Secure Sockets Layer (SSL) encryption is the most common method for protecting data sent over the Internet. This topic describes how to bind an SSL certificate purchased from a trusted certification authority (CA) to an Enterprise Distributed Application Service (EDAS) application.

Purchase an SSL certificate

To configure SSL for an application, you must first obtain an SSL certificate signed by a CA, a trusted third party that issues certificates for this purpose. If you do not have an SSL certificate, purchase one from a company that sells SSL certificates.
  • Alibaba Cloud SSL Certificates Service: If you want to use an Alibaba Cloud SSL certificate, you can purchase it from Alibaba Cloud SSL Certificates Service. For more information, see Select and purchase certificates.
  • Third-party CA: For information about how to obtain SSL certificates from a third-party CA, see the documentation that is provided by the CA.

Bind an SSL certificate to an application that is deployed with a WAR package

To bind an SSL certificate to an application that is deployed with a WAR package, package the certificate file in the WAR package and use the WAR package to deploy the application. Then, modify the Connector parameter in the server.xml file in Tomcat settings.

  1. Package the certificate file into the WAR package and record the certificate file path, for example: jks_path.
  2. Use the WAR package to deploy applications in the EDAS console. For more information, see Create and deploy an application in an ECS cluster.
  3. Log on to the EDAS console.
  4. In the left-side navigation pane, click Applications. In the top navigation bar, select a region. In the upper part of the page, select a namespace. On the Applications page, click the name of the desired application.
  5. On the Basic Information tab of the application, click Settings on the right side of the Application Settings section. Select Tomcat from the Settings drop-down list, and then click Advanced Settings.
  6. Click to expand Advanced Settings. In the server.xml file, modify the current Connector (only one connector is allowed) to enable SSL configuration, and then click Save. Example:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="../app/{app_ID}/{app_name}/{jks_path}"
               keystoreType="PKCS12"
               keystorePass="jks_password"
               clientAuth="false"
               SSLProtocol="TLS"
               connectionTimeout="15000"
               maxParameterCount="1000"
               maxThreads="400"
               maxHttpHeaderSize="16384"
               maxPostSize="209715200"
               acceptCount="200"
               useBodyEncodingForURI="true"
               URIEncoding="ISO-8859-1"/>
  7. Restart the application so that the configuration immediately takes effect.

Bind an SSL certificate to an application that is deployed with a JAR package

To bind an SSL certificate to an application that is directly deployed with a JAR package, modify the application.properties file to enable SSL configuration, and package the certificate file in the JAR package. Then, use the JAR package to deploy the application and change the application port of Tomcat to 8443 on the Application Settings page.

  1. Modify the application.properties file to enable SSL configuration. Example:
    server.ssl.enabled=true
    server.ssl.key-store=classpath:{jks}
    server.ssl.key-store-password=jks_password
    server.ssl.key-store-type=PKCS12
  2. Store the certificate file in the resources path, which is at the same file level as application.properties, and then generate a JAR deployment package.
  3. Follow the same procedure for Create and deploy an application in an ECS cluster to deploy the application by using the JAR package.
  4. Log on to the EDAS console.
  5. In the left-side navigation pane, click Applications. In the top navigation bar, select a region. In the upper part of the page, select a namespace. On the Applications page, click the name of the desired application.
  6. On the Basic Information tab of the application, click Settings on the right side of the Application Settings section. Select Tomcat from the Settings drop-down list.
  7. Set the HTTPS port to 8443, and then click Save. Restart the application so that the configuration immediately takes effect.
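
The Connector in the WAR procedure and the application.properties file in the JAR procedure both declare the keystore type as PKCS12 while the file is referred to as a JKS path, so a pre-deployment check that the declared type matches the file's real container format catches a mismatch that may otherwise only surface when the application restarts. The following Python sketch is an added example, not part of the EDAS documentation; the function names and the sample values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Leading bytes that identify each keystore container format.
JKS_MAGIC = bytes.fromhex("feedfeed")
JCEKS_MAGIC = bytes.fromhex("cececece")
DER_SEQUENCE = b"\x30"  # a PKCS#12 (PFX) file is a DER-encoded SEQUENCE

# Constructed samples: the page's settings plus the first bytes of two keystores.
SAMPLE_CONNECTOR = ('<Connector port="8443" SSLEnabled="true" scheme="https" '
                    'secure="true" keystoreType="PKCS12"/>')
SAMPLE_PROPERTIES = "server.ssl.enabled=true\nserver.ssl.key-store-type=PKCS12\n"
JKS_HEAD = bytes.fromhex("feedfeed00000002")
P12_HEAD = bytes.fromhex("30820a10020103")


def detect_keystore_format(head: bytes) -> str:
    """Classify a keystore from the first bytes of the file."""
    if head[:4] == JKS_MAGIC:
        return "JKS"
    if head[:4] == JCEKS_MAGIC:
        return "JCEKS"
    return "PKCS12" if head[:1] == DER_SEQUENCE else "UNKNOWN"


def declared_from_connector(xml_text: str) -> dict:
    """Read the TLS attributes of a server.xml Connector element."""
    conn = ET.fromstring(xml_text)
    return {"enabled": conn.get("SSLEnabled", "false").lower() == "true",
            "type": conn.get("keystoreType", "").upper()}


def declared_from_properties(text: str) -> dict:
    """Read the server.ssl.* keys of an application.properties file."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith(("#", "!")))
    props = {k.strip(): v.strip() for k, v in pairs}
    return {"enabled": props.get("server.ssl.enabled", "false").lower() == "true",
            "type": props.get("server.ssl.key-store-type", "").upper()}


def check(declared: dict, keystore_head: bytes) -> list:
    """Return mismatches between the declared settings and the keystore file."""
    problems = [] if declared["enabled"] else ["SSL is not enabled"]
    actual = detect_keystore_format(keystore_head)
    if declared["type"] != actual:
        problems.append(f"declared {declared['type'] or 'no type'} but file is {actual}")
    return problems
```

Against a real package, pass the first eight bytes of the certificate file (read in binary mode) as `keystore_head`.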

Bind an SSL certificate to an application that is deployed with an image

Both WAR and JAR Docker images can be used to deploy applications. To bind an SSL certificate to an application that is deployed with an image, follow the procedure below that matches how the image was created.

Create an image by using a WAR package

To bind an SSL certificate to an application that is deployed with an image created by using a WAR package, you must modify the configuration parameter of Tomcat and package the certificate file in the Docker image.

  1. Download the Ali-Tomcat package and decompress the downloaded package to a directory, such as d:\work\tomcat\.
  2. Modify the Connector parameter in the server.xml file. Example:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="../app/{app_ID}/{app_name}/{jks_path}"
               keystoreType="PKCS12"
               keystorePass="jks_password"/>
  3. Store the modified server.xml file and certificate file at the same file level as Dockerfile. Add the following settings to Dockerfile:
    ADD server.xml ${CATALINA_HOME}/conf/
    ADD {jks} ${CATALINA_HOME}/conf/
  4. Package the image and deploy the application.

Create an image by using a JAR package

To bind an SSL certificate to an application that is deployed with an image created by using a JAR package, modify the application.properties file to enable SSL configuration. Then, package the certificate file in the JAR package that is used to create the image, and change the application port in Dockerfile to enable SSL configuration.

  1. Modify the JAR package configuration parameter and generate a JAR package. For more information, see Bind an SSL certificate to an application that is deployed with a JAR package.
  2. Set server.port=8443 in start.sh of Dockerfile.
  3. Package the image and deploy the application.

Bind an SLB instance to an EDAS application

You can bind a public Server Load Balancer (SLB) instance to an application. This SLB instance must be created in the SLB console in advance.

In the window that appears, select the SLB instance that you created in the SLB console. When you select and configure a listener, select Add a New Listening Port and set the listener port to 443. Alternatively, click Select An Existing Listening Port and select the listener that you created on this SLB instance. Then, click Next and add the Elastic Compute Service (ECS) instances of the application to the default group or a virtual group. Finally, confirm the changes.

Verify the SSL connection

In the address bar of your browser, enter the IP address or domain name of the application and add the prefix https:// to the IP address or domain name to check whether you can access the homepage of the application. If you can access the homepage, the SSL certificate is successfully bound to the application.
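
A scripted form of this check, added here as an example and not part of the EDAS documentation: it performs the handshake with chain and name verification, then reports whether the certificate covers the address you connected to and how many days remain before it expires. It also covers the case where the application is reached by IP address, which only validates if the certificate carries that address as an IP subject alternative name. The host names, addresses and certificate fields below are constructed samples, and the default port 443 assumes the SLB listener described above.

```python
import ipaddress
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "203.0.113.10")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_match(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that covers exactly one left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def summarize_cert(cert: dict, target: str, now: datetime) -> dict:
    """Report whether the certificate covers `target` and when it expires."""
    sans = cert.get("subjectAltName", ())
    if is_ip(target):  # an IP address is only covered by an IP SAN entry
        covered = any(k == "IP Address" and v == target for k, v in sans)
    else:
        covered = any(k == "DNS" and dns_match(v.lower(), target.lower())
                      for k, v in sans)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return {"covered": covered, "days_left": (expires - now).days}


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with chain and name verification; raises ssl.SSLError on failure."""
    ctx = ssl.create_default_context()  # verifies against the system CA store
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = summarize_cert(tls.getpeercert(), host, datetime.now(timezone.utc))
            info["protocol"] = tls.version()
            return info
```

Call `check_endpoint` with the application's domain name, or with port 8443 to test an instance directly instead of through the SLB listener.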

References

  • You can use an SLB instance to configure an SSL certificate for an application. For more information, see Add an HTTP listener.