Step 3: Configure the Web Server
Update your web server software's configuration to use the HTTPS certificate and corresponding fake PEM private key that you created in the previous step. This will finish setting up your Linux web server software for SSL/TLS offload with AWS CloudHSM.
To update your web server configuration, complete the steps in one of the following procedures. Choose the procedure that corresponds to your web server software.
To update the web server configuration for NGINX
-
Connect to your client instance.
-
Run the following command to create the required directories for the web server certificate and the fake PEM private key.
sudo mkdir -p /etc/pki/nginx/private -
Run the following command to copy your web server certificate to the required location. Replace
<web_server.crt>with the name of your web server certificate.sudo cp<web_server.crt>/etc/pki/nginx/server.crt -
Run the following command to copy your fake PEM private key to the required location. Replace
<web_server_fake_PEM.key>with the name of the file that contains your fake PEM private key.sudo cp<web_server_fake_PEM.key>/etc/pki/nginx/private/server.key -
Run the following command to change the file ownership so that the user named nginx can read them.
sudo chown nginx /etc/pki/nginx/server.crt /etc/pki/nginx/private/server.key -
Run the following command to make a backup copy of the file named
/etc/nginx/nginx.conf.sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup -
Use a text editor to edit the file named
/etc/nginx/nginx.conf. At the top of the file, add the following line:ssl_engine cloudhsm;Then uncomment the TLS section of the file so that it looks like the following:
# Settings for a TLS enabled server. server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; server_name _; root /usr/share/nginx/html; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/private/server.key"; # It is *strongly* recommended to generate unique DH parameters # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048 #ssl_dhparam "/etc/pki/nginx/dhparams.pem"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP; ssl_prefer_server_ciphers on; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } }Save the file. This requires Linux root permissions.
-
Run the following command to make a backup copy of the file named
/etc/sysconfig/nginx.sudo cp /etc/sysconfig/nginx /etc/sysconfig/nginx.backup -
Use a text editor to edit the file named
/etc/sysconfig/nginx. Add the following line, specifying the user name and password of the cryptographic user (CU). Replace<CU user name>with the user name of the cryptographic user. Replace<password>with the CU password.export n3fips_password=<CU user name>:<password>Save the file. This requires Linux root permissions.
-
Run the following command to start the NGINX web server.
sudo service nginx start -
Run the following command if you want to configure your server to start NGINX when the server starts.
$sudo chkconfig nginx on
After you update your web server configuration, go to Step 4: Enable HTTPS Traffic and Verify the Certificate.
To update the web server configuration for Apache
-
Connect to your Amazon EC2 client instance.
-
Run the following command to make a backup copy of the default certificate.
sudo cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.backup -
Run the following command to make a backup copy of the default private key.
sudo cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.key.backup -
Run the following command to copy your web server certificate to the required location. Replace
<web_server.crt>with the name of your web server certificate.sudo cp<web_server.crt>/etc/pki/tls/certs/localhost.crt -
Run the following command to copy your fake PEM private key to the required location. Replace
<web_server_fake_PEM.key>with the name of the file that contains your fake PEM private key.sudo cp<web_server_fake_PEM.key>/etc/pki/tls/private/localhost.key -
Run the following command to change the ownership of these files so that the user named apache can read them.
sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key -
Run the following command to make a backup copy of the file named
/etc/httpd/conf.d/ssl.conf.sudo cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.backup -
Use a text editor to edit the file named
/etc/httpd/conf.d/ssl.conf. Replace the line that starts withSSLCryptoDeviceso that it looks like the following:SSLCryptoDevice cloudhsmSave the file. This requires Linux root permissions.
-
Run the following command to make a backup copy of the file named
/etc/sysconfig/httpd.sudo cp /etc/sysconfig/httpd /etc/sysconfig/httpd.backup -
Use a text editor to edit the file named
/etc/sysconfig/httpd. Add the following line, specifying the user name and password of the cryptographic user (CU). Replace<CU user name>with the name of the cryptographic user. Replace<password>with the CU password.export n3fips_password=<CU user name>:<password>Save the file. This requires Linux root permissions.
-
Run the following command to start the Apache HTTP Server.
sudo service httpd start -
Run the following command to configure your server to start Apache when the server starts.
sudo chkconfig httpd on
After you update your web server configuration, go to Step 4: Enable HTTPS Traffic and Verify the Certificate.
