Elastic Load Balancing
Developer Guide (API Version 2011-11-15)

Creating a Load Balancer With SSL Cipher Settings and Back-end Server Authentication

This example walks you through the process of creating your own load balancer with custom settings. The following task list describes the process of creating a load balancer.

Before you get started, be sure you've met the following preconditions:

  • Sign up for Amazon Web Services (AWS). If you haven't signed up for AWS yet, go to http://aws.amazon.com and click the Sign Up Now button.

  • Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

    Alternatively, you can create a load balancer using the command line interface or the Query API. Install the tools you'll need to perform Elastic Load Balancing tasks. For information on installing the command line interface and the Query API, see Accessing Elastic Load Balancing.

  • Download and install the AWS Identity and Access Management command line interface. For more information, go to Get the Tools in the AWS Identity and Access Management Getting Started Guide.

  • In Availability Zone us-east-1a, launch the instances you intend to register with your load balancer.

  • Elastic Load Balancing maintains a 60-second timeout setting for idle connections to back-end application servers. Set the idle timeout on your back-end servers to at least 60 seconds for the communication to work properly.

  • The instances to be registered with your load balancer must respond to the target of the health check with an HTTP status code 200.

  • Create a signed certificate. For information on how to create a signed certificate, go to Creating and Uploading Server Certificates in Using AWS Identity and Access Management.

Tasks for Creating a Load Balancer with SSL Cipher Settings and Back-end Server Authentication

  1. Configure the listeners for your load balancer by specifying the ports and protocols to use for front-end connection (client to load balancer) and back-end connection (load balancer to back-end instance).

  2. Configure SSL ciphers for SSL negotiation when a connection is established between the client and your load balancer.

  3. [Optional] Enable the back-end server authentication.

  4. Configure an application health check for your back-end instances.

  5. Add Amazon EC2 instances to your load balancer.

  6. Launch your load balancer.


The following sections include instructions for creating a load balancer using the AWS Management Console, command line interface, or the Query API.

Using AWS Management Console

Configuring Listeners

Configure the listeners for your load balancer by specifying the ports and protocols to use for front-end connection (client to load balancer) and back-end connection (load balancer to back-end instance). The first listener accepts HTTP requests on port 80 and sends the request to the back-end application instances on port 8080 using HTTP. The second listener accepts HTTPS requests on port 443 and sends the request to back-end application instances using HTTPS on port 443.

To configure listeners for your load balancer

  1. Start the Create Load Balancer wizard:

    1. On the Amazon EC2 Console Dashboard page, click Load Balancers in the Navigation pane.

      [Figure: EC2 Console]

    2. On the Load Balancers page, click Create Load Balancers.

    3. The DEFINE LOAD BALANCER page of the Create a New Load Balancer wizard opens.

  2. On the DEFINE LOAD BALANCER page, enter a name for your load balancer (e.g., MyLoadBalancer).

  3. Leave the Listener Configuration set to the default value for the first listener.

  4. Select HTTPS (Secure HTTP) from the drop-down box in the Load Balancer Protocol box. This populates the Load Balancer Port box. Select HTTPS (Secure HTTP) from the drop-down box in the Instance Protocol box, then enter port number 443 for the instance port in the Instance port box.

    [Figure: Name your load balancer]

  5. Click Save, then click Continue to upload your SSL certificate.

  6. Select Choose from your existing SSL Certificates to use the previously uploaded SSL certificate and select the certificate from the drop-down box.

  7. Or, select Upload a new SSL Certificate to define a new SSL certificate.

    1. Enter the name of the certificate to upload.

    2. Copy and paste the contents of the private key file (pem encoded) in the Private Key box.

    3. Copy and paste the contents of the public key certificate file (pem encoded) in the Public Key Certificate box.

    4. [Optional] Copy and paste the contents of the public key certificate chain file (pem encoded) in the Certificate Chain box.

      Note

      The certificate chain must be ordered such that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.

    [Figure: Upload SSL Certificate]

  8. Click Continue to configure SSL ciphers for the HTTPS/SSL listeners.

Configuring SSL Ciphers

Next the wizard takes you through the steps for configuring SSL ciphers for your HTTPS/SSL listeners. The Elastic Load Balancing service provides you with sample cipher policies, ELBSample-ELBDefaultCipherPolicy and ELBSample-OpenSSLDefaultCipherPolicy. You can select one of the sample policies or customize your own ciphers.

  1. To customize the SSL ciphers, select Custom on the DEFINE LOAD BALANCER page, then select the protocol version and the ciphers from the list box.

    Note

    You must enable at least one protocol version and one cipher for SSL negotiation to take place.

    [Figure: Configure Ciphers]

  2. Click Continue to configure back-end server authentication.

Configuring Back-end Server Authentication

Next the wizard gives you an option to enable authentication for your back-end server if you have selected HTTPS/SSL protocol between your load balancer and the back-end instance.

  1. Select Proceed without backend authentication if you do not want to enable authentication for your back-end server.

  2. Or, select Enable backend authentication to enable back-end server authentication.

    1. Enter the name of the public key certificate in the Certificate Name box, and then copy and paste the contents of the certificate (pem encoded) in the Certificate body box.

      [Figure: Configure Back-end Server Authentication]

    2. Click Add another Backend Certificate to add multiple certificates.

  3. Click Continue to configure health check for your back-end server.

Configuring Health Check Settings

Next the wizard takes you through the steps for configuring a health check for your back-end instances.

To configure the health check

  1. Configure the health check settings that your application requires.

    [Figure: Configure Health Check]

  2. Click Continue to add your Amazon EC2 instances.

Adding Amazon EC2 Instances

Next the wizard takes you through the steps for adding Amazon EC2 instances to your load balancer.

To add Amazon EC2 instances

  1. Check the boxes in the Select column to add instances to your load balancer.

    [Figure: Add Amazon EC2 Instances]

  2. Click Continue to review your configuration. On the Review page, click Create to create your load balancer.

Important

Elastic Load Balancing associates your load balancer with your EC2 instance using the IP addresses. When the instance is stopped and then restarted, the IP addresses associated with your instance change. Your load balancer cannot recognize the new IP address, which prevents it from routing traffic to your instances. We recommend that you de-register your Amazon EC2 instances from your load balancer after you stop your instance, and then register the load balancer with your instance after you've restarted. For procedures associated with de-registering and then registering your instances with the load balancer, see De-Registering and Registering Amazon EC2 Instances.

Using Query API

Configuring Listeners

In this example, you configure the listeners for your load balancer by specifying the ports and protocols to use for front-end connection (client to load balancer) and back-end connection (load balancer to back-end instance). The first listener accepts HTTP requests on port 80 and sends the request to the back-end application instances on port 8080 using HTTP. The second listener accepts HTTPS requests on port 443 and sends the request to back-end application instances using HTTPS on port 443. You also need to specify the Availability Zone that you want to enable for your load balancer.

For detailed descriptions of the Elastic Load Balancing API operations, see Elastic Load Balancing API Reference.

To configure listeners for your load balancer

  1. Call the AWS Identity and Access Management UploadServerCertificate API with the following parameters:

    • ServerCertificateName = testCert

    • CertificateBody = <encoded certificate body>

    • PrivateKey = <encoded private key>

    • CertificateChain = <concatenation of the encoded public key certificates>

      Note

      CertificateChain is optional. If you are using CertificateChain, then you must order the certificates such that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.

    • Path = /

      Note

      Path is optional. If it is not included, the path defaults to /. For more information about paths, go to Identifiers for IAM Entities in Using AWS Identity and Access Management.

    The response includes the ARN of the server certificate. Use this value for the SSLCertificateId parameter in the following call to CreateLoadBalancer.

  2. Call CreateLoadBalancer with the following parameters:

    • AvailabilityZones = us-east-1a

    • Listener

      • Protocol = HTTP

      • InstanceProtocol = HTTP

      • InstancePort = 8080

      • LoadBalancerPort = 80

    • Listener

      • Protocol = HTTPS

      • InstanceProtocol = HTTPS

      • InstancePort = 443

      • LoadBalancerPort = 443

      • SSLCertificateId = arn:aws:iam::55555555555:server-certificate/production/myCert

    • LoadBalancerName = MyLoadBalancer

    The operation returns the DNS name of your load balancer. You can then map any other domain name (such as www.example.com) to your load balancer’s DNS name using CNAME or some other technique.

Configuring SSL Ciphers

In this example, you create an SSL cipher policy to configure SSL ciphers for SSL negotiation when a connection is established between the client and your load balancer. The Elastic Load Balancing service defines a policy called SSLNegotiationPolicyType. You create your own SSL cipher policy MySSLNegotiationPolicy of the type SSLNegotiationPolicyType. After creating the SSL cipher policy, you enable the cipher settings by associating MySSLNegotiationPolicy with a listener.

To configure SSL Ciphers

  1. List all the policies associated with your load balancer by calling DescribeLoadBalancerPolicies with the following parameter:

    • LoadBalancerName = MyLoadBalancer

    The response includes the policy names and the attributes of all the policies associated with your load balancer. The attributes associated with SSLNegotiationPolicyType list the default cipher settings for your load balancer. Use the attributes in the following call to CreateLoadBalancerPolicy to configure your own cipher settings.

    Note

    For more information on the available ciphers, go to http://www.openssl.org/docs/apps/ciphers.html.

  2. Call CreateLoadBalancerPolicy with the following parameters:

    • PolicyName = MySSLNegotiationPolicy

    • PolicyTypeName = SSLNegotiationPolicyType

    • PolicyAttributes

      • AttributeName = Protocol-TLSv1

      • AttributeValue = true

    • LoadBalancerName = MyLoadBalancer

  3. Call SetLoadBalancerPoliciesOfListener with the following parameters:

    • LoadBalancerPort = 443

    • PolicyNames = MySSLNegotiationPolicy

    • LoadBalancerName = MyLoadBalancer

  4. View the details of MySSLNegotiationPolicy by calling DescribeLoadBalancerPolicies with the following parameters:

    • LoadBalancerName = MyLoadBalancer

    • PolicyNames = MySSLNegotiationPolicy

Configuring Back-end Server Authentication

In this example, you enable back-end server authentication. First you create a public key policy that uses a public key for authentication. You then use the public key policy to create a back-end server authentication policy. Finally, you enable the backend server authentication by setting the back-end server authentication policy with the back-end server port. In this example, the back-end server is listening with SSL/HTTPS protocol set to instance port 443.

The value of the public key policy is the public key of the certificate that the back-end servers will present to the load balancer. You can retrieve the public key using OpenSSL.

Note

To extract the public key from a PEM-encoded certificate, you can use the following command:

PROMPT> openssl x509 -inform pem -in <CERTIFICATE_FILE_NAME> -noout -pubkey

Remove the BEGIN and END lines from the output so that the output is similar to that described below.

To configure back-end server authentication

  1. Call CreateLoadBalancerPolicy with the following parameters:

    • PolicyName = MyPublicKeyPolicy

    • PolicyTypeName = PublicKeyPolicyType

    • PolicyAttributes

      • AttributeName = PublicKey

      • AttributeValue = MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjEXAMPLE

    • LoadBalancerName = MyLoadBalancer

  2. Call CreateLoadBalancerPolicy with the following parameters:

    • PolicyName = MyBackendServerAuthenticationPolicy

    • PolicyTypeName = BackendServerAuthenticationPolicyType

    • PolicyAttributes

      • AttributeName = PublicKeyPolicyName

      • AttributeValue = MyPublicKeyPolicy

    • LoadBalancerName = MyLoadBalancer

  3. Call SetLoadBalancerPoliciesForBackendServer with the following parameters:

    • LoadBalancerName = MyLoadBalancer

    • InstancePort = 443

    • PolicyNames = MyBackendServerAuthenticationPolicy

  4. To list all the policies associated with your load balancer, call DescribeLoadBalancerPolicies with the following parameters:

    • LoadBalancerName = MyLoadBalancer

  5. To view the details of MyBackendServerAuthenticationPolicy, call DescribeLoadBalancerPolicies with the following parameters:

    • LoadBalancerName = MyLoadBalancer

    • PolicyNames = MyBackendServerAuthenticationPolicy

Configuring Health Check Settings

In this example, you configure the health check settings for your back-end servers.

To configure health check settings

  • Call ConfigureHealthCheck with the following parameters:

    • LoadBalancerName = MyLoadBalancer

    • Target = http:8080/ping

      Note

      Make sure your instances respond to /ping on port 8080 with an HTTP 200 status code.

    • Interval = 30

    • Timeout = 3

    • HealthyThreshold = 2

    • UnhealthyThreshold = 2

Adding Amazon EC2 Instances

In this example, you register your newly created load balancer with your Amazon EC2 instances.

Important

You should only register instances that are in the Pending or Running state and are not in a Virtual Private Cloud (VPC). If you are using Elastic Load Balancing in a VPC, see How Do I Use Elastic Load Balancing in Amazon VPC.

To add Amazon EC2 instances

  • Call RegisterInstancesWithLoadBalancer with the following parameters:

    • LoadBalancerName = MyLoadBalancer

    • Instances = [ i-4f8cf126, i-0bb7ca62 ]

    Note

    To allow communication between Elastic Load Balancing and your back-end instances, create a security group ingress rule that applies to all of your back-end instances. The security group rule can either allow ingress traffic from all IP addresses (the 0.0.0.0/0 CIDR range) or allow ingress traffic only from Elastic Load Balancing. To ensure that your back-end EC2 instances can receive traffic only from Elastic Load Balancing, enable network ingress for the Elastic Load Balancing security group on all of your back-end EC2 instances. For more information, see Using Security Groups with Elastic Load Balancing.

Important

Elastic Load Balancing registers your load balancer with the instance using the IP addresses. When the instance is stopped and then restarted, the IP addresses associated with your instance change. Your load balancer cannot recognize the new IP address, which prevents it from routing traffic to your instances. We recommend you de-register your Amazon EC2 instances from your load balancer after you stop your instance, and then register the new instance ID with the load balancer after you restart your instance. For procedures associated with de-registering and then registering your instances with the load balancer, see De-Registering and Registering Amazon EC2 Instances.

Using the Command Line Interface

Configuring Listeners

In this example, you configure the listeners for your load balancer by specifying the ports and protocols to use for front-end connection (client to load balancer) and back-end connection (load balancer to back-end instance). The first listener accepts HTTP requests on port 80 and sends the request to the back-end application instances on port 8080 using HTTP. The second listener accepts HTTPS requests on port 443 and sends the request to back-end application instances using HTTPS on port 443. You also need to specify the Availability Zone that you want to enable for your load balancer.

For descriptions of all the Elastic Load Balancing commands, see Elastic Load Balancing Quick Reference Card.

To configure listeners for your load balancer

  1. Enter the command iam-servercertupload in verbose mode to upload your digitally signed certificate to the AWS IAM service.

    Note

    For information on how to create a signed certificate, go to Creating and Uploading Server Certificates in Using AWS Identity and Access Management.

    PROMPT> iam-servercertupload -b <encoded certificate body> -k <encoded private key> -s myCert [-c <concatenation of the encoded public key certificates>] -v

    Note

    -c is optional. If you are using -c, then you must order the certificates such that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.

    The response includes the server certificate Amazon Resource Name (ARN) and GUID.

    arn:aws:iam::55555555555:server-certificate/production/myCert
    ASCACexampleKEZUQ4K

  2. Copy the ARN for the next step.

  3. Enter the command elb-create-lb as in the following example.

    PROMPT> elb-create-lb MyLoadBalancer --headers \
        --listener "lb-port=80,instance-port=8080,protocol=http,instance-protocol=http" \
        --listener "lb-port=443,instance-port=443,protocol=https,instance-protocol=https,cert-id=arn:aws:iam::55555555555:server-certificate/production/myCert" \
        --availability-zones us-east-1a

    Elastic Load Balancing returns the following:

    DNS-NAME  DNS-NAME
    DNS-NAME  MyLoadBalancer-2111276808.us-east-1a.elb.amazonaws.com

Configuring SSL Ciphers

When you first create your ELB, it is created with a default set of SSL ciphers and protocols. You can create overrides to this default by specifying your own cipher policy.

In this example, you create an SSL cipher policy to configure SSL ciphers for SSL negotiation when a connection is established between the client and your load balancer. The Elastic Load Balancing service defines a policy called SSLNegotiationPolicyType. You create your own SSL cipher policy MySSLNegotiationPolicy of the type SSLNegotiationPolicyType. After creating the SSL cipher policy, you enable the cipher settings by associating MySSLNegotiationPolicy with a listener.

To configure SSL ciphers

  1. Enter the command elb-describe-lb-policies, as in the following example, to list all the policies associated with MyLoadBalancer.

    PROMPT>elb-describe-lb-policies MyLoadBalancer --headers

    Elastic Load Balancing returns the following:

    POLICY  NAME                     TYPE_NAME
    POLICY  MyAppStickinessPolicy    AppCookieStickinessPolicyType
    POLICY  MyLBStickinessPolicy     LBCookieStickinessPolicyType
    POLICY  MySSLNegotiationPolicy   SSLNegotiationPolicyType
    					

    The response includes the policy names of all the policies associated with your load balancer. We will be using SSLNegotiationPolicyType to create a new policy by changing the pre-defined cipher settings. For more information on all the available ciphers, go to http://www.openssl.org/docs/apps/ciphers.html.

  2. Enter the command elb-describe-lb-policy-types, as in the following example, to retrieve a list of available ciphers and policies associated with SSLNegotiationPolicyType.

    PROMPT>elb-describe-lb-policy-types SSLNegotiationPolicyType --show-long

    We will be changing the cipher settings and the protocols associated with SSLNegotiationPolicyType to create MySSLNegotiationPolicy.

  3. Enter the command elb-create-lb-policy, as in the following example, to create a new policy for your load balancer that accepts TLSv1 protocol, does not accept SSLv2 protocol, and accepts the cipher DHE-RSA-AES256-SHA. Protocol SSLv3 is still enabled, because that is part of the default policy.

    PROMPT>elb-create-lb-policy MyLoadBalancer --policy-name MySSLNegotiationPolicy --policy-type-name SSLNegotiationPolicyType --attribute "name=Protocol-TLSv1,value=true" --attribute "name=Protocol-SSLv2,value=false" --attribute "name=DHE-RSA-AES256-SHA,value=true"

  4. Enter the command elb-set-lb-policies-of-listener, as in the following example, to enable the cipher settings by associating MySSLNegotiationPolicy with a listener.

    PROMPT>elb-set-lb-policies-of-listener MyLoadBalancer --lb-port 443 --policy-names MySSLNegotiationPolicy

  5. Enter the command elb-describe-lb-policies, as in the following example, to view details of MySSLNegotiationPolicy.

    PROMPT>elb-describe-lb-policies MyLoadBalancer --policy-names MySSLNegotiationPolicy

    Following is the partial listing of the example response:

    POLICY,NAME,TYPE_NAME,POLICY_ATTRIBUTE_DESCRIPTIONS
    POLICY,MySSLNegotiationPolicy,SSLNegotiationPolicyType,"{name=Protocol-SSLv2,value=true},{name=EDH-DSS-DES-CBC3-SHA,value=false},{name=DHE-RSA-CAMELLIA128-SHA,value=false},{name=DES-CBC-MD5,value=false},{name=KRB5-RC4-SHA,value=false},{name=ADH-CAMELLIA128-SHA,value=false},{name=EXP-KRB5-RC4-MD5,value=false}
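The response in step 5 lists every protocol and cipher attribute with its value, so the policy can be checked mechanically before it is attached to a listener. The following added example (not part of the AWS guide or the ELB tools) reads that output and reports enabled attributes that are weak; the function names, the pattern list (based on OpenSSL cipher naming) and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the attribute list printed by elb-describe-lb-policies
# for a policy of type SSLNegotiationPolicyType.

# Constructed sample in the format of the partial listing shown above.
SAMPLE_RESPONSE='POLICY,NAME,TYPE_NAME,POLICY_ATTRIBUTE_DESCRIPTIONS
POLICY,MySSLNegotiationPolicy,SSLNegotiationPolicyType,"{name=Protocol-SSLv2,value=true},{name=Protocol-TLSv1,value=true},{name=DHE-RSA-AES256-SHA,value=true},{name=EDH-DSS-DES-CBC3-SHA,value=false},{name=EXP-KRB5-RC4-MD5,value=true},{name=ADH-CAMELLIA128-SHA,value=false}"'

# list_enabled: read the response on stdin and print the name of every
# attribute whose value is "true", one name per line.
list_enabled() {
  tr '{' '\n' | sed -n 's/^name=\([^,}]*\),value=true}.*$/\1/p'
}

# weak_reason NAME: print why an enabled attribute is a problem.
# Prints nothing for attributes that match none of the patterns.
weak_reason() {
  case "$1" in
    Protocol-SSLv2) echo "SSLv2 is prohibited (RFC 6176)" ;;
    Protocol-SSLv3) echo "SSLv3 is deprecated (RFC 7568)" ;;
    EXP-*)          echo "export-grade cipher with deliberately short keys" ;;
    ADH-*|AECDH-*)  echo "anonymous key exchange, server is not authenticated" ;;
    *NULL*)         echo "cipher suite without encryption" ;;
    *RC4*)          echo "RC4 keystream has known biases" ;;
    *DES-CBC3*)     echo "3DES uses a 64-bit block" ;;
    *DES-CBC*)      echo "single DES has a 56-bit key" ;;
  esac
}

# audit_ssl_policy: read the response on stdin, print one "name: reason" line
# per weak attribute that is enabled, and return 1 if there was at least one.
audit_ssl_policy() {
  weak=0
  for name in $(list_enabled); do
    reason=$(weak_reason "$name")
    if [ -n "$reason" ]; then
      printf '%s: %s\n' "$name" "$reason"
      weak=1
    fi
  done
  [ "$weak" -eq 0 ]
}

# Run against the constructed sample. With the real tool, pipe instead:
#   elb-describe-lb-policies MyLoadBalancer --policy-names MySSLNegotiationPolicy | audit_ssl_policy
printf '%s\n' "$SAMPLE_RESPONSE" | audit_ssl_policy || echo "policy needs changes before use"
```

Each reported attribute can be switched off with another `--attribute "name=<attribute>,value=false"` argument in step 3.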

Configuring Back-end Server Authentication

In this example, you enable the back-end server authentication by creating a public key policy that uses a public key for authentication. You then use the public key policy to create a back-end server authentication policy. Finally, you enable the backend server authentication by setting the back-end server authentication policy with the back-end server port. In this example, the back-end server is listening with SSL/HTTPS protocol set to instance port 443.

The value of the public key policy is the public key of the certificate that the back-end servers will present to the load balancer. You can retrieve the public key using OpenSSL.

To configure back-end server authentication

  1. Enter the command openssl x509 to retrieve the public key.

    openssl x509 -in PublicKey -pubkey -noout

  2. Enter the command elb-create-lb-policy, as in the following example, to create a public key policy.

    PROMPT>elb-create-lb-policy MyLoadBalancer --policy-name MyPublicKeyPolicy --policy-type-name PublicKeyPolicyType --attribute "name=PublicKey,value=MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6EXAMPLE"

    Note

    To specify a public key value for the attribute argument, remove the first and last lines of the public key (the line containing "-----BEGIN PUBLIC KEY-----" and the line containing "-----END PUBLIC KEY-----"). The CLI does not accept white space characters inside the value for the attribute argument.

  3. Enter the command elb-create-lb-policy, as in the following example, to create a back-end server authentication policy by referring to MyPublicKeyPolicy. You can refer to multiple public key policies. When multiple public key policies are used, the load balancer will try all the keys one by one for authentication. If one of the public keys matches the server certificate, authentication passes.

    PROMPT>elb-create-lb-policy MyLoadBalancer --policy-name MyBackendServerAuthenticationPolicy --policy-type-name BackendServerAuthenticationPolicyType --attribute "name=PublicKeyPolicyName,value=MyPublicKeyPolicy"

  4. Enter the command elb-set-lb-policies-for-backend, as in the following example, to set MyBackendServerAuthenticationPolicy to the back-end server port.

    PROMPT>elb-set-lb-policies-for-backend MyLoadBalancer --instance-port 443 --policy-names MyBackendServerAuthenticationPolicy

  5. Enter the command elb-describe-lb-policies, as in the following example, to list all the policies created for MyLoadBalancer.

    PROMPT>elb-describe-lb-policies MyLoadBalancer

  6. Enter the command elb-describe-lb-policies, as in the following example, to view details of MyBackendServerAuthenticationPolicy.

    PROMPT>elb-describe-lb-policies MyLoadBalancer --policy-names MyBackendServerAuthenticationPolicy
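Steps 1 and 2 above, and the matching PublicKey attribute in the Query API procedure, depend on turning the OpenSSL output into a single line with no BEGIN/END markers and no white space. The following added example (not part of the AWS guide or the ELB tools) does that conversion and rejects input that is not a public key block, such as a whole certificate pasted by mistake; the function name, the file name in the usage comment and the sample key are constructed placeholders.

```shell
#!/bin/sh
# Added example: prepare the value of the PublicKey attribute from the output
# of "openssl x509 -pubkey -noout".

# Constructed placeholder in PEM layout; the body is not a real key.
SAMPLE_PEM='-----BEGIN PUBLIC KEY-----
AAAAEXAMPLEKEYLINEONEAAAA
BBBBEXAMPLEKEYLINETWOBBBB
-----END PUBLIC KEY-----'

# pubkey_attribute_value: read a PEM public key on stdin and print its body as
# one line. Returns 1 without printing a value when the input is not exactly
# one "PUBLIC KEY" block or when the body holds anything other than base64.
pubkey_attribute_value() {
  # Drop carriage returns so files saved with CRLF line endings also work.
  pem=$(tr -d '\r')

  begin=$(printf '%s\n' "$pem" | grep -c '^-----BEGIN PUBLIC KEY-----$' || true)
  end=$(printf '%s\n' "$pem" | grep -c '^-----END PUBLIC KEY-----$' || true)
  if [ "$begin" -ne 1 ] || [ "$end" -ne 1 ]; then
    echo "expected exactly one PUBLIC KEY block (is this a certificate?)" >&2
    return 1
  fi

  # Remove the marker lines, then every space, tab and newline.
  value=$(printf '%s\n' "$pem" | sed '/^-----/d' | tr -d ' \t\n')

  case "$value" in
    ""|*[!A-Za-z0-9+/=]*)
      echo "key body is empty or contains non-base64 characters" >&2
      return 1
      ;;
  esac
  printf '%s\n' "$value"
}

# Usage with the commands from this procedure (backend-cert.pem is a placeholder):
#   key=$(openssl x509 -inform pem -in backend-cert.pem -noout -pubkey | pubkey_attribute_value) &&
#   elb-create-lb-policy MyLoadBalancer --policy-name MyPublicKeyPolicy \
#     --policy-type-name PublicKeyPolicyType --attribute "name=PublicKey,value=$key"

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_PEM" | pubkey_attribute_value
```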

Configuring Health Check Settings

In this example, you configure the health check settings for your back-end servers.

  • To configure health check settings for your back-end server

    Enter the command elb-configure-healthcheck as in the following example.

    PROMPT> elb-configure-healthcheck  MyLoadBalancer  --headers --target "HTTP:8080/ping" --interval 30 --timeout 3 --unhealthy-threshold 2 --healthy-threshold 2

    Elastic Load Balancing returns the following:

    HEALTH-CHECK  TARGET          INTERVAL  TIMEOUT  HEALTHY-THRESHOLD  UNHEALTHY-THRESHOLD
    HEALTH-CHECK  HTTP:8080/ping  30        3        2                  2

Adding Amazon EC2 Instances

In this example, you register your newly created load balancer with your Amazon EC2 instances.

Important

You should only register instances that are in the Pending or Running state and are not in a Virtual Private Cloud (VPC). If you are using Elastic Load Balancing in a VPC, see How Do I Use Elastic Load Balancing in Amazon VPC.

  • To add Amazon EC2 instances

    Use the elb-register-instances-with-lb command as in the following example.

    PROMPT> elb-register-instances-with-lb  MyLoadBalancer  --headers --instances i-4f8cf126,i-0bb7ca62

    Elastic Load Balancing returns the following:

    INSTANCE  INSTANCE-ID
    INSTANCE  i-4f8cf126
    INSTANCE  i-0bb7ca62

Important

Elastic Load Balancing registers your load balancer with the instance using the IP addresses. When the instance is stopped and then restarted, the IP addresses associated with your instance change. Your load balancer cannot recognize the new IP address, which prevents it from routing traffic to your instances. We recommend you de-register your Amazon EC2 instances from your load balancer after you stop your instance, and then register the new instance ID with the load balancer after you restart your instance. For procedures associated with de-registering and then registering your instances with the load balancer, see De-Registering and Registering Amazon EC2 Instances.