AWS Certificate Manager Integration

Introduction

This section describes the AWS Certificate Manager (ACM) integration with Horizon, used to manage, from Horizon, the certificates held in ACM (pushing, renewing and deleting them).

This integration involves at least two infrastructure components:

  • AWS Certificate Manager

  • EverTrust Horizon

AWS Connector

This section describes how to manage AWS Connectors, which hold the credentials and settings Horizon uses to reach an AWS account.


Prerequisites

On the Horizon side, you may need to set up a Proxy if AWS is only reachable through one.

On the AWS side, create a dedicated IAM user following the AWS IAM guide, create an access key for it, and attach the appropriate permissions. The user needs the following managed policies:

  • AWSResourceGroupsReadOnlyAccess

  • ResourceGroupsandTagEditorReadOnlyAccess

  • AWSCertificateManagerFullAccess

Note that AWSCertificateManagerFullAccess grants full control over every certificate in ACM for the account, and the access key will be stored in Horizon. Do not reuse this user for anything else, and rotate its access key on a schedule.

After performing these steps, you will get the following information, required later:

  • the AWS Region

  • the User Access Key ID

  • the User Access Key Secret

On top of that, you need to define a Resource Group, using AWS Resource Groups and Tag Editor, with the following characteristics:

  • Group Type: Tag based

  • Resource Type: AWS::CertificateManager::Certificate

  • Tag key and value (e.g. key=manage and value=HRZ)

After performing these steps, you will get the following information, required later:

  • the Resource Group name

  • the Tag key

  • the Tag value
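The AWS-side prerequisites above, carried out with the AWS CLI, as an added example that is not part of the Horizon documentation or of EverTrust's tooling. The IAM user name (horizon-acm) and resource group name (horizon-acm-certs) are assumptions; the tag key and value are the page's example (manage=HRZ). It also shows the check a practitioner would run before pasting the key into Horizon: simulating the user's policy to confirm it can do what the connector needs and nothing outside ACM and tagging. Nothing is executed against AWS unless HRZ_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not EverTrust's own tooling: provisions the AWS-side
# prerequisites for a Horizon AWS Connector with the AWS CLI.
# Assumed (hypothetical) names: IAM user "horizon-acm", resource group
# "horizon-acm-certs"; the tag key/value are the page's example (manage=HRZ).
# Needs a configured AWS CLI with IAM and Resource Groups permissions;
# nothing is executed against AWS unless HRZ_APPLY=1.
set -eu

HRZ_USER="${HRZ_USER:-horizon-acm}"
HRZ_GROUP="${HRZ_GROUP:-horizon-acm-certs}"
HRZ_TAG_KEY="${HRZ_TAG_KEY:-manage}"
HRZ_TAG_VALUE="${HRZ_TAG_VALUE:-HRZ}"

# Exactly the three managed policies the page lists. The last one grants
# acm:* for the whole account, so this user must not be reused elsewhere.
HRZ_POLICIES="AWSResourceGroupsReadOnlyAccess \
ResourceGroupsandTagEditorReadOnlyAccess \
AWSCertificateManagerFullAccess"

# Full ARN of an AWS-managed policy.
policy_arn() {
    printf 'arn:aws:iam::aws:policy/%s' "$1"
}

# Tag-based resource query restricted to ACM certificates carrying key=value.
# The Resource Groups API takes the inner filter as a JSON *string* inside the
# outer JSON document, so its quotes have to be escaped.
build_resource_query() {
    inner="{\"ResourceTypeFilters\":[\"AWS::CertificateManager::Certificate\"],\"TagFilters\":[{\"Key\":\"$1\",\"Values\":[\"$2\"]}]}"
    escaped=$(printf '%s' "$inner" | sed 's/"/\\"/g')
    printf '{"Type":"TAG_FILTERS_1_0","Query":"%s"}' "$escaped"
}

create_prerequisites() {
    aws iam create-user --user-name "$HRZ_USER"
    for p in $HRZ_POLICIES; do
        aws iam attach-user-policy --user-name "$HRZ_USER" \
            --policy-arn "$(policy_arn "$p")"
    done
    # The secret is shown once: paste it into the connector's Access Key
    # Secret field and keep it nowhere else.
    aws iam create-access-key --user-name "$HRZ_USER" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
    aws resource-groups create-group --name "$HRZ_GROUP" \
        --resource-query "$(build_resource_query "$HRZ_TAG_KEY" "$HRZ_TAG_VALUE")"
}

verify_prerequisites() {
    # Value for the connector's Region field.
    aws configure get region
    account=$(aws sts get-caller-identity --query Account --output text)
    # Confirm the user can do what Horizon needs and nothing outside ACM and
    # tagging: every row should read "allowed" except the iam:CreateUser probe.
    aws iam simulate-principal-policy \
        --policy-source-arn "arn:aws:iam::${account}:user/${HRZ_USER}" \
        --action-names acm:ImportCertificate acm:DeleteCertificate \
            acm:AddTagsToCertificate tag:GetResources iam:CreateUser \
        --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text
    # Only ACM certificates tagged key=value should be listed here.
    aws resource-groups list-group-resources --group "$HRZ_GROUP" \
        --query 'Resources[].Identifier.ResourceArn' --output text
}

if [ "${HRZ_APPLY:-0}" = "1" ]; then
    create_prerequisites
    verify_prerequisites
fi
```

Run it once with HRZ_APPLY=1 from a profile that has IAM rights; the region printed by verify_prerequisites, the two values printed by create-access-key, and the group name and tag key/value are exactly the fields the connector form asks for.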

How to configure AWS Connector

1. Log in to Horizon Administration Interface.

2. Access AWS Connectors from the drawer or card: Third Parties > AWS > Connectors.

3. Click on Add Connector.

4. Fill the mandatory fields.

Connection

  • Name* (string input):
    Enter a meaningful connector name. It must be unique for each connector. Horizon uses the name to identify the connector.

  • Region* (string input):
    Enter a valid AWS region (for example eu-west-1). See the AWS region list for the valid values.

  • Access key ID (string input):
    User Access Key ID used by Horizon to connect to AWS.

  • Access Key Secret (string input):
    Access Key Secret associated to the aforementioned User Access Key ID.

  • Proxy (select):
    The HTTP/HTTPS proxy to use to reach AWS, if any.

  • Timeout* (finite duration):
    The timeout for Horizon-initiated connections to AWS. Must be a valid finite duration.

Assets identification

  • Resource group name (string input):
    Name of the resource group whose tag filter matches the tag key and value below.

  • Tag key (string input):
    Name of the tag used to identify certificates managed by Horizon in ACM.

  • Tag value (string input):
    Value of the tag used to identify certificates managed by Horizon in ACM.

Actors and renewal management

  • Throttle duration* (finite duration):
    Delay used to throttle Horizon's calls to AWS. Defaults to 3 seconds; must be a valid finite duration.

  • Renewal period (finite duration):
    Certificate renewal period, i.e. how long before expiration Horizon triggers the renewal. Must be a valid finite duration.

5. Click on the save button.

You can edit (Edit Connector) or delete (Delete Connector) an AWS Connector from the same page.

You won’t be able to delete an AWS Connector if it is referenced somewhere else.

AWS Trigger

This section describes how to manage the Triggers used by WebRA Profiles to push certificates to, or delete them from, AWS ACM.

Prerequisites

An AWS Connector must have been created beforehand (see above), since each trigger references one.

How to configure AWS Trigger

1. Log in to Horizon Administration Interface.

2. Access AWS Triggers from the drawer or card: Third Parties > AWS > Triggers.

3. Click on Add Trigger.

4. Fill the mandatory fields.

  • Name* (string input):
    Enter a meaningful trigger name. It must be unique for each trigger. Horizon uses the name to identify the trigger.

  • AWS Connector* (select):
    Select an AWS connector previously created.

  • Retries in case of error (int):
    Number of times Horizon retries pushing the change to ACM if the call fails. Must be an integer between 1 and 15.

5. Click on the save button.

You can edit (Edit Trigger) or delete (Delete Trigger) an AWS Trigger from the same page.

You won’t be able to delete an AWS Trigger if it is referenced somewhere else.