Deployment Guide

TABLE OF CONTENTS

Overview
Getting Started
Launch an Aventra IRON enabled AMI with 1-Click Launch
Launch an Aventra IRON enabled AMI with Manual Launch
Deploying Your EC2 Workloads
Use-Cases & Best Practices


Overview of Aventra IRON on Amazon Web Services

Aventra IRON enabled AMIs (Amazon Machine Images) operate in-memory with disk-based persistence for specific Amazon Web Services, Elastic Compute Cloud (AWS-EC2) instance types. Amazon’s EC2 instances provide resizable compute capacity in Amazon’s cloud. They reduce the time required to obtain and provision new server instances to just minutes. Amazon EC2 is designed to make it easier for developers and system administrators to deploy and scale cloud computing resources, enabling them to adapt capacity, both up and down, as their organizations’ computing requirements change.

Aventra IRON enabled AMIs “optimize” the storage I/O of EC2 instance types, delivering 3x to 30x increases in the IOPS performance of those instances. The in-memory caching with disk-based persistence of Aventra IRON enabled AMIs can be used to vastly improve the latency and throughput of many read-heavy, compute-intensive, and high-concurrency EC2 workloads. They ensure your EC2 provisioned applications and services are processed as close to the compute power of the selected EC2 instance type as possible, yet remain safe from any disruptions in RAM. With Aventra IRON enabled AMIs, you harness the power and IOPS performance of larger EC2 instance types from smaller EC2 instance types, which saves you money.

All Aventra IRON enabled AMIs are completely self-contained. You do not need to install any other software to make Aventra IRON enabled AMIs boost the compute, memory and storage workload performance of your EC2 enabled applications and services. This Aventra IRON AWS Deployment Guide walks through the steps of implementing Aventra IRON enabled AMIs for your EC2 workloads so you can start realizing cost-effective performance improvements quickly. Should questions arise or additional assistance be needed, review the answers to frequently asked Aventra IRON questions or contact Aventra Support at support@cleardb.com, or submit your question or support request here.

Getting Started

You can access Aventra IRON enabled AMIs through the Amazon Web Services (AWS) Marketplace. Search for Aventra in the AWS Marketplace to review the various Aventra IRON enabled AMIs available. Contact Aventra Support at the email address above if you don’t see an Aventra IRON enabled AMI for an EC2 instance type you need.

When you find an Aventra IRON enabled AMI that fits your requirements, log into your AWS account. You can register for Amazon Web Services here and access the AWS Marketplace if you do not already have an AWS account.

The AWS Marketplace provides two options for setting up and launching Aventra IRON enabled AMIs from your AWS account: “1-Click Launch” and “Manual Launch.” All components for Aventra IRON enabled AMIs are installed, configured, and ready for you to provision your applications and services under either option. Select the option that best fits your needs based on the following:

  • 1-Click Launch – immediately provisions and launches the Aventra IRON enabled AMI upon your acceptance of its end-user license agreement and the terms and usage charges of AWS. Please note, billing for your selected Aventra IRON enabled AMI commences after its trial period concludes. However, billing for the AWS-EC2 instance starts immediately. Both charges continue until you terminate the use of your selected Aventra IRON enabled AMI(s).
  • Manual Launch – lets you control when your selected Aventra IRON enabled AMI(s) is deployed upon your acceptance of its end-user license agreement and the terms and usage charges of AWS. Please note, billing for your selected Aventra IRON enabled AMI commences after its trial period concludes. However, billing for the AWS-EC2 instance starts immediately upon the deployment of your selected Aventra IRON enabled AMI. Both charges continue until you terminate the use of your selected Aventra IRON enabled AMI(s).

Launch an Aventra IRON enabled AMI with “1-Click Launch”

After you have selected the Aventra IRON enabled AMI you need, the AWS Management Console appears with the 1-Click Launch tab opened by default. As noted, 1-Click Launch immediately provisions your selected Aventra IRON enabled AMI and its already assigned AWS-EC2 instance type upon your acceptance of Aventra IRON’s end-user license agreement and the terms and usage charges of AWS.

From the drop down menus on the AWS Management Console 1-Click Launch tab, do the following:

  1. REGION: Select a region from the Region drop-down list where you would like to provision your Aventra IRON enabled AMI.
  2. EC2 INSTANCE TYPE: You do not have to select an EC2 instance. All Aventra IRON enabled AMIs are specifically configured to an EC2 instance type.
  3. VPC SETTINGS: Optionally, if you have established your own AWS Virtual Private Cloud (VPC) for your AWS account, you can select its settings here. For more information about AWS VPC see: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html
  4. SECURITY GROUP: Select a security group from the drop-down list or use the default. You can – and it is recommended that you do – use your own Security Group. To establish Security Groups, see: http://docs.aws.amazon.com/AmazonVPC/latest/GettingStartedGuide/getting-started-create-security-group.html
  5. KEY PAIR: Select a Key Pair from the drop-down list. You can use one Key Pair for an unlimited number of Aventra IRON enabled AMIs should you need to clone such instances. If you do not already have a Key Pair and would like to establish one, see the AWS User Guide about Key Pairs: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
  6. CLICK LAUNCH: This action opens the launch status page.
  7. CLICK THE “Manage in AWS Console” LINK: This action opens the EC2 Management Console which enables you to administer your new Aventra IRON enabled AMI.
  8. STATUS CHECK: Within the EC2 Management Console, wait for the Status Check column to display, “2/2 checks passed.” Then, select the Aventra IRON enabled EC2 instance and review its status, description, monitoring, and tags. Make note of the public DNS for the Aventra IRON enabled AMI.
  9. CONNECT TO YOUR NEW AVENTRA IRON enabled AMI: All Aventra IRON enabled AMIs use Linux-based, EC2 instance types. You can connect to these instances using Windows and Linux/Unix clients. Amazon has good instructions for setting up these connections. See the AWS Instance Access Guide here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html

Once you are connected to your Aventra IRON enabled AMI, you can implement your EC2 workloads and begin realizing cost-effective, performance improvement. See the Deploying Your EC2 Workloads and the Use-Case & Best Practices sections in this guide for those instructions.

Launch an Aventra IRON enabled AMI with “Manual Launch”

After you have selected the Aventra IRON enabled AMI you need, the AWS Management Console appears with the 1-Click Launch tab opened by default. Click the Manual Launch tab. As noted, Manual Launch lets you control when your selected Aventra IRON enabled AMI(s) is deployed upon your acceptance of Aventra IRON’s end-user license agreement and the terms and usage charges of AWS.

From the drop down menus on the AWS Management Console, Manual Launch tab, do the following:

  1. REGION: Adjacent to the ID column for the region of your choice, click “Launch with EC2 Console.” Optionally, if you are already in the EC2 Console, select an Aventra IRON enabled AMI and choose Public Images from the filter. Now right-click on the Aventra IRON enabled AMI and choose “Launch” from the context menu, and click “Next.” (NOTE: you can search for AMIs in the EC2 Console by typing their ID in the Search Box)
  2. CONFIGURE INSTANCE DETAILS: Do the following on this page:
    • Enter the number of IRON enabled AMIs to launch. Remember, each instance is billable. You can choose “Launch into Auto Scaling Group” to create a launch configuration and an Auto Scaling group. Auto Scaling scales the number of instances in the group according to your specifications. For additional information, see Amazon’s Auto Scaling User Guide at: http://docs.aws.amazon.com/autoscaling/latest/userguide/WhatIsAutoScaling.html
    • Select the Network. Two options may be available to your AWS account depending upon when you created your account and which regions you use, “EC2-Classic” and “VPC.”

      To launch into EC2-Classic, select “Launch into EC2-Classic”
      – Select the Availability Zone to use, or
      – To let AWS choose an Availability Zone for you, select “No Preference”

      To launch into a Virtual Private Cloud (VPC), select the VPC you have previously set up.
      Create a new VPC: Choose “Create new VPC” to go to Amazon’s VPC console. When finished, return to this wizard and choose Refresh to load your VPC in the list.

      Subnet: Select the subnet into which to launch your instance. If your account is EC2-VPC only, select “No Preference” to let AWS choose a default subnet in any Availability Zone. To create a new subnet, choose “Create New Subnet” to go to the Amazon VPC console. When finished, return to this wizard and choose Refresh to load your subnet in the list.

      Auto-assign Public IP: Specify whether your Aventra IRON enabled AMI will use a public IP address. By default, your AMIs in a default subnet receive a public IP address and AMIs in a non-default subnet do not. You can select “Enable” or “Disable” to override the subnet’s default setting. For more information, see Public IP Addresses & External DNS Hostnames at:
      http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses.

    • Select an IAM (Identity and Access Management) role for the AMIs. The only permission Aventra IRON enabled AMIs require is “aws-marketplace:MeterUsage.” A simple way to assign this is to attach the AWS managed policy “AWSMarketplaceMeteringFullAccess” to the role; a role policy that allows only the “aws-marketplace:MeterUsage” action is the least-privilege alternative. For information about IAM roles and permissions see:
      http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#create-iam-role-console
    • Optionally, enable Amazon CloudWatch Monitoring. Additional charges may apply.
  3. ADVANCE INSTANCE OPTIONS: Optionally you can configure the following from this page:
    • Select the default Kernel ID. This is not a valid option for Aventra IRON enabled AMIs as it is only available for para-virtual (PV) AMIs. Accordingly, select “Use Default.”
    • Select the default RAM Disk ID. This is not a valid option for Aventra IRON enabled AMIs as it is only available for para-virtual (PV) AMIs. Accordingly, select “Use Default.”
    • Optionally, you can copy a Shell-Script to the User Data field. The Shell-Script runs when the Aventra IRON enabled AMI launches.
  4. ADD STORAGE: Aventra IRON enabled AMIs come pre-configured with the storage they need in order to operate. Should you need additional storage, you can add it in this section of the launch wizard. Do NOT resize or remove the pre-configured storage for Aventra IRON enabled instances. Doing so will prevent Aventra IRON from functioning properly.
  5. ADD TAGS: Aventra IRON enabled AMIs do not require tags. However, you may want to add tags to identify these instances in your AWS Management Console.
  6. CONFIGURE SECURITY GROUP: Do one of the following to select a Key Pair for your Security Group.
  7. LAUNCH YOUR NEW AVENTRA IRON enabled AMI: Review the settings for this instance. Click “Launch” when you are satisfied with its settings. (NOTE: your Aventra IRON enabled AMIs may take a few minutes to launch.) Click “View Your Instances” on the instance page to go to the AWS Management Console.
  8. CONNECT TO YOUR NEW AVENTRA IRON enabled AMI: All Aventra IRON enabled AMIs use Linux-based EC2 instance types. You can connect to these instances using Windows and Linux/Unix clients. Amazon has good instructions for setting up these connections. See the AWS Instance Access Guide here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstances.html

Once you are connected to your Aventra IRON enabled AMI, you can implement your EC2 workloads and begin realizing cost-effective, performance improvement. See the Deploying Your EC2 Workloads and the Use-Cases & Best Practices sections in this guide for those instructions.

Deploying Your EC2 Workloads

Aventra IRON instances use Amazon Elastic Block Store (EBS). They are designed to improve the IOPS performance that typically serves as the most visible performance bottleneck on cloud-based virtual machines. With that in mind, Aventra IRON is exposed to you as a storage device. The Aventra IRON storage device is already pre-configured and pre-mounted on startup. The directory available for use with Aventra IRON is “/data”. Anything that reads from and/or writes to this mounted directory is I/O optimized automatically, and anything you store under “/data” will persist beyond the life of the Aventra IRON enabled AMI, including snapshots of it for backup or replication. All you have to do is point/configure your workloads to use the Aventra IRON pre-mounted storage device. Do NOT change any of the Aventra IRON mount points, i.e. “/data” and/or “/halo”. Doing so will prevent Aventra IRON from functioning properly.

Use-Cases & Best Practices

(NOTE: The following instructions are specific to Amazon Linux, as Aventra IRON enabled AMIs use this OS.)

Installing and Configuring a MySQL database server on an Aventra IRON enabled AMI

Prerequisites: These instructions assume you have launched your Aventra IRON instance with a public DNS name that is reachable from the Internet. You also must have configured your security group to permit SSH-(port 22), HTTP-(port 80), and HTTPS-(port 443) connections. See the above instructions for launching your Aventra IRON enabled AMI. For information about launching and providing security settings, see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance_linux

Recall, Aventra IRON instances use Amazon Elastic Block Store (EBS). They are designed to improve the IOPS performance that typically serves as the most visible performance bottleneck on cloud-based virtual machines. With that in mind, Aventra IRON is exposed to you as a storage device, and its storage device is already pre-configured and pre-mounted on startup. The directory available for use with Aventra IRON is “/data”. Anything that reads from and/or writes to this mounted directory is I/O optimized automatically. For databases that need maximum concurrency performance and data throughput, all you have to do is point/configure your workloads to use the Aventra IRON pre-mounted storage device. Do NOT change any of the Aventra IRON mount points, i.e. “/data” and/or “/halo”. Doing so will prevent Aventra IRON from functioning properly.

The following outlines how this is done for a MySQL database server for your Aventra IRON enabled AMIs.

  1. Connect to your Aventra IRON enabled AMI per instructions above. For more about connections, see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-connect-to-instance-linux
  2. Do a quick software update on your Aventra IRON enabled AMI if necessary to ensure it is up to date. This process may take a few minutes, but it is important to make sure you have the latest bug fixes and security updates.
       [ec2-user ~]$ sudo yum update -y
     (NOTE: the -y option installs the updates without asking for confirmation. You can omit this option if you would like to examine the updates before installing.)
  3. You can install the MySQL database server now that your Aventra IRON enabled AMI is up to date.
       [ec2-user ~]$ sudo yum install -y mysql##-server
     (NOTE: replace the ## with the numbered MySQL version you are installing.)
  4. The default installation of MySQL has a few features that are good for testing and development, but they should be disabled or removed for production servers. Now that your MySQL server is installed, you can use the “mysql_secure_installation” command to set a root password and remove these features if you would like, which will make your MySQL server more secure.
    • Start your MySQL server.
       [ec2-user ~]$ sudo service mysqld start
    • Run “mysql_secure_installation” when MySQL has started.
       [ec2-user ~]$ sudo mysql_secure_installation
      1. Enter a password for the root account when prompted. The root account does not have a password already set by default, so just press “Enter.”
      2. Type “Y” to establish the root password. Don’t forget this password. (NOTE: The MySQL root password is just a basic security measure for your database. Typically, it is a good practice to avoid using the root account for anything but administration. Consequently, you should create a database “service user” for database applications you build or install on your new Aventra IRON MySQL instance.)
      3. Now type “Y” to remove anonymous user accounts.
      4. Type “Y” to disable remote root login.
      5. Type “Y” to remove the test database.
      6. Type “Y” to reload the privilege tables and to save your changes.
  5. Optionally, if you would like MySQL to start at boot, enter the following:
       [ec2-user ~]$ sudo chkconfig mysqld on
  6. To stop your MySQL server, enter:
       [ec2-user ~]$ sudo service mysqld stop
  7. Now you are ready to point/configure your MySQL server to Aventra IRON’s pre-mounted, I/O optimized storage device. The directory available for this is “/data”.
    • Before making any changes, first stop your MySQL server with the command above.
    • Copy the default MySQL data directory /var/lib/mysql to /data/mysql, preserving ownership and permissions, and make sure the copy is owned by the mysql user.
       [ec2-user ~]$ sudo cp -Rap /var/lib/mysql /data/mysql
       [ec2-user ~]$ sudo chown -R mysql:mysql /data/mysql
    • Now, using a text editor, edit and save MySQL’s configuration file /etc/my.cnf to set its datadir and socket variables to Aventra IRON’s “/data” directory. (NOTE: change every socket line, including any in a [client] section, so that client tools find the relocated socket.)
       Change From:
         datadir = /var/lib/mysql
         socket = /var/lib/mysql/mysql.sock
       Change To:
         datadir = /data/mysql
         socket = /data/mysql/mysql.sock
    • Restart MySQL once the changes are saved.
       [ec2-user ~]$ sudo service mysqld start
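The relocation in step 7 as a script, added here as an example (it is not Aventra’s tooling). It assumes POSIX sh with sed, grep and mountpoint(1), which Amazon Linux provides, and the /data mount described above; the my.cnf rewrite is a pure function so it can be checked on a copy before the live file is touched.

```shell
#!/bin/sh
# Added example for step 7 of the MySQL section (not part of the Aventra guide).
# Assumptions: POSIX sh, GNU sed/grep, mountpoint(1); IRON device mounted at /data.
set -eu

# Rewrite every datadir= and socket= line of my.cnf copy $1 into $2 so they point
# at $3. Both the [mysqld] and the [client] socket lines must move, or client
# tools keep looking for the socket under /var/lib/mysql. Commented lines are
# left alone because the pattern requires the key at the start of the line.
relocate_mycnf() {
  src="$1"; dst="$2"; dir="$3"
  sed -e "s|^[[:space:]]*datadir[[:space:]]*=.*|datadir = $dir|" \
      -e "s|^[[:space:]]*socket[[:space:]]*=.*|socket = $dir/mysql.sock|" \
      "$src" > "$dst"
}

# Return 0 only when config $1 points at $2 and no stale /var/lib/mysql path remains.
config_uses_dir() {
  cfg="$1"; dir="$2"
  grep -q "^datadir = $dir\$" "$cfg" || return 1
  grep -q "^socket = $dir/mysql.sock\$" "$cfg" || return 1
  if grep -q '/var/lib/mysql' "$cfg"; then return 1; fi
  return 0
}

# Guard used before touching the live server: the target must really be the
# separately mounted IRON device, not a plain directory on the root volume.
data_dir_is_on_mount() {
  mountpoint -q "$1"
}

# Apply mode: run as root on the instance with "--apply" to carry out step 7.
# Without the flag the script only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
  data_dir_is_on_mount /data || { echo "/data is not a mount point; aborting" >&2; exit 1; }
  [ ! -e /data/mysql ] || { echo "/data/mysql already exists; aborting" >&2; exit 1; }
  service mysqld stop
  cp -Rap /var/lib/mysql /data/mysql
  chown -R mysql:mysql /data/mysql
  relocate_mycnf /etc/my.cnf /etc/my.cnf.iron /data/mysql
  config_uses_dir /etc/my.cnf.iron /data/mysql || { echo "rewrite failed; /etc/my.cnf untouched" >&2; exit 1; }
  cp -p /etc/my.cnf /etc/my.cnf.bak
  mv /etc/my.cnf.iron /etc/my.cnf
  service mysqld start
fi
```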

Installing and Configuring an Apache Web Server with SSL/TLS on an Aventra IRON enabled AMI

Prerequisites: These instructions assume you have launched your Aventra IRON instance with a public DNS name that is reachable from the Internet. You also must have configured your security group to permit SSH-(port 22), HTTP-(port 80), and HTTPS-(port 443) connections. See the above instructions for launching your Aventra IRON enabled AMI. For information about launching and providing security settings, see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance_linux

  1. Connect to your Aventra IRON enabled AMI per instructions above. For more about connections, see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-connect-to-instance-linux
  2. Do a quick software update on your Aventra IRON enabled AMI if necessary to ensure it is up to date. This process may take a few minutes, but it is important to make sure you have the latest bug fixes and security updates.
       [ec2-user ~]$ sudo yum update -y
     (NOTE: the -y option installs the updates without asking for confirmation. You can omit this option if you would like to examine the updates before installing.)
  3. You can install the Apache web server now that your Aventra IRON enabled AMI is up to date.
       [ec2-user ~]$ sudo yum install -y httpd24
  4. Start the Apache web server, which will show “Starting httpd:”.
       [ec2-user ~]$ sudo service httpd start
  5. Use the “chkconfig” command to start the Apache web server at each system boot.
       [ec2-user ~]$ sudo chkconfig httpd on
     (NOTE: the “chkconfig” command does not provide any message when successfully enabling a service.) You can verify that “httpd” is on by running the following command:
       [ec2-user ~]$ chkconfig --list httpd
     This command will show that “httpd” is on in runlevels 2, 3, 4, and 5, which is what you want to see.
  6. Now test your web server by entering the public DNS address (or the public IP address) of your instance in a browser. You can get the public DNS for your instance using the Amazon EC2 Console (check the Public DNS column; if this column is hidden, choose Show/Hide and select Public DNS). You should see the Apache Test Page if there is no content in /var/www/html. (NOTE: Apache “httpd” serves up files that are kept in a directory called the “Apache Document Root.”) The Amazon Linux Apache Document Root is /var/www/html, and is owned by root by default, which you can change (see instruction 7). When content is added to the document root, the content appears at the public DNS address of the instance instead of the Apache test page.
    • Security Group: If the Apache Test Page doesn’t appear and there is no content in your Apache Document Root, then ensure the security group you are using contains a rule to allow HTTP-(port 80) traffic. (see above “Prerequisites” for more information)
  7. You will need to modify the ownership and permissions of the Apache Document Root directory to allow “ec2-user” to manipulate files in this directory. There are several ways to accomplish this. Here we explain how to add a “www group” to your new IRON enabled web server instance, give this group ownership of the /var/www directory, and add write permissions for the “www group.” Once complete, any member of the new group will be able to add, delete, and modify files for your Aventra IRON Apache web server.
    • Add the “www group”:
       [ec2-user ~]$ sudo groupadd www
    • Add the user “ec2-user” to the new “www group”:
       [ec2-user ~]$ sudo usermod -a -G www ec2-user
    • Log out and then log back in to pick up your membership in the new “www group.”
       [ec2-user ~]$ exit
    • Reconnect to your Aventra IRON enabled AMI and run the following command to verify the membership. You should see: ec2-user wheel www
       [ec2-user ~]$ groups
    • Now change the group ownership of /var/www and its contents to the “www group.”
       [ec2-user ~]$ sudo chown -R root:www /var/www
    • Now change the directory permissions of /var/www and its subdirectories to add group write permissions and to set the group ID on future subdirectories (the setgid bit, the leading 2 in 2775, makes new files and directories inherit the “www” group).
       [ec2-user ~]$ sudo chmod 2775 /var/www
       [ec2-user ~]$ find /var/www -type d -exec sudo chmod 2775 {} \;
    • Recursively change the file permissions of /var/www and its subdirectories to add group write permissions.
       [ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} \;

    After executing the above commands, ec2-user, and future members of the “www group,” will be able to add, delete, and edit files in the Apache Document Root.

  8. You are now ready to add content, such as a static website or a PHP application, to your new Aventra IRON Apache web server. Recall, Aventra IRON enabled instances use Amazon Elastic Block Store (EBS). They are designed to improve the IOPS performance that typically serves as the most visible performance bottleneck on cloud-based virtual machines. With that in mind, Aventra IRON is exposed to you as a storage device, and its storage device is already pre-configured and pre-mounted on startup. The directory available for use with Aventra IRON is “/data”. Anything that reads from and/or writes to this mounted directory is I/O optimized automatically. For web sites that need maximum concurrency and data throughput, all you have to do is point/configure your workloads to use the Aventra IRON pre-mounted storage device. Do NOT change any of the Aventra IRON mount points, i.e. “/data” and/or “/halo”. Doing so will prevent Aventra IRON from functioning properly.
  9. Although optional, you should secure your Aventra IRON Apache web server, as web servers running the HTTP protocol do not provide, by default, transport security for the data they send or receive. For instance, when you connect to an HTTP server using a web browser, the URLs you enter, the content of web pages you receive, and the contents (including passwords) of any HTML form you submit are all visible to eavesdroppers anywhere along the network path. Therefore, the best practice for securing your web server is to install support for HTTPS, “HTTP Secure,” which protects your data with SSL/TLS encryption. Secure Sockets Layer/Transport Layer Security, “SSL/TLS,” creates an encrypted channel between a web server and web client that protects data in transit from being eavesdropped on. The following explains how to add SSL/TLS for your new Aventra IRON Apache web server. (NOTE: web encryption is often referred to simply as “SSL” for historic reasons, even though the TLS protocol is newer and considered less vulnerable to attack.)
    • The SSL/TLS public key infrastructure (PKI) relies on the Domain Name System (DNS) to identify and authenticate web sites. You need to register a domain name for your web server on your Aventra IRON enabled AMI host, or transfer an existing domain name to this Aventra IRON Apache web server, if you plan to use it to host a public web site.
    • Assuming your Aventra IRON Apache web server is running and you are connected to it, you can add SSL/TLS support by installing the Apache module “mod_ssl.”
       [ec2-user ~]$ sudo yum install -y mod24_ssl
      This will install three (3) important files, one or more of which you will work with later in this section. (NOTE: the .key file and .crt file below are both in PEM format, consisting of Base64-encoded ASCII characters framed by “BEGIN” and “END” lines. The file names and their extensions are for convenience and have no effect on their functionality. Accordingly, you can call a certificate “cert.crt,” “cert.pem,” or “certificate.pem,” so long as the related directive in the “ssl.conf” file uses the same name and the file is in PEM format.)
      1. /etc/httpd/conf.d/ssl.conf – This is the conf-file for mod_ssl that contains “directives” that tell Apache where to find encryption keys and certificates, what encryption algorithms to use, and which SSL/TLS protocols to allow.
      2. /etc/pki/tls/private/localhost.key – This is an automatically generated, 2048-bit RSA private key file for your Aventra IRON enabled AMI host. OpenSSL used this key to generate a self-signed host certificate during installation. You can also use it later to generate a certificate signing request (CSR) to submit to a certificate authority (CA).
      3. /etc/pki/tls/certs/localhost.crt – This is an automatically generated, self-signed X.509 certificate file for your Aventra IRON enabled AMI host. This certificate is useful for testing that Apache is properly set up to use SSL/TLS.
    • Now, restart Apache.
       [ec2-user ~]$ sudo service httpd restart
      Your Aventra IRON Apache web server will now support HTTPS over port 443. Test it by using its IP address or fully qualified domain name in a browser URL bar with the prefix https://. Because you are connecting to a site with a self-signed, untrusted certificate, your browser may display a series of warnings.** Override these and proceed to your site. If the Apache welcome page opens, you have successfully configured SSL/TLS for your web server. All data passing between the browser and server is now encrypted, as shown by the lock icon in the browser’s URL bar.
    • ** You will need to obtain a certificate that not only encrypts, but also authenticates you publicly as the owner of the site, to prevent site visitors from encountering these warnings. Accordingly, there is a process for: 1) generating a Certificate Signing Request (CSR) from a private key, 2) submitting this CSR to a Certificate Authority (CA), 3) obtaining the signed certificate, and then 4) configuring Apache to use it. To simplify this process, your Aventra IRON Apache web server automatically generated a private key that you can use in a CSR to be submitted to a CA. This section describes the process of generating your CSR with the automatically generated private key and using the new host certificate signed by a CA for your Aventra IRON Apache web server. If you would like additional information about SSL/TLS, or should you like to generate your own private key, see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html
      1. First, navigate to the directory holding your automatically generated private key: /etc/pki/tls/private. The file “localhost.key” contains this key.
      2. Now create a CSR using this key:
           [ec2-user private]$ sudo openssl req -new -key localhost.key -out csr.pem
         The “openssl” command opens a dialog, prompting you for information. All fields in the prompt are optional for a basic, domain-validated certificate except for “Common Name,” which is required. The “Common Name” value must exactly match the web address that you expect users to type into their browsers. Usually, this means a domain name with a prefixed host name or alias. Finally, OpenSSL prompts you for an optional challenge password. This password only applies to the CSR and the transaction between you and your CA. Follow your CA’s recommendations about this password and other optional fields in the CSR.
      3. For a list of well-known Certificate Authorities (CA’s), check out Dmoz.org at: http://www.dmoz.org/Computers/Security/Public_Key_Infrastructure/PKIX/Tools_and_Services/Third_Party_Certificate_Authorities/
      4. Submit your CSR to your CA. This usually consists of opening your CSR file in a text editor and copying its contents into a web form. After your CSR has been approved, you will receive a new host certificate signed by the CA. Download this new host certificate. (NOTE: You may be instructed to download an intermediate certificate file that contains additional certificates needed to complete the CA’s chain of trust.)
      5. Now remove the self-signed, host certificate from the /etc/pki/tls/certs directory and put the signed CA certificate there along with any intermediate certificates. The file with your self-signed, host certificate you are replacing in the /etc/pki/tls/certs directory is: “localhost.crt.” (NOTE: The easiest way to upload the new certificate to your Aventra IRON enabled Apache server is to open a text editor on both your local computer and your Aventra IRON enabled AMI, then copy and paste the file contents between them. Be careful not to add any additional lines while copying the content, or to change the content in any way.)
      6. From inside the /etc/pki/tls/certs directory, check that the file ownership, group, and permissions settings match the highly restrictive Amazon Linux defaults (owner root, group root, read/write for owner only). After you execute these three (3) commands, the listing should show “-rw------- root root custom.crt”:
           [ec2-user certs]$ sudo chown root:root custom.crt
           [ec2-user certs]$ sudo chmod 600 custom.crt
           [ec2-user certs]$ ls -al custom.crt
      7. The permissions for the intermediate certificate file are less stringent (owner root, group root, owner can write, world can read). From inside the same directory, after you execute these three (3) commands the listing should show “-rw-r--r-- root root intermediate.crt”:
           [ec2-user certs]$ sudo chown root:root intermediate.crt
           [ec2-user certs]$ sudo chmod 644 intermediate.crt
           [ec2-user certs]$ ls -al intermediate.crt
      8. Now, using a text editor, edit and save the ssl.conf file in the /etc/httpd/conf.d/ directory so that Apache’s certificate directives point to the correct paths for the signed CA certificate (in the above example, “custom.crt”) and the intermediate certificate (in the above example, “intermediate.crt”). The intermediate certificate goes in SSLCertificateChainFile; SSLCertificateFile must appear only once:

           SSLCertificateFile /etc/pki/tls/certs/custom.crt
           SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt

         Save the ssl.conf file in the /etc/httpd/conf.d/ directory and restart Apache.
           [ec2-user ~]$ sudo service httpd restart

      9. Finally, test and harden the security configuration. You should test how secure your site really is once your SSL/TLS is operational and exposed to the public. This is easy using online services such as Qualys SSL Labs, which you can find here: https://www.ssllabs.com/ssltest/analyze.html You may decide to harden the default security configuration by controlling which protocols to accept, which ciphers to prefer, and which to exclude. Amazon Web Services has excellent user guides for explaining and helping you through this process. See step #3 at: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html
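A pre-restart audit of the ssl.conf edits from steps 6 to 9, added here as an example (not part of the Aventra guide or Apache). It assumes GNU stat (as on Amazon Linux) and reads every path from the config file passed to it, so it can be exercised on a temporary copy; it catches the two mistakes that are easiest to make here: listing the intermediate as a second SSLCertificateFile, and leaving the private key or certificate world-readable.

```shell
#!/bin/sh
# Added example (not from the Aventra guide): audit an Apache ssl.conf before
# "service httpd restart". Assumptions: GNU stat; files referenced by absolute path.
set -eu

# Print the first value of Apache directive $2 in config $1 (empty if absent).
# Commented-out directives do not match because "#Name" is not equal to "Name".
directive() {
  awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# 0 if file $1 has octal mode $2 (600 for custom.crt and the key, 644 for the chain).
has_mode() {
  [ "$(stat -c '%a' "$1")" = "$2" ]
}

# SSLProtocol value check: 0 unless SSLv3 is still enabled. $1 is the value string,
# e.g. "all -SSLv2 -SSLv3" (the Amazon Linux default) or "-all +TLSv1.2".
protocol_ok() {
  case " $1 " in
    *' -all '*) return 0 ;;                     # only explicitly listed versions are on
    *' +SSLv3 '*|*' SSLv3 '*) return 1 ;;        # SSLv3 explicitly enabled
    *' all '*|*' +all '*)                        # "all" is weak unless SSLv3 is removed
      case " $1 " in *' -SSLv3 '*) return 0 ;; *) return 1 ;; esac ;;
    *) return 0 ;;                               # explicit TLS list without SSLv3
  esac
}

# Whole-file audit: prints every finding, returns 0 only when there are none.
audit_ssl_conf() {
  cfg="$1"; rc=0
  cert=$(directive "$cfg" SSLCertificateFile)
  chain=$(directive "$cfg" SSLCertificateChainFile)
  key=$(directive "$cfg" SSLCertificateKeyFile)
  proto=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$cfg" | head -n 1 \
          | sed 's/^[[:space:]]*SSLProtocol[[:space:]]*//')

  # Step 8: exactly one SSLCertificateFile; the intermediate belongs in SSLCertificateChainFile.
  n=$(grep -c '^[[:space:]]*SSLCertificateFile[[:space:]]' "$cfg" || true)
  [ "$n" -eq 1 ] || { echo "SSLCertificateFile appears $n times (expected 1)"; rc=1; }

  # Steps 6 and 7: referenced files must exist and carry the modes set there.
  if [ -z "$cert" ] || [ ! -f "$cert" ]; then echo "SSLCertificateFile missing: '$cert'"; rc=1
  elif ! has_mode "$cert" 600; then echo "$cert should be mode 600"; rc=1; fi
  if [ -n "$chain" ]; then
    if [ ! -f "$chain" ]; then echo "SSLCertificateChainFile missing: $chain"; rc=1
    elif ! has_mode "$chain" 644; then echo "$chain should be mode 644"; rc=1; fi
  fi
  if [ -z "$key" ] || [ ! -f "$key" ]; then echo "SSLCertificateKeyFile missing: '$key'"; rc=1
  elif ! has_mode "$key" 600; then echo "$key should be mode 600 (private key)"; rc=1; fi

  # Step 9: reject SSLv3 before SSL Labs does. No directive means Apache's default applies.
  if [ -n "$proto" ] && ! protocol_ok "$proto"; then
    echo "SSLProtocol still allows SSLv3: $proto"; rc=1
  fi
  return $rc
}
```

Run it as `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` on the instance; a non-zero exit lists what to fix before the restart.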
    • If your Aventra IRON Apache web server won’t start unless you supply a password and you would like to change this behavior, you can. You will be asked for a password if you installed an encrypted, password-protected private server key. To strip the key of its encryption and password, run the following commands on your Aventra IRON Apache web server to generate an unencrypted version of this key. Because the resulting file protects the key with file permissions alone, keep it owned by root with mode 600, as the last commands below do.

      These commands use “custom.key” in the default directory and the passphrase “abcde12345.” Your key file and passphrase will likely be different, so replace them in these commands accordingly.

      [ec2-user ~]$ cd /etc/pki/tls/private/
      [ec2-user private]$ sudo cp custom.key custom.key.bak
      [ec2-user private]$ sudo openssl rsa -in custom.key -passin pass:abcde12345 -out custom.key.nocrypt
      [ec2-user private]$ sudo mv custom.key.nocrypt custom.key
      [ec2-user private]$ sudo chown root.root custom.key
      [ec2-user private]$ sudo chmod 600 custom.key
      [ec2-user private]$ sudo service httpd restart

      Your Aventra IRON Apache web server should now start without prompting you for a password.
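The CSR step and the passphrase-removal step above, done non-interactively, as an added example that is not part of the Aventra guide. It assumes the openssl CLI and GNU stat; key and output paths are parameters so it can be exercised on a throwaway key, and it adds two checks a practitioner wants before submitting to a CA: that the Common Name in the CSR is the host name users will type, and that the CSR really belongs to the key Apache will load.

```shell
#!/bin/sh
# Added example (not from the Aventra guide): CSR creation and passphrase removal.
# Assumptions: openssl CLI, GNU stat, RSA keys (as localhost.key above is).
set -eu

# Write a CSR for private key $1 to $2 with Common Name $3. -subj replaces the
# interactive prompts; the other subject fields are optional for a domain-validated cert.
make_csr() {
  openssl req -new -key "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Print the Common Name embedded in CSR $1 (empty if none). Handles both the
# "subject=CN = host" and the older "subject=/CN=host" output formats of openssl.
csr_cn() {
  openssl req -noout -subject -in "$1" 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# 0 if CSR $1 was generated from key $2: the RSA modulus in both must be identical,
# which is what the CA-signed certificate will later be matched against by Apache.
csr_matches_key() {
  [ "$(openssl req -noout -modulus -in "$1" 2>/dev/null)" = \
    "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# Decrypt key $1 (passphrase $3) into $2. The umask makes the plaintext key
# owner-readable only from the moment it is created, so there is no window in
# which it is world-readable before a later chmod 600.
strip_key_passphrase() {
  ( umask 077 && openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null )
}

# 0 if key file $1 is readable and writable by its owner only (mode 600).
key_is_private() {
  [ "$(stat -c '%a' "$1")" = "600" ]
}
```

On the instance, `make_csr /etc/pki/tls/private/localhost.key csr.pem www.example.com` (run with sudo, with your own host name) replaces step 2's dialog, and `csr_cn csr.pem` confirms the name before the CSR is pasted into the CA's form.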