The Network Administrator



Export SSL Certificate from IIS

• Export your certificate from IIS 7 WITH the private key.
• make sure to check the option PKCS #12 (.pfx)
• I also checked the checkbox for “Include all certificates in the certification path if possible”

Here is a link for a tutorial on how to export your certificate

http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm

Now you should have your pfx file.

Convert the PFX file to PEM format

Next you will need to convert the PFX file to a valid pem format for the ELB.  In order to do this you will need the utility OpenSSL.

If you don’t have OpenSSL installed. You will need to. You can download the version (32 bit or 64 bit) you need below:

http://www.slproweb.com/products/Win32OpenSSL.html

There is a great post online that already explains how to do this which can be found here

http://www.petefreitag.com/item/16.cfm

For the ease of reading and to explain a bit futher I took the commands from the link above and insert them here as well.

First thing you need to do is open the windows command prompt and get to the directory where openssl is (if you did not put it in your PATH)

Command 1

# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem

it will prompt you for an Import Password. I entered in the one I created when I exported the cert from IIS

Command 2

# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

it will prompt you for an Import Password: I entered in the one I created when I exported the cert from IIS.
Then it will prompt you for a PEM passphrase. Enter one if you’d like, then confirm it

Command 3

# This removes the passphrase from the private key so Apache won’t
# prompt you for your passphase when it starts
openssl rsa -in key.pem -out server.key

It will prompt for a pem passphrase. This would be the passphrase you created after command number 1 (if you did)

Upload the PEM format SSL into the Elastic Load balancer

Now it’s time to take the files you created from openssl and copy and paste them into the Elastic Load Balancer. I just uploaded it via the AWS Console Management UI. However they do have api tools as well you can do this with.

I configured the following on the ELB:

• Microsoft IIS HTTP 80 for Load Balancer port to 80 EC2 instance Port
• Microsoft IIS HTTPS 443 for Load Balancer port to 80 EC2 Instance Port

When prompted for the certificate keys do the following:

• Open the file server.key that was created from above with openssl and paste into the Private Key textbox
• Open the file cert.pem that was created from above with openssl and copy the text from —-BEGIN till the end of the file and paste that into Public Key Certificate textbox

Note: I did not put anything into the certificate chain

Finish configuring the rest of your Elastic Load Balancer

I have used Cloudberry and Cloudberry Pro for some time and have had a great experience with the product. There is a function within Cloudberry to sync an S3 bucket with a drive on your local computer. I had a situation where I needed to pull down several log files daily, but I REALLY didn’t want to do this manually. Cloudberry actually has a PowerShell Snap-in that can be called and scheduled with windows task manager. http://www.cloudberrylab.com/default.aspx?id=14

So my requirements are simple, I want to sync the S3 bucket we will call “logs” with a local directory in this case “C:\temp”

1. Follow the prerequisite steps from Cloudberry first.

Installation

PowerShell Snap-In must be registered and added to console.

Registering Snap-In

If the PowerShell is installed prior to installation of Cloudberry Explorer, you do not need to install Snap-in. Otherwise, run the following command in the Cloudberry Explorer installation folder (c:\Program Files\Cloudberry Lab\Cloudberry Explorer for Amazon S3):
C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe Cloudberry Lab.Explorer.PSSnapIn.dll

Note: For x64 the command must be like : C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe "C:\Program Files (x86)\Cloudberry Lab\Cloudberry Explorer for Amazon S3\Cloudberry Lab.Explorer.PSSnapIn.dll"

Note: For PRO version the default installation folder is "C:\Program Files\Cloudberry Lab\Cloudberry S3 Explorer PRO"; on x64 – "C:\Program Files (x86)\Cloudberry Lab\Cloudberry S3 Explorer PRO"

Note: You can do this from command line or PowerShell.

You can verify that the Cloudberry Explorer Snap-in is registered. Run the following command:
Get-PSsnapin –Registered
PowerShell displays registered Snap-Ins. Check that Cloudberry Lab.Explorer.PSSnapIn is in the list.

Adding Snap-In to console

You can check that Cloudberry Explorer Snap-in is registered by running command above.
To add Snap-In to console run the following command:
Add-PSSnapin Cloudberry Lab.Explorer.PSSnapIn
Now new command will be available.

Exporting console configuration

You should run Add-PSSnapin command anytime you start PowerShell or you can save configuration using the following.

• Run PowerShell.
• Add Snap-In to console.
• Run the command: Export-Console CloudBerruExplorerConfig

CloudBerruExplorerConfig is the name of a console file to save configuration. To start the PowerShell from a saved configuration run the command:
C:\Program Files\Command Shell> PS -PSConsoleFile CloudBerruExplorerConfig.psc1.
Cloudberry Explorer commands will be available.

2. Using Notepad++ I modified the PowerShell script from cloudberry to satisfy my needs.

Get-PSsnapin –Registered
Add-PSSnapin Cloudberry Lab.Explorer.PSSnapIn

$s3 = Get-CloudS3Connection keystringgoeshere secretstringgoeshere

$source = $s3 | Select-CloudFolder –Path logs
$local = Get-CloudFileSystemConnection
$target = $local | Select-CloudFolder C:\temp
$source | Copy-CloudSyncFolders $target

3. With Notepad++ save the PowerShell script as .ps1

4. Copy the PowerShell script .ps1 file to your desired location on the server or workstation, say C:\autotask

5. Using notepad, etc. also create a cmd file inside the same directory as the PowerShell script file to call the PowerShell script. inside the cmd file type (yours might be different depending on what you named the PowerShell file.

powershell.exe -command C:\Cloudberry_Auto\syncremotelocal.ps1

6. Fire up the windows task scheduler and schedule the the cmd file to run, which in turn will run the PowerShell script.

Once you enable logging on your S3 bucket(s) and start collecting logs, the next thing is to try and make sense of them. The logs are created in the form of text files, which you could probably open in notepad or notepad++

The S3 files are really hard to read and understand for most people and there are usually a lot of them for each bucket. I looked at a few software solutions, but like many others they didn’t work for me.

S3Stat, I tried this for a few days, it is only about $5 a month and it does a good job of analyzing the logs. For me, I needed to analyze historical logs which S3 could not process.

SiSense Prism Viewer – This looked like a great solution, but unfortunately I learned this was part of a beta that is no longer available

I used cloudberry explorer to download all the log files for a particular bucket called ABC to a directory called grd. I should also mention we chose to gunzip our log files within the bucket, so once downloaded I had to use WinRAR to extract the files to plan text files. Next open a command prompt, browse to the grd directory containing all of the S3 log files and issue the command copy * combined_log_file    , you will have a file created in the directory containing all of your S3 logs.

Now you need  open Excel and go to File menu and choose Open, in the Open File dialog box, navigate to the folder where the combined_log_file  was created. You may not see it, because by default this dialog will only show files supported by Excel. You need to choose “All Files” in “Files of type” combo box. Locate your file, select it, and click the Open button. You should be presented with the Text Import Wizard. The screenshots below show you what you should do.

Choose “Delimited” in the Original data type options, and click Next. On the next screen, check “Space” and “Tab” in the Delimiters options, and click Finish. Excel will divide data into the right columns and rows.

Http://www.s3stat.com/, S3Stats does powerful web log analysis and statistics for Amazon S3

I have been looking at different load balancers especially ones that support sticky sessions and that will work on Amazon EC2.

I tried mod_proxy installed on a Fedora 8 AMI using Apache as my front end and then passing sessions to a set of backend Tomcat 6 servers. This did work, but for some reason our application was getting network errors.

I next tried HAProxy installed on a Fedora 8 AMI using HAProxy as my front end and passing sticky sessions to a tomcat 6 server. DNS round robin distributes the visits to each front each server and the sticky session stays with the correct tomcat server. Also if one of the AMIs goes down you have a redundant front end and back end server to continue serving sessions.

HAProxy can be installed using the command Yum install HAProxy*

Using DNS Round Robin I have two separate A records pointing to a set of Elastic IP Addresses each associated to an AMI.

From each Fedora 8 AMI under /etc/haproxy here is my config files.

Don’t forget to run these commands so that haproxy and tomcat will startup after a reboot.
chkconfig --level 2345 tomcat on;
chkconfig --level 2345 haproxy on;

You can go to http://externaldsnname or elasticip/haproxy?stats this will give you some insight into what is happening with HAPROXY.

I am also looking at a product called RightScale which will add a lot of automation options.