Configure

Learn about the configuration steps needed to use X.509 certificates on a load balancer placed in front of the VMware environment.

Perform the following activities.

  1. Create certificates.
  2. Connect the SDDC workload to the OCI load balancer (LBaaS).
  3. Use the certificates in OCI LBaaS.

Create a Dynamic Group

A dynamic group is created so that the OCI Certificates service (the certificate management solution), acting on behalf of the certificate authority resource, can access keys in OCI Vault.

  1. In the OCI console, click the menu, then Identity & Security.
  2. Under Identity, click Domains.
  3. Click the Default link.
  4. In the left menu, click Dynamic groups.
  5. Click the Create dynamic group button.
  6. In the Name field, enter Dynamic-group-cert-authority.
  7. In the Rule 1 field, enter resource.type = 'certificateauthority'.
  8. Click the Create button.
The Dynamic-group-cert-authority group is created.

Create a Policy

The policy lets the dynamic group use keys in the vault, which is what the Certificates service needs in order to create a certificate authority. Optionally, it can also let a group of users manage OCI Certificates.

A policy can contain several statements; depending on the design, they can all go in one policy or be split across several. This policy has two parts: statements that entitle the Certificates service (through the dynamic group) to use the key and to write objects in the compartment (where certificate revocation lists are published), and statements that let a user group manage OCI Certificates.
  1. In the OCI console, click the menu, then Identity & Security.
  2. Under Identity, click Policies.
  3. Click the Create Policy button.
  4. In the Name field, enter Cert-Auth-Ocvs.
  5. In the Description field, enter OCVS.
  6. Click the Show manual editor toggle.
  7. In the Policy Builder field, enter:
    Allow dynamic-group Dynamic-group-cert-authority to use keys in compartment Ocvs
    Allow dynamic-group Dynamic-group-cert-authority to manage objects in compartment Ocvs
    Allow group <groupName of certAdmins> to manage certificate-authority-family in compartment Ocvs
    Allow group <groupName of certAdmins> to read keys in compartment Ocvs
    Allow group <groupName of certAdmins> to use key-delegate in compartment Ocvs
    Allow group <groupName of certAdmins> to read buckets in compartment Ocvs
    Allow group <groupName of certAdmins> to read vaults in compartment Ocvs
  8. Click Create.
    The Cert-Auth-Ocvs policy is created.

Create a Vault

Once the policies are defined, a private certificate authority can be created; it will use a key stored in OCI Vault.

If you already have a vault, you can skip these steps and continue to the next section.
  1. In the OCI console, click the menu, then Identity & Security.
  2. Under Key Management & Secret Management, click Vault.
  3. Click the Create Vault button.
  4. In the Create in Compartment field, ensure Ocvs is selected.
  5. In the Name field, enter WebCert.
  6. Click the Create Vault button.
    The WebCert vault is created.

Create a Master Key and an Encryption Key

The master key, which becomes the private key of the certificate authority, is created here. OCI Certificates can use a key only if it is HSM-protected; software-protected keys in OCI Vault cannot be selected, so keep HSM as the Protection Mode in the steps below.

The WebCert vault has to have been created and its State must be Active before following these steps.
  1. In the OCI console, click the menu, then Identity & Security, then Vault under Key Management & Secret Management.

    Note:

    If you're following along from the previous task, you should already see the Vault screen.
  2. Click the WebCert link.
  3. Click the Create Key button.
  4. Under Protection Mode, ensure HSM is selected.
  5. In the Name field, enter OCVS.
  6. Under Key Shape: Algorithm, select RSA.
  7. Click the Create Key button.
The OCVS master encryption key, which will serve as the certificate authority's private key, is created.

Create a Certificate Authority

Once the vault exists and holds the key, the private certificate authority can be created. If creation fails, check that the policies are correct and that the service limit for certificate authorities has not been exceeded.

  1. In the OCI console, click the menu, then Identity & Security.
  2. Under Certificates, click Certificate Authorities.
  3. Click the Create Certificate Authority button.
  4. In the Name field, enter OCVS.
  5. Click the Next button.
  6. In the Common Name field, enter ocvs.local.
  7. Click the Next button, then Next, then Next again.
  8. On the Revocation Configuration page, enable Skip Revocation. With revocation skipped, the CA publishes no certificate revocation list (CRL), so relying parties have no way to learn that a certificate issued by this CA has been revoked; this is acceptable for this walkthrough but not for a production CA.
  9. Click the Next button.
  10. Review the summary, then click the Create Certificate Authority button.
  11. Click the Close link.
The OCVS certificate authority is created.

Note:

OCI Certificates provides organizations with certificate issuance, storage, and management capabilities. See Explore More to learn how to manage your certificates.

Issue a Certificate

Issue a TLS server certificate from the private CA. The load balancer will present it to clients to prove its identity and to protect the connection.

  1. In the OCI console, click the menu, then Certificate Authorities under Certificates.

    Note:

    If you're following along from the previous task, you should already see the Certificate Authorities screen.
  2. Click the OCVS link.
  3. Click the Issue Certificate button.
  4. In the Name field, enter ocvssecurity.
  5. Click the Next button.
  6. In the Common Name field, enter ocvs.local.
  7. Click the Next button.
  8. Under Certificate Profile Type, select TLS Server.
  9. Under Not Valid After, click the calendar button, and select a date.
  10. Click the Next button, then Next again.
  11. Click the Create Certificate button.
The OCVS certificate is created.

Configure Connectivity to VCN Resources

Enable communication between the NSX segment where the web servers are deployed and the OCI public subnet where the load balancer will be deployed in the next step.

  1. In the OCI console, click the menu, then Hybrid.
  2. Under VMware Solution, click Software-Defined Data Centers.
  3. Click the Configure connectivity to VCN resources button.
  4. In the SDDC workload CIDR field, enter the CIDR of the NSX segment where the web servers are deployed (for example, 192.168.10.0/24).
  5. Click the Add subnets button.
  6. Click the checkbox beside the Public subnet.
  7. Click the Add subnets button.
  8. Click the Next button.
The connectivity to VCN resources is configured.

Create and Deploy a Load Balancer

Create an OCI load balancer that resides in front of the OCVS infrastructure.

  1. In the OCI console, click the menu, then Networking.
  2. Under Load balancers, click Load balancer.
  3. Click the Create load balancer button.
  4. Under Virtual cloud network in Ocvs, select OCVS-INTEL-VCN.
  5. Under Subnet in Ocvs, select Public (regional).
  6. Click the Next button, then Next again.

    Note:

    Backends will be added later.
  7. Under Certificate in Ocvs, select ocvssecurity.
  8. Click the Next button.
  9. Under Log group, select the log group indicated or one that has already been created.

    Note:

    A log group is required to store the log files.
  10. Click the Submit button.
  11. Click the Go to smart check button.

    Note:

    The smart check warning appears because we previously skipped adding the backend.
  12. In the lower left corner, under Resources, click the Backend sets link.
  13. Under Backend sets, click the backend set's link (for example, bs_lb_2023-1003-1521).

    Note:

    The load balancer must be fully created and its State must be Active before the backend set can be edited.
  14. Under Resources, click the Backends link.
  15. Click the Add backends button.
  16. Click the IP addresses radio button.
  17. In the IP address field, enter the IP address of the first Ubuntu web server.
  18. Click the Additional backend button and enter the IP address of each further web server you're adding.
  19. Click the Add button.
  20. Click the Close button.
The web servers running on OCVS are registered as backends of the load balancer.

Check the Configuration

Check the supporting infrastructure.

  1. In the OCI console, click the menu, then Networking.
  2. Under Load balancers, click Load balancer.
  3. Under IP address, copy the public IP address of the load balancer.
  4. Open a new browser tab, then go to the URL https:// followed by the copied IP address.
The welcome page of the installed web servers appears. Expect a certificate warning in the browser: the certificate was issued by the private OCVS CA, which the browser does not trust, and it was issued for ocvs.local, not for the IP address. Accepting the warning is fine for this check; to see the chain validate cleanly, import the OCVS CA certificate into the browser's trust store and resolve the name ocvs.local to the load balancer's IP address. If you encounter other problems, try the following:
  • Check that the internet gateway is attached to the VCN and enabled.
  • Check that the public subnet's route table has a route to the internet gateway.
  • Check that the security lists and network security groups allow the required protocols: HTTPS (TCP 443) from the internet to the load balancer, and the backend port from the load balancer's subnet to the web servers on the NSX segment.
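The certificate chain built in Issue a Certificate and the browser check in Check the Configuration, reproduced locally in Go. This is an added example, not code from this tutorial or from Oracle: it generates a private root CA and a TLS server certificate for ocvs.local with the same names the console wizards use (the key size, the validity period and the "Welcome to nginx!" page are constructed assumptions), starts a local TLS server as a stand-in for the OCI load balancer, and connects to it three ways. The three results show why a browser given https://<IP> warns, and what a client must do (trust the OCVS CA and verify the name ocvs.local) for the chain to validate.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

const (
	serverName = "ocvs.local"        // Common Name entered in both console wizards
	welcome    = "Welcome to nginx!" // constructed stand-in for the web servers' welcome page
)

// must panics on errors that only a broken crypto library would produce.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// PKI is what the tutorial creates in OCI Certificates: the root CA "OCVS" and the leaf "ocvssecurity" for ocvs.local.
type PKI struct {
	CAPool    *x509.CertPool  // what a client must trust to accept the chain
	ServerTLS tls.Certificate // leaf certificate and key, as the load balancer holds them
}

// BuildPKI generates the CA and issues the leaf; key size (2048-bit RSA) and validity (24 h) are demo assumptions.
func BuildPKI() *PKI {
	now := time.Now()
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: serverName, Organization: []string{"OCVS"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))))
	leafKey := must(rsa.GenerateKey(rand.Reader, 2048))
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName}, // browsers match the SAN, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour), // the wizard's "Not Valid After" date
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // "TLS Server" profile
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey))
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &PKI{CAPool: pool, ServerTLS: tls.Certificate{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}
}

// Probe reproduces the final check: a local TLS server standing in for the load
// balancer presents the leaf, and the client connects to it by IP address. expectedName
// is the hostname the client verifies; "" means the IP in the URL, as a browser given https://<ip> checks.
func Probe(p *PKI, trustPrivateCA bool, expectedName string) error {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, welcome)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{p.ServerTLS}}
	srv.StartTLS() // serves https://127.0.0.1:<port>
	defer srv.Close()
	cfg := &tls.Config{ServerName: expectedName}
	if trustPrivateCA {
		cfg.RootCAs = p.CAPool // otherwise only the system roots are consulted
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return err // chain or hostname verification failed
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || string(body) != welcome {
		return fmt.Errorf("unexpected page %q: %v", body, err)
	}
	return nil
}

func main() {
	p := BuildPKI()
	fmt.Println("trusted CA, name ocvs.local:", Probe(p, true, serverName))
	fmt.Println("trusted CA, by IP address:  ", Probe(p, true, ""))
	fmt.Println("system roots, ocvs.local:   ", Probe(p, false, serverName))
}
```

Only the first probe succeeds. The second fails because the certificate carries a DNS name, not an IP address, which is exactly the warning a browser shows for https://<load balancer IP>; the third fails because the private OCVS CA is not among the system roots. The same two conditions, trusting the CA and connecting under the name ocvs.local, are what make the real load balancer's certificate validate.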