Configure
Learn about the configuration steps needed to use X.509 certificates on an OCI load balancer placed in front of the VMware environment.
Perform the following activities.
- Create certificates.
- Connect SDDC workload with LBaaS.
- Use the certificates in OCI LBaaS.
Create a Dynamic Group
A dynamic group that matches certificate authority resources is created so that OCI Certificates (the certificate management service) can use the signing key stored in OCI Vault on the certificate authority's behalf.
- In the OCI console, click the menu, then Identity & Security.
- Under Identity, click Domains.
- Click the Default link.
- In the left menu, click Dynamic groups.
- Click the Create dynamic group button.
- In the Name field, enter Dynamic-group-cert-authority.
- In the Rule 1 field, enter resource.type = 'certificateauthority' as the matching rule.
- Click the Create button.
Create a Policy
The policy allows the dynamic group to use keys in the vault, which the service needs in order to create a certificate authority backed by that key. Optionally, a further statement can allow a group of users to manage OCI Certificates resources.
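The statements below are an added example of the policy this step describes; they are not taken from the tutorial. The dynamic group name is the one created in the previous step. The compartment name Ocvs, the user group name CertificateAdmins and the key OCID placeholder are assumptions.

```text
Allow dynamic-group Dynamic-group-cert-authority to use keys in compartment Ocvs
Allow dynamic-group Dynamic-group-cert-authority to manage objects in compartment Ocvs
Allow group CertificateAdmins to manage certificate-authority-family in compartment Ocvs
Allow group CertificateAdmins to manage certificate-family in compartment Ocvs
```

The first statement is the one the certificate authority actually needs. For least privilege it can be pinned to the single CA key instead of every key in the compartment by appending a condition, for example `where target.key.id = '<ocid-of-the-OCVS-key>'` (OCID assumed). The `manage objects` grant is only required when the CA publishes certificate revocation lists to Object Storage; it is not needed when Skip Revocation is enabled, as it is later in this tutorial. The two `CertificateAdmins` statements are the optional user-group grants mentioned above.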
Create a Vault
Once the policies are defined, create a vault (named WebCert in the steps that follow) to hold the key that the private certificate authority will use.
Create a Master Key and an Encryption Key
The master key, which becomes the private key of the certificate authority, is created in the WebCert vault. OCI Certificates accepts only keys with HSM protection; a key created in the software protection mode of OCI Vault cannot back a certificate authority.
- In the OCI console, click the menu, then Key Management & Secret Management.
Note:
If you're following along from the previous task, you should already see the Vault screen.
- Click the WebCert link.
- Click the Create Key button.
- Under Protection Mode, ensure HSM is selected.
- In the Name field, enter OCVS.
- Under Key Shape: Algorithm, select RSA.
- Click the Create Key button.
Create a Certificate Authority
Once the vault is created and stores the key, the private certificate authority can be created. If this step fails, check the policies from the earlier step and the service limits for certificate authorities.
- In the OCI console, click the menu, then Identity & Security.
- Under Certificates, click Certificate Authorities.
- Click the Create Certificate Authority button.
- In the Name field, enter OCVS.
- Click the Next button.
- In the Common Name field, enter ocvs.local.
- Click the Next button, then Next, then Next again.
- On the Revocation Configuration page, enable Skip Revocation.
Note:
With revocation skipped, the CA publishes no certificate revocation list, so a certificate it issues cannot be marked as revoked later. That is acceptable for this lab, but not for a production CA.
- Click the Next button.
- Review the summary, then click the Create Certificate Authority button.
- Click the Close link.
Note:
OCI Certificates provides organizations with certificate issuance, storage, and management capabilities. See Explore More to learn how to manage your certificates.
Issue a Certificate
Issue a TLS server certificate from the private CA. The load balancer will present it to clients to prove its identity and to protect the connection.
- In the OCI console, click the menu, then Certificate Authorities under Certificates.
Note:
If you're following along from the previous task, you should already see the Certificate Authorities screen.
- Click the OCVS link.
- Click the Issue Certificate button.
- In the Name field, enter ocvssecurity.
- Click the Next button.
- In the Common Name field, enter ocvs.local. This is the name clients must use to reach the load balancer; a certificate whose name does not match the URL fails hostname verification.
- Click the Next button.
- Under Certificate Profile Type, select TLS Server.
- Under Not Valid After, click the calendar button, and select a date.
- Click the Next button, then Next again.
- Click the Create Certificate button.
Configure Connectivity to VCN Resources
Enable communication between the NSX segment where the web servers are deployed and the OCI public subnet where the load balancer will be deployed in the next step.
- In the OCI console, click the menu, then Hybrid.
- Under VMware Solution, click Software-Defined Data Centers.
- Click the Configure connectivity to VCN resources button.
- In the SDDC workload CIDR field, enter the web server's NSX segment IP address (for example, 192.168.10.0/24).
- Click the Add subnets button.
- Click the checkbox beside the Public subnet.
- Click the Add subnets button.
- Click the Next button.
Create and Deploy a Load Balancer
Create an OCI load balancer that sits in front of the OCVS infrastructure.
- In the OCI console, click the menu, then Networking.
- Under Load balancers, click Load balancer.
- Click the Create load balancer button.
- Under Virtual cloud network in Ocvs, select OCVS-INTEL-VCN.
- Under Subnet in Ocvs, select Public (regional).
- Click the Next button, then Next again.
Note:
Backends will be added later.
- Under Certificate in Ocvs, select ocvssecurity. This certificate is applied to the client-facing listener; it does not by itself encrypt traffic between the load balancer and the web servers.
- Click the Next button.
- Under Log group, select the log group indicated or one that has already been created.
Note:
A log group is required to store the log files.
- Click the Submit button.
- Click the Go to smart check button.
Note:
The smart check warning appears because the backend was skipped earlier. The load balancer must be created and its State set to Active before backends can be added.
- In the lower left corner, under Resources, click the Backend sets link.
- Under Backend sets, click the backend set's link (for example, bs_lb_2023-1003-1521).
- Under Resources, click the Backends link.
- Click the Add backends button.
- Click the IP addresses radio button.
- In the IP address field, enter the IP address of one of the Ubuntu web servers.
- Click the Additional backend button and enter the IP address of each further web server you are adding.
- Click the Add button.
- Click the Close button.
Check the Configuration
Check the supporting infrastructure and the TLS configuration.
- In the OCI console, click the menu, then Networking.
- Under Load balancers, click Load balancer.
- Under IP address, copy the public IP address of the load balancer.
- Open a new browser tab, then go to the URL https:// followed by the copied IP address.
Note:
Expect a browser warning at this point: the certificate was issued by the private OCVS CA, which the browser does not trust, and its common name ocvs.local does not match the IP address in the URL. For a clean check, import the CA certificate into the client's trust store and resolve ocvs.local to the load balancer IP (for example, with a hosts file entry) rather than disabling certificate validation.
If the page does not load at all, work through the network path:
- Check that the internet gateway is attached to the VCN and working.
- Check that the route table of the public subnet sends 0.0.0.0/0 to the internet gateway.
- Check that the security lists and network security groups allow the required protocols: TCP 443 from the internet to the load balancer, and the backend port from the load balancer's subnet to the web servers' NSX segment.
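To turn the browser check above into a repeatable test, here is an added example in Python (not part of the Oracle tutorial). It connects to the load balancer IP with the private OCVS CA as the only trust anchor, verifies the name ocvs.local rather than the IP, and maps each failure to the layer listed above (CA trust, hostname, TLS handshake, or TCP reachability). The load balancer IP 203.0.113.10 and the CA file name ocvs-ca.pem are placeholders, and SAMPLE_CERT is a constructed stand-in for what ssl.SSLSocket.getpeercert() returns, used only for the offline hostname check.

```python
"""Verify the TLS endpoint of the OCI load balancer in front of OCVS.

Added example; not from the Oracle tutorial. Assumes the OCVS CA certificate
has been downloaded to a PEM file (path is a placeholder) and that the issued
certificate carries the common name ocvs.local.
"""
import socket
import ssl

EXPECTED_NAME = "ocvs.local"  # common name used when the certificate was issued


def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def name_matches(pattern, hostname):
    """Match one certificate name; a leading '*' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def cert_matches_hostname(cert, hostname):
    """True if the peer certificate (getpeercert() dict) covers hostname.
    IP-address SANs are deliberately not handled: the tutorial's certificate
    names ocvs.local, so a check against the load balancer IP must fail."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def classify(exc):
    """Map an exception from check_endpoint() to the layer to inspect.
    Order matters: SSLCertVerificationError, SSLError and FileNotFoundError
    are all OSError subclasses."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "hostname" in str(exc).lower():
            return "hostname mismatch: the certificate names ocvs.local; connect with that name, not the IP"
        return "chain not trusted: pass the OCVS CA certificate as cafile"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: check the listener certificate and protocol settings"
    if isinstance(exc, FileNotFoundError):
        return "CA file not found: download the OCVS CA certificate first"
    if isinstance(exc, OSError):
        return "no TCP connectivity: check internet gateway, route table and security rules for 443"
    return "unexpected error: " + repr(exc)


def check_endpoint(lb_ip, cafile, hostname=EXPECTED_NAME, port=443, timeout=5.0):
    """Connect to the load balancer, verify chain and name, return the peer cert."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and check_hostname=True
    # Do not "fix" the browser warning by setting check_hostname=False or
    # verify_mode=CERT_NONE: that disables exactly the verification being tested.
    with socket.create_connection((lb_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            if not cert_matches_hostname(cert, hostname):
                raise ssl.SSLCertVerificationError("Hostname mismatch for %r" % hostname)
            return cert


def diagnose(lb_ip, cafile, hostname=EXPECTED_NAME):
    """One-line verdict suitable for a smoke test once the load balancer is Active."""
    try:
        cert = check_endpoint(lb_ip, cafile, hostname)
    except Exception as exc:  # every failure is turned into advice for the operator
        return classify(exc)
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    return "OK: issued by %s, valid until %s" % (issuer.get("commonName"), cert["notAfter"])


# Constructed stand-in for ssl.SSLSocket.getpeercert() output (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "ocvs.local"),),),
    "issuer": ((("commonName", "OCVS"),),),
    "subjectAltName": (("DNS", "ocvs.local"),),
    "notAfter": "Oct  3 15:21:00 2024 GMT",
}

if __name__ == "__main__":
    print(diagnose("203.0.113.10", "ocvs-ca.pem"))  # placeholder IP and CA file
```

Run it with the real load balancer IP and the downloaded CA file once the load balancer is Active. A "no TCP connectivity" verdict points at the internet gateway, route table or security rules; "chain not trusted" means the CA file is wrong or missing; "hostname mismatch" is what you get when the certificate is verified against the IP instead of ocvs.local.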