Configure SM HTTPS for ALB

ALB supports SM2 certificates and custom TLS security policies with SM cipher suites, enabling SM-compatible browsers to access your services over the Transport Layer Cryptography Protocol (TLCP). This provides HTTPS encryption that meets China's cryptographic standards and Multi-Level Protection Scheme (MLPS) Level 3 requirements for industries such as finance and government.

Prerequisites

  • The SM certificate feature is not enabled by default. Go to Quota Center to apply for the required quota.

  • You have registered a custom domain name. Because the ALB instance in this example is in China (Shanghai), the domain name must have a completed ICP filing.

  • You have purchased or uploaded an SM2 certificate in Certificate Management Service. The certificate must match the domain name with a completed ICP filing.

  • You have created a VPC named VPC1 in China (Shanghai) with vSwitches VSW1 (zone E) and VSW2 (zone F).

Procedure

1. Create an ECS instance and deploy a service

  1. Create an ECS instance with the following configurations.

    • Name: ECS01

    • Region: China (Shanghai)

    • VPC: VPC1

    • vSwitch: VSW1

    • Image: Alibaba Cloud Linux 3.2104 LTS 64-bit

  2. Connect to the ECS01 instance. Run the following commands to deploy an Nginx service.

    sudo yum install -y nginx
    sudo systemctl start nginx
    echo "Hello from ECS backend" | sudo tee /usr/share/nginx/html/index.html

  3. Add a high-priority inbound rule to the security group of the ECS instance to allow incoming traffic.

    • Policy: Allow

    • Protocol: Custom TCP

    • Source: Select IPv4, and then select This VPC CIDR block.

    • Destination (This Instance): Select Port, and then select HTTP (80).

For more information, see Create an instance by using the wizard, Connection methods, and Add security group rules.

2. Create an ALB instance

  1. Log on to the ALB console, select the China (Shanghai) region, and then click Create ALB.

  2. On the purchase page, specify the following parameters and click Create Now.

    • Instance Network Type: Select Internet.

    • VPC: Select VPC1.

    • Zone: Select Shanghai Zone E with VSW1 and Shanghai Zone F with VSW2. Enable Assign EIP.

    • IP Version: Select IPv4.

    • Edition (Instance Fee): Select Standard.

  3. On the Confirm Order page, verify the instance configurations and click Activate Now.

3. Create a server group and add servers

  1. In the Server Group console, make sure that China (Shanghai) is selected as the region, and then click Create Server Group.

  2. Configure the server group as follows and click Create.

    • Server Group Type: Select Server.

    • Server Group Name: Enter sg-nginx.

    • VPC: Select VPC1.

    • Backend Server Protocol: Use the default value HTTP.

  3. In the "The server group is created" dialog box, click Add Backend Server. Select ECS01 and click Next. In the Ports/Weights step, set the server Port to 80 and click OK.

4. Create a custom TLS security policy

SM2 certificates require a custom TLS security policy with an SM cipher suite associated with the listener. System security policies do not include SM cipher suites.

  1. In the left-side navigation pane of the ALB console, click TLS Security Policies. On the Custom Policy tab, click Create Custom Policy.

  2. In the panel that appears, set the policy Name to gm-tls-policy and Minimum Version to TLS 1.0 or Later. In the Cipher Suite section, move ECC-SM2-WITH-SM4-SM3 to the selected box, and then click Create.

ECC-SM2-WITH-SM4-SM3 is an alias for ECC-SM2-SM4-CBC-SM3 and ECC-SM2-SM4-GCM-SM3.

5. Create an HTTPS listener with an SM2 certificate

  1. In the ALB console, click the ID of the target instance to go to the Instance Details page. On the Listener tab, click Create Listener.

  2. In the Configure Listener step, set Listener Protocol to HTTPS and Listener Port to 443. Then, click Next.

  3. In the SSL Certificate step, select your SM2 certificate. The algorithm type is displayed in the certificate list, where SM2 indicates an SM2 certificate. Select gm-tls-policy for TLS Security Policies and click Next.

  4. In the Server Group step, select the sg-nginx server group and click Next.

  5. In the Configuration Review step, confirm the configurations and click Submit.

After configuring an SM2 certificate, you must select a custom TLS security policy that includes an SM cipher suite. Otherwise, clients cannot access your service.

6. Configure domain name resolution

Add a CNAME record to map your custom domain name to the DNS name of the ALB instance.

This example uses Alibaba Cloud DNS. If your domain name is not registered with Alibaba Cloud, add the domain name to the Alibaba Cloud DNS console first.

  1. In the ALB console, copy the Domain Name of the target instance.

  2. Log on to the Alibaba Cloud DNS console. For the target domain name, click Settings in the Actions column. On the Settings page, click Add Record.

  3. Add a CNAME record with the following information and click OK.

    • Record Type: Select CNAME.

    • Hostname: Enter a prefix, such as sm2. If your custom domain name is example.com, the domain name used to access the ALB instance is sm2.example.com.

    • Query Source and TTL: Keep the default values.

    • Record Value: Enter the DNS name of the ALB instance.

  4. In the Change Resource Record Confirmation dialog box, confirm the DNS record information and click OK.

7. Verify the configuration

Verify SM HTTPS

In the ZOS browser, go to https://sm2.example.com. Click the lock icon in the address bar to view the certificate. If the certificate type is SM2, the configuration is successful.

More information

Limitations

  • Only upgraded ALB instances support SM2 certificates. Use ALB instance cloning to migrate services from a pre-upgrade instance.

  • Only Standard and WAF-enabled ALB instances support SM2 certificates. Basic and Advanced editions do not support this feature.

  • SM2 certificates do not support mutual authentication or SM2 CA certificates.

Billing

  • ALB instance: ALB supports pay-as-you-go and subscription billing. For details, see ALB billing overview.

  • ECS instance: For details, see ECS billing overview. For testing, create a low-specification pay-as-you-go instance and release it afterward to avoid unnecessary fees.

  • Domain name and DNS resolution fees: Besides domain name provider fees, Alibaba Cloud DNS charges for public authoritative DNS resolution.

FAQ

SSL handshake error with an SM-compatible browser

  • Verify that ECC-SM2-WITH-SM4-SM3 is selected in the custom TLS security policy.

  • Verify that the listener uses the custom TLS security policy with the SM cipher suite.
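The browser check in the verification step and both FAQ items come down to one question: does the listener actually negotiate an SM cipher suite? The following Python probe is added here and is not part of the original page or of ALB; it sends a minimal TLCP ClientHello that offers only ECC-SM2-SM4-CBC-SM3 and ECC-SM2-SM4-GCM-SM3 and reports what the ServerHello carries, or the alert the listener returns when its policy contains no SM suite. It assumes the host name sm2.example.com from the DNS step, sends no SNI (so the listener is assumed to present the SM2 certificate by default), and uses the cipher suite IDs assigned in GB/T 38636-2020.

```python
"""Probe an ALB HTTPS listener to confirm it negotiates an SM (TLCP) cipher suite."""
import os
import socket
import struct

TLCP_VERSION = b"\x01\x01"  # TLCP (GB/T 38636-2020) protocol version 1.1
# Cipher suite IDs behind the ECC-SM2-WITH-SM4-SM3 alias, as assigned in GB/T 38636-2020
SM_SUITES = {
    b"\xe0\x13": "ECC-SM2-SM4-CBC-SM3",
    b"\xe0\x53": "ECC-SM2-SM4-GCM-SM3",
}


def build_client_hello(random_bytes=None):
    """Return one TLCP record carrying a ClientHello that offers only the SM suites."""
    rnd = os.urandom(32) if random_bytes is None else random_bytes
    suites = b"".join(SM_SUITES.keys())
    body = (TLCP_VERSION + rnd + b"\x00"               # version, 32-byte random, empty session id
            + struct.pack("!H", len(suites)) + suites  # offered cipher suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type ClientHello, 24-bit length
    return b"\x16" + TLCP_VERSION + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Parse the first record the server returns; raise if it is an alert or not a ServerHello."""
    if len(record) < 7:
        raise ValueError("connection closed before a full record arrived")
    ctype, length = record[0], struct.unpack("!H", record[3:5])[0]
    if ctype == 0x15:  # alert: expected when the listener's policy offers no SM suite
        raise ValueError("server sent alert level=%d description=%d" % (record[5], record[6]))
    if ctype != 0x16 or record[5] != 0x02:
        raise ValueError("unexpected record type %#x / handshake type %#x" % (ctype, record[5]))
    hs = record[9:5 + length]              # ServerHello body after the 4-byte handshake header
    sid_len = hs[34]                       # skip 2-byte version and 32-byte random
    suite = hs[35 + sid_len:37 + sid_len]
    return {"version": hs[:2], "suite_id": suite,
            "suite": SM_SUITES.get(suite, "non-SM suite 0x" + suite.hex())}


def probe(host, port=443, timeout=5.0):
    """Open a TCP connection, send the ClientHello and return the negotiated parameters."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        return parse_server_hello(sock.recv(4096))


if __name__ == "__main__":
    # sm2.example.com is the assumed host name from the page's CNAME example
    print(probe("sm2.example.com"))
```

A successful result names one of the two SM suites; an alert instead means the listener is still bound to a policy without ECC-SM2-WITH-SM4-SM3, which is the FAQ case above.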