Configuring Amazon Private CA

To configure the Amazon CA,

  1. Go to menu > KUBE+ > CLUSTER PKI > Certificate Authority
  2. Select Amazon from the left-side vendor list.
    The Amazon home page is displayed.
  3. To configure Amazon CA, click the AWS Private CA tab from the home page.

    The Amazon home page is updated to display the inventory grid as shown in the image. In the inventory grid for the Amazon Private CA, master and child account details are listed as separate entries, instead of a single master entry.

    Fields in the inventory grid are explained in the table below:
    Table 1. AWS Private CA - Screen Description Table
    Field: Description
    Search: Use the Search field to search for accounts by entering the value of one of the details listed in the inventory grid.
    Delete icon: To delete one or more accounts:
    1. From the inventory grid, select the checkbox corresponding to the account(s) you want to delete.
    2. Click the delete icon.
      Tip: To delete all accounts listed in the inventory grid, select the checkbox in the grid header.
    Page size icon: To set the number of records that should be displayed on one page:
    1. Click the page size icon.
    2. From the Show menu displayed, select the required value.
    Page navigation control: If the inventory grid spans more than one page, use this control to navigate the pages, one page at a time.
    Account Name: The unique name for the Certificate Authority (CA) account, entered at the time of account creation.
    Account Number: The AWS account number.
    Account Type: One of the following:

    • Multi account: Indicates that the account is a cross account

    • Single account: Indicates that the account is a standalone account
    CA Status:

    For an account, after all configuration details for Amazon Private CA are entered, you are required to click the Fetch issuer and save button to sync and discover the issuers and the respective certificates for that account.

    The CA Status field shows the current status of this sync and discovery process.

    Possible values for this field are:

    • Completed

    • In progress

    Note: An account entry in the grid is disabled while the CA Status is In progress.
    Connection Status: To validate whether a connection has been established with the CA, click Check. This field is then updated to display Success or Failure.
    No. of Issuers:

    This field displays the number of issuers associated with the account.

    Note: For a master account, this field shows the number of issuers associated with the master account only. The value does not include the number of issuers associated with the child account.
  4. To add an account, click Configure Now (if you are creating your first account) or click the add icon in the top-right corner of the screen.
    The Amazon page is updated to display fields for entering the CA configuration-related information.
  5. On this screen, enter the following Basic Information:
    Table 2. Basic Information - Field Description Table
    Field: Description
    Account type*: From the dropdown list, select the customer’s AWS account type from the following options:

    • Standalone: The user account and the resources are available in the same account.
    • Cross or Federated: Resources are available across multiple accounts and users are given role-based access.
    Account name*: Enter a unique name for the Certificate Authority (CA) account. This name is used during certificate enrollment and policy creation.
    Account number*: Enter the customer’s AWS account number.
    Account Description: Enter any additional details related to the account, if required.
    Purpose/Usage*: From the dropdown list, select the purpose of the certificates that can be requested using this account.
    Proxy Required: To route all communication to the Certificate Authority (CA) through the proxy configured in general settings (refer to the Platform User Guide for more details), select this checkbox.
    Default Region*: From the dropdown list, select the default region for API communication.
    Data Center (AppViewX’s CA Agent): From the dropdown list, select the data center that will be used to establish communication with the Certificate Authority (CA).
  6. Enter the following Credentials-related information:
    Table 3. Credentials - Field Description Table
    Field: Description
    Credential type*: From the dropdown list, select the credential type from the following options:

    • Manual Entry: Manually enter the access key and secret key for the customer’s AWS account.
    • Credential List - CyberArk: Select the customer’s AWS credentials from those stored in CyberArk.
    Access key*:

    Enter the access key ID for the customer’s AWS account.

    The access key and the secret access key (entered in the following field) are used together to authenticate requests.

    Note: This field is displayed only when Credential type is set to Manual Entry.
    Secret key*:

    Enter the secret access key for the customer’s AWS account.

    The access key (entered in the previous field) and the secret access key are used together to authenticate requests.

    Note: This field is displayed only when Credential type is set to Manual Entry.
    Credential name*:

    If the customer’s AWS credentials are stored in CyberArk, from the dropdown list, select the CyberArk credential name.

    Note: This field is displayed only when Credential type is set to Credential List - CyberArk.
  7. In the Discover resources section, enter the following details:
    Table 4. Discover Resources - Field Description Table
    Field: Description
    Role ARN for Resource Discovery*:
    Note: This field is displayed only when Account Type is Cross or Federated.
    To let the master account assume a role in the child account (that is, obtain temporary privileges to discover resources in the child account), configure the role ARN for resource discovery:
    1. Click the advanced settings icon.
    2. Enter the following details:
      Field: Description
      Role Session name:

      Role Session name is an identifier for the assumed role session.

      Use the Role Session name to uniquely identify a session when the same role is assumed by different principals or for different reasons.
      Duration Seconds:

      Enter the duration, in seconds, for which the temporary credentials should remain valid.

      Acceptable durations for IAM user sessions:

      • Minimum: 900 seconds (15 minutes)

      • Maximum: 129,600 seconds (36 hours)

      Default: 3600 seconds (1 hour)
      External Id: External Id is a unique identifier that might be required when you assume a role in another account.
      Source Identity: The source identity is specified by the principal that is calling the AssumeRole operation.
      Session Tags:

      Session Tags are key-value pairs that you pass when you assume an IAM role or federate a user in AWS STS.

      To create a session tag:

      1. In the Enter Key field, enter a key for the key-value pair.

      2. In the Enter Value field, enter a value for the key-value pair.

      3. Click Add.

      The added key-value pair is shown in the table below the fields.

    Service Region*:

    Service regions are regions that are supported by the selected service.

    To select a service region:
    1. To fetch the service regions for the account information provided, click Fetch Region. The retrieved service regions are populated in the Select the Region(s) dropdown list.
    2. From the Select the Region(s) dropdown list, select the required service region.
    CA Operation Mode*:

    From the following options, select one or both operation modes for discovering all the certificates enrolled by the Private Certificate Authority:

    • ACM Private CA

    • AWS Certificate Manager (ACM)

    S3 Bucket*:
    Note: This field is displayed only when the ACM Private CA operation mode is selected.
    Enter the S3 bucket name.
    Role ARN for S3 Bucket:
    Note: This field is displayed only when the ACM Private CA operation mode is selected for a Cross or Federated account.
    1. Click the ARN Advanced Settings icon.

      The ARN Advanced Settings action pane is displayed.

    2. In the ARN Advanced Settings action pane, enter the following details:
      Field: Description
      Role Session name*:

      Role Session name is an identifier for the assumed role session.

      Use the Role Session name to uniquely identify a session when the same role is assumed by different principals or for different reasons.
      Duration Seconds:

      Enter the duration, in seconds, for which the temporary credentials should remain valid.

      Acceptable durations for IAM user sessions:

      • Minimum: 900 seconds (15 minutes)

      • Maximum: 129,600 seconds (36 hours)

      Default: 3600 seconds (1 hour)
      External Id: External Id is a unique identifier that might be required when you assume a role in another account.
      Source Identity: The source identity is specified by the principal that is calling the AssumeRole operation.
      Session Tags:

      Session Tags are key-value pairs that you pass when you assume an IAM role or federate a user in AWS STS.

      To create a session tag:

      1. In the Enter Key field, enter a key for the key-value pair.

      2. In the Enter Value field, enter a value for the key-value pair.

      3. Click Add.

      The added key-value pair is shown in the table below the fields.

    3. Click Apply.
    Discover Certificate: To enable instant certificate discovery at the time of device addition, select this checkbox.
    CA Sync*:

    Select one of the following options:

    • Managed: AppViewX will connect with the customer’s AWS account and discover certificates. These certificates will be added to the inventory. Users with the relevant permissions can then perform the required certificate-related actions.

    • Monitored: AppViewX will connect with the customer’s AWS account and discover certificates. These certificates will be added to the inventory, where users are allowed only to view the certificates.

    • Ignored: AppViewX will connect with the customer’s AWS account, but certificate discovery will be disabled.

    Auto Sync:

    To enable or disable automatic synchronization, use the Auto Sync control.

    If Auto Sync is enabled, set the frequency of the schedule-based sync:

    1. From the first dropdown list, select the interval between two schedule-based syncs.

    2. From the second dropdown list, select a unit for the interval (Hours/Days).

      For example, to set the frequency of the schedule-based sync to every 2 hours, select 2 from the first dropdown list and Hours from the second dropdown list.

  8. Click Fetch issuer and save.
    • AppViewX will now discover all the Private CA Certificate Authorities across the selected region(s).
    • The inventory grid on the Amazon CA home page will be populated with the properties and details retrieved from this discovery.
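The ARN Advanced Settings fields used for both Role ARN for Resource Discovery and Role ARN for S3 Bucket (Role Session name, Duration Seconds, External Id, Source Identity, Session Tags) map directly onto the parameters of the AWS STS AssumeRole call, and the child account has to trust the master account for that call to succeed. The following is an added example, not AppViewX code and not taken from this guide: it validates those field values against the limits stated above and the STS API's character rules, returns them in the shape that boto3's sts.assume_role() accepts (the call itself is not made, so it runs offline), and builds the matching trust policy for the child-account role with the sts:ExternalId condition that prevents a third party from assuming the role by guessing its ARN. The function names, the account numbers and the role ARN are constructed placeholders.

```python
import json
import re

# Limits quoted in the Duration Seconds field description on this page.
MIN_DURATION_SECONDS = 900
MAX_DURATION_SECONDS = 129_600
DEFAULT_DURATION_SECONDS = 3600

# Character and length rules from the AWS STS AssumeRole API reference.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")
EXTERNAL_ID_RE = re.compile(r"^[\w+=,.@:/-]{2,1224}$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_assume_role_request(role_arn, session_name,
                              duration_seconds=DEFAULT_DURATION_SECONDS,
                              external_id=None, source_identity=None,
                              session_tags=None):
    """Validate the ARN Advanced Settings values and return them as the
    keyword arguments that boto3's sts.assume_role() accepts.

    Raises ValueError for anything STS would reject, so a misconfigured
    entry fails here instead of at discovery time.
    """
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"invalid role ARN: {role_arn!r}")
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError(f"invalid role session name: {session_name!r}")
    if not MIN_DURATION_SECONDS <= duration_seconds <= MAX_DURATION_SECONDS:
        raise ValueError(
            f"duration {duration_seconds} outside "
            f"{MIN_DURATION_SECONDS}-{MAX_DURATION_SECONDS} seconds")

    request = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
    }
    if external_id is not None:
        if not EXTERNAL_ID_RE.match(external_id):
            raise ValueError("invalid external ID")
        request["ExternalId"] = external_id
    if source_identity is not None:
        # A source identity follows the same syntax rules as a session name.
        if not SESSION_NAME_RE.match(source_identity):
            raise ValueError("invalid source identity")
        request["SourceIdentity"] = source_identity
    if session_tags:
        # boto3 expects a list of {"Key": ..., "Value": ...} dicts.
        request["Tags"] = [{"Key": k, "Value": v} for k, v in session_tags.items()]
    return request


def build_child_trust_policy(master_account_id, external_id=None,
                             allow_session_tags=False,
                             allow_source_identity=False):
    """Trust policy to attach to the discovery role in the child account.

    Only principals in the master account may assume the role, and when an
    External Id is configured the call must present exactly that value
    (AWS's standard confused-deputy protection for cross-account roles).
    sts:TagSession and sts:SetSourceIdentity are granted only when the
    corresponding ARN Advanced Settings fields are used; without them STS
    rejects a call that passes session tags or a source identity.
    """
    if not ACCOUNT_ID_RE.match(master_account_id):
        raise ValueError(f"invalid AWS account number: {master_account_id!r}")

    actions = ["sts:AssumeRole"]
    if allow_session_tags:
        actions.append("sts:TagSession")
    if allow_source_identity:
        actions.append("sts:SetSourceIdentity")

    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{master_account_id}:root"},
        "Action": actions,
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    # Constructed sample values: the account numbers and role ARN are placeholders.
    request = build_assume_role_request(
        "arn:aws:iam::222222222222:role/ExamplePkiDiscoveryRole",
        "pki-discovery",
        duration_seconds=3600,
        external_id="example-external-id-0001",
        session_tags={"purpose": "ca-discovery"},
    )
    policy = build_child_trust_policy("111111111111",
                                      external_id="example-external-id-0001",
                                      allow_session_tags=True)
    print(json.dumps(request, indent=2))
    print(json.dumps(policy, indent=2))
```

The trust policy is the half of the configuration this guide does not show: it lives in the child account, and if it omits the External Id condition while the AppViewX entry sends one, the role can still be assumed by anyone the policy trusts, so the two must be set together. Keeping Duration Seconds at the default of 3600 limits how long a leaked discovery credential stays usable; only raise it if the sync of a large account genuinely needs longer.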