Onboard a property with a CCM certificate

This workflow uses the Property Manager API (PAPI) to create a property that's protected by a Cloud Certificate Manager (CCM) certificate.

📘

CCM certificate is in Limited Availability

This is an additional service that needs to be added to your contract. Only a select number of customers can use it. Contact your Akamai representative to see if you're eligible. Otherwise, you need to onboard a custom cert property.

Before you begin

Make sure you get these things done before you start with this workflow.

  • Determine the level of security. What level of security do you need to deliver your content to requesting clients? Have a look at Understand the levels of security to figure out if you need Enhanced or Standard TLS security.

📘

Currently, we support only the Enhanced TLS security. We are working on introducing the Standard TLS security option.

  • Set up authentication for PAPI. To make calls through PAPI, you need to authenticate to Akamai using tokens you generate in your API client tool.

    • Property Manager API (PAPI). This is what you'll use to set up your property to deliver your traffic. You'll need to ensure that your authentication is set up for READ/WRITE access to PAPI.

    • Cloud Certificate Manager (CCM) API. As a step in this workflow, you'll need to set up a certificate to secure the connection between clients requesting your content and the Akamai edge network. You can use an API for this process. You'll need to ensure that the access authentication for it is also set up for READ/WRITE access. See Cloud Certificate Manager API.

  • Make sure you have write access to your primary DNS servers. You'll need to modify DNS records during the process.

  • Review limits imposed on PAPI operations. Make sure you don't exceed the rate and resource limits and familiarize yourself with the concurrency control rules this API applies.

  • If your account is enabled for mandatory domain validation, you need to prove ownership to Akamai of the domains you set up as property hostnames, before activating the property. You can either pre-validate your domains by generating validation challenges or use the challenges you get while adding or updating your property version hostnames.

1 - Add the origin layer to your DNS

Get the IP address of your existing origin and create an A record in your DNS.

2 - Use Cloud Certificate Manager to prepare your edge certificate

Cloud Certificate Manager is a separate Akamai utility you can use to generate certificates using Enhanced TLS security. Those certificates are signed by a Certificate Authority (CA) that is known to be trusted by every major browser or operating system. When creating a certificate in Cloud Certificate Manager, you need to set the domain name that clients use to access your site or asset as the common name (CN), or include it as a subject alternate name (SAN) in the certificate.

Use the Cloud Certificate Manager API

See the developer documentation for Cloud Certificate Manager for details.

Use Akamai Control Center

You can also use a separate user interface in Control Center to create Cloud Certificate Manager certificates. To learn how, see the Cloud Certificate Manager documentation. There are multiple phases of the process and you need to apply specific settings:

  1. After you enter certificate information, set your domain name as either the Common Name (CN) or a Subject Alternate Name (SAN). Make note of it, because you need this value later in the process.

  2. Make sure that the Deployment Network is set to the Enhanced TLS level of security. Currently it’s the only supported type.

  3. Set all other options for all other phases of the certificate creation process as desired.

Wait for the certificate to provision

Regardless of the tool you used, a certificate can take up to 10 minutes to provision, based on the level of security. Once it's ready, you'll receive the certificate at the email address of the account you used to create it.

3 - Get contracts, groups, and products

These identifiers specify what modules and features you'll be able to use in your property.

4 - Create an edge hostname

An edge hostname is used to process the request between a client and the Akamai edge network. Create your edge hostname using the domain name you set as the Common Name (CN) or Subject Alternate Name (SAN) in your certificate:

5 - Create a CP code

CP codes track any web traffic handled by edge servers. Each property’s default rule needs a valid CP code to bill and report for the service.

6 - Create a property

Think of a property as a container for your product configuration. Set one up to control how your content is delivered.

7 - Set variables for your property (optional)

Do you have specific values you'll repeatedly use in the property's rule tree? Use built-in system variables or create your own and apply them as needed.

8 - Update your property with your edge hostname

Map your property hostname to the edge hostname that you created, so that the edge servers can take over the client traffic from your origin.

9 - Check the status of your hostname

Run the List hostnames for a property operation and locate your hostname based on its "cnameFrom": "<your domain>". It needs to be active. Check for the status object in the response:

  • You see the status object. Any status value indicates that it's still being processed. Wait a while and rerun the operation.
  • No status object means the hostname is active. Review the response to confirm that the cnameFrom value is the correct domain for your site or resource and store the cnameTo value to use later in the process.
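The check described above, written out as an added example (not Akamai's code). It assumes the response lists entries under hostnames.items; only cnameFrom, cnameTo and the status object are named on this page, and the sample response is constructed.

```python
import json

# Constructed sample of a "List hostnames for a property" response.
# Assumption: entries sit under hostnames.items. The contents of the
# status object are not described on this page, so a placeholder is used.
SAMPLE_RESPONSE = json.loads("""
{
  "hostnames": {
    "items": [
      {"cnameFrom": "www.example.com",
       "cnameTo": "www.example.com.edgesuite.net"},
      {"cnameFrom": "shop.example.com",
       "cnameTo": "shop.example.com.edgesuite.net",
       "status": {"placeholder": "contents not specified on this page"}}
    ]
  }
}
""")


def hostname_state(response, domain):
    """Return (state, cname_to); state is "missing", "pending" or "active"."""
    wanted = domain.rstrip(".").lower()
    items = response.get("hostnames", {}).get("items", [])
    for item in items:
        if str(item.get("cnameFrom", "")).rstrip(".").lower() != wanted:
            continue
        # The presence of a status object, whatever it holds, means the
        # hostname is still being processed: rerun the operation later.
        if "status" in item:
            return ("pending", None)
        cname_to = item.get("cnameTo")
        if not cname_to:
            raise ValueError(f"{domain}: active entry has no cnameTo")
        # Active: this is the value to store for the CNAME record in step 10.
        return ("active", cname_to)
    # No entry with this cnameFrom: the property hostname was never added
    # or the domain is misspelled, so there is nothing to wait for.
    return ("missing", None)


if __name__ == "__main__":
    for name in ("www.example.com", "shop.example.com", "api.example.com"):
        print(name, hostname_state(SAMPLE_RESPONSE, name))
```
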

10 - Add the edge hostname to your DNS

In your DNS configuration, create a CNAME record and map your domain (cnameFrom) to the cnameTo value that you stored.

11 - Get the rule tree

Get the baseline of your property's rule tree. It includes all of the default rules and behaviors that Akamai adds. The response varies depending on your Akamai product.

12 - Edit the rule tree

Provide necessary details for the top-level default rule. At a minimum, configure these mandatory behaviors in a rule:

You can optionally include any number of your own rules to customize content delivery. Rule trees are maintained in a special form of JSON that you can best edit and validate in the dedicated VS Code or Eclipse IDE plugins.

13 - Validate the rule tree changes

Make sure your JSON file is correct and complete before deploying it on edge servers. You need to resolve returned errors, as they block the activation, but you can activate a property version that yields less severe warnings. For more information, see Rule tree errors and warnings. Both VS Code and Eclipse plugins support full rule tree validation.

14 - Update the property's rule tree

Push your updated JSON file back to the property.

15 - Activate the property on staging and production

With brand new setups, you only need to test your configuration on production. But you can activate your property on both networks at the same time.

16 - Confirm activation

Make sure the activation was successful. The response should contain "status": "ACTIVE".

17 - Check the hostname certificate

After activation, your certificate should be in the DEPLOYED status.

18 - Test the activated settings

Temporarily set up your local browser to target an edge server to access your property.

  1. You need your edge hostname's actual IP address. Get it by running a command for your stored edge hostname. For example, suppose the domain you set in your edge hostname was example.com and you're using an Enhanced TLS certificate that adds the edgesuite.net suffix to your hostname behind the scenes:

    Windows:

    nslookup www.example.com.edgesuite.net
    

    Mac OS, Linux, or Unix:

    dig www.example.com.edgesuite.net
    
    dig AAAA www.example.com.edgesuite.net
    
  2. Go to your local hosts file in a text editor.

    • Windows. You should be able to find your hosts file in: C:\Windows\System32\drivers\etc\hosts
    • Mac OS, Linux, or Unix. You should be able to find your hosts file in: /etc/hosts
  3. At the end of the hosts file, add an entry that maps your website's actual domain to the edge hostname's IP address.

    1.23.45.78 example.com
    
  4. Save and close your hosts file. Restart your browser to clear your DNS cache and verify that your site is working the way you expect.

For more details on testing and activation, see Activate a property.

19 - Go live

Start serving live traffic through the Akamai Edge Platform. Replace your existing CNAME record with a new one, setting its value to the Akamai edge hostname.

Remember to remove any entries from your local hosts file that you may have set up for testing. Now, you can restart your browser and do a smoke test of your website or application.
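A leftover test entry keeps your machine pinned to one edge IP address and hides what public DNS actually returns. As an added example (not part of the original page), this function lists the active hosts-file lines that still name a domain; the sample content is constructed and reuses the 1.23.45.78 address from step 18.

```python
import ipaddress

# Constructed hosts-file content for illustration.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# 1.23.45.78 example.com   (commented out, ignored)
1.23.45.78\texample.com www.example.com  # edge test
::1         localhost
not-an-ip   example.com
"""


def find_overrides(hosts_text, domain):
    """Return (line_number, address) for each active entry naming `domain`."""
    wanted = domain.rstrip(".").lower()
    hits = []
    for number, line in enumerate(hosts_text.splitlines(), start=1):
        # Drop trailing comments, then split on any run of spaces or tabs.
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines that do not start with an IP address
        # One line can carry several names; compare case-insensitively.
        names = [name.rstrip(".").lower() for name in fields[1:]]
        if wanted in names:
            hits.append((number, str(address)))
    return hits


if __name__ == "__main__":
    # To check a real machine, read /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts and pass its text instead.
    for number, address in find_overrides(SAMPLE_HOSTS, "example.com"):
        print(f"line {number}: example.com is still pinned to {address}")
```
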