Configuring Back-end Server Authentication

When running a web application with HTTPS or SSL as the backend server’s protocol, you might want to authenticate the back-end servers using the public key of the back-end server’s certificate. This authentication can be used to ensure that back-end servers accept only encrypted communication and to ensure that the back-end servers have the correct certificate.

To configure back-end server authentication:

  1. Create a new loadbalancer with HTTPS as backend instance’s protocol:
    eulb-create-lb -l "protocol=HTTPS,lb-port=443,instance-protocol=HTTPS,instance-port=8443,cert-id=arn:aws:iam::000550595745:server-certificate/mycert01"\
                            -z one myloadbalancer
  2. Create a new PublicKeyPolicyType policy for the load balancer. In the example below, ‘server.crt’ is the file containing the public key of the backend server’s certificate.
    eulb-create-lb-policy -n webservercert -t PublicKeyPolicyType -a "name=PublicKey, value=$(<./server.crt)" myloadbalancer
  3. Use the eulb-describe-lb-policies to ensure that the policy was created. For example:
    eulb-describe-lb-policies -p webservercert myloadbalancer
  4. Create a new BackendServerAuthenticationPolicyType policy that refers to the public key policy created above.
    eulb-create-lb-policy -n webserverauthentication -t BackendServerAuthenticationPolicyType -a "name=PublicKeyPolicyName, value=webservercert" myloadbalancer
  5. Make sure the policy is created. For example:
    eulb-describe-lb-policies -p webserverauthentication myloadbalancer
  6. Set the created policy to the listener by specifying the instance's port number. For example:
    eulb-set-lb-policies-for-backend-server -i 443 -p webserverauthentication myloadbalancer
  7. Make sure the policy is attached to the intended listener. For example:
    eulb-describe-lbs --show-long myloadbalancer
    LOAD_BALANCER myloadbalancer
    {interval=30,target=TCP:8443,timeout=5,healthy-threshold=3,unhealthy-threshold=3} one \