SafeNet Application Gateway for Amazon Elastic Beanstalk
SafeNet Application Gateway for Amazon Elastic Beanstalk is designed to integrate STA with non-standard applications, that is, applications that do not communicate through standard protocols such as SAML 2.0 or OIDC.
Amazon Elastic Beanstalk is an AWS managed Platform as a Service (PaaS), which allows users to directly use a pre-configured server for their web applications. Instead of infrastructure management, Amazon Elastic Beanstalk helps in simplifying the process of deploying and managing web applications and allows developers to focus on their code and business logic.
Deploying SafeNet Application Gateway on Amazon Elastic Beanstalk makes the adoption of the solution easier and quicker. It reduces the overhead of managing the deployment locally, thus being convenient and reliable.
Users can bring the built-in features of STA, such as Two-Factor Authentication (2FA), adaptive access, and SSO, to their native application platforms.
There are two ways to configure SafeNet Application Gateway with Amazon Elastic Beanstalk:
- Configure the application for a single instance of SafeNet Application Gateway
- Configure SafeNet Application Gateway as a high-availability pair to mitigate the failure points
Prerequisites: SafeNet Application Gateway for Amazon Elastic Beanstalk
Before you start the configuration to deploy SafeNet Application Gateway on Amazon Elastic Beanstalk, ensure the following:
- You have an active Amazon Web Services (AWS) account with Amazon Elastic Beanstalk enabled on it.
- You have downloaded the docker-compose.yml file from the Thales Group GitHub account and saved it on your local machine.
Single Instance of SafeNet Application Gateway
Perform the following steps to create and configure the application for a single instance of SafeNet Application Gateway on Amazon Elastic Beanstalk:
Update docker-compose.yml for a single instance
Update the docker-compose.yml file that you downloaded as a prerequisite, as per your preferred configuration.
You can modify the following fields:
- container_name
  Default value: application-gateway
- ADMIN_CONSOLE_USER
  Default value: admin
- ADMIN_CONSOLE_PASSWORD
  Default value: admin
- ENABLE_SSL
  Default value: true
- Default port mappings:
  - 443:9443: Serves requests from users and proxies the connection to internal services.
  - 8443:8443: Used for administrator tasks, for example, configuring SafeNet Application Gateway. Port 8443 does not need to remain publicly exposed: allow traffic to it only from authorized networks that need access to the SafeNet Application Gateway admin console. You can disable it in the AWS security groups after completing the necessary configuration in the SafeNet Application Gateway admin console.
Configure a single instance
Perform the following steps to configure the application for a single instance of SafeNet Application Gateway on Amazon Elastic Beanstalk:
- On the Amazon Elastic File System (EFS) console, in the right pane, under Amazon Elastic Beanstalk, click Create Application.
- On the Configure environment window, under Environment tier, select Web server environment.
- Under Application information, in the Application name field, enter a name for the application (for example, application-gateway).
- (Optional) Under Application tags, click Add tag or Remove tag to add or remove the tags according to your preferred configuration.
- Under Environment information, in the Environment name field, change the name (for example, appgateway-env), and then enter a domain name that is available for your application.
- Under Platform, perform the following steps:
  - Under Platform type, select Managed platform.
  - In the Platform field, select Docker.
  - In the Platform branch field, select Docker running on 64bit Amazon Linux 2.
  - In the Platform version field, select the latest version of Docker. For example, 3.5.8 (Recommended).
- Under Application code, select Upload your code.
- Under Version label, add a unique name for the version of your application code.
- Under Source code origin, select Local file, select Choose file to search, and then select the docker-compose.yml file that you downloaded.
- Under Presets, select Single instance (Free Tier eligible), and then select Next.
- On the Configure service access window, keep the default settings for Service role, EC2 key pair, and EC2 instance profile. Select Next.
- (Optional) On the Set up networking, database, and tags window, configure as required and then select Next.
- (Optional) On the Configure instance traffic and scaling window, configure as required and then select Next.
- (Optional) On the Configure updates, monitoring and logging window, configure as required and then select Next.
- On the Review window, review the configurations and select Submit.
SafeNet Application Gateway as a high availability pair
The SafeNet Application Gateway also works in high availability mode to mitigate the failure points. Perform the following steps to configure a high availability pair of SafeNet Application Gateway:
Update docker-compose.yml for high availability mode
- Update the docker-compose.yml file that you downloaded as a prerequisite, as per your preferred configuration. You can modify the following fields:
  - container_name
    Default value: application-gateway
  - ADMIN_CONSOLE_USER
    Default value: admin
  - ADMIN_CONSOLE_PASSWORD
    Default value: admin
  - ENABLE_SSL
    Default value: false
  - Default port mappings:
    - 8080:8080: Serves requests from users and proxies the connection to internal services.
    - 7443:7443: Used for administrator tasks, for example, configuring SafeNet Application Gateway. Port 7443 does not need to remain publicly exposed: allow traffic to it only from authorized networks that need access to the SafeNet Application Gateway admin console. You can disable it in the AWS security groups after completing the necessary configuration in the SafeNet Application Gateway admin console.
  Note
  In the docker-compose.yml file, you need to:
  - Uncomment port 7443
  - Comment port 8443
  - Uncomment the volumes tag as shown below:
- Download the Beanstalk_Package.zip package.
- Copy the updated docker-compose.yml file and paste it in the Beanstalk_Package.zip package that you downloaded.
Create an EFS file system in AWS
Perform the following steps to create an Amazon Elastic File System (EFS) in the Amazon Elastic File System service in AWS:
- Log in to the Amazon EFS console using the login URL, for example, https://us-east-1.console.aws.amazon.com/efs/home.
- Click Create file system on the Amazon Elastic File System home page.
- On the Create file system window, in the Name - optional field, enter a name for your file system (for example, EFS_ApplicationGateway).
- From the Virtual Private Cloud (VPC) drop-down list, select the VPC, and then click Create.
  Note
  Ensure that you select the VPC that was created for the EC2 instances while deploying the Application Gateway on the Beanstalk service. It is advisable to first create a custom VPC and then select it in the above step.
- After the file system is created, copy the File system ID from the File systems window and paste it in a text editor. You will need this ID later.
- Open the Beanstalk_Package.zip package that you downloaded in Update docker-compose.yml for high availability mode.
- Navigate to the .ebextensions folder and open the mount.config file.
- Under option_settings, in the FILE_SYSTEM_ID field, paste the File system ID that you copied, and then save the file.
- Ensure that the security group assigned to the EFS mount target has an inbound rule allowing NFS traffic on port 2049 from the security group associated with the Elastic Beanstalk EC2 instances. It is advisable to first create a custom security group and then select it in the step below.
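The script below is an added example, not part of the Thales documentation or the gateway's code. It audits the two security groups this deployment relies on, the Beanstalk instance group (admin port 8443 for a single instance, 7443 for the high availability pair, which should not be reachable from the whole internet) and the EFS mount-target group (NFS on 2049 should be admitted only from the instance group). The input has the shape of `aws ec2 describe-security-groups` output; the group IDs and rules in the sample are constructed, not taken from a real account.

```python
ADMIN_PORTS = {8443, 7443}  # admin console: 8443 single instance, 7443 HA pair
NFS_PORT = 2049  # EFS mount target
ANY_CIDRS = {"0.0.0.0/0", "::/0"}

def _covers(rule, port):
    """True if one IpPermissions entry admits TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols and ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)

def _is_public(rule):
    """True if the entry's source includes the whole IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANY_CIDRS for c in cidrs)

def audit(groups, beanstalk_sg_id, efs_sg_id):
    """Return findings as strings; an empty list means the groups follow the guide."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []
    # 1. Admin ports on the Beanstalk instance group must not be world-reachable.
    for rule in by_id[beanstalk_sg_id].get("IpPermissions", []):
        for port in sorted(ADMIN_PORTS):
            if _covers(rule, port) and _is_public(rule):
                findings.append(f"{beanstalk_sg_id}: admin port {port} is open to the internet")
    # 2. The EFS group must admit NFS from the instance group, and not from everywhere.
    nfs_from_beanstalk = False
    for rule in by_id[efs_sg_id].get("IpPermissions", []):
        if not _covers(rule, NFS_PORT):
            continue
        if _is_public(rule):
            findings.append(f"{efs_sg_id}: NFS port {NFS_PORT} is open to the internet")
        if any(p.get("GroupId") == beanstalk_sg_id for p in rule.get("UserIdGroupPairs", [])):
            nfs_from_beanstalk = True
    if not nfs_from_beanstalk:
        findings.append(f"{efs_sg_id}: no NFS ({NFS_PORT}) rule from {beanstalk_sg_id}")
    return findings

# Constructed sample (not a real account): 7443 leaks to the world, EFS rule missing.
SAMPLE_GROUPS = [
    {"GroupId": "sg-beanstalk-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 7443, "ToPort": 7443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-efs-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
```

Calling `audit(SAMPLE_GROUPS, "sg-beanstalk-example", "sg-efs-example")` reports both defects; feed it the JSON from your own account to confirm the rules before you create the environment.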
Add an SSL Certificate in AWS Certificate Manager (ACM)
Perform the following steps:
- Obtain the following for HTTPS traffic in the Application Gateway deployment:
  - SSL certificate
  - Certificate's Private Key
  - PEM-encoded certificate chain (optional)
  You can use a self-signed certificate or a certificate generated by a public CA or AWS ACM.
- Open the SSL certificate and Private Key that you obtained in a text editor and copy the entire text. You will need this later.
- Log in to the ACM console.
- On the ACM console, in the left pane, click Import certificate.
- In the right pane, under Input certificate details, perform the following steps:
  - In the Certificate body field, paste the PEM-encoded certificate that you copied. It should begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
  - In the Certificate private key field, paste the unencrypted private key that you copied. It should begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----.
  - (Optional) In the Certificate chain field, paste the PEM-encoded certificate chain that you copied.
  - Click Next.
- (Optional) Under Add Tags, click Add tag to add the tags, and then click Next.
- Under Review and import, under Step 1: Certificate details, verify the certificate details. The certificate details must include the following fields as per your preferred configuration:
  - Domains: A list of Fully Qualified Domain Names (FQDN) authenticated by the certificate.
  - Public key info: The cryptographic algorithm used to generate the key pair.
  - Can be used with: A list of ACM integrated services that support the type of certificate you are importing.
  - Signature algorithm: The cryptographic algorithm used to create the certificate signature.
  - Expires in: Number of days after which the certificate expires.
- Click Import.
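The check below is an added example, not part of the Thales documentation or the gateway's code. It inspects the three PEM inputs before you paste them into the ACM import form and reports the conditions that make the import fail: a certificate body that is not a single PEM certificate, a private key that is encrypted (PKCS#8 "ENCRYPTED PRIVATE KEY" or the legacy "Proc-Type: 4,ENCRYPTED" header), and a chain that is not PEM. Besides the PKCS#8 form named above it also accepts the RSA and EC PEM key labels, which the ACM import documentation lists as valid; the PEM bodies in the sample are constructed placeholders, not real key material.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
                       r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*-----END (?P=label)-----")
UNENCRYPTED_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return (label, der_bytes) for each well-formed PEM block in `text`."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode("".join(m.group("body").split()), validate=True)
        except binascii.Error:
            continue  # malformed base64: not a usable block
        out.append((m.group("label"), der))
    return out

def check_acm_inputs(cert_body, private_key, chain=""):
    """Return problems that would make the ACM import fail; [] means the inputs look right."""
    problems = []
    certs = pem_blocks(cert_body)
    if len(certs) != 1 or certs[0][0] != "CERTIFICATE":
        problems.append("certificate body must be exactly one CERTIFICATE block")
    elif not certs[0][1].startswith(b"\x30"):  # DER X.509 starts with an ASN.1 SEQUENCE
        problems.append("certificate body does not decode to DER")
    if "Proc-Type: 4,ENCRYPTED" in private_key:  # legacy PEM passphrase header
        problems.append("private key is passphrase-protected")
    keys = pem_blocks(private_key)
    if len(keys) != 1:
        problems.append("private key must be exactly one PEM block")
    elif keys[0][0] == "ENCRYPTED PRIVATE KEY":
        problems.append("private key is encrypted PKCS#8; ACM needs an unencrypted key")
    elif keys[0][0] not in UNENCRYPTED_KEY_LABELS:
        problems.append(f"unexpected private key block type: {keys[0][0]}")
    chain_blocks = pem_blocks(chain)
    if chain.strip() and not chain_blocks:
        problems.append("certificate chain is not PEM-encoded")
    if any(lab != "CERTIFICATE" or not der.startswith(b"\x30") for lab, der in chain_blocks):
        problems.append("certificate chain may only contain CERTIFICATE blocks")
    return problems

# Constructed placeholders: base64 of a minimal DER SEQUENCE, not real key material.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD_CERT = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
GOOD_KEY = f"-----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n"
ENCRYPTED_KEY = GOOD_KEY.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
```

Read the real files into strings and call `check_acm_inputs(cert, key, chain)`; a passphrase-protected key has to be converted to unencrypted PEM before the import form will accept it.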
Configure SafeNet Application Gateway as a high availability pair
- On the Amazon EFS console, in the right pane, under Amazon Elastic Beanstalk, click Create Application.
- On the Configure environment window, under Environment tier, select Web server environment.
- Under Application information, in the Application name field, enter a name for the application (for example, application-gateway).
- (Optional) Under Application tags, select Add tag and Remove tag to add or remove tags according to your preferred configuration.
- Under Platform, perform the following steps:
  - Under Platform type, select Managed platform.
  - In the Platform field, select Docker.
  - In the Platform branch field, select Docker running on 64bit Amazon Linux 2.
  - In the Platform version field, select the latest version of Docker. For example, 3.5.8 (Recommended).
- Under Application code, select Upload your code.
- Under Version label, add a unique name for the version of your application code.
- Under Source code origin, select Local file, select Choose file to search, and then select the updated Beanstalk_SourceCode.zip package that you downloaded as a prerequisite.
- Under Presets, select High Availability and select Next.
- On the Configure service access window, keep the default settings for Service role, EC2 key pair, and EC2 instance profile, and then select Next.
- (Optional) On the Set up networking, database, and tags window, configure as required, and then click Next.
- Scroll down to the bottom of the window and click Save.
Configure the load balancer
- On the Configure instance traffic and scaling window, under Capacity, increase the count of instances as required.
- On the Configure instance traffic and scaling window, under Load balancer type, ensure that Application Load Balancer is selected.
- Under Processes, click + Add process to create a process for the Admin Endpoint.
- On the Environment process window, enter the following details:
  - In the Name field, enter AdminEndpoint.
  - In the Port field, enter 7443.
  - In the Protocol field, select HTTP.
  - Under Health check, in the HTTP code field, enter 200.
  - In the Path field, enter /healthcheck.
  - Under Sessions, select the Stickiness policy enabled check box, and then click Add.
- Under Processes, click + Add process to create another process for the Application Endpoint, and enter the following details:
  - In the Name field, enter ApplicationEndpoint.
  - In the Port field, enter 8080.
  - In the Protocol field, select HTTP.
  - Under Health check, in the HTTP code field, enter 200.
  - In the Path field, enter /healthcheck.
  - Under Sessions, select the Stickiness policy enabled check box, and then click Add.
- Under Listeners, click + Add listener to add a listener for the Admin Endpoint.
- On the Application Load Balancer listener window, enter the following details:
  - In the Port field, enter 7443.
  - In the Protocol field, select HTTPS.
  - In the SSL certificate field, select the certificate that you added in the prerequisites section above.
  - In the SSL policy field, select the latest ELB security policy, for example, ELBSecurityPolicy-TLS13-1-3-2021-06.
  - In the Default process field, select AdminEndpoint, and then click Add.
- Under Listeners, click + Add listener to add another listener for the Application Endpoint, and enter the following details:
  - In the Port field, enter 8080.
  - In the Protocol field, select HTTPS.
  - In the SSL certificate field, select the certificate that you added in the prerequisites section above.
  - In the SSL policy field, select the latest ELB security policy, for example, ELBSecurityPolicy-TLS13-1-3-2021-06.
  - In the Default process field, select ApplicationEndpoint, and then click Add.
- Select Next.
- (Optional) On the Configure updates, monitoring and logging window, configure as required, and then select Next.
- On the Review window, review the configurations and select Submit.
After the Application Gateway environment is successfully created, the following window displays:
Test the Solution
Perform the following steps to verify the successful deployment of SafeNet Application Gateway:
- Copy the environment URL (for example, appgateway.us-east-1.elasticbeanstalk.com) from the Amazon Elastic Beanstalk Environment window.
- Navigate to the login URL of the SafeNet Application Gateway admin console (for example, https://<Environment URL>:7443/).
  Note
  To access the admin console of a single instance of SafeNet Application Gateway, log in using the URL https://<Environment URL>:8443/.
- Enter the administrator credentials. You should be successfully logged in to SafeNet Application Gateway.
- Navigate to the Application Endpoint URL of the SafeNet Application Gateway console (for example, https://<Environment URL>:8080).
  Note
  To access the protected application, the internal URL must correspond to https://<Environment URL>:8080.