you have a large number of servers, which are configured with SSL/TLS and you are out of track on their certificate validity, now all of sudden you are worried if some of the certificates are expired.
Or if I think in some other scenario where you are required to understand underlying SSL/TLS configuration of your servers e.g. CipherSuits, Protocols, etc.
Yes, in the traditional way, you can get all the information of your SSL/TLS configuration by login into an individual server and check the certificates but it is very difficult if your environment size is very high.
To overcome this problem, I have to build a tool, which will give you all required details.
Continue reading “SSL Testing Tool”
Enabling SSL/TLS in a Fabric is slightly more complex than securing a jetty in a standalone Karaf container. In the following article, we are providing feedback on the overall process. For clarity and simplification, the article will be divided into two parts.
Part1: The Management Console
Part2: Securing Web Service:including gateway-http
For the purpose of this PoC, the following environment will be used.
Continue reading “Securing Fuse 6.3 Fabric Cluster Management Console with SSL/TLS”