Step 3: Configure the Web Server
Update your web server software's configuration to use the HTTPS certificate and corresponding fake PEM private key that you created in the previous step. This will finish setting up your Linux web server software for SSL/TLS offload with AWS CloudHSM.
To update your web server configuration, complete the steps from one of the following procedures. Choose the procedure that corresponds to your web server software.
To update the web server configuration for NGINX
-
Connect to your client instance.
-
Run the following command to create the required directories for the web server certificate and the fake PEM private key.
sudo mkdir -p /etc/pki/nginx/private
-
Run the following command to copy your web server certificate to the required location. Replace
<web_server.crt>
with the name of your web server certificate.sudo cp
<web_server.crt>
/etc/pki/nginx/server.crt -
Run the following command to copy your fake PEM private key to the required location. Replace
<web_server_fake_PEM.key>
with the name of the file that contains your fake PEM private key.sudo cp
<web_server_fake_PEM.key>
/etc/pki/nginx/private/server.key -
Run the following command to change the file ownership so that the user named nginx can read them.
sudo chown nginx /etc/pki/nginx/server.crt /etc/pki/nginx/private/server.key
-
Run the following command to back up the
/etc/nginx/nginx.conf
file.sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
-
Use a text editor to edit the
/etc/nginx/nginx.conf
file. At the top of the file, add the following lines:ssl_engine cloudhsm; env n3fips_password;
Then uncomment the TLS section of the file so that it looks like the following:
# Settings for a TLS enabled server. server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; server_name _; root /usr/share/nginx/html; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/private/server.key"; # It is *strongly* recommended to generate unique DH parameters # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048 #ssl_dhparam "/etc/pki/nginx/dhparams.pem"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP; ssl_prefer_server_ciphers on; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } }
Save the file. This requires Linux root permissions.
-
Back up the
systemd
configuration file, and then set theEnvironmentFile
path. -
Check if the
/etc/sysconfig/nginx
file exists, and then do one of the following:-
If the file exists, back up the file by running the following command:
$
sudo cp /etc/sysconfig/nginx /etc/sysconfig/nginx.backup
-
If the file doesn't exist, open a text editor, and then create a file named
nginx
in the/etc/sysconfig/
folder.Tip There is no need to back up the newly created file.
-
-
Open the
/etc/sysconfig/nginx
file in a text editor, and then add the Cryptography User (CU) credentials:$
n3fips_password=<CU user name>:<password>
Replace the
<CU user name>
and<password>
with the cryptography user credentials.Save the file. This requires Linux root permissions.
-
Start the NGINX web server.
-
Configure your server to start NGINX when the server starts, if needed.
After you update your web server configuration, go to Step 4: Enable HTTPS Traffic and Verify the Certificate.
To update the web server configuration for Apache
-
Connect to your Amazon EC2 client instance.
-
Run the following command to make a backup copy of the default certificate.
sudo cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.backup
-
Run the following command to make a backup copy of the default private key.
sudo cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.key.backup
-
Run the following command to copy your web server certificate to the required location. Replace
<web_server.crt>
with the name of your web server certificate.sudo cp
<web_server.crt>
/etc/pki/tls/certs/localhost.crt -
Run the following command to copy your fake PEM private key to the required location. Replace
<web_server_fake_PEM.key>
with the name of the file that contains your fake PEM private key.sudo cp
<web_server_fake_PEM.key>
/etc/pki/tls/private/localhost.key -
Run the following command to change the ownership of these files so that the user named apache can read them.
sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
-
Run the following command to make a backup copy of the file named
/etc/httpd/conf.d/ssl.conf
.sudo cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.backup
-
Use a text editor to edit the file named
/etc/httpd/conf.d/ssl.conf
. Replace the line that starts withSSLCryptoDevice
so that it looks like the following:SSLCryptoDevice cloudhsm
Save the file. This requires Linux root permissions.
-
Run the following command to back up the
/etc/apache2/envvars
file.sudo cp /etc/apache2/envvars /etc/apache2/envvars.backup
-
Use a text editor to edit the
/etc/apache2/envvars
file. Add the following command, specifying the user name and password of the crypto user (CU). Replace<CU user name>
with the name of the crypto user. Replace<password>
with the CU password.export n3fips_password=
<CU user name>
:<password>
Save the file. This requires Linux root permissions.
-
Run the following command to start the Apache HTTP Server.
sudo service httpd start
-
Run the following command to configure your server to start Apache when the server starts.
sudo chkconfig httpd on
After you update your web server configuration, go to Step 4: Enable HTTPS Traffic and Verify the Certificate.