
TLS Changes for KyvosCloud

Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)


  1. On the Kyvos Manager UI, navigate to Properties > global.properties.

  2. Add the following parameter:

     HOSTNAME_VERIFIER : yes

  3. Restart All Services from the Kyvos Manager dashboard.

Bastion Host autoscaling

A bastion host is a jump host from which Kyvos Manager is accessed by the port forwarding method. The Bastion host should be attached to the autoscaling group to enable the autoscaling mechanism.

To verify that autoscaling is enabled on the Bastion host, navigate to AWS console > EC2 > Auto Scaling groups and confirm that the Bastion host is attached to an Auto Scaling group.

Infrastructure changes to incorporate TLS Changes

Copy the VPC ID of the cluster, go to Security Groups, and select the security group of the KM (Primary webserver) instance that belongs to that VPC ID.

Allow inbound traffic from the following security groups in the KM node Security Group:

  1. Bastion Host SG: custom TCP protocol, port range 8080-9444

  2. KM-ALB SG: custom TCP protocol, port 9443

  3. ALB SG: custom TCP protocol, port 8443

Configurations after enabling TLS

After enabling TLS, create a new target group named Single Target Group on port 8443 for the KM node with the following specifications:

Fill in port 8443 and click to create the target group.

Verify the created target group.

NOTE: The target must be healthy.

Add the created target group to the cluster's load balancer listener HTTPS:443.

Now go to the ALB listener on port 443, click View and Edit rules, and add a new rule with any of the following path patterns, forwarding to the Single Target Group:

  /kyvos/sql
  OR
  /kyvos/sql/*
  OR
  /kyvos/sql/sqlSSO
  OR
  /kyvos/sql/sqlSSO/*

Verify Security Group changes after TLS enable (Kyvos user portal on port 8443)

Application Load Balancer will have two listeners after cluster creation (by default). The two listeners are 80 and 443.

As per SOC2 compliance, Kyvos Manager should only be accessible by port forwarding (tunneling). So, delete the listener on port 80 and its associated Target Group.

After TLS is enabled, the security groups of the Kyvos Manager and Kyvos Web portal instances change, and a new Target Group on port 8443 must be created and associated with the ALB listener on port 443.

After changing the inbound rules of the Kyvos Manager and Kyvos Web portal security groups, create the new target group. Then, in the ALB (Application Load Balancer), edit the rule and attach it to the newly created Target Group.

Verify that the Web portal is accessible from the Kyvos Manager host and bastion host by port forwarding after TLS is enabled

After TLS is enabled, access the Kyvos Manager on port 9443 and the Kyvos Web server on port 8443.

For verification, log in to the Kyvos Manager instance and the Web server instance on their respective ports using the port forwarding (tunneling) method from the Bastion host. This confirms that the applications are running on the correct ports with TLS.
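The checks above can also be run against captured AWS CLI output instead of by eye. The following audit script is an added example, not part of the Kyvos documentation: it assumes JSON saved from `aws elbv2 describe-listeners`, `aws elbv2 describe-rules`, `aws elbv2 describe-target-health` and `aws ec2 describe-security-groups`, and the ARNs, group IDs and instance ID in the sample data are constructed placeholders.

```python
# Constructed sample data shaped like the output of `aws elbv2 describe-listeners`,
# `describe-rules`, `describe-target-health` and `aws ec2 describe-security-groups`.
# ARNs, security group IDs and the instance ID are placeholders, not real resources.
LISTENERS = {"Listeners": [
    {"Port": 80, "Protocol": "HTTP", "ListenerArn": "arn:placeholder:listener/http80"},
    {"Port": 443, "Protocol": "HTTPS", "ListenerArn": "arn:placeholder:listener/https443"}]}
RULES = {"Rules": [
    {"Conditions": [{"Field": "path-pattern", "Values": ["/kyvos/sql/*"]}],
     "Actions": [{"Type": "forward", "TargetGroupArn": "arn:placeholder:tg/single-8443"}]}]}
TARGET_HEALTH = {"TargetHealthDescriptions": [
    {"Target": {"Id": "i-km-placeholder", "Port": 8443},
     "TargetHealth": {"State": "healthy"}}]}
KM_SG = {"SecurityGroups": [{"GroupId": "sg-km", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 9444,
     "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
    {"IpProtocol": "tcp", "FromPort": 9443, "ToPort": 9443,
     "UserIdGroupPairs": [{"GroupId": "sg-km-alb"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]}]}

# Inbound rules the KM node SG should carry, per the checklist above (source SG, from, to).
EXPECTED_SG = {("sg-bastion", 8080, 9444), ("sg-km-alb", 9443, 9443), ("sg-alb", 8443, 8443)}
SQL_PATHS = {"/kyvos/sql", "/kyvos/sql/*", "/kyvos/sql/sqlSSO", "/kyvos/sql/sqlSSO/*"}


def audit(listeners, rules, health, sg, tg_arn="arn:placeholder:tg/single-8443"):
    """Return a list of findings; an empty list means the post-TLS checks pass."""
    findings = []
    ports = {l["Port"] for l in listeners["Listeners"]}
    if 80 in ports:  # Kyvos Manager must only be reachable via tunnelling (SOC2)
        findings.append("listener on port 80 still present")
    if 443 not in ports:
        findings.append("no HTTPS:443 listener")
    # A 443 rule must match one of the /kyvos/sql path patterns and forward to the 8443 TG
    routed = any(a.get("TargetGroupArn") == tg_arn
                 for r in rules["Rules"] for a in r["Actions"]
                 if a["Type"] == "forward" and any(
                     c["Field"] == "path-pattern" and set(c["Values"]) & SQL_PATHS
                     for c in r["Conditions"]))
    if not routed:
        findings.append("no /kyvos/sql rule forwards to the 8443 target group")
    for t in health["TargetHealthDescriptions"]:
        if t["Target"]["Port"] != 8443 or t["TargetHealth"]["State"] != "healthy":
            findings.append(f"target {t['Target']['Id']} unhealthy or not on port 8443")
    got = {(p["GroupId"], perm["FromPort"], perm["ToPort"])
           for perm in sg["SecurityGroups"][0]["IpPermissions"]
           if perm["IpProtocol"] == "tcp" for p in perm.get("UserIdGroupPairs", [])}
    for src, lo, hi in sorted(EXPECTED_SG - got):
        findings.append(f"KM SG missing inbound tcp {lo}-{hi} from {src}")
    for src, lo, hi in sorted(got - EXPECTED_SG):
        findings.append(f"KM SG inbound tcp {lo}-{hi} from {src} is not in the checklist; review")
    return findings
```

With the sample data the only finding is the leftover port 80 listener, which is exactly the listener the section above says to delete.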

Copyright Kyvos, Inc. All rights reserved.