Cluster Security Groups
Galera replication uses the following ports for communication:
- 3306: For MySQL client connections and for State Snapshot Transfer (SST) that uses the mysqldump method.
- 4567: For Galera Cluster replication traffic. Multicast replication uses both UDP and TCP on this port.
- 4568: For Incremental State Transfer (IST).
- 4444: For all other State Snapshot Transfer.
To create a security group that allows for Galera traffic within the VPCs, follow the steps below.
In this example, the VPC internal address space is 172.16.0.0/16 in US-East-1. The address space in US-East-2 is 172.31.0.0/16.
- Create a Security Group called "All Galera Traffic" with the following rules:
This allows all outbound connections to any address, and inbound connections on ports 3306, 4567, 4568 and 4444 (4567 on TCP, and also on UDP if multicast replication is used) from any address in the 172.16.0.0/16 and 172.31.0.0/16 ranges. The security group in the other VPC needs the same inbound rules; because the two VPCs are in different regions, the rules must reference the peer VPC's CIDR range rather than a security group ID. These rules may be tightened as required for the organization.
- To apply these Security Groups to the SignServer Cloud Nodes in each of the VPCs, right-click the node, select Networking and then Change Security Groups.
- Apply the security group to the instance so that it can communicate with the other nodes in the cluster by checking the box next to the line item for the security group needed.
- In the node details there is a link to View Inbound Rules. The listed source ranges should match the subnet CIDRs you configured (172.16.0.0/16 and 172.31.0.0/16 in this example); check that none of the Galera ports is open to 0.0.0.0/0.
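The same security group built from the command line, as an added example that is not part of the SignServer Cloud documentation. It assumes AWS CLI v2 configured for the target region, a VPC ID passed on the command line, and the group name and rule descriptions used below; the `count_open_to_world` check is a hypothetical helper that flags the weak variant (any Galera port opened to 0.0.0.0/0) before the rules are applied.

```bash
#!/usr/bin/env bash
# Added example (not from the SignServer docs): create the "All Galera Traffic"
# security group with the AWS CLI, restricted to the VPC CIDRs given as arguments.
# Assumes AWS CLI v2 is configured for the region of the VPC passed in.
set -eu

# Galera ports from the text: TCP 3306 (clients + mysqldump SST), TCP/UDP 4567
# (replication), TCP 4568 (IST), TCP 4444 (all other SST methods).
GALERA_TCP_PORTS="3306 4567 4568 4444"
GALERA_UDP_PORTS="4567"

# Emit one --ip-permissions entry for a protocol/port with one range per CIDR.
one_permission() {  # proto port cidr...
  proto=$1; port=$2; shift 2
  ranges=""
  for cidr in "$@"; do
    ranges="${ranges:+$ranges,}{\"CidrIp\":\"$cidr\",\"Description\":\"Galera $proto/$port\"}"
  done
  printf '{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"IpRanges":[%s]}' \
    "$proto" "$port" "$port" "$ranges"
}

# Full permission list for every Galera port, limited to the given CIDRs.
galera_ip_permissions() {  # cidr...
  perms=""
  for p in $GALERA_TCP_PORTS; do
    perms="${perms:+$perms,}$(one_permission tcp "$p" "$@")"
  done
  for p in $GALERA_UDP_PORTS; do
    perms="${perms:+$perms,}$(one_permission udp "$p" "$@")"
  done
  printf '[%s]' "$perms"
}

# Hypothetical guard: number of rule entries that would expose a Galera port to
# the whole Internet. For a correctly scoped group this is zero; passing
# 0.0.0.0/0 as a CIDR (the weak variant) makes every entry count.
count_open_to_world() {  # permissions-json
  printf '%s' "$1" | grep -o '0\.0\.0\.0/0' | wc -l | tr -d ' '
}

create_galera_sg() {  # vpc-id cidr...
  vpc=$1; shift
  perms=$(galera_ip_permissions "$@")
  if [ "$(count_open_to_world "$perms")" != "0" ]; then
    echo "refusing to open Galera ports to 0.0.0.0/0" >&2
    return 1
  fi
  sg=$(aws ec2 create-security-group --vpc-id "$vpc" \
        --group-name "All Galera Traffic" \
        --description "Galera replication between SignServer Cloud nodes" \
        --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --group-id "$sg" --ip-permissions "$perms"
  # Command-line equivalent of the console's "View Inbound Rules" check.
  aws ec2 describe-security-groups --group-ids "$sg" \
    --query 'SecurityGroups[0].IpPermissions' --output table
  printf '%s\n' "$sg"
}

# Usage (run once per VPC, in that VPC's region, listing both VPC CIDRs):
#   ./galera-sg.sh --apply vpc-0123456789abcdef0 172.16.0.0/16 172.31.0.0/16
if [ "${1:-}" = "--apply" ]; then
  shift
  create_galera_sg "$@"
fi
```

Run the script once in each region against that region's VPC; cross-region VPC peering cannot reference a security group ID from the other region, so both VPC CIDRs are listed explicitly. Egress is left at the default allow-all, matching the text; to attach the group to an existing node, use `aws ec2 modify-instance-attribute --instance-id ... --groups ...` with the full list of groups the instance should keep.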