Mutual authentication adds a second check to TLS: besides presenting its own certificate, the server verifies the client's certificate, so only clients that hold a certificate issued by a trusted CA can connect. This topic describes how to configure mutual authentication on an HTTPS listener of an Application Load Balancer (ALB) instance.
Background information
One-way authentication: Only the client verifies the identity of the server. During the TLS handshake, the server presents its certificate (a public key certificate), and the client checks that it is issued by a trusted CA and matches the domain name being visited. The server does not verify the identity of the client, so a connection is established as soon as the server is authenticated.
Mutual authentication: In addition to verifying the server certificate, the client presents its own client certificate (a public key certificate) during the handshake, and the server verifies that it is issued by a CA that the server is configured to trust. A connection is established only after both the client and the server are authenticated. Clients that present no certificate, or a certificate from an untrusted CA, are rejected at the TLS layer, before any HTTP request reaches the backend servers.
Limits
Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.
Prerequisites
A standard or WAF-enabled ALB instance is created. For more information, see Create an ALB instance.
Note: Basic ALB instances do not support mutual authentication.
A virtual private cloud (VPC) is created. VPC1 is used in this example. For more information, see Create and manage a VPC.
Two Elastic Compute Service (ECS) instances named ECS01 and ECS02 are created in VPC1. ECS01 and ECS02 function as the backend servers of the ALB instance, and applications are deployed on ECS01 and ECS02.
For more information about how to create an ECS instance, see Create an instance by using the wizard.
The following code blocks show how to deploy applications on ECS01 and ECS02.
A server group is created and ECS01 and ECS02 are added to the server group. For more information, see Create and manage a server group.
A server certificate is purchased or uploaded in the Certificate Management Service console. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
A private CA is purchased and enabled in the Certificate Management Service console, and at least one private intermediate CA certificate is available to issue client certificates. For more information, see Purchase and enable a private CA.
Procedure
On the server side, a server certificate for the listener must be purchased or uploaded. On the client or user side, a client certificate issued by the private CA must be obtained, exported, and installed.
Step 1: Prepare a server certificate
You can purchase a server certificate in the Certificate Management Service console or upload a third-party server certificate there. A browser verifies the identity of a server by checking that the certificate sent by the server is issued by a trusted certificate authority (CA) and that it covers the domain name being visited.
In this example, a server certificate is purchased from the Certificate Management Service console. For more information about how to purchase a server certificate, see Purchase an SSL certificate and Upload an SSL certificate.
Make sure that you have a valid domain name to associate with the certificate.
Step 2: Prepare a client certificate
Log on to the Certificate Management Service console.
In the left-side navigation pane, click Private Certificates.
On the Private Certificates page, click the Private CAs tab and find the root CA certificate.
Click the icon and click Apply for Certificate in the Actions column.
In the Apply for Certificate panel, configure the parameters and click Confirm.
The following table describes only the parameters that are relevant to this topic. For more information, see Manage private certificates.
Certificate Type: Select the type of private certificate that you want to obtain. In this example, Client Certificate is selected.
Common Name: Specify the common name on the private certificate. In this example, the domain name of the ALB instance is specified. Mutual authentication on the listener is decided by the issuing CA that you select in Step 5, not by the common name, so choose a value that lets you tell client certificates apart.
Validity Period: Specify a validity period for the private certificate. The validity period cannot exceed the subscription duration of the Private Certificate Authority (PCA) service that you purchased. In this example, the default validity period of 30 days is used. Issue and distribute a replacement before the certificate expires, because an expired client certificate fails the TLS handshake.
The private certificate is issued immediately after the request is submitted. To view the details of the issued private certificate, find the private certificate and click Certificates in the Actions column. You can view the information about the certificate on the Certificates page.
Step 3: Export the client certificate
If you have requested a client certificate in the console (Step 2) and want to use it for mutual authentication, perform the following operations to export the client certificate:
Log on to the Certificate Management Service console.
In the left-side navigation pane, click Private Certificates.
On the Private Certificates page, click the Private CAs tab. Find the root CA certificate and click the icon to expand it. Then, find the intermediate CA certificate and click Certificates in the Actions column.
On the Certificates page, find the client certificate that you want to manage and click Download in the Actions column. Select the PFX format, which browsers and operating systems can import. The download contains a .pfx file, which holds the client certificate together with its private key, and a .txt file that contains the password protecting the private key in the .pfx file. Keep both files confidential: anyone who holds them can authenticate as this client.
Step 4: Install the client certificate
Install the client certificate on the client based on the installation guide.
In this example, the Windows operating system is used.
Step 5: Configure mutual authentication on an HTTPS listener
Log on to the ALB console.
In the top navigation bar, select the region in which the ALB instance is deployed.
On the Instances page, click the ID of the ALB instance that you want to manage.
On the Listener tab, click Create Listener, configure the parameters, and then click Next.
The following table describes some of the parameters. Use the default values for other parameters.
Select Listener Protocol: Select a listener protocol. In this example, HTTPS is selected.
Listener Port: Enter the port on which the ALB instance listens. The ALB instance listens on the port and forwards requests to backend servers. In this example, port 443 is used.
In the SSL Certificate step, select the server certificate purchased in Step 1.
Click Modify to show the advanced settings and turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud as the source of the CA certificate. From the Default CA Certificate drop-down list, select the private CA certificate that issued the client certificate in Step 2. The listener accepts only client certificates that chain to this CA, so it must be the CA under which the client certificate was requested.
Select a TLS security policy and click Next.
In the Server Group step, configure the Server Type parameter and select a server group based on the Server Type parameter. Confirm the ECS instances (ECS01 and ECS02) and click Next.
In the Confirm step, confirm the configurations and click Submit.
Step 6: Configure domain name resolution
Log on to the ALB console.
In the top navigation bar, select the region in which the ALB instance is deployed.
Copy the domain name of your ALB instance.
To create a CNAME record, perform the following steps:
Log on to the Alibaba Cloud DNS console.
On the Manage DNS page, click Add Domain Name.
In the Add Domain Name dialog box, enter the domain name and click OK.
Important: Enter the domain name that is associated with the server certificate.
Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.
Find the domain name that you want to manage and click DNS Settings in the Actions column.
On the DNS Settings page, click Add Record.
In the Add DNS Record panel, configure the following parameters and click OK.
Record Type: Select CNAME from the drop-down list.
Hostname: Enter the prefix of your domain name.
DNS Request Source: Select Default.
Record Value: Enter the CNAME, which is the domain name of the ALB instance.
TTL: Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. The default value is used in this example.
Note: After you create a CNAME record, it immediately takes effect. After you modify a record, the record takes effect based on the TTL of the record. By default, the TTL is 10 minutes.
If the CNAME record that you want to create conflicts with an existing record, we recommend that you specify another domain name. For more information, see Rules for conflicting DNS records.
Step 7: Test whether mutual authentication works as expected
Log on to the ALB console.
In the top navigation bar, select the region in which the ALB instance is deployed.
On the Instances page, click the ID of the ALB instance. Then, click the Listener tab to view the health check status of the HTTPS listener.
If Healthy is displayed in the Health Check Status column, it indicates that the backend servers can process requests forwarded by the ALB instance.
Visit https://domain:port from your browser, where domain is the domain name that you pointed at the ALB instance in Step 6 and port is the listener port (443 in this example). In the dialog box that appears, select the client certificate and click OK. If you refresh the page, requests are distributed between ECS01 and ECS02, as shown in the following figures.
To confirm that the listener actually enforces mutual authentication, repeat the visit from a browser or client that does not have the client certificate installed, or cancel the certificate prompt: the TLS handshake must fail and no page should load. If the page still loads, check that Enable Mutual Authentication is turned on for the listener and that the CA certificate that issued the client certificate is selected.
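The following added example is not Alibaba Cloud code and is not part of the console procedure above. It reproduces in Python what the listener does once Enable Mutual Authentication is turned on (Step 5) and the positive and negative checks of Step 7: a local TLS server is given a server certificate and a trusted client CA, and three clients connect, one without a certificate, one with a certificate from an unrelated CA that carries the same common name, and one with a certificate issued by the trusted CA. Throwaway certificates are minted with the openssl command-line tool, which must be installed; the names demo-private-ca, some-other-ca and alb-client are made-up demo values.

```python
"""Local model of an HTTPS listener with mutual authentication enabled.
Added example, not Alibaba Cloud code. Uses the openssl CLI to mint throwaway
certificates; demo-private-ca, some-other-ca and alb-client are made-up names.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_self_signed(directory, name, cn, san=None):
    """Self-signed certificate and key, used for the demo CAs and the server."""
    key = os.path.join(directory, name + ".key")
    crt = os.path.join(directory, name + ".pem")
    args = ["req", "-x509", "-newkey", "ec", "-pkeyopt",
            "ec_paramgen_curve:prime256v1", "-nodes", "-days", "1",
            "-subj", "/CN=" + cn, "-keyout", key, "-out", crt]
    if san:
        args += ["-addext", "subjectAltName=DNS:" + san]
    _openssl(*args)
    return crt, key


def issue_client_cert(directory, ca_crt, ca_key, name, cn):
    """Client certificate signed by the given CA (what Step 2 does in the console)."""
    key, csr, crt = (os.path.join(directory, name + ext) for ext in (".key", ".csr", ".pem"))
    _openssl("req", "-new", "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1",
             "-nodes", "-subj", "/CN=" + cn, "-keyout", key, "-out", csr)
    _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-days", "1", "-out", crt)
    return crt, key


def serve_mtls(server_crt, server_key, client_ca, n_clients, log):
    """The listener side: present server_crt, demand a client certificate, and
    accept only certificates that chain to client_ca. Returns (port, thread)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)   # the SSL Certificate step
    ctx.verify_mode = ssl.CERT_REQUIRED           # Enable Mutual Authentication
    ctx.load_verify_locations(client_ca)          # the Default CA Certificate
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))                  # ephemeral port
    lsock.listen(5)
    lsock.settimeout(10)

    def run():
        for _ in range(n_clients):
            conn, _ = lsock.accept()
            conn.settimeout(5)
            tls = None
            try:
                tls = ctx.wrap_socket(conn, server_side=True)  # verifies the client cert
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                tls.recv(64)
                tls.sendall(b"OK " + subject["commonName"].encode())
                log.append("accepted:" + subject["commonName"])
            except OSError as exc:                # handshake rejected the client
                log.append("rejected:" + type(exc).__name__)
            finally:
                (tls if tls is not None else conn).close()
        lsock.close()

    thread = threading.Thread(target=run, daemon=True)
    thread.start()
    return lsock.getsockname()[1], thread


def try_connect(port, server_ca, cert=None, key=None):
    """A client that verifies the server and optionally presents its own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED plus hostname check
    ctx.load_verify_locations(server_ca)
    if cert:
        ctx.load_cert_chain(cert, key)
    try:
        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            # Under TLS 1.3 the server's rejection can arrive after the client
            # considers the handshake complete, so always exchange application data.
            tls.sendall(b"hello")
            data = tls.recv(64)
    except OSError:
        return "rejected"
    return "accepted:" + data[3:].decode() if data.startswith(b"OK ") else "rejected"


def demo():
    with tempfile.TemporaryDirectory() as d:
        ca_crt, ca_key = make_self_signed(d, "ca", "demo-private-ca")
        rogue_crt, rogue_key = make_self_signed(d, "rogue", "some-other-ca")
        srv_crt, srv_key = make_self_signed(d, "server", "localhost", san="localhost")
        good_crt, good_key = issue_client_cert(d, ca_crt, ca_key, "good", "alb-client")
        # Same common name, wrong issuer: the listener must still reject it.
        bad_crt, bad_key = issue_client_cert(d, rogue_crt, rogue_key, "bad", "alb-client")
        server_log = []
        port, thread = serve_mtls(srv_crt, srv_key, ca_crt, 3, server_log)
        outcome = {
            "no_cert": try_connect(port, srv_crt),
            "other_ca": try_connect(port, srv_crt, bad_crt, bad_key),
            "valid": try_connect(port, srv_crt, good_crt, good_key),
        }
        thread.join(timeout=15)
    return outcome, server_log


if __name__ == "__main__":
    print(demo())
```

The server side mirrors the three listener settings: load_cert_chain is the server certificate from Step 1, CERT_REQUIRED is the Enable Mutual Authentication switch, and load_verify_locations is the CA selected in the Default CA Certificate list. The rogue client shows why the CA choice, not the common name, is the authentication decision, and the no-certificate client is the negative check to run against the real listener before declaring the configuration done.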