Amazon Elastic Cloud (EC2)

Using SOAPSonar to provision Amazon Elastic Compute Cloud (EC2)


Using SOAPSonar to provision Amazon Elastic Compute Cloud (EC2)

With Web Services Testing Tools - such as SOAPSonar™ - users can easily control Amazon Elastic Compute Cloud.

Introduction

Almost all software components expose their interface through Web Services for SOAP & XML messaging.  Amazon Elastic Compute Cloud (EC2) extends the web services interface notion beyond software components to provisioning Linux hardware instance on demand.  Amazon EC2 provides a simple web services interface that permit users to configure Linux servers to adjust to corporate capacity needs.

In this article, we will walk you through the simple steps of using SOAPSonar™ to control and configure Amazon EC2.  SOAPSonar™ is a web services testing product that provides comprehensive Web Services Testing across complex, dependent and distributed deployments.

As you build a robust, secure, and interoperable web services-enabled Service Oriented Architecture (SOA) with Amazon EC2 as a core capacity and scaling component, the need for using products like SOAPSonar for establishing quality and repeatability of your IT assets will become crucial.

Figure 1:  Amazon Elastic Compute Cloud Configuration & Management using SOAPSonar.

Step 1:  Download and Install SOAPSonar

SOAPSonar Enterprise Edition can be downloaded from here.  Registration is required since this product is subject to US Export Laws.  SOAPSonar can be installed on Windows XP/2K3 platforms.  SOAPSonar can rapidly embed the Amazon EC2 X.509 Binary Token within the SOAP request for secure message authentication between the client and the EC2 web services.

You can load as many WSDLs in the web services testing tool as you wish and mix-&-match tests across different WSDL operations. All test projects can be saved to your Desktop. SOAPSonar also provides operation chaining so that you can take outputs for an operation and use them as inputs to another operation.

Step 2:  Load Amazon EC2 WSDL & X.509 in SOAPSonar

SOAPSonar™ enables you to quickly load the Amazon EC2 WSDL from here.  You should review the Amazon EC2 website to ensure that you have the latest and greatest WSDL.  Once you load the WSDL, all operation will appear in SOAPSonar's right hand navigation panel as shown in Figure 2.

Figure 2:  SOAPSonar with Amazon Elastic Compute Cloud WSDL loaded.

Now we need to load the X.509 token that you should have obtained as a part of your Amazon EC2 registration process into SOAPSonar.  The file should have a pre-fix "cert-" and should be named something like: cert-LZ5C2BELFJDHFHDKLZ5C2BELFJDHFHDK.pem.  Obviously the 32 characters used in the sample name are fictitious.

  1. Manually change the file extension from .pem to .cer.  You'll see the file icon change to a Windows certificate icon. 
  2. Right click on the icon and select Install Certificate.  This will start the Certificate Import Wizard
  3. Click Next on the Wizard.  This will take you the Certificate Store panel. 
  4. Select the second radio button and browse to the Personal folder as shown in Figure 3.

    Figure 3:  Import Amazon EC2 Certificate to selected Windows Certificate Store.

  1. Click through the remaining steps in the Wizard.  An import successful notification will indicate that the Amazon Certificate is now in the Personal Certificate Store.

The certificate is now available from within SOAPSonar for X.509 Certificate authentication to Amazon EC2.

Step 3:  Setup Message-Level Authentication 

In this step, we will configure SOAPSonar with the Amazon EC2 X509 certificate loaded in the Personal Certificate Store on Windows as shown in Step 2.  As shown in Figure 4

  1. Open SOAPSonar and select operation DescribeImages_1.
  2. Select the Task Tab.
  3. Under WSS-Tokens, select Add WSS X509 Token.

 

Figure 4:  Add WSS X509 Task to DescribeImages_1 operation.

  1. Click on the red bullet to configure the WSS X509 Token. It will pop up the WS Security Token screen as shown in Figure 5.
  2. Mark all the check boxes to include Timestamp, include Time To Live with a value 100 (any value > 1 would work), and mark Must Understand.
  3. Click on Select X.509 Certificate on the WS Security Token panel and it will display a new panel title PKI Selection as shown in Figure 6.
  4. As shown in Figure 6, select AWS Customer X.509 certificate that appears under the MY folder.  Click OK.

Figure 5:  Configure WSS X509 Token

Figure 6:  Select Amazon AWS Customer X509 from PKI Selection

You are now ready to start sending messages to Amazon EC2 using SOAP requests. The X.509 certificate will be embedded in the SOAP Header for the DescribeImages operation.

Step 4:  Call Amazon EC2 SOAP API

With X509 certificate loaded in SOAPSonar, enter an ImageId.  You can use a public ImageId: ami-69ae-4b01.  When you click the Submit arrow as shown in Figure 7, the SOAP request is made to Amazon EC2 and the response with details about the image appears Response panel.

Figure 7:  Select Amazon AWS Customer X509 from PKI Selection

You can use any one of the operations in that Amazon EC2 WSDL provides.  However, keep in mind that you will have to follow the WS-X.509 process as depicted in Step 3 for every operation.  One of the feature enhancements for SOAPSonar is to define a "global" Task such that it is applicable across all operations.

Step 5 (optional):  Amazon S3 and EC2 Mashup

With SOAPSonar you can load as man WSDLs as you wish.  One useful API to use jointly with EC2 is the Amazon S3 WSDL.  The Amazon Simple Storage Service (S3) is an easy to use, inexpensive virtual storage where one can store any number of favorite images that can be instantiated by Amazon EC2.  The Amazon S3 WSDL enables you to create new buckets that can later be used for storing Linux images.  Figure 8 shows a screen shot of SOAPSonar with both Amazon S3 and Amazon EC2 WSDLs loaded.

 

Figure 8:  Amazon EC2 and Amazon S3 WSDLs loaded in SOAPSonar for comprehensive management

When loading the Amazon S3 WSDL, SOAPSonar auto-detects the S3 WSDL namespace and prompts you for your S3 credentials (access key and secret key).  The credential values for S3 are required only once and are auto-populated for all SOAP requests.  In Figure 8 above, the response shows contents of a bucket that contains image parts from an EC2 image upload.  With both WSDLs available, one can create mashups between different operations across Amazon EC2 and S3.

Summary & Recommendations

Using Amazon EC2 and S3 WSDL interface is easy.  We are impressed with interoperability displayed between a .NET-based web services client tool, SOAPSonar, and Linux-based products such as Amazon EC2 and S3.  The interoperability is evident across a couple of aspects:  1) Cross platform WSDL generation and consumption 2) WS-Security X.509 Profile generation by .NET and consumption by the Amazon platform.

The WSDL-based interfaces provided by both EC2 and S3 are powerful for quick integration within existing web services-aware management and provision products.  We would like to see these APIs aggressively enhanced to include performance related operation calls, listing multiple instances much like the command line interface, and better authentication characteristics.  At a minimum, the WSDL-based API should be always kept at par with the command line interface.  For security enhancements, we recommend that Amazon EC2 X.509 certificate handling should include signatures so that if I happen to share my X.509 Public certificate, others should not be able to use it unless the BinarySecurity Token is signed with my private key, which will never really leave my control.  Right now I need to keep both my X.509 public key as well as my private key locked up.