Menu
AWS CloudHSM
User Guide

Web Server SSL/TLS Offload Step 3: Configure the Web Server

To finish setting up your web server for SSL/TLS offload with AWS CloudHSM, see the following topics:

Update the Web Server Configuration

To update your web server configuration, complete the steps in one of the following procedures. Choose the procedure that corresponds to your web server software.

Update the web server configuration for Nginx

  1. Connect to your client instance.

  2. Run the following command to create the required directories for the web server certificate and the fake PEM private key.

    sudo mkdir -p /etc/pki/nginx/private
  3. Run the following command to copy your web server certificate to the required location. Replace <web_server.crt> with the name of your web server certificate.

    sudo cp <web_server.crt> /etc/pki/nginx/server.crt
  4. Run the following command to copy your fake PEM private key to the required location. Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.

    sudo cp <web_server_fake_PEM.key> /etc/pki/nginx/private/server.key
  5. Run the following command to change the file ownership so that the user named nginx can read them.

    sudo chown nginx /etc/pki/nginx/server.crt /etc/pki/nginx/private/server.key
  6. Run the following command to make a backup copy of the file named /etc/nginx/nginx.conf.

    sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
  7. Use a text editor to edit the file named /etc/nginx/nginx.conf. At the top of the file, add the following line:

    ssl_engine cloudhsm;

    Then uncomment the TLS section of the file so that it looks like the following:

    # Settings for a TLS enabled server. server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; server_name _; root /usr/share/nginx/html; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/private/server.key"; # It is *strongly* recommended to generate unique DH parameters # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048 #ssl_dhparam "/etc/pki/nginx/dhparams.pem"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP; ssl_prefer_server_ciphers on; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; location / { } error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } }

    Save the file. This requires Linux root permissions.

  8. Run the following command to make a backup copy of the file named /etc/sysconfig/nginx.

    sudo cp /etc/sysconfig/nginx /etc/sysconfig/nginx.backup
  9. Use a text editor to edit the file named /etc/sysconfig/nginx. Add the following line, specifying the user name and password of the cryptographic user (CU). Replace <CU user name> with the user name of the cryptographic user. Replace <password> with the CU password.

    export n3fips_password=<CU user name>:<password>

    Save the file. This requires Linux root permissions.

  10. Run the following command to start the Nginx web server.

    sudo service nginx start
  11. Run the following command if you want to configure your server to start Nginx when the server starts.

    $ sudo chkconfig nginx on

Update the web server configuration for Apache

  1. Connect to your Amazon EC2 client instance.

  2. Run the following command to make a backup copy of the default certificate.

    sudo cp /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/localhost.crt.backup
  3. Run the following command to make a backup copy of the default private key.

    sudo cp /etc/pki/tls/private/localhost.key /etc/pki/tls/private/localhost.key.backup
  4. Run the following command to copy your web server certificate to the required location. Replace <web_server.crt> with the name of your web server certificate.

    sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
  5. Run the following command to copy your fake PEM private key to the required location. Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.

    sudo cp <web_server_fake_PEM.key> /etc/pki/tls/private/localhost.key
  6. Run the following command to change the ownership of these files so that the user named apache can read them.

    sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
  7. Run the following command to make a backup copy of the file named /etc/httpd/conf.d/ssl.conf.

    sudo cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.backup
  8. Use a text editor to edit the file named /etc/httpd/conf.d/ssl.conf. Replace the line that starts with SSLCryptoDevice so that it looks like the following:

    SSLCryptoDevice cloudhsm

    Save the file. This requires Linux root permissions.

  9. Run the following command to make a backup copy of the file named /etc/sysconfig/httpd.

    sudo cp /etc/sysconfig/httpd /etc/sysconfig/httpd.backup
  10. Use a text editor to edit the file named /etc/sysconfig/httpd. Add the following line, specifying the user name and password of the cryptographic user (CU). Replace <CU user name> with the name of the cryptographic user. Replace <password> with the CU password.

    export n3fips_password=<CU user name>:<password>

    Save the file. This requires Linux root permissions.

  11. Run the following command to start the Apache HTTP Server.

    sudo service httpd start
  12. Run the following command to configure your server to start Apache when the server starts.

    sudo chkconfig httpd on

Add the Web Server to a Security Group

To connect to your web server from a client (such as a web browser), create a security group that allows inbound HTTPS connections. Specifically, it should allow inbound TCP connections on port 443. Assign this security group to your web server.

To create a security group for HTTPS and assign it to your web server

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Security Groups in the navigation pane.

  3. Choose Create Security Group.

  4. For Create Security Group, do the following:

    1. For Security group name, type a name for the security group that you are creating.

    2. (Optional) Type a description of the security group that you are creating.

    3. For VPC, choose the VPC that contains your Amazon EC2 instance.

    4. Choose Add Rule.

    5. For Type, choose HTTPS.

  5. Choose Create.

  6. In the navigation pane, choose Instances.

  7. Select the check box next to your web server instance. Then choose Actions, Networking, and Change Security Groups.

  8. Select the check box next to the security group that you created for HTTPS. Then choose Assign Security Groups.

Verify That HTTPS Uses the Private Key in Your AWS CloudHSM Cluster

After you add the web server to a security group, you can verify that SSL/TLS offload with AWS CloudHSM is working. You can do this with a web browser or with a tool such as OpenSSL s_client.

To verify SSL/TLS offload with a web browser

  1. Use a web browser to connect to your web server using the public DNS name or IP address of the server. Ensure that the URL in the address bar begins with https://. For example, https://ec2-52-14-212-67.us-east-2.compute.amazonaws.com/.

    Note

    You can use a DNS service such as Route 53 to route your website's domain name to your web server. For more information, see Routing Traffic to an Amazon EC2 Instance in the Amazon Route 53 Developer Guide or in the documentation for your DNS service.

  2. Use your web browser to view the web server certificate. For more information, see the following:

    Other web browsers might have similar features that you can use to view the web server certificate.

  3. Ensure that the SSL/TLS certificate is the one that you configured your web server to use. For more information, see Update the Web Server Configuration. Ensure that the private key is stored in an HSM in your AWS CloudHSM cluster.

To verify SSL/TLS offload with OpenSSL s_client

  1. Run the following OpenSSL command to connect to your web server using HTTPS. Replace <server name> with the public DNS name or IP address of your web server.

    $ openssl s_client -connect <server name>:443
  2. Ensure that the SSL/TLS certificate is the one that you configured your web server to use. For more information, see Update the Web Server Configuration. Ensure that the private key is stored in an HSM in your AWS CloudHSM cluster.

You now have a website that is secured with HTTPS. The private key for the web server is stored in an HSM in your AWS CloudHSM cluster. However, you have only one web server. To set up a second web server and a load balancer for higher availability, go to Add a Load Balancer.