Deploy a Self Managed Certificate for SSL Interception

To ensure that all traffic is properly analyzed, you can configure the Web Security Service to intercept and decrypt SSL traffic. By default, the Web Security Service portal supports only a certificate chain managed by Symantec for this task. If your organization prefers to use your own certificate infrastructure, you can license the Self Managed Certificate service to integrate your Web Security Service with a Hardware Security Module (HSM) hosted on Amazon Web Service (AWS).

This solution describes how to integrate an Amazon Cloud HSM service with a Web Security Service account.

Note: For each domain in your Web Security Service configuration, you must configure a unique HSM host.

About Integrating HSM

Self Managed Certificate support provides you with the ability to install your own certificate into the WSS portal. With this in place, you can now: 

  • Simplify user on-boarding

    When SSL/TLS traffic is intercepted and decrypted by the Web Security Service, the private key stored on the integrated HSM is used. At no point does the private key leave the HSM. Because your users' browsers already trust your root certificate, adding users to WSS takes less time to set up.

  • Control your own certificates

    With this configuration, you retain control of your certificate chain and how it is used.

Prerequisites

Ensure that you have the following:

  • An Amazon Web Service (AWS) account hosting a CloudHSM cluster.
  • An EC2 instance in the above AWS Account where the AWS CLI has been configured with AWS administrator credentials.
  • Python 2.7 (pre-installed in Amazon Linux)

    To check the Python version, run the following command in your EC2 instance: python --version.

  • A Python Installable Package (PIP) module version 6.x and above compatible with Python 2.7.

    To check your PIP version, run the following command in your EC2 instance: pip --version.

    If PIP is not installed, execute this command: sudo yum install python2-pip.

  • The AWS Software Development Kit, Boto3, version 1.7 or later.

    To check what version of Boto3 is installed in your EC2 instance, run this command: pip freeze | grep boto3.

    If Boto3 is not installed, run this command in your EC2 instance: sudo pip install boto3.

  • WSS Subscription ID

    This ID is included in your order confirmation email sent by Symantec after subscribing to the Web Security Service.

    If you are new to the Web Security Service, wait to receive the confirmation mail before proceeding with steps outlined in this document.

  • CloudHSM Cluster ID

    See the step labeled To Create a Cluster in the CloudHSM documentation, available at https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster.html.

  • CloudHSM CA Certificate, saved as customerCA.crt

    This file is used in the step Initialize the Cluster in the CloudHSM documentation, available here: https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html.

  • CloudHSM Crypto Username and Password

    These credentials are created during the step Create Users in the CloudHSM documentation here: https://docs.aws.amazon.com/cloudhsm/latest/userguide/manage-hsm-users.html.
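The following preflight script checks the version and file requirements listed above on the EC2 instance. It is an added example, not part of Symantec's documentation; it assumes python, pip, awk and openssl are on PATH and that customerCA.crt (the file name from the prerequisites) is in the current directory unless another path is given.

```shell
#!/bin/sh
# Preflight for the WSS Self Managed Certificate prerequisites (added example).

# version_ge A B: succeed if dotted version A >= B, compared numerically per segment
# (missing segments count as 0, so 1.7 == 1.7.0; trailing text such as "rc1" is ignored).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i in x) ? x[i] + 0 : 0; q = (i in y) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0 }'
}

# python_major_minor "Python 2.7.14" -> "2.7"  (python 2 prints its version on stderr)
python_major_minor() { printf '%s\n' "$1" | sed -n 's/^Python \([0-9]*\.[0-9]*\).*/\1/p'; }

# pip_version "pip 9.0.3 from /usr/lib/python2.7/site-packages (python 2.7)" -> "9.0.3"
pip_version() { printf '%s\n' "$1" | sed -n 's/^pip \([0-9.]*\).*/\1/p'; }

# boto3_version_from_freeze FREEZE_OUTPUT: extract the version from the "boto3==x.y.z" line
boto3_version_from_freeze() { printf '%s\n' "$1" | sed -n 's/^boto3==\([0-9.]*\).*/\1/p' | head -n 1; }

# cert_is_pem FILE: succeed if FILE parses as a PEM X.509 certificate
cert_is_pem() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# preflight [CERT_FILE]: run all checks, print one line each, return 1 if any failed
preflight() {
  cert="${1:-customerCA.crt}"; rc=0
  pyv=$(python_major_minor "$(python --version 2>&1)")
  if [ "$pyv" = "2.7" ]; then echo "ok   python $pyv"; else echo "FAIL python 2.7 required (found '${pyv:-none}')"; rc=1; fi
  pipv=$(pip_version "$(pip --version 2>/dev/null)")
  if [ -n "$pipv" ] && version_ge "$pipv" 6; then echo "ok   pip $pipv"; else echo "FAIL pip >= 6 required (found '${pipv:-none}')"; rc=1; fi
  b3=$(boto3_version_from_freeze "$(pip freeze 2>/dev/null)")
  if [ -n "$b3" ] && version_ge "$b3" 1.7; then echo "ok   boto3 $b3"; else echo "FAIL boto3 >= 1.7 required (found '${b3:-none}')"; rc=1; fi
  if cert_is_pem "$cert"; then echo "ok   $cert parses as an X.509 certificate"; else echo "FAIL $cert missing or not a PEM certificate"; rc=1; fi
  return $rc
}

# Usage: sh preflight.sh run [path/to/customerCA.crt]
case "${1:-}" in
  run) preflight "${2:-customerCA.crt}" ;;
esac
```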

Tip: You can click the download button next to your certificate in the list to download the public key to your local system.