Creating an Amazon Web Services (AWS) application object

To install a certificate into the Amazon Web Services (AWS) ACM or IAM certificate store—and/or to bind a certificate to an Application Load Balancer (ALB), Elastic Load Balancer (ELB) or CloudFront distribution—you must apply the required configuration settings described in this topic.

BEST PRACTICE  Consider managing object settings using a policy. For more information, see Managing applications using policies.

As with other application drivers, make sure you first create the device object, which is the parent of application objects in Trust Protection Foundation. See Creating a device object in the Policy Tree and Device object settings (agent, agentless, and adaptable provisioning).

DID YOU KNOW?  When you add an installation to a certificate, you'll have the option of defining (and editing) this object during that process, which means that you don't have to log in to Policy Tree as the following procedure describes. And because the settings are the same, you can use this topic for information about each setting.

For more information, see Creating a certificate installation.

DID YOU KNOW?  Like most Trust Protection Foundation applications, AWS makes use of the Hostname/Address setting from its parent device object, even though it's a cloud service and not a typical device. This is because AWS is an Internet-based service with a public interface that is the same for all customers. But if you're provisioning to a secondary account, the parent device's Hostname/Address setting in Trust Protection Foundation is actually used to specify the AWS account ID (rather than the expected hostname or address).

This is a confusing but temporary method for managing this specific use case.

For more information about AWS configuration, see Amazon Web Services (AWS)—Overview.

To create and configure an AWS application object

  1. From the Certificate Manager - Self-Hosted menu bar, click Policy tree.

  2. In the Policy tree, select the device object to which you want to add the new application object, and then click Add > Application, and then select Amazon Certificate Manager.
  3. When the new application object page appears, then under Status, clear the Processing Disabled checkbox.

    When checked, this option disables provisioning of the certificates installed on the current application. This means that Trust Protection Foundation does not attempt to install, renew, process, or validate certificates on the application.

  4. (Optional) In the Device Certificate box, click to select and associate a certificate with the new application.

    NOTE  If you don't have a certificate ready, you can do this later or you can do it on the certificate's Association tab.

    To associate a certificate with the current application, you must have write permissions to the application object and either write or associate permissions to the certificate object.

    For detailed information on associating a certificate with an application, see Associating a certificate with an application object.

  5. Under General, do the following:

    1. In the Application Name field, type a name for the new application.
    2. (Optional) In the Description field, type a description for the purpose of the application.

      A strong description can help to provide context for other administrators who might need to manage the new application.

    3. In the Contacts field, select user or group identities you want assigned to this application object (or choose the Use policy value to configure contacts using a policy).

      Default system notifications are sent to the contact identities. The default contact is the master administrator.

      TIP  If the Identity Selector dialog is not populated when it first opens, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Foundation can query the external Identity store, then return the list of requested users or groups. If you want to display all user or group entries, enter the wildcard character (*).

      Press Shift+click to select multiple, contiguous users and groups. Press Ctrl+click to select multiple, discontiguous users and groups.

    4. In the Approvers field, select user or group Identities you want to assign to approve workflows (certificate approval or injection command) for the new application.

      The default approver is the master administrator. For more information on defining workflow objects, see Implementing certificate workflow management.

    5. (Conditional) If your application (or certificate) object is affected by a defined workflow and you want users to use a console other than Policy Tree, click Managed By and select which administration console to use as part of the workflow.

      You only need to configure this if you are using workflows and expect users to perform a task using a particular administration console. The default setting is Policy Tree.

      For more information, see Specify folders and certificates to be managed by Certificate Manager - Self-Hosted .

  1. Refer to the following table to complete the remaining application object settings:

    Field

    Policy

    Description

    Application Information

    AWS Credential

     

    Select an Amazon Credential.

    In previous versions of Trust Protection Foundation, you would have selected the access key ID and secret access key credentials. Beginning with version 18.3, you simply create an AWS credential—either a locally hosted or ADFS credential—and then select it here. This allows the support of both locally hosted credentials, and credentials stored externally (ADFS).

    For related information, see About Amazon credentials and Authenticating to multiple AWS accounts using a single Amazon Credential.

    Connection Method

     

    (Read Only) The Connection Method is the protocol that Trust Protection Foundation uses to connect to the server and manage the certificates installed on that server. In an application object's settings, this field is typically read-only.

    Installation Settings

    Certificate Issued By AWS Certificate Manager

    Choose from the following options:

    • Yes: Select this option to link the certificate that is enrolled by the Amazon CA to an AWS application.

      This means you'll need to be using the CyberArk Amazon CA template assigned to the certificate.

      TIP  When you use this setting, the Provision To, Region Code, and IAM Path for Certificate Upload settings are disabled because they're either controlled by the Amazon CA template or are not relevant for other reasons.

    • No: Select this option and select either ACM or IAM from the Provision To list if the certificates will be issued by another CA.

    Provision To

    Either ACM (default) or IAM, depending on where you want to import the certificate.

    Region

    If you're provisioning to ACM, choose a region from the list. This should be the region where your AWS application resides.

    When certificates are provisioned to the AWS IAM certificate store, they exist in the primary AWS region, which is us-east-1. If one of those certificates is to be bound to an ELB in a different region, there may be some delay while Amazon replicates the certificate to make it available in other regions. Trust Protection Foundation will attempt to bind the certificate to the ELB for up to 15 minutes to allow time for the AWS replication.

    For more information about AWS regions, visit the following URL:

    http://docs.aws.amazon.com/general/latest/gr/rande.html

    IAM Path for Certificate Upload (Optional)

    The IAM certificate store path where the certificate is to be provisioned.

    This value is optional except when provisioning to CloudFront when the path must begin with "/cloudfront/". When left blank, the certificate is provisioned to the root of the IAM certificate store.

    Replace Existing

    Select Yes if you want to overwrite certificates that were previously provisioned to the ACM store by Trust Protection Foundation.

    Enabling Replace Existing lets you automate the certificate renewal lifecycle for ACM-integrated applications like Elastic Beanstalk, API Gateway, and CloudFormation that aren't directly supported by the AWS application driver.

    The Amazon AWS driver supports binding of provisioned certificates to Elastic Load Balancer, Application Load Balancer, and CloudFront. So when you enable the Replace Existing option, Trust Protection Foundation replaces the certificate provisioned to ACM by Trust Protection Foundation with a new certificate.

    The Amazon Resource Name (ARN) used by the previous certificate is used by the new certificate. This means that the previous certificate is not available in ACM for rollback.

    This option is available only when you're provisioning to ACM and when the certificate is not issued by AWS Certificate Manager.

    IMPORTANT  If you're provisioning a new certificate to an AWS CloudFront distribution to replace an existing certificate in ACM, note that it could take more than an hour before the new certificate becomes active. For perspective, if a certificate isn't replacing an existing one, it usually takes 15 to 20 minutes to become active.

    Binding Target

    Indicates to what, if anything, the certificate should be bound.

    • No Binding
    • Elastic Load Balancer
    • CloudFront
    • Application Load Balancer

    Load Balancer Settings

    Load Balancer Name

     

    The name of the application or elastic load balancer.

    Listener Port

    The TCP port of the load balancer listener to which the certificate will be bound. The default is port 443.

    Create Listener

    Select Yes if you want to create a listener on the load balancer using the load balancer name and port, and then bind the certificate to it.

    If you select No, the listener must exist before provisioning.

    Default Target Group

     

    The name of the target group associated with the application load balancer listener.

    This setting doesn't apply to ELB.

    SNI Certificate

     

    For Application Load Balancer, enabling the SNI Certificate setting ensures that new certificates are checked for and then added to the SNI list without replacing the default certificate. If setting is not enabled, the application does not check for SNI certificates.

    Default SNI Certificate

     

    For Application Load Balancer, enabling the Default SNI Certificate setting ensures that the certificate is added to the SNI list and also replaces the existing default certificate.

    CloudFront Settings

    Distribution ID

     

    The identifier of the CloudFront distribution to which the certificate will be bound.

    Certificate Name Settings

    Certificate Name

     

    The automatically generated name of the certificate when it was provisioned to the AWS IAM certificate store.

    To ensure uniqueness, the name is derived from parts (or all) of the certificate's common name, expiration date, and serial number.

    This name is retained for two subsequent provisioning cycles of the certificate so that the certificate prior to the one that was just replaced can be automatically removed from the IAM certificate store.

  2. When you're finished, click Save.

What's next?

After you've created an application object, here are other things you can do to manage the new application:

  • On the application's Settings sub-tab:

    • Click to push a certificate to its associated application.

      For more information, see Pushing a certificate and private key to an application .

    • Click Reset to stop processing the application and reset the status and stage.
    • Click to reattempt installation of the certificate to its associated application, .
    • Click Validate Now to validate the applications associated certificate.

      Validation requests are placed into a queue. When your validation runs, the application and its associated certificate are scanned according to the settings configured in the application object’s Validation tab.

      For more information, see About certificate and application validation.

  • On the application object's Validation tab, you can configure validation settings for the application object.

  • On an object's General tab:

    • Click the Log sub-tab to view any events that are triggered by the template object.

    • Click the Permissions sub-tab to configure the users or groups to whom you want to grant permissions to the new object. For more information, see Permissions overview.

Related Topics Link IconRelated Topics