Preparing the Environment

Preparing the environment for deploying the protector.

This section provides an overview of the steps required to prepare the environment for deploying the Protegrity AWS EC2 Protector product.

1 - Initializing the Jump Box

Initialize the Linux instance.

The Linux instance should be connected to the AWS EC2 cluster. The following are the minimum system requirements for the Linux instance.

Software and Files Required for the Linux instance   Purpose               Link
AWS CLI                                              Manage AWS services   AWS Command Line Interface

2 - Extracting the Installation Package

Extract the Linux installation package.

This section describes the steps to download and extract the installation package for the Protegrity AWS EC2 Protector.

To download the installation package:

  1. Download the ApplicationProtector_Linux-64_x86-64_AWS.EC2.JRE-<JRE_Version>_<Version>.tgz file on the Linux instance.

  2. Run the following command to extract the files from the ApplicationProtector_Linux-64_x86-64_AWS.EC2.JRE-<JRE_Version>_<Version>.tgz file.

    tar -xvf ApplicationProtector_Linux-64_x86-64_AWS.EC2.JRE-<JRE_Version>_<Version>.tgz

    The following files are extracted:

    • ASG-APJAVA-RPSYNC-EC2-CFT_AWS_<Build_version>.json: AWS CloudFormation template used to launch an EC2 instance. This instance is used to run the script for fetching the ESA policy.
    • ApplicationProtector-SAMPLE-APP_SRC_<Build_version>.tgz: Package containing the sample application that should be deployed on the AWS EC2 instance.
    • APJAVA-RPSYNC-USERDATA-SCRIPTS_EC2_AWS_<Build_version>.tgz: Sample user data script that you can specify in the UserData property of the CloudFormation template. This script contains the bash commands to launch an EC2 instance.
    • RPSyncConfig_Linux-ALL-64_x86-64_JRE-_<Build_version>.tgz: Contains the RPSync configuration file and the script for setting up the certificates between the protector and the ESA.
    • ApplicationProtector_Linux-ALL-64_x86-64_JRE-_<Build_version>.tgz: AP Java installation package.

3 - Creating a JAR for the Sample Application

Create a JAR file for the Sample Application.

This section describes the typical steps required to create a JAR file for the Sample Application.

Ensure that Maven 3.6 or later and Open JDK 1.8 are installed on the machine on which you are creating the JAR file.

To create a JAR file for the Sample Application:

  1. Extract the installation package.

    For more information about extracting the installation package, refer to the section Extracting the Linux Installation Package.

  2. Run the following command to extract the files from the ApplicationProtector-SAMPLE-APP_SRC_<Build_version>.tgz file to a directory.

    tar -xvf ApplicationProtector-SAMPLE-APP_SRC_<Build_version>.tgz -C <dir>

  3. Switch to the directory where you have extracted the ApplicationProtector-SAMPLE-APP_SRC_<Build_version>.tgz package.

  4. Execute the following command in the directory.

    mvn clean install

    The apjava-springboot-0.1.0.jar file appears in the ./target directory.

    You need to copy the apjava-springboot-0.1.0.jar file to the /opt/protegrity directory in step 7 of the section Creating a Linux AMI for the Sample Application.

4 - Creating a Linux AMI for the Sample Application

Create a Linux AMI for the Sample Application.

This section describes the typical steps required to create a Linux AMI for the Sample Application. This AMI is then used to deploy the Sample Application on the EC2 Auto Scaling Group.

Important: The Sample Application is used for demonstrating how the Application Protector Java can be set up with an application, which in this case is a Spring Boot application. You can choose to create a custom AMI by integrating your custom application with the Application Protector Java libraries.

Important: Red Hat Linux and Amazon Linux instances are supported, because the user data scripts in the CloudFormation template use yum as the package manager. If you want to use a different distribution of Linux, then ensure that you modify the UserData section in the CloudFormation template to use another package manager that is compatible with the specific distribution.

To create a Linux AMI:

  1. Create an EC2 Linux instance and ensure that you have installed the latest version of Java on the Linux instance.

    Ensure that yum is the default package manager for the EC2 instance.

    For more information about how to create an EC2 Linux instance on AWS, refer to the section Getting Started with Amazon EC2 Linux Instances.

  2. Connect to your EC2 Linux instance using SSH.

    For more information about how to connect to an EC2 Linux instance using SSH, refer to the section Connecting to Your Linux Instance Using SSH.

  3. Switch to the root user using the following command.

    sudo su

  4. Run the following command to create the directory structure.

    mkdir -p /opt/protegrity/app

  5. Run the following command to add a new user.

    useradd -ms /bin/bash ptyitusr

  6. Navigate to the protegrity directory by running the following command.

    cd /opt/protegrity

  7. Copy the apjava-springboot-0.1.0.jar file from step 4 of the section Creating a JAR File for the Sample Application to the /opt/protegrity directory.

  8. Copy the ApplicationProtector_Linux-ALL-64_x86-64_JRE-_<Build_version>.tgz file from step 2 of the section Extracting the Linux Installation Package to the /opt/protegrity directory.

  9. Run the following command to set up and install the Sample Application.

    # Install the Sample Application
    cp apjava-springboot-0.1.0.jar app.jar
    jar -xf app.jar && \
    mv BOOT-INF/lib app/lib && \
    mv META-INF app/META-INF && \
    mv BOOT-INF/classes/* app && \
    rm -rf app/lib/ApplicationProtectorJava.jar app/lib/jna*4.1.0.jar app/ApplicationProtectorJava.properties BOOT-INF app.jar org
    
  10. Run the following command to change the owner of the /opt/protegrity directory to the ptyitusr user.

    chown -R ptyitusr:ptyitusr /opt/protegrity

  11. Perform the following steps to create an AMI from the running EC2 instance.

    1. Navigate to the Instances screen in the AWS Management Console.

    2. Right-click your running EC2 instance, and then click Image > Create Image.

      The Create Image screen appears.

    3. Enter the required details in the Create Image screen.

    4. Click Create Image.

    For more information about creating an AMI from a running EC2 instance, refer to the section Create an AMI from an Amazon EC2 Instance.

5 - Creating Certificates and Keys for TLS Authentication

Create certificates and keys for establishing secure communication between the client and the load balancer.

If you already have a server certificate that has been signed by a trusted third-party Certificate Authority (CA), then you do not need to create a self-signed server and client certificate.

Ensure that OpenSSL is installed on the Linux instance to create the required certificates.

To create the certificates and keys:

  1. On the Linux instance, run the following command to create a CA certificate and a private key for the certificate.

    openssl req -x509 -sha256 -newkey rsa:2048 -keyout iap-ca.key -out iap-ca.crt -days 356 -nodes -subj '/CN=IAP Certificate Authority'

    Note: If you already have a CA certificate and a private key, then you can skip this step.

  2. On the Linux instance, create a server private key and a server certificate that is signed with the private key of the CA created in step 1.

    openssl req -new -newkey rsa:2048 -keyout iap-wildcard.key -out iap-wildcard.csr -nodes -subj '/CN=*.example.com'

    openssl x509 -req -sha256 -days 365 -in iap-wildcard.csr -CA iap-ca.crt -CAkey iap-ca.key -set_serial 04 -out iap-wildcard.crt

    Ensure that you specify a wildcard character as the subdomain name in the Common Name (CN) of the server certificate. This ensures that the same server certificate is valid for all the subdomains of the given domain name.

    For example, consider that you have separate hostnames for the production and staging environments, prod.example.com and staging.example.com. By specifying a wildcard character in the Common Name of the server certificate, you can use the same server certificate to authenticate prod.example.com and staging.example.com.

  3. Copy all the certificates to a common directory.

    For example, create a directory named iap-certs and copy all the certificates that have been created to this directory.

6 - Uploading the Server Certificates to the AWS Identity and Access Management

Upload server certificates to the AWS IAM service.

This section describes the typical steps required to upload the server certificates that you have created in the section Creating Certificates and Keys for TLS Authentication to the AWS IAM service.

Uploading the server certificate takes a single command. On the Linux instance, run the following command to upload the server certificate to the AWS IAM service.

aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://path/to/server-certs --certificate-chain file://path/to/ca-certs --private-key file://path/to/server-key

For example:

aws iam upload-server-certificate --server-certificate-name CertificateName --certificate-body file://path/to/iap-wildcard.crt --certificate-chain file://path/to/iap-ca.crt --private-key file://path/to/iap-wildcard.key

The command returns the metadata of the uploaded certificate as an output. The metadata contains the Amazon Resource Name (ARN) for the certificate. You must specify this ARN in the SSLCertificate parameter of the CloudFormation template that you use to create the Auto Scaling Group.

For more information about uploading a server certificate to the AWS IAM, refer to the section Uploading a Server Certificate (AWS API).

For more information about the upload-server-certificate command, refer to the section upload-server-certificate in the AWS CLI Command Reference documentation.
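The certificate chain from the section Creating Certificates and Keys for TLS Authentication, together with the local checks worth running before the upload command in this section, as an added example that is not part of the Protegrity documentation. The file names and openssl commands follow the page; the scratch directory argument, the hostnames prod.example.com and staging.example.com taken from the wildcard discussion, and the `--query` filter that reduces the upload output to the ARN are this example's own choices. It goes beyond the page by confirming that the wildcard certificate matches the subdomains but not the bare domain, and that the private key being uploaded actually belongs to the certificate, since finding a mismatch locally is cheaper than finding it after the certificate is attached to the load balancer.

```shell
#!/bin/sh
# Added example, not part of the Protegrity documentation. Builds the CA and
# wildcard server certificate from section 5 in a scratch directory, then runs
# the local checks worth doing before "aws iam upload-server-certificate".
# File names (iap-ca.*, iap-wildcard.*) and the openssl commands follow the
# page; the directory argument and the hostnames are this example's assumptions.
set -u

# make_iap_certs DIR: create iap-ca.{key,crt} and iap-wildcard.{key,csr,crt} in DIR
make_iap_certs() {
  dir=$1
  mkdir -p "$dir" || return 1
  # Self-signed CA certificate and its private key (validity as written on the page)
  openssl req -x509 -sha256 -newkey rsa:2048 -keyout "$dir/iap-ca.key" \
    -out "$dir/iap-ca.crt" -days 356 -nodes \
    -subj '/CN=IAP Certificate Authority' 2>/dev/null || return 1
  # Server private key and CSR with a wildcard Common Name
  openssl req -new -newkey rsa:2048 -keyout "$dir/iap-wildcard.key" \
    -out "$dir/iap-wildcard.csr" -nodes -subj '/CN=*.example.com' 2>/dev/null || return 1
  # Server certificate signed with the CA's private key
  openssl x509 -req -sha256 -days 365 -in "$dir/iap-wildcard.csr" \
    -CA "$dir/iap-ca.crt" -CAkey "$dir/iap-ca.key" -set_serial 04 \
    -out "$dir/iap-wildcard.crt" 2>/dev/null || return 1
}

# chain_ok DIR: the server certificate chains to iap-ca.crt. The "OK" line is
# checked instead of the exit status, which older openssl releases did not set.
chain_ok() {
  openssl verify -CAfile "$1/iap-ca.crt" "$1/iap-wildcard.crt" 2>/dev/null | grep -q ': OK$'
}

# hostname_ok DIR HOST: the server certificate is valid for HOST. The certificate
# has no SAN, so openssl falls back to the CN; "*.example.com" covers one label.
hostname_ok() {
  openssl verify -CAfile "$1/iap-ca.crt" -verify_hostname "$2" \
    "$1/iap-wildcard.crt" 2>/dev/null | grep -q ': OK$'
}

# key_matches_cert DIR: the private key and the certificate carry the same public key
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1/iap-wildcard.key" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$1/iap-wildcard.crt" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# preflight DIR: every check that should pass before the upload
preflight() {
  chain_ok "$1" && key_matches_cert "$1" \
    && hostname_ok "$1" prod.example.com && hostname_ok "$1" staging.example.com
}

# upload_iap_cert DIR NAME: the page's upload command, reduced to the ARN needed
# for the SSLCertificate CloudFormation parameter. Needs AWS credentials, so the
# local checks below never call it.
upload_iap_cert() {
  preflight "$1" || return 1
  aws iam upload-server-certificate --server-certificate-name "$2" \
    --certificate-body "file://$1/iap-wildcard.crt" \
    --certificate-chain "file://$1/iap-ca.crt" \
    --private-key "file://$1/iap-wildcard.key" \
    --query 'ServerCertificateMetadata.Arn' --output text
}

# Usage: sh iap-certs.sh /path/to/iap-certs   (builds the files and runs the local checks)
if [ -n "${1:-}" ]; then
  make_iap_certs "$1" && preflight "$1" && echo "local checks passed for $1"
fi
```

The hostname checks show the wildcard rule from the previous section in practice: prod.example.com and staging.example.com match, while example.com and a two-level name such as deep.prod.example.com do not, because a wildcard covers exactly one label. The CA validity of 356 days is kept as the page writes it.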

7 - Uploading the RPSyncConfig Package to the AWS S3 Bucket

Upload the RPSyncConfig package to the AWS S3 bucket.

The RPSyncConfig package contains the configuration file for configuring the Application Protector Java. It also contains the certificates required to communicate between the ESA and the protector.

To upload the RPSyncConfig package:

  1. Navigate to the location where you have extracted the installation package for the AWS EC2 Protector.

    For more information about the extracted installation package, refer to the section Extracting the Installation Package.

  2. Upload the RPSyncConfig_Linux-ALL-64_x86-64_JRE-_<Build_version>.tgz package to the AWS S3 bucket that you have created in the section Creating an AWS S3 Bucket.

8 - Preparing the AWS Requirements

Overview of preparing the AWS requirements.

This section describes how to prepare the AWS runtime environment.

Prerequisites

Before creating the runtime environment on AWS, ensure that you have a valid AWS account and the following information:

  • Login URL for the AWS account
  • Authentication credentials for the AWS account

Audience

It is recommended that you have a working knowledge of AWS and of the following concepts:

  • Introduction to AWS S3
  • Introduction to AWS Cloud Security

Creating an AWS S3 Bucket

To create an AWS S3 bucket:

  1. Log in to the AWS environment.

  2. Navigate to Services.

    A list of AWS services appears.

  3. In Storage, click S3.

    The S3 buckets screen appears.

  4. Click Create bucket.

    The Create bucket screen appears.

  5. In the General configuration screen, specify the following details.

    1. In the Bucket name field, enter a unique name for the bucket.

    2. In the AWS Region field, choose the same region in which you want to create your EC2 instance.

    If you want to configure your bucket or set any specific permissions, then you can specify the required values in the remaining sections of the screen. Otherwise, you can go directly to the next step to create a bucket.

  6. Click Create bucket.

    The bucket is created.