
Achieving HIPAA on AWS / EC2 with Windows Server 2008

When you are creating a HIPAA compliant system on a cloud service like AWS / EC2 / S3, you have to carefully examine the different levels of data security provided by the cloud service provider.

At a minimum level, the following should be ascertained:

i) Where is the cloud provider's data center physically located? In some countries, HIPAA restricts Protected Health Information ( PHI ) from being stored on servers located outside of the country.

ii) Is the cloud provider contractually obligated to protect the customer's data at the same level as the customer's own internal policies?

iii) What are the cloud provider's backup and recovery policies?

iv) What are the provider’s policies on data handling/management and access control? Do adequate controls exist to prevent impermissible copying or removal of customer data by the provider, or by unauthorized employees of the company?

v) What happens to data when it is deleted? This is very important, as customers will be storing data on virtual machines. Also, what happens to cloud hardware when the hardware is replaced?

In this blog we look only at the security measures to be taken by the application developer to make sure that a web application built on AWS / EC2 using Windows Server 2008 / .NET / MSSQL / IIS 7 is HIPAA compliant. The basic requirement is to encrypt all data at rest and in transit.

1. Encrypting Data in transit between the user ( clients ) and the server ( Webserver )

SSL over HTTP ( HTTPS )

Steps used to implement SSL on IIS are the following:

1. Open IIS Manager.
2. Click on the server name.
3. Double-click the "Server Certificates" button in the "Security" section.
4. In the "Actions" pane, click "Create Self-Signed Certificate".
5. Enter a certificate name and click OK.
6. Select the name of the server to which the certificate was installed.
7. From the "Actions" menu (on the right), click on "Bindings". This will open the "Site Bindings" window.
8. In the "Site Bindings" window, click "Add". This will open the "Add Site Binding" window.
9. Under "Type" choose https. The IP address should be the IP address of the site, and the port over which traffic will be secured by SSL is usually 443. The "SSL Certificate" field should specify the certificate that was created in step 5.
10. Click "OK". SSL is now installed.
 

2 ) Encrypting Data at Rest ( Document Root )

EFS with IIS

You can use EFS ( Encrypting File System ) in Windows Server 2008 to automatically encrypt your data when it is stored on the hard disk.

Encrypt a Folder:

1. Open Windows Explorer.
2. Right-click the folder that you want to encrypt, and then click Properties.
3. On the General tab, click Advanced.
4. Under Compress or Encrypt attributes, select the "Encrypt contents to secure data" check box and then click OK.
5. Click OK.
6. In the Confirm Attribute Changes dialog box that appears, use one of the following steps:
   i) If you want to encrypt only the folder, click "Apply changes to this folder only", and then click OK.
   ii) If you want to encrypt the existing folder contents along with the folder, click "Apply changes to this folder, subfolders and files", and then click OK.

The folder becomes an encrypted folder. New files that you create in this folder are automatically encrypted.


3 ) Encrypting MSSQL Database ( Data at Rest )

TDE ( Transparent Data Encryption )

TDE is a feature built into MSSQL Server 2008 Enterprise Edition. Data is encrypted before it is written to disk and decrypted when it is read from disk. The "transparent" aspect of TDE is that the encryption is performed by the database engine and SQL Server clients are completely unaware of it. There is absolutely no code that needs to be written to perform the encryption and decryption, so there is no need to change any code ( database queries ) in the application.

STEPS

i) Create a Master Key

A master key is a symmetric key that is used to create certificates and asymmetric keys. Execute the following script to create a master key:

USE master;
CREATE MASTER KEY
ENCRYPTION BY PASSWORD = 'Pass@word1';
GO
 

ii) Create Certificate

Certificates can be used to create symmetric keys for data encryption or to encrypt the data directly. Execute the following script to create a certificate:

CREATE CERTIFICATE TDECert
WITH SUBJECT = 'TDE Certificate'
GO
 

iii) Create a Database Encryption Key and Protect it by the Certificate

1. Go to Object Explorer in the left pane of SQL Server Management Studio
2. Right-click the database on which TDE is required
3. Click Tasks and navigate to Manage Database Encryption
4. Select the encryption algorithm (AES 128/192/256) and select the certificate you have created
5. Then mark the check box for Set Database Encryption On
 

You can query the is_encrypted column in sys.databases to determine whether TDE is enabled for a particular database.

SELECT [name], is_encrypted FROM sys.databases
GO
 


4 ) Encrypting Data in transit between the Webserver and the MSSQL Database

MSSQL secure connection using SSL

i) Creating a self-signed cert using makecert

makecert -r -pe -n "CN=YOUR_SERVER_FQDN" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\test.cer
 

ii) Install this cert

Copy c:\test.cer to your client machine, run c:\test.cer from a command window, select "Install Certificate" -> click "Next" -> select "Place all certificates in the following store" -> click "Browse" -> select "Trusted Root Certification Authorities" -> select OK and Finish
 

iii) Open SQL Server Configuration Manager

Expand SQL Server Network Configuration, right-click "Protocols for MSSQLSERVER" then click "properties". On the "Certificate" tab select the certificate just installed . On the "Flags" tab, set "ForceEncryption" YES.
 

Now SSL is ready to be used on the server. The only modification needed in the .NET code is the connection string. It will be:

connectionString="Data Source=localhost;Initial Catalog=mydb;User ID=user1;Password=pas@123;Encrypt=true;TrustServerCertificate=true"
 

SSL for Tomcat on AWS EC2

To launch an AWS/EC2 instance, first set up a security group to specify what network traffic is allowed to reach the instance. Then select an AMI and launch an instance from it. Create a volume in the same zone as the instance and attach it to the instance. Format the device and mount it on a directory. After that, follow these steps to set up SSL for Tomcat:

1. Tomcat needs Java, so create a directory to hold the Java binary file.

mkdir /usr/java
cd /usr/java

2. Download the JDK binary file (jdk-x-linux-ix.bin) from http://www.oracle.com/technetwork/java/archive-139210.html

3. Execute the Binary file

chmod +x /usr/java/jdk-x-linux-ix.bin
/usr/java/jdk-x-linux-ix.bin

Now we have Java on our device. Next, download Tomcat and install it following these instructions:

1. Create a directory to save the tomcat

mkdir /usr/tomcat
cd /usr/tomcat

2. Download the Tomcat archive (apache-tomcat-x.tar.gz) from http://apache.hoxt.com/tomcat/tomcat-6/v6.0.32/bin/

3. Extract that file

tar -zxvf apache-tomcat-x.tar.gz

4. Edit the catalina.sh file

vim /usr/tomcat/apache-tomcat-x/bin/catalina.sh

# Add at the top of catalina.sh
export JAVA_HOME=/usr/java/jdk1.x.x_x

Save and exit.
5. Start the tomcat

/usr/tomcat/apache-tomcat-x/bin/startup.sh

6. We can see the logs by using the given command

tail -f /usr/tomcat/apache-tomcat-x/logs/catalina.out 

7. Open a browser and enter the URL http://localhost
Now we can see the Tomcat index page.

8. To stop the tomcat

/usr/tomcat/apache-tomcat-x/bin/shutdown.sh 

Now configure the SSL Certificate for tomcat. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys – a Private Key and a Public Key. The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR) – a data file also containing your details.

Create a self signed certificate authority (CA) and keystore.

1. Make a directory to hold the certs and keystore. This might be something like:

mkdir /usr/tomcat/ssl
cd /usr/tomcat/ssl

2. Generate a private key for the server and remember its pass phrase for the next steps

openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
.....................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

3. Generate a CSR (Certificate Signing Request). Supply the requested data after executing this command

openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

4. Remove the pass phrase from the key

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

Enter pass phrase for server.key.org:
writing RSA key

5. Generate the self signed certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok
subject=/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
Getting Private key

You should then submit the CSR. During the SSL Certificate application process, the Certification Authority will validate your details and issue an SSL Certificate containing your details and allowing you to use SSL. Typically an SSL Certificate will contain your domain name, your company name, your address, your city, your state and your country. It will also contain the expiration date of the Certificate and details of the Certification Authority responsible for the issuance of the Certificate.

Create a certificate for tomcat and add both to the keystore

1. Change the path to ssl

cd /usr/tomcat/ssl

2. Create a keypair for 'tomcat'

keytool -genkey -alias tom -keyalg RSA -keystore tom.ks

Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:

Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for <tom>
(RETURN if same as keystore password):
Re-enter new password:

3. Generate a CSR (Certificate Signing Request) for tomcat

keytool -keystore tom.ks -alias tom -certreq -file tom.csr

Enter keystore password:

4. Create a unique serial number

echo 02 > serial.txt

5. Sign the tomcat CSR

openssl x509 -CA server.crt -CAkey server.key -CAserial serial.txt -req -in tom.csr -out tom.cer -days 365

Signature ok
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
Getting CA Private Key

6. Import the server CA certificate into the keystore

keytool -import -alias serverCA -file server.crt -keystore tom.ks

Enter keystore password:
Owner: O=My Company Ltd, L=Newbury, ST=Berkshire, C=GB
Issuer: O=My Company Ltd, L=Newbury, ST=Berkshire, C=GB
Serial number: ee13c90cb351968b
Valid from: Thu May 19 02:12:51 EDT 2011 until: Fri May 18 02:12:51 EDT 2012
Certificate fingerprints:
MD5: EE:F0:69:01:4D:D2:DA:A2:4E:88:EF:DC:A8:3F:A9:00
SHA1: 47:97:72:EF:30:02:F7:82:BE:CD:CA:F5:CE:4E:ED:89:73:23:4E:24
Signature algorithm name: SHA1withRSA
Version: 1
Trust this certificate? [no]: yes
Certificate was added to keystore

7. Add the tomcat certificate to the keystore

keytool -import -alias tom -file tom.cer -keystore tom.ks

Enter keystore password:
Certificate reply was installed in keystore

To configure a secure (SSL) HTTP connector for Tomcat, verify that it is activated in the $TOMCAT_HOME/conf/server.xml file. Edit this file and add the following lines.

Tomcat configuration

1. Edit the given portion of the Tomcat configuration file and change the port to 80

vim /usr/tomcat/apache-tomcat-6.0.13/conf/server.xml

Original:

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

Changed:

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

2. Add the given portion to server.xml and put your keystore password in the keystorePass attribute (keystoreFile points at the keystore created in /usr/tomcat/ssl above; a bare file name would be resolved relative to the Tomcat installation directory)

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="/usr/tomcat/ssl/tom.ks"
           keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />

When you start Tomcat, your web server will match your issued SSL Certificate to your Private Key. Your web server will then be able to establish an encrypted link between the website and your customer's web browser.

Start the tomcat with SSL Certificate

1. Restart tomcat

/usr/tomcat/apache-tomcat-6.0.13/bin/shutdown.sh
/usr/tomcat/apache-tomcat-6.0.13/bin/startup.sh

2. Go to https://<Public DNS name>:443/

Then your browser shows a security warning. Click the Approve button. Then you can access Tomcat with your certificate. When a browser connects to a secure site it retrieves the site's SSL Certificate and checks that it has not expired, that it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL.
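The three checks described in the paragraph above, as an added example that is not part of the original post: a Python function that applies the expiry, trusted-issuer and hostname checks to a certificate in the dictionary form that Python's ssl.SSLSocket.getpeercert() returns. The certificate, the trusted issuer list and the "current time" are constructed for the example; a self-signed certificate like the server.crt made above fails the issuer check until its issuer is added to the trusted list, which is what clicking "Approve" amounts to.

```python
# Added example (not from the original post): the validity, issuer and
# hostname checks a browser makes, applied to ssl getpeercert() dictionaries.
import ssl
import time

# Constructed certificate in getpeercert() form. Subject and issuer are the
# same, as in a self-signed certificate.
SELF_SIGNED_CERT = {
    "subject": ((("organizationName", "My Company Ltd"),),
                (("commonName", "www.example.test"),)),
    "issuer": ((("organizationName", "My Company Ltd"),),
               (("commonName", "www.example.test"),)),
    "notBefore": "May 19 02:12:51 2011 GMT",
    "notAfter": "May 18 02:12:51 2012 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}

# Issuers the "browser" trusts (constructed). The self-signed issuer above is
# not among them, so the certificate is rejected until it is added.
TRUSTED_ISSUERS = [
    {"organizationName": "Example Root CA", "commonName": "Example Root CA"},
]


def dn_to_dict(dn):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in dn for key, value in rdn}


def hostname_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def certificate_names(cert):
    """DNS names the certificate was issued for: SAN entries, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = dn_to_dict(cert["subject"]).get("commonName")
        names = [cn] if cn else []
    return names


def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return the list of failed checks; an empty list means the cert passes."""
    now = time.time() if now is None else now
    failures = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    if dn_to_dict(cert["issuer"]) not in trusted_issuers:
        failures.append("issuer not trusted")
    if not any(hostname_matches(n, hostname) for n in certificate_names(cert)):
        failures.append("hostname mismatch")
    return failures


def within_validity(cert):
    """A timestamp in the middle of the validity period, for deterministic runs."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (start + end) / 2


if __name__ == "__main__":
    now = within_validity(SELF_SIGNED_CERT)
    print(check_certificate(SELF_SIGNED_CERT, "www.example.test", TRUSTED_ISSUERS, now))
    trusted = TRUSTED_ISSUERS + [dn_to_dict(SELF_SIGNED_CERT["issuer"])]
    print(check_certificate(SELF_SIGNED_CERT, "www.example.test", trusted, now))
```

Against a live server the same function can be fed the dictionary from `ssl.SSLSocket.getpeercert()`; the trusted list would then be the CA certificates the client is configured with, such as the server.crt imported in step 6 above.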

You are Done !!!

MySQL Optimization

Database optimization is the process of configuring the database to use system resources efficiently and perform tasks quickly. To optimize MySQL you should know the workflow of the entire system, your hardware, operating system, disk I/O performance, etc.

Why to Optimize

You can do more with less. The default MySQL setup is optimized for a minimal system because it should work well on minimal hardware. But when you use a dedicated MySQL server with high traffic and complex queries, you have to optimize MySQL.

MySQL Server Tuning Considerations

Here you will find some common optimization parameters.

  • MySQL variables
  • Hardware
  • Disk
  • Application

    MySQL Optimization

    MySQL global variables don't have any predefined optimum values. It is a trial and monitor process, and it depends on all the above parameters. Here you will see some of the common parameters.

    key_buffer_size

    It is the size of the buffer used for index blocks of MyISAM tables. On a dedicated MySQL server with the MyISAM storage engine you can allocate 25-30% of the system's total memory to key_buffer_size. To fine tune key_buffer_size you can compare the status variables Key_reads and Key_read_requests.
    The ratio Key_reads : Key_read_requests should be at least 1:100 (at least 100 index read requests for every read that goes to disk).

    SHOW STATUS LIKE '%key_read%';
    +-------------------+-------------+
    | Variable_name     | Value       |
    +-------------------+-------------+
    | Key_read_requests | 10726813161 |
    | Key_reads         | 92790146    |
    +-------------------+-------------+

    Here the ratio is 1:115, which is acceptable. But suppose you get a ratio of 1:10; then you need to add more key buffer and upgrade hardware accordingly.
    Query Cache

    "My website is too slow while loading dynamic pages". If it is a MySQL database related issue, the following MySQL variables will be your solution.

    query_cache_type

    Sets the query cache type. There are 3 values: 0, 1 or 2.

    0  Do not cache any query results.
    1  Cache query results.
    2  Cache results on demand: only cacheable queries that begin with SELECT SQL_CACHE.

    query_cache_size

    The amount of memory used to cache query results. The default is 0, which disables the query cache. The optimum value depends on your application.

    query_cache_limit

    Do not cache results that are larger than this number of bytes. The default value is 1MB.
    Status checking

    SHOW STATUS LIKE '%qcache%';
    +-------------------------+----------+
    | Variable_name           | Value    |
    +-------------------------+----------+
    | Qcache_free_blocks      | 1        |
    | Qcache_free_memory      | 8371272  |
    | Qcache_hits             | 23547551 |
    | Qcache_inserts          | 46909131 |
    | Qcache_lowmem_prunes    | 5110536  |
    | Qcache_not_cached       | 2760196  |
    | Qcache_queries_in_cache | 0        |
    | Qcache_total_blocks     | 1        |
    +-------------------------+----------+

    There were 46909131 query results inserted into the cache, 23547551 queries were answered from the cache, and the remaining ones were not cached. Here the issue is either that the result is larger than query_cache_limit or that it is larger than query_cache_size itself. You have to trial and monitor :)

    Qcache_lowmem_prunes

    When a query is removed from the query cache because memory is low, this value is incremented. If it increases quickly and you still have memory to spare, you can set query_cache_size higher; if it never increases, you can reduce the cache size.
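As an added example that is not from the original article, the following Python script parses SHOW STATUS output in the table form shown above and derives the figures the key buffer and query cache sections tune on: the Key_read_requests per Key_reads ratio and the query cache hit rate. The status lines are constructed from the numbers quoted in the article; the hit-rate denominator (hits + inserts + not_cached) and the 10% prune threshold are this example's own assumptions, not figures from the article.

```python
# Added example (not from the original article): parse the mysql client's
# SHOW STATUS table and apply the article's key buffer and query cache rules.
import re

# Constructed status output using the figures quoted in the article.
STATUS_OUTPUT = """
+-------------------------+-------------+
| Variable_name           | Value       |
+-------------------------+-------------+
| Key_read_requests       | 10726813161 |
| Key_reads               | 92790146    |
| Qcache_free_memory      | 8371272     |
| Qcache_hits             | 23547551    |
| Qcache_inserts          | 46909131    |
| Qcache_lowmem_prunes    | 5110536     |
| Qcache_not_cached       | 2760196     |
+-------------------------+-------------+
"""

# One data row of the mysql client's table output: | name | value |
ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*(\S+)\s*\|$")


def parse_show_status(text):
    """Return {Variable_name: value}; purely numeric values become int."""
    status = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match or match.group(1) == "Variable_name":
            continue  # separator or header row
        name, value = match.groups()
        status[name] = int(value) if value.isdigit() else value
    return status


def key_cache_ratio(status):
    """Index read requests served per read that went to disk (article: >= 100)."""
    return status["Key_read_requests"] / status["Key_reads"]


def query_cache_hit_rate(status):
    """Share of SELECTs answered from the cache; the denominator
    hits + inserts + not_cached is this example's assumption."""
    total = (status["Qcache_hits"] + status["Qcache_inserts"]
             + status["Qcache_not_cached"])
    return status["Qcache_hits"] / total


def prune_share(status):
    """Results evicted for lack of memory, per result inserted."""
    return status["Qcache_lowmem_prunes"] / status["Qcache_inserts"]


def tuning_advice(status):
    """Apply the article's rules of thumb to one parsed status snapshot."""
    advice = []
    if key_cache_ratio(status) < 100:
        advice.append("key_buffer_size: ratio below 1:100, raise key_buffer_size")
    if prune_share(status) > 0.1:  # 10% threshold is this example's assumption
        advice.append("query_cache_size: many low-memory prunes, raise it if RAM is spare")
    return advice


if __name__ == "__main__":
    s = parse_show_status(STATUS_OUTPUT)
    print("key cache ratio 1:%.0f" % key_cache_ratio(s))
    print("query cache hit rate %.1f%%" % (100 * query_cache_hit_rate(s)))
    print("advice:", tuning_advice(s) or "none")
```

Because Qcache_lowmem_prunes is a counter, a single snapshot only shows its share of all inserts; to see whether it "increases quickly", as the text puts it, parse two snapshots taken some minutes apart and compare the values.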

    sort_buffer

    The sort buffer is useful for speeding up myisamchk operations. It can also be useful when performing large numbers of sorts.

    tmp_table_size

    This variable determines the maximum size of an in-memory temporary table. The effective in-memory maximum is the minimum of tmp_table_size and max_heap_table_size. You can compare Created_tmp_disk_tables and Created_tmp_tables to optimize tmp_table_size.

    innodb_buffer_pool_size

    This variable targets InnoDB tables and is similar to key_buffer_size for MyISAM tables. On a dedicated MySQL server using InnoDB you can set this up to 80% of RAM.
    Hardware for MySQL

    If you have large tables (>3GB), you should consider 64-bit hardware, as MySQL uses a lot of 64-bit integers internally.

    You need more memory (RAM) if you want MySQL to handle a large number of connections simultaneously. More RAM will speed up key updates by keeping most of the pages in RAM.

    Another consideration is the Ethernet device; you can use 1G Ethernet for a dedicated MySQL server for fast remote connections.

    Disk performance is also an important parameter.
    Disk Optimization

    Striping disks (RAID 0) will increase both read and write throughput.

    Don't use RAID 1 or mirroring on disks used for temporary files.

    On Linux, mount the disks with async (the default) and noatime.
    Optimizing your application

    Cache processed results in your application.

    Specify the column names in queries (e.g. don't use SELECT * FROM ...).

    Use persistent connections.

    Use EXPLAIN to explain! You will see details below.

    Queries and Indexes

    Let us start with a simple query: SELECT firstname FROM student WHERE id='145870';
    MySQL starts searching from the first row to find the student with id 145870; it does not even know whether the row exists or not. An index is a sorted file which has an entry for each row, so MySQL can find the corresponding record very quickly by referring to this index.
    EXPLAIN is a nice tool for understanding your queries.

    EXPLAIN SELECT firstname,lastname FROM student WHERE id='145870';

    +---------+------+---------------+------+---------+------+-------+------------+
    | table   | type | possible_keys | key  | key_len | ref  | rows  | Extra      |
    +---------+------+---------------+------+---------+------+-------+------------+
    | student | ALL  | NULL          | NULL | NULL    | NULL | 10000 | where used |
    +---------+------+---------------+------+---------+------+-------+------------+

    The possible_keys is NULL. In this case MySQL will check all 10000 rows. We can say this query (or table) is not optimized.

    Now suppose we have added an index on the above table and run EXPLAIN again; then we will get:

    +----------+-------+---------------+---------+---------+-------+------+-------+
    | table    | type  | possible_keys | key     | key_len | ref   | rows | Extra |
    +----------+-------+---------------+---------+---------+-------+------+-------+
    | employee | const | PRIMARY       | PRIMARY | 10      | const | 1    |       |
    +----------+-------+---------------+---------+---------+-------+------+-------+

    The type is "const", which means that the table has only one matching row. The primary key is being used to find this particular record.

    There are many more optimization variables and indexing methods. It is difficult to include everything in a single article, but you can start MySQL fine tuning when your database is underperforming.

    Creating phusion passenger AMI on Amazon EC2

    Phusion Passenger is an Apache and Nginx module for deploying Ruby web applications (such as those built on the Ruby on Rails web framework). Phusion Passenger works on any POSIX-compliant operating system, which means practically any operating system except Microsoft Windows.

    Here we are not going to discuss much about Ruby on Rails applications, as our aim is creating an AMI of an Ubuntu AWS instance from which we can launch an instance with everything pre-built for developing and deploying Rails applications.

    Install apache2 web-server

    sudo apt-get install apache2   # by default its DocumentRoot is /var/www/
    

    Install mysql-server and mysql-client ( To support rails applications that access database )

    sudo apt-get install mysql-server mysql-client

    Install Ruby from repository

    The default ruby1.8 package is missing some important files, so install ruby1.8-dev. Otherwise, at some stage when using gem install, it may end with "Error: Failed to build gem native extensions".

    sudo apt-get install ruby1.8-dev

    Install RubyGems

    Install rubygems >= 1.3.6

    The package can be downloaded from here

    wget http://rubyforge.org/frs/download.php/70696/rubygems-1.3.7.tgz

    tar xvzf rubygems-1.3.7.tgz
    cd rubygems-1.3.7
    sudo ruby setup.rb
    sudo ln -s /usr/bin/gem1.8 /usr/bin/gem
    

    Install Rails via rubygems

    Once rubygems is installed use it to install Rails :

    sudo gem install rails

    Installing Phusion Passenger

    There are three ways to install Phusion Passenger :

    1. By installing the Phusion Passenger gem.

    2. By Downloading the source tarball from the PhusionPassenger website(passenger-x.x.x.tar.gz).

    3. By installing the native Linux package (eg: Debian package)

    Before installing, you will probably need to switch to the root user first. The Phusion Passenger installer will attempt to automatically detect Apache and compile Phusion Passenger against that Apache version. It does this by looking for the apxs or apxs2 command in the PATH environment variable.

    If Apache is installed in a non-standard location, this prevents the Phusion Passenger installer from detecting Apache. To solve this, become the root user and export the path of apxs.

    The easiest way to install Passenger is via the gem.

    Install RubyGems and then run the Phusion Passenger installer by typing the following commands as root.

    1.Open a terminal, and type:

    gem install passenger

    2.Type:

    passenger-install-apache2-module

    and follow the instructions from the installer.

    The installer will :

    1. Install the Apache2 module.

    2. instruct how to configure Apache.

    3. inform how to deploy a Ruby on Rails application.

    If anything goes wrong, this installer will advise you on how to solve any problems.

    The installer will ask you to add the following lines to the apache2.conf file.

    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.0/ext/apache2/mod_passenger.so
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.0
    PassengerRuby /usr/bin/ruby1.8


    Now suppose you have a Rails application in the directory /var/www/RFP_tool/. Add the following virtual host entry to your Apache configuration file (DocumentRoot and the Directory block must point at the same public directory):

    <VirtualHost *:80>
        ServerName www.yoursite.com
        DocumentRoot /var/www/RFP_tool/public
        <Directory /var/www/RFP_tool/public>
            AllowOverride all
            Options -MultiViews
        </Directory>
    </VirtualHost>
    

    Restart your apache server.

    Phusion Passenger installation is finished.

    Installation via the source tarball

    Extract  the tarball to whatever location you prefer

    cd /usr/local/passenger/
    tar xzvf passenger-x.x.x.tar.gz
    /usr/local/passenger/passenger-x.x.x/bin/passenger-install-apache2-module
    

    Please follow the instructions given by the installer. Do not remove the passenger-x.x.x folder after installation. Furthermore, the passenger-x.x.x folder must be accessible by Apache.

    CREATING AN AMI OF AN EC2 INSTANCE

    First you will have to install the EC2 API tools (ec2-api-tools.zip) from

    http://www.amazon.com/gp/redirect.html/ref=aws_rc_ec2tools?location=http://s3.amazonaws.com/ec2-downloads/ec2-api-tools.zip&token=A80325AA4DAB186C80828ED5138633E3F49160D9

    unzip ec2-api-tools.zip
    mkdir ~/ec2
    cp -rf ec2-api-tools/* ~/ec2
    

    Upload your aws certificate and private-key to /mnt of the instance.

    Then add the following to ~/.bashrc

    export EC2_HOME=~/ec2
    export PATH=$PATH:$EC2_HOME/bin
    export EC2_PRIVATE_KEY=/mnt/pk-xxxxxxxxxxxxxxxxxxx.pem
    export EC2_CERT=/mnt/cert-xxxxxxxxxxxxxxxx.pem
    export JAVA_HOME=/usr/local/java/   # your JAVA_HOME here
    

    If your EC2 instance is EBS-backed, you can use the following command to create an AMI:

    ec2-create-image -n your-image-name instance-id

    If your instance is S3-backed ( instance store ), you will have to install the EC2 AMI tools first. They can be downloaded from

    http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip

    unzip ec2-ami-tools.zip
    cp ec2-ami-tools-x.x-xxxxx/bin/* ~/ec2/bin
    

    vim ~/.bashrc

    export EC2_AMITOOL_HOME=~/ec2/ec2-ami-tools-1.3-56066/

    Now you can use the following commands to create an AMI of your S3-backed instance:

    mkdir /mnt/bundle-vol/
    ec2-bundle-vol -u USER-ID -c /mnt/cert-xxxxxxx.pem -k /mnt/pk-xxxx.pem -d /mnt/bundle-vol

    ( Log in to your AWS account; your USER-ID is available from Account --> Security Credentials )

    ec2-upload-bundle -b s3-bucket-name -a aws-access-key -s aws-secret-key -d /mnt/bundle-vol/ -m /mnt/bundle-vol/image.manifest.xml
    ec2-register -K /mnt/pk-xxxxxx.pem -C /mnt/cert-xxxxxxx.pem s3-bucket-name/image.manifest.xml -n name-of-the-image

    To see the created images

    ec2-describe-images 

    Simulating multiple IP-Camera with h.264 stream in Amazon EC2 using Wowza

    When you are setting up a Wowza based streaming application which needs to stream and record more than a thousand cameras, in the testing stage you need to see how the system works by providing multiple H.264 camera streams. But when you have only one camera for testing purposes, you cannot overload the camera by taking a thousand streams from it to test the application. And if the camera gives an MPEG-4 stream, Wowza is not going to play it, since H.264 is the only format it supports. We did a workaround to overcome this situation in Amazon EC2. We launched a large Wowza instance from the paid AMI and installed VLC in it. Using VLC we transcoded the MPEG-4 video stream to H.264. The command is given below:
    vlc -vvv rtsp://camera.hostname:port/stream-name --sout "#transcode{venc=x264{keyint=60,profile=baseline,level=3.0,nocabac,qpmax=36,qpmin=10,me=hex,merange=24,subme=9,qcomp=0.6},vcodec=x264,vb=128,scale=1,width=640,height=480,acodec=mp4a,channels=1,fps=15,samplerate=4750}:rtp{dst=local.amazon.ip.ofwowzainstance,port-video=10000,port-audio=10002,sdp=file:///wowza-installation-dir/content/vlc.sdp}" -R -d

    Next we added a username and password to the file /usr/local/WowzaMediaServer/conf/admin.password so that we can access the Stream Manager. Then we started the Wowza server and accessed the Stream Manager using the URL http://public-dns-name-of.instance:8086/streammanager/

    After logging in with the username and password set in /usr/local/WowzaMediaServer/conf/admin.password, click on "start receiving stream" under rtplive.

    In the configuration window we set Application to rtplive/_definst_, MediaCaster Type to rtp, and Stream Name to vlc.sdp, and clicked "OK" to submit and start the stream. The RTSP URL to access the stream is rtsp://public-dns-name-of.instance:8086/rtplive/vlc.sdp, and this gives an H.264 stream which is equivalent to a stream from an H.264 camera. The advantage of this setup is that you need not overload a single IP camera by taking 1000 streams from it, as this single RTSP output can be used multiple times to simulate a multiple IP-camera system and feed it as input to the Wowza streaming infrastructure we are developing in Amazon EC2.

    Microsoft SQL Server 2008 Encryption: Part l

    Entrusted with a project where we have to implement data protection and privacy guidelines in accordance with international regulations, we found ourselves investigating ways to implement data encryption in an MSSQL database in Amazon EC2. We are deploying an application which has to be deployed in all the AWS availability zones, and problems like syncing between zones are still at large as we fine tune MS-SQL for the cloud.

    Data security and privacy

    Applications which store sensitive information like customer information, financial information, personal health information (PHI), etc. will have to meet certain data privacy and security acts. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects health information. To make applications HIPAA compliant we can use some of the new security features in SQL Server 2008. MSSQL Server 2008 introduces new security feature enhancements for powerful encryption and better key management capabilities.

    Data security in cloud

    Data in the cloud is in a shared hardware environment. Therefore data segregation is one of the major security issues. All cloud providers have their own storage management, but the security and privacy of data is again an issue because customers don't have much control over this storage area. They don't know the exact location where data is stored. Customers can overcome these issues by implementing their own security features based on their application.

    We had 2 issues to address:

    1. Encrypt data in transit
    2. Encrypt data at rest

    In this part we start by implementing encryption of data in transit for MSSQL Server. MSSQL Server uses the Secure Sockets Layer (SSL) to encrypt data transfer between SQL Server and applications. This encryption will ensure secure data transmission over the network. This is much more important when application and database are distributed across many AWS availability zones.

    Implementation of SSL

    1. Creating a self-signed cert using makecert

    makecert -r -pe -n "CN=SERVER-FQDN" -b 01/01/2010 -e 01/01/2015 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\testssl.cer
    

    2.Install this cert

    Copy c:\testssl.cer to your client machine, run c:\testssl.cer from a command window, select "Install Certificate" -> click "Next" -> select "Place all certificates in the following store" -> click "Browse" -> select "Trusted Root Certification Authorities" -> select OK and Finish

    3.Open SQL Server Configuration Manager

    Expand SQL Server Network Configuration, right-click “Protocols for MSSQLSERVER” then click “properties”. On the “Certificate” tab select the certificate just installed . On the “Flags” tab, set “ForceEncryption” YES.

    Now SSL is ready to use on the server. You have to modify your connection string to use SSL.

    For Example

    connectionString="Data Source=db.server.com;Initial Catalog=mydb;User ID=user1;Password=pas@123;Encrypt=true;TrustServerCertificate=true"
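As an added example that is not part of the original post, the following Python script audits the TLS settings of a SQL Server connection string like the one above and the identical one in the MSSQL section of the first post. It treats the standard SqlClient keywords Encrypt, TrustServerCertificate and Data Source; the sample strings are constructed and nothing is connected to. TrustServerCertificate=true makes the client accept any server certificate, so the certificate installed into Trusted Root in step 2 only buys something once that flag is false and Data Source names the server by the FQDN in the certificate's CN.

```python
# Added example (not from the original post): flag weak TLS settings in a
# SqlClient connection string and show the hardened form beside it.

# Constructed samples. AS_IN_POST mirrors the connection string in the post.
AS_IN_POST = ("Data Source=localhost;Initial Catalog=mydb;User ID=user1;"
              "Password=pas@123;Encrypt=true;TrustServerCertificate=true")
HARDENED = ("Data Source=YOUR_SERVER_FQDN;Initial Catalog=mydb;User ID=user1;"
            "Password=pas@123;Encrypt=true;TrustServerCertificate=false")
NO_ENCRYPT = "Data Source=localhost;Initial Catalog=mydb;User ID=user1;Password=pas@123"

TRUE_VALUES = {"true", "yes", "1"}

# Finding codes and what each one means for the connection.
FINDINGS = {
    "encrypt-off": "Encrypt is not set: the client does not request TLS and "
                   "relies entirely on the server's ForceEncryption flag",
    "trust-any-cert": "TrustServerCertificate=true skips validation of the "
                      "server certificate, so any certificate is accepted",
    "local-name": "Data Source names localhost, which will not match the CN "
                  "of the server certificate once it is validated; use the FQDN",
}


def parse_connection_string(conn):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    settings = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def audit_connection_string(conn):
    """Return the finding codes (see FINDINGS) that apply to conn."""
    s = parse_connection_string(conn)
    findings = []
    if not is_true(s.get("encrypt", "false")):
        findings.append("encrypt-off")
    if is_true(s.get("trustservercertificate", "false")):
        findings.append("trust-any-cert")
    elif s.get("data source", "").lower() in {"localhost", "127.0.0.1", "."}:
        findings.append("local-name")
    return findings


def explain(conn):
    """Human-readable audit result for one connection string."""
    codes = audit_connection_string(conn)
    if not codes:
        return "ok: encryption requested and server certificate validated"
    return "\n".join("- " + FINDINGS[c] for c in codes)


if __name__ == "__main__":
    for label, conn in (("as in post", AS_IN_POST), ("hardened", HARDENED),
                        ("no encrypt", NO_ENCRYPT)):
        print(label + ":")
        print(explain(conn))
```

The hardened string keeps Encrypt=true and sets TrustServerCertificate=false, so SqlClient checks that the server certificate chains to a trusted root (the store the certificate was imported into above) and that its CN matches the Data Source host.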

    You are Done!

    Microsoft SQL Server 2008 Encryption: Part ll

    In our first article we discussed security and privacy of data in the cloud and how to make MSSQL Server HIPAA (Health Insurance Portability and Accountability Act) compliant. We also learned how to encrypt data in transit between MSSQL Server and applications. Here you will learn how to encrypt data at rest in MSSQL using Transparent Data Encryption (TDE).

    It seems that most security products focus their effort on securing data in transit only, using SSL/TLS. But when you build a security system that meets international security regulations and acts, you need to encrypt data at rest also. Insecure configuration of the server, operating system, firewall and network in general will make it easier for someone to gain access to data at rest.

    TDE performs real-time encryption and decryption of data while it is written to and read from MSSQL. As the name implies, the encryption is transparent: there is no need to modify the code or architecture of applications when implementing TDE.

    Implementation of TDE

    1. Create a master key
    A master key is a symmetric key that is used to create certificates and asymmetric keys.

    USE master;
    CREATE MASTER KEY
    ENCRYPTION BY PASSWORD = '<password>';
    GO
    

    2.Create Certificate

    Certificates can be used to create symmetric keys for data encryption or to encrypt the data directly. Execute the following script to create a certificate:

    CREATE CERTIFICATE TDECert
    WITH SUBJECT = 'TDECertificate'
    GO
    

    3.Create a Database Encryption Key and Protect it by the Certificate

    1. Click Object Explorer in the left pane of SQL Server Management Studio
    2. Right-click the database which you want to encrypt
    3. Click Tasks and navigate to Manage Database Encryption
    4. Select the encryption algorithm (AES 128/192/256) and select the certificate you have created
    5. Then mark the check box for Set Database Encryption On

    You can query the is_encrypted column in sys.databases to determine whether TDE is enabled for a particular database.

    SELECT [name], is_encrypted FROM sys.databases
    GO
    

    Important: back up the certificate and its private key to files to ensure recoverability, as follows (without the private key the backup cannot be used to restore the encrypted database on another server):

    BACKUP CERTIFICATE TDECert TO FILE = 'C:\TDECert.cer'
        WITH PRIVATE KEY (
            FILE = 'C:\TDECert.pvk',
            ENCRYPTION BY PASSWORD = '<strong password>'
        );
    GO
    

    You are Done!!