Enterprise Distributed Application Service: Configure an SSL certificate and enable secure HTTPS access

Last Updated: Nov 08, 2023

Secure Sockets Layer (SSL) encryption is the most common method for protecting data that is sent over the Internet. This topic describes how to bind an SSL certificate purchased from a trusted certification authority (CA) to an Enterprise Distributed Application Service (EDAS) application.

Purchase an SSL certificate

To configure SSL for an application, you must obtain an SSL certificate that is signed by a CA. A CA is a trusted third party that issues certificates for this purpose. If you have no SSL certificate, you must purchase one from a company that sells SSL certificates.

  • Certificate Management Service: If you want to use an Alibaba Cloud SSL certificate, you can purchase it from Certificate Management Service. For more information, see Purchase an SSL certificate.

  • Third-party CA: For information about how to obtain SSL certificates from a third-party CA, see the documentation that is provided by the CA.

Bind an SSL certificate to an application that is deployed with a WAR package

To bind an SSL certificate to an application that is deployed with a WAR package, package the certificate file in the WAR package and use the WAR package to deploy the application. Then, modify the Connector parameter in the server.xml file in Tomcat settings.

  1. Package the certificate file in the WAR package and record the path of the certificate file. Example: jks_path.

  2. Log on to the EDAS console and use the WAR package to deploy an application. For more information, see Create and deploy an application in an ECS cluster.

  3. In the left-side navigation pane, choose Application Management > Applications. In the top navigation bar, select a region. In the upper part of the Applications page, select a microservices namespace from the Microservices Namespace drop-down list. Then, click the name of the application that you want to manage.

  4. On the Basic Information tab of the application details page, click Edit next to Tomcat Context in the Application Settings section.

  5. In the Application Settings dialog box, click Advanced Settings.

    Note

    You can configure Advanced Settings only for applications that are deployed with WAR packages.

  6. In server.xml, modify the Connector parameter to the following configuration and click Configure Tomcat.

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="../app/{app_ID}/{app_name}/{jks_path}" keystoreType="PKCS12" keystorePass="jks_password"
               clientAuth="false" SSLProtocol="TLS" connectionTimeout="15000"
               maxParameterCount="1000" maxThreads="400" maxHttpHeaderSize="16384" maxPostSize="209715200"
               acceptCount="200" useBodyEncodingForURI="true" URIEncoding="ISO-8859-1" />

    Restart the application to apply the configurations.
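A pre-deployment check for the Connector element described in step 6, written as an added example (it is not part of the EDAS documentation or tooling). It flags an element that is not well-formed, TLS attributes that are not set together, template placeholders such as {jks_path} left unsubstituted, and a keystorePass that is still the sample value or Tomcat's default. The function name and sample values are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\{[^}]+\}")  # e.g. {app_ID} or {jks_path} never substituted
WEAK_PASSWORDS = {"", "jks_password", "changeit"}  # sample value, Tomcat default

def lint_connector(fragment):
    """Return a list of findings for one <Connector> element (empty list: no finding)."""
    try:
        conn = ET.fromstring(fragment)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if conn.tag != "Connector":
        return [f"expected <Connector>, got <{conn.tag}>"]
    attrs = conn.attrib
    findings = []
    # SSLEnabled turns TLS on for the socket; scheme and secure are what the
    # servlet API reports to the application, so all three must agree.
    for name, want in (("SSLEnabled", "true"), ("scheme", "https"), ("secure", "true")):
        if attrs.get(name, "").lower() != want:
            findings.append(f"{name} should be '{want}', found {attrs.get(name)!r}")
    keystore = attrs.get("keystoreFile", "")
    if not keystore:
        findings.append("keystoreFile is missing")
    elif PLACEHOLDER.search(keystore):
        findings.append(f"keystoreFile still contains a template placeholder: {keystore}")
    if attrs.get("keystorePass", "") in WEAK_PASSWORDS:
        findings.append("keystorePass is missing or is a sample/default value")
    return findings

# Constructed sample inputs (not taken from a real deployment).
GOOD = ('<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" '
        'secure="true" keystoreFile="../app/a1b2/demo/certs/demo.p12" '
        'keystoreType="PKCS12" keystorePass="constructed-Secret-1" />')
TEMPLATE = ('<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" '
            'secure="true" keystoreFile="../app/{app_ID}/{app_name}/{jks_path}" '
            'keystoreType="PKCS12" keystorePass="jks_password" />')
UNCLOSED = '<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">'
PLAIN = '<Connector port="8080" protocol="HTTP/1.1" />'

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("template", TEMPLATE),
                          ("unclosed", UNCLOSED), ("plain", PLAIN)):
        print(label, lint_connector(sample))
```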

Bind an SSL certificate to an application that is deployed with a JAR package

To bind an SSL certificate to an application that is deployed with a JAR package, modify the application.properties file to enable SSL configuration, package the certificate file in the JAR package, use the JAR package to deploy the application, and then change the application port of Tomcat to 8443 in the Application Settings dialog box.

  1. Modify the application.properties file to enable SSL configuration. The following code provides an example of the configuration:

    server.ssl.enabled=true
    server.ssl.key-store=classpath:{jks}
    server.ssl.key-store-password=jks_password
    server.ssl.key-store-type=JKS

  2. Store the certificate file in the resources directory, at the same file level as application.properties. Then, generate a JAR deployment package.

  3. Deploy the application by using the JAR package. For more information, see Create and deploy an application in an ECS cluster.

  4. Log on to the EDAS console.

  5. In the left-side navigation pane, choose Application Management > Applications. In the top navigation bar, select a region. In the upper part of the Applications page, select a microservices namespace from the Microservices Namespace drop-down list. Then, click the name of the application that you want to manage.

  6. On the Basic Information tab of the application details page, click Edit next to Tomcat Context in the Application Settings section.

  7. In the Application Settings dialog box, set the Application Port parameter to 8443 and click Configure Tomcat.

    Restart the application to apply the configurations.

Bind an SSL certificate to an application that is deployed with an image

Both WAR and JAR Docker images can be used to deploy applications. To bind an SSL certificate to an application that is deployed with an image, perform the following operations.

Create an image by using a WAR package

To bind an SSL certificate to an application that is deployed with an image created by using a WAR package, you must modify the configurations of Tomcat and package the certificate file in the Docker image.

  1. Download the Ali-Tomcat package and decompress the downloaded package to a directory, such as d:\work\tomcat\.

  2. Modify the Connector parameter in the server.xml file. The following code provides an example of the configuration:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" keystoreFile="../app/{app_ID}/{app_name}/{jks_path}" keystoreType="PKCS12" keystorePass="jks_password" />

  3. Store the modified server.xml file and certificate file at the same file level as Dockerfile. Add the following settings to Dockerfile:

    ADD server.xml ${CATALINA_HOME}/conf/
    ADD {jks} ${CATALINA_HOME}/conf/

  4. Package the image and deploy the application.

Create an image by using a JAR package

To bind an SSL certificate to an application that is deployed with an image created by using a JAR package, modify the application.properties file to enable SSL configuration. Then, package the certificate file in the JAR package that is used to create the image, and modify the application port in Dockerfile to apply SSL configuration.

  1. Modify the configurations of the JAR package and generate a JAR package. For more information, see Bind an SSL certificate to an application that is deployed with a JAR package.

  2. In the start.sh script of Dockerfile, set server.port=8443.

  3. Package the image and deploy the application.

Bind an SLB instance to an EDAS application

Bind a public Server Load Balancer (SLB) instance to an application that is deployed in an Elastic Compute Service (ECS) cluster and set the listening protocol to HTTPS.

Important

You must create an SLB instance in the SLB console in advance. For more information, see Create a CLB instance.

  1. Log on to the EDAS console.

  2. In the left-side navigation pane, choose Application Management > Applications. In the top navigation bar, select a region. In the upper part of the Applications page, select a microservices namespace from the Microservices Namespace drop-down list. Then, click the name of the application that you want to manage.

  3. On the Basic Information tab of the application details page, click Add next to SLB (Internet) in the Application Settings section.

  4. In the Add Load Balancing (Public) dialog box, bind an SLB instance to the application. For more information, see Configure a dedicated SLB instance for an application.

    Important

    You must set the listener port to 443.

Verify the SSL connection

In the address bar of your browser, enter the IP address or domain name of the application and add the prefix https:// to the IP address or domain name to check whether you can access the homepage of the application. If you can access the homepage, the SSL certificate is successfully bound to the application.
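A scripted version of the browser check above, written as an added example that is not part of the EDAS documentation. It performs the same chain and host name verification a browser does and also reports the certificate names, issuer, days until expiry and negotiated protocol; the host name app.example.com and the sample certificate dictionary are constructed placeholders. Use port 443 for the SLB listener, or 8443 to test the Tomcat connector directly.

```python
import socket
import ssl
import time

def summarize_cert(cert, now=None):
    """Summarise a certificate dict as returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    names = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {
        "names": names,
        "issuer": issuer.get("organizationName") or issuer.get("commonName"),
        "days_left": int((not_after - now) // 86400),
    }

def probe(host, port=443, timeout=5.0):
    """TLS handshake with full chain and host name verification."""
    ctx = ssl.create_default_context()  # system trust store, hostname check enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                info = summarize_cert(tls.getpeercert())
                info.update(ok=True, protocol=tls.version(), cipher=tls.cipher()[0])
                return info
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate or name mismatch.
        return {"ok": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Handshake failure, refused connection, timeout or DNS error.
        return {"ok": False, "error": str(exc)}

# Constructed sample in getpeercert() format, so the summary logic runs offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notAfter": "Nov  8 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "www.example.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Nov  8 00:00:00 2023 GMT")

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT, now=SAMPLE_NOW))
    print(probe("app.example.com", 443))  # placeholder host: replace with your own
```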

Additional information

You can use an SLB instance to configure an SSL certificate for an application. For more information, see Add an HTTPS listener.