Service overview
AWS Nitro Enclaves is an EC2 feature that lets you create, from an EC2 instance, an isolated, independent, hardened and highly constrained virtual machine execution environment called an enclave (an "enclave" in the literal sense: an area clearly set apart from everything else). Only a secure local socket connection to the parent instance is provided; there is no external network, users cannot SSH into the enclave, and the data and applications inside the enclave cannot be accessed by the parent instance's processes, applications or users. This lets you protect your most sensitive data, such as PII, and the applications that process it.
(From https://docs.aws.amazon.com/images/enclaves/latest/user/images/enclave-overview.png)
AWS Certificate Manager (ACM) for Nitro Enclaves lets web applications and web servers running on EC2 with Nitro Enclaves use public and private SSL/TLS certificates.
When running an HTTPS server on an EC2 instance, you used to create an SSL certificate and store it on the instance in plain text. With ACM for Nitro Enclaves, an ACM certificate is bound to the enclave, and the web server can use that certificate directly without the certificate being exposed in plain text to the parent instance and its users.
Purpose and goal
As of July 2024, ACM for Nitro Enclaves works with Nginx or Apache.
A customer's request was to use their own daemon program instead of Nginx or Apache, and it is unclear whether ACM for Nitro Enclaves would work with that custom daemon. On top of that, the custom daemon's specification is unknown as well.
So, following the steps below, I will treat Apache and Nginx as stand-ins for the custom daemon and verify the behaviour.
- Install Apache and Nginx on different port numbers
- Configure ACM for Nitro Enclaves on the Apache side
- Check whether the certificate files are generated automatically (= functional check)
- Check whether the Nginx side can enable SSL by pointing at the generated certificate
Technologies covered
Reference URLs
- Nitro Enclaves application: AWS Certificate Manager for Nitro Enclaves - AWS
- Deep dive on AWS Nitro Enclaves for applications running on Amazon EC2
- Even more environment isolation for applications running on EC2!? Trying out Nitro Enclaves | DevelopersIO
- [AWS] Managing certificates for EC2 instances with ACM for Nitro Enclaves #Apache - Qiita
Conditions (Nitro Enclaves requirements)
- Parent instance requirements:
- A virtualized Nitro-based instance
- An Intel- or AMD-based instance with 4 vCPUs (excluding C7a, C7i, G4ad, M7a, M7i, M7i-Flex, R7a, R7i, R7iz, T3, T3a, Trn1, Trn1n, U-*, VT1)
- An AWS Graviton-based instance with 2 vCPUs (excluding A1, C7gd, C7gn, G5g, Hpc7g, Im4gn, Is4gen, M7g, M7gd, R7g, R7gd, T4g)
- Linux or Windows (2016 or later) OS
- Enclave requirements:
- Linux OS only
https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html#nitro-enclave-reqs
Considerations
- Up to 4 separate enclaves can be created per parent instance
- An enclave can communicate only with its parent instance (enclaves running on the same or on different parent instances cannot communicate with each other)
- An enclave is active only while its parent instance is in the running state (when the parent instance is stopped or terminated, its enclaves are terminated too)
- Hibernation and enclaves cannot both be enabled on the same instance
- Nitro Enclaves is not supported on Outposts, in Local Zones or in Wavelength Zones
- ACM for Nitro Enclaves supports RSA certificates only
- ACM for Nitro Enclaves is available only on Linux instances (as of July 2024 it is not supported on Windows instances)
- As of July 2024, ACM for Nitro Enclaves is not supported in Asia Pacific (Osaka) or Asia Pacific (Jakarta)
Notes
https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html
Currently, ACM for Nitro Enclaves works with the NGINX server and the Apache HTTP server. **Support for additional web servers is planned to be added in the future.**
Note: ACM for Nitro Enclaves uses the standardized PKCS11 cryptographic interface between the parent instance and the enclave. Any application that supports the PKCS11 protocol can be adapted to use ACM for Nitro Enclaves to protect its certificate and key.
Workflow
Preliminary work
1) Launch an EC2 instance
Instance type: m5.xlarge (4 vCPU, 16 GB)
OS: Amazon Linux 2023 (free tier)
Expand [▼ Advanced details] and enable Nitro Enclave near the bottom
Incidentally, if you select a 2 vCPU instance type such as m5.large, the following warning appears.
"You cannot enable Nitro Enclaves for "m5.large" instance types. Specify a supported instance type and try again."
2) Install aws-nitro-enclaves-cli
# yum install aws-nitro-enclaves-cli -y
# yum install aws-nitro-enclaves-cli-devel -y
# nitro-cli --version
Nitro CLI 1.3.1
3) Start nitro-enclaves-allocator and enable it at boot
# systemctl start nitro-enclaves-allocator.service && systemctl enable nitro-enclaves-allocator.service
Created symlink /etc/systemd/system/multi-user.target.wants/nitro-enclaves-allocator.service → /usr/lib/systemd/system/nitro-enclaves-allocator.service.
# more /etc/nitro_enclaves/allocator.yaml
---
# Enclave configuration file.
#
# How much memory to allocate for enclaves (in MiB).
memory_mib: 512
#
# How many CPUs to reserve for enclaves.
cpu_count: 2
4) Start the Docker service and enable it at boot
# systemctl start docker && systemctl enable docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
5) Build the Docker sample (/usr/share/nitro_enclaves/examples/hello)
# docker build /usr/share/nitro_enclaves/examples/hello -t hello
[+] Building 2.3s (7/7) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 307B 0.0s
=> [internal] load metadata for docker.io/library/busybox:latest 1.8s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 307B 0.0s
=> [1/2] FROM
・・・
=> [2/2] COPY hello.sh /bin/hello.sh 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:**** 0.0s
=> => naming to docker.io/library/hello
# docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
hello latest 0d44f8558cf6 2 minutes ago 4.26MB
6) Convert the Docker image into a Nitro Enclaves image
# nitro-cli build-enclave --docker-uri hello:latest --output-file sample.eif
Start building the Enclave Image...
Using the locally available Docker image...
Enclave Image successfully created.
{
"Measurements": {
"HashAlgorithm": "Sha384 { ... }",
"PCR0": "4***f",
"PCR1": "4***3",
"PCR2": "6***2"
}
7) Start the Nitro Enclave
For example, the following command creates a Nitro Enclave with 2 vCPUs and 512 MB of memory from the Nitro Enclave image file sample.eif in the current directory.
# nitro-cli run-enclave --cpu-count 2 --memory 512 --eif-path sample.eif
Start allocating memory...
Started enclave with enclave-cid: 16, memory: 512 MiB, cpu-ids: [1, 3]
{
"EnclaveName": "sample",
"EnclaveID": "i-0****7",
"ProcessID": 28484,
"EnclaveCID": 16,
"NumberOfCPUs": 2,
"CPUIDs": [
1,
3
],
"MemoryMiB": 512
}
8) Confirm the Nitro Enclave is running
# nitro-cli describe-enclaves
[
{
"EnclaveName": "sample",
"EnclaveID": "i-0****7",
"ProcessID": 28484,
"EnclaveCID": 16,
"NumberOfCPUs": 2,
"CPUIDs": [
1,
3
],
"MemoryMiB": 512,
"State": "RUNNING",
"Flags": "NONE",
"Measurements": {
"HashAlgorithm": "Sha384 { ... }",
"PCR0": "4****f",
"PCR1": "4****3",
"PCR2": "6****2"
}
}
]
"State" is "RUNNING".
Procedure
Now that the Nitro Enclave has finally started, it is time to configure the ACM certificate.
1) Issue the ACM certificate
Beforehand, I registered the nozaki2.com domain at お名前.com and set the NS records of the Route 53 nozaki2.com zone as its name servers.
Issue a public certificate for nozaki2.com in ACM and note the certificate ARN: arn:aws:acm:ap-northeast-1:************:certificate/c60a1383-e409-42ad-83ad-70044654c8c3
2) Install Apache
# yum -y install httpd mod_ssl
3) Install ACM for Nitro Enclaves
# yum install aws-nitro-enclaves-acm -y
4) Create the IAM role
Here we create a dedicated role for ACM for Nitro Enclaves so it can be associated with ACM. While at it, don't forget the SSM permission needed to work on the instance from the console.
Create "ACMforNitroEnclavesRole" with the following policies.
- Trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
}
}
]
}
Permissions policy: AmazonSSMManagedInstanceCore
Once created, note the role ARN: arn:aws:iam::************:role/ACMforNitroEnclavesRole
5) Associate the IAM role with the ACM certificate
In an environment with aws-cli installed, run the aws-cli command that associates the IAM role from step 4 with the ACM certificate from step 1.
Here, pass the ARN noted in step 4 as --role-arn and the ARN noted in step 1 as --certificate-arn.
# aws ec2 associate-enclave-certificate-iam-role --certificate-arn arn:aws:acm:ap-northeast-1:************:certificate/c60a1383-e409-42ad-83ad-70044654c8c3 --role-arn arn:aws:iam::************:role/ACMforNitroEnclavesRole --no-verify
urllib3/connectionpool.py:1063: InsecureRequestWarning: Unverified HTTPS request is being made to host 'ec2.ap-northeast-1.amazonaws.com'. Adding certificate verification is strongly advised.
See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
{
"CertificateS3BucketName": "aws-ec2-enclave-certificate-ap-northeast-1-prod",
"CertificateS3ObjectKey": "arn:aws:iam::123456789012:role/ACMforNitroEnclavesRole/arn:aws:acm:ap-northeast-1:123456789012:certificate/c****3",
"EncryptionKmsKeyId": "0****3"
}
Because a self-signed certificate is in use, it would fail with a CERTIFICATE_VERIFY_FAILED error as-is, so I pass the --no-verify option to work around it. A warning is printed, but the command goes through.
6) Add a permissions policy to the IAM role
Create the permissions policy "ACMforNitroEnclaves-policy" below, which allows access to the S3 bucket where the certificate is stored and to the KMS key, and attach it to the IAM role created in step 4.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::aws-ec2-enclave-certificate-ap-northeast-1-prod/*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:ap-northeast-1:*:key/0****3"
},
{
"Effect": "Allow",
"Action": "iam:GetRole",
"Resource": "arn:aws:iam::************:role/ACMforNitroEnclavesRole"
}
]
}
7) Attach the IAM role to the EC2 instance
8) Create the ACM for Nitro Enclaves configuration file
ACM for Nitro Enclaves ships with a default sample configuration file, acm-httpd.example.yaml, so rename it and then edit it.
# cd /etc/nitro_enclaves/
# ls
acm-httpd.example.yaml acm.example.yaml allocator.yaml vsock-proxy.yaml
# mv acm-httpd.example.yaml acm.yaml
# ls -la
total 32
drwxr-xr-x. 2 root root 92 Jul 4 01:22 .
drwxr-xr-x. 83 root root 16384 Jul 3 07:17 ..
-rw-r--r--. 1 root root 2948 Feb 8 2023 acm.example.yaml
-rw-r--r--. 1 root root 3006 Feb 8 2023 acm.yaml
-rw-rw-r--. 1 root root 473 Jun 6 21:12 allocator.yaml
-rw-r--r--. 1 root root 2955 Jun 6 21:12 vsock-proxy.yaml
I was curious about the other file, acm.example.yaml, and on inspection it looks like the configuration for Nginx. The naming is slightly confusing.
acm-httpd.example.yaml: sample for Apache
acm.example.yaml: sample for Nginx
Edit acm.yaml and set the certificate ARN in certificate_arn:
certificate_arn: "arn:aws:acm:ap-northeast-1:************:certificate/c****3"
acm.yaml also has a section that specifies a path, as follows.
target:
Conf:
# Path to the server configuration file to be written by
# the ACM service whenever the certificate configuration changes
# (e.g. after a certificate renewal). The SSLCertificateKeyFile and
# optionally the SSLCertificateFile directives shall be populated.
path: /etc/httpd/conf.d/httpd-acm.conf
This tells us that httpd-acm.conf is the server configuration file that ACM writes whenever the certificate changes, such as on renewal.
httpd-acm.conf does not exist by default, so rename ssl.conf to httpd-acm.conf.
(If you copy it instead, the default ssl.conf will still be loaded, so be sure to rename it.)
# cd /etc/httpd/conf.d/
# ls
README autoindex.conf ssl.conf userdir.conf welcome.conf
# mv ssl.conf httpd-acm.conf
Add the following at the top of httpd-acm.conf.
<VirtualHost *:443>
ServerName nozaki2.com
SSLEngine on
SSLProtocol -all +TLSv1.2
SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"
SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"
</VirtualHost>
Incidentally, the paths in SSLCertificateKeyFile and SSLCertificateFile apparently don't matter; after starting the service they had been rewritten automatically as follows.
SSLCertificateKeyFile "pkcs11:model=p11ne-token;manufacturer=Amazon;token=httpd-acm-token;id=%01;object=acm-key;type=private?pin-value=2****6"
SSLCertificateFile "/run/nitro_enclaves/acm/httpd-cert-6****e.pem"
9) Start the service
Start and enable the ACM for Nitro Enclaves service.
# systemctl start nitro-enclaves-acm.service
# systemctl enable nitro-enclaves-acm.service
Created symlink /etc/systemd/system/multi-user.target.wants/nitro-enclaves-acm.service → /usr/lib/systemd/system/nitro-enclaves-acm.service.
10) Connection test
Before that, Apache (httpd) failed to start for some reason. It seems unable to read the certificate material.
[Thu Jul 04 02:59:31.637600 2024] [ssl:error] [pid 25984:tid 25984] AH10491: Init: OSSL_STORE_open failed for PKCS#11 URI `pkcs11:model=p11ne-token;manufacturer=Amazon;token=httpd-acm-token;id=%01;object=acm-key;type=private?pin-value=41f033d01ee982a4936c426daf2fd110'
[Thu Jul 04 02:59:31.637618 2024] [ssl:emerg] [pid 25984:tid 25984] AH10492: Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `pkcs11:model=p11ne-token;manufacturer=Amazon;token=httpd-acm-token;id=%01;object=acm-key;type=private?pin-value=41f033d01ee982a4936c426daf2fd110'
[Thu Jul 04 02:59:31.637624 2024] [ssl:emerg] [pid 25984:tid 25984] AH02312: Fatal error initialising mod_ssl, exiting.
Analysis
Perhaps a compatibility issue with the OpenSSL shipped in AL2023; in the end OpenSSL could not load the certificate material.
Since we're here, let's examine what the nitro-enclaves-acm service consists of.
# cat /usr/lib/systemd/system/nitro-enclaves-acm.service
[Unit]
Description=Nitro Enclaves ACM Agent
After=network-online.target
DefaultDependencies=no
Requires=nitro-enclaves-allocator.service
After=nitro-enclaves-allocator.service
Before=nginx.service httpd.service
[Service]
Type=simple
ExecStartPre=-/usr/bin/mkdir -p /run/nitro_enclaves/acm
ExecStart=/usr/bin/p11ne-agent
ExecStopPost=/usr/bin/rm -r /run/nitro_enclaves/acm
Restart=always
RestartSec=5
StartLimitInterval=60
StartLimitBurst=5
[Install]
WantedBy=multi-user.target
[Unit] section:
- Defines the dependencies: starts after nitro-enclaves-allocator.service and before nginx.service and httpd.service
- nitro-enclaves-allocator handles the CPU allocation
[Service] section:
- Creates the /run/nitro_enclaves/acm directory before starting
- Runs /usr/bin/p11ne-agent to start the service
- Removes the /run/nitro_enclaves/acm directory after the service stops
- Restarts the service 5 seconds after it exits
- Limits restarts to 5 within 60 seconds
[Install] section:
- Enables the service in the multi-user target
This systemd service manages the ACM agent (p11ne-agent) in the Nitro Enclaves environment. Unfortunately p11ne-agent is a binary, so its contents cannot be inspected.
# more /usr/bin/p11ne-agent
******** /usr/bin/p11ne-agent: Not a text file ********
Looking at the status of the nitro-enclaves-acm service:
# systemctl status nitro-enclaves-acm
● nitro-enclaves-acm.service - Nitro Enclaves ACM Agent
Loaded: loaded (/usr/lib/systemd/system/nitro-enclaves-acm.service; enabled; preset: disabled)
Active: active (running) since Sat 2024-07-06 09:43:03 JST; 40min ago
Process: 2167 ExecStartPre=/usr/bin/mkdir -p /run/nitro_enclaves/acm (code=exited, status=0/SUCCESS)
Main PID: 2172 (p11ne-agent)
Tasks: 5 (limit: 18909)
Memory: 45.7M
CPU: 9.448s
CGroup: /system.slice/nitro-enclaves-acm.service
├─2172 /usr/bin/p11ne-agent
└─2191 nitro-cli run-enclave --eif-path /usr/share/nitro_enclaves/p11ne/p11ne.eif --cpu-count 2 --memory 256
Jul 06 09:53:13 ip-10-0-16-102.ap-northeast-1.compute.internal p11ne-agent[2172]: |INFO | Refreshing token httpd-acm-token
Jul 06 09:53:13 ip-10-0-16-102.ap-northeast-1.compute.internal p11ne-agent[2172]: |INFO | Service: httpd | Force_Start: true | Reload: 0 | Sync: 600
Jul 06 09:53:13 ip-10-0-16-102.ap-northeast-1.compute.internal p11ne-agent[2172]: |INFO | Reloading HTTPD configuration.
Jul 06 09:53:13 ip-10-0-16-102.ap-northeast-1.compute.internal p11ne-agent[2172]: |INFO | HTTPD is not running. Starting it now.
Jul 06 09:53:13 ip-10-0-16-102.ap-northeast-1.compute.internal systemctl[2895]: Job for httpd.service failed because the control process exited with error c>
Jul 06 09:53:13 ip-10-0-16-102.ap-northeast-1.compute.internal systemctl[2895]: See "systemctl status httpd.service" and "journalctl -xeu httpd.service" for>
Jul 06 09:53:13 ip-10-0-16-102.ap-northeast-1.compute.internal p11ne-agent[2172]: |ERROR | Unable to reload HTTPD: SystemdStartHttpdError(Some(1))
Jul 06 10:03:11 ip-10-0-16-102.ap-northeast-1.compute.internal p11ne-agent[2172]: |INFO | Syncing token httpd-acm-token
It looks like p11ne-agent reloads the HTTPD configuration and invokes it. From this, it seems the ACM agent rewrites the certificate paths and so on in the Apache or Nginx configuration file.
So, even with a custom web daemon, I suspect it could replace Apache or Nginx if these paths are copied into its configuration file and it is invoked in the same way.
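As an added example (not the post's or AWS's code), the following Python script shows what that glue would look like for a custom daemon, and also illustrates the PKCS11 point from the notes above: it pulls the SSLCertificateKeyFile and SSLCertificateFile directives out of the httpd-acm.conf that p11ne-agent writes, splits the PKCS#11 URI into its attributes, checks the token, object and certificate location against what was observed above, and redacts the pin-value before the URI is logged. The conf text, PIN and certificate file name are constructed placeholders; the token name httpd-acm-token, the object acm-key and the /run/nitro_enclaves/acm directory come from the rewritten directives shown earlier.

```python
import re
from urllib.parse import unquote

# Constructed sample of the httpd-acm.conf that p11ne-agent writes; the PIN and the
# certificate file name are placeholders (the post masks the real values).
SAMPLE_CONF = """\
<VirtualHost *:443>
ServerName nozaki2.com
SSLEngine on
SSLCertificateKeyFile "pkcs11:model=p11ne-token;manufacturer=Amazon;token=httpd-acm-token;id=%01;object=acm-key;type=private?pin-value=0123456789abcdef"
SSLCertificateFile "/run/nitro_enclaves/acm/httpd-cert-deadbeef.pem"
</VirtualHost>
"""

DIRECTIVE_RE = re.compile(r'^\s*(SSLCertificateKeyFile|SSLCertificateFile)\s+"?([^"\s]+)"?', re.M)

def parse_pkcs11_uri(uri: str) -> dict:
    """Split an RFC 7512 PKCS#11 URI into percent-decoded path and query attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {"path": {}, "query": {}}
    for part in filter(None, path.split(";")):   # path attrs: model, token, id, object, type
        k, _, v = part.partition("=")
        attrs["path"][k] = unquote(v)            # id=%01 decodes to "\x01"
    for part in filter(None, query.split("&")):  # query attrs: pin-value, module-path, ...
        k, _, v = part.partition("=")
        attrs["query"][k] = unquote(v)
    return attrs

def redact_pin(uri: str) -> str:
    """Strip the clear-text PIN so the URI can be written to logs safely."""
    return re.sub(r"pin-value=[^&]*", "pin-value=<redacted>", uri)

def extract_acm_material(conf_text: str, run_dir: str = "/run/nitro_enclaves/acm/") -> dict:
    """Pull the key URI and cert path a non-Apache daemon needs, with sanity checks."""
    found = dict(DIRECTIVE_RE.findall(conf_text))
    key_uri, cert_path = found.get("SSLCertificateKeyFile"), found.get("SSLCertificateFile")
    if key_uri is None or cert_path is None:
        raise ValueError("missing SSLCertificateKeyFile or SSLCertificateFile directive")
    key = parse_pkcs11_uri(key_uri)
    problems = []
    if key["path"].get("object") != "acm-key" or key["path"].get("type") != "private":
        problems.append("key URI does not name the ACM private key object")
    if key["path"].get("token") != "httpd-acm-token":
        problems.append("unexpected token name in key URI")
    if not cert_path.startswith(run_dir):
        problems.append("certificate path is outside the ACM run directory")
    return {"key_uri": key_uri, "key_uri_for_logs": redact_pin(key_uri), "token": key["path"].get("token"),
            "cert_path": cert_path, "problems": problems}
```

The daemon would hand key_uri to its PKCS#11-capable TLS library and cert_path to its certificate loader, and re-run this on every change of httpd-acm.conf since the agent rewrites it on renewal.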
Time required
2 hours