How to set up a self-signed SSL certificate for a Cloud Foundry application on IBM Cloud

This blog post is about how to set up a self-signed SSL certificate for encrypted (HTTPS) communication with a Cloud Foundry application on IBM Cloud, if you are at a hackathon. Keep in mind that you don’t need to implement additional code inside your Cloud Foundry application in this scenario: everything is managed by IBM Cloud and you don’t need to modify your source code. You need OpenSSL installed on your local machine; this example shows the setup on macOS and Safari. You also need a Pay-As-You-Go or trial account for IBM Cloud to set up a custom domain and SSL.

Motivation

In my example situation I want to access my Node-RED instance with a custom domain and a self-signed SSL certificate.

Normally you would create a certificate signing request to get a public key certificate, issued by a certificate authority such as “Let’s Encrypt”, to encrypt the communication with HTTPS, as shown in simplified form in the image below.

A certificate from a certificate authority can be costly if you aren’t able to use a free certificate authority such as “Let’s Encrypt” that is supported by your domain provider. In my case the domain provider GoDaddy doesn’t support requesting certificates directly from “Let’s Encrypt”.

One easy solution to avoid additional costs is to create a self-signed certificate. This solution works well if you only want to test and develop during a hackathon, you have a very small number of users, and you can give them guidance on using the self-signed SSL certificate in their browser.
As you can see in this simplified picture, you need to upload the self-signed SSL certificate.

Overview of the needed steps

Here is an overview of the major steps needed:

  1. Create a custom domain and map it with the CNAME (this will result in the fully qualified domain name)
  2. Register the created custom domain in your Cloud Foundry org and region
  3. Create a route with your custom domain for your Cloud Foundry app
  4. Create a self-signed SSL certificate for the custom domain
  5. Upload the self-signed certificate to IBM Cloud
  6. Invoke the URL in a browser on a machine
  7. Copy the self-signed certificate from your browser to your computer
  8. Import the self-signed SSL certificate to the keychain of your operating-system on your local machine
  9. Restart the browser and see that your communication is now encrypted
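
One way to carry out step 4 with OpenSSL, as an added example that is not part of the original post: it creates the key and certificate and then checks them before the upload in step 5. The domain `app.example.test`, the file names and the 30-day default lifetime are assumptions.

```shell
#!/bin/sh
# Added example for step 4; not from the original post.
# app.example.test is a constructed placeholder domain.

# make_self_signed DOMAIN OUTDIR [DAYS]
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_self_signed() (
    domain="$1"; outdir="$2"; days="${3:-30}"
    umask 077                       # key and directory readable by owner only
    mkdir -p "$outdir" || exit 1
    # The host name goes into subjectAltName: browsers match the URL's
    # host against the SAN entries, not against the CN.
    cat > "$outdir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $domain
[v3]
subjectAltName = DNS:$domain
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$outdir/req.cnf" \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" 2>/dev/null
)

# cert_matches_key CRT KEY: true if the certificate carries the key's public half.
cert_matches_key() {
    [ -s "$1" ] && [ -s "$2" ] &&
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_covers_host CRT HOST: true if HOST is accepted by the certificate's names.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# cert_valid_for CRT SECONDS: true if the certificate is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Calling `make_self_signed app.example.test ./certs 7` writes `app.example.test.crt` and `app.example.test.key` into `./certs`; the short lifetime keeps a certificate that users trusted manually from outliving the event.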

What do you think about the OWASP web application security top ten as a developer?

I like the OWASP Top Ten for “developers” charts. From my point of view, it gives awesome advice on where to start and helps you take care of and remember what you may already know about web security implementation. From my side it feels a bit like “rubbing salt into the wound” of a developer’s soul, doesn’t it? Especially when you start developing cloud-native and microservices-based applications.

How to create a new realm with the Keycloak REST API?

In this blog post I want to show how to create a new realm with the Keycloak REST API, because later I want to automate the Keycloak realm creation for a workshop using curl in a bash script.

The reason for this blog post is that the information in the REST API documentation wasn’t detailed enough for me. The image shows what I found first in the Keycloak REST API documentation.

In general it’s very simple to use the Keycloak REST API. For more details, see my blog post “Getting started to secure a simple Java Microservice with Keycloak, MicroProfile and OpenLiberty”.

First you need a bearer authorization token for an administration user, and with that token you create a new realm using the realm JSON exported before.

Here is what I found:

I used Postman to check it out. These are the steps I did in Postman.

Getting started to secure a simple Java Microservice with Keycloak, MicroProfile and OpenLiberty