This workflow uses the Property Manager API (PAPI) to create a property that's protected by a Cloud Certificate Manager (CCM) certificate.
CCM certificate is in Limited Availability
This is an additional service that needs to be added to your contract. Only a select number of customers can use it. Contact your Akamai representative to see if you're eligible. Otherwise, you need to onboard a custom cert property.
Before you begin
Make sure you get these things done before you start with this workflow.
- Determine the level of security. What level of security do you need to deliver your content to requesting clients? Have a look at Understand the levels of security to figure out if you need Enhanced or Standard TLS security.
Currently, we support only the Enhanced TLS security. We are working on introducing the Standard TLS security option.
-
Set up authentication for PAPI. To make calls through PAPI, you need to authenticate to Akamai using tokens you generate in your API client tool.
-
Property Manager API (PAPI). This is what you'll use to set up your property to deliver your traffic. You'll need to ensure that your authentication is set up for READ/WRITE access to PAPI.
-
Cloud Certificate Manager (CCM) API. As a step in this workflow, you'll need to set up a certificate to secure the connection between clients requesting your content and the Akamai edge network. You can use an API for this process. You'll need to ensure that the access authentication for it is also set up for READ/WRITE access. See Cloud Certificate Manager API.
-
-
Make sure you have the write access to your primary DNS servers. You'll need to modify DNS records during the process.
-
Review limits imposed on PAPI operations. Make sure you don't exceed the rate and resource limits and familiarize yourself with the concurrency control rules this API applies.
-
If your account is enabled for mandatory domain validation, you need to prove ownership to Akamai of the domains you set up as property hostnames, before activating the property. You can either pre-validate your domains by generating validation challenges or use the challenges you get while adding or updating your property version hostnames.
1 - Add the origin layer to your DNS
Get the IP address of your existing origin and create an A
record in your DNS.
2 - Use Cloud Certificate Manager to prepare your edge certificate
Cloud Certificate Manager is a separate Akamai utility you can use to generate certificates using either Enhanced TLS security. Those certificates are signed by a Certificate Authority (CA) that is known to be trusted by every major browser or operating system. When creating a certificate in Cloud Certificate Manager, you need to set the domain name that clients use to access your site or asset as the common name (CN), or include it as a subject alternate name (SAN) in the certificate.
Use the Cloud Certificate Manager API
Seedeveloper documentation for Cloud Certificate Manager for details.
Use Akamai Control Center
You can also use a separate user interface in Control Center to create Cloud Certificate Manager certificates. To learn how, see the Cloud Certificate Manager documentation. There are multiple phases of the process and you need to apply specific settings:
-
After you enter certificate information, set your domain name as either the Common Name (CN) or a Subject Alternate Name (SAN). Make note of it, because you need this value later in the process.
-
Make sure that the Deployment Network is set to the Enhanced TLS level of security. Currently it’s the only supported type.
-
Set all other options for all other phases of the certificate creation process as desired.
Wait for the certificate to provision
Regardless of the tool you used, a certificate can take up to 10 minutes to provision, based on the level of security. You’ll get the certificate on the email address of the account you used to create the certificate once it's ready.
3 - Get contracts, groups, and products
These identifiers specify what modules and features you'll be able to use in your property.
4 - Create an edge hostname
An edge hostname is used to process the request between a client and the Akamai edge network. Create your edge hostname using the domain name you set as the Common Name (CN) or Subject Alternate Name (SAN) in your certificate:
5 - Create a CP code
CP codes track any web traffic handled by edge servers. Each property’s default rule needs a valid CP code to bill and report for the service.
6 - Create a property
Think of a property as a container for your product configuration. Set one up to control how your content is delivered.
7 - Set variables for your property (optional)
Do you have specific values you'll repeatedly use in the property's rule tree? Use built-in system variables or create your own and apply them as needed.
8 - Update your property with your edge hostname
Map your property hostname to the edge hostname that you created, so that the edge servers can take over the client traffic from your origin.
9 - Check the status of your hostname
Run the List hostnames for a property operation and locate your hostname based on its "cnameFrom": "<your domain>"
. It needs to be active. Check for the status
object in the response:
- You see the
status
object. Anystatus
value indicates that it's still being processed. Wait a while and rerun the operation. - No
status
object means the hostname is active. Review the response to confirm that thecnameFrom
value is the correct domain for your site or resource and store thecnameTo
value to use later in the process.
10 - Add the edge hostname to your DNS
In your DNS configuration, create a CNAME record and map your domain (cnameFrom
) to the cnameTo
value that you stored.
11 - Get the rule tree
Get the baseline of your property's rule tree. It includes all of the default rules and behaviors that Akamai adds. The response varies depending on your Akamai product.
12 - Edit the rule tree
Provide necessary details for the top-level default rule. At a minimum, configure these mandatory behaviors in a rule:
You can optionally include any number of your own rules to customize content delivery. Rule trees are maintained in a special form of JSON that you can best edit and validate in the dedicated VS code or Eclipse IDE plugins.
13 - Validate the rule tree changes
Make sure your JSON file is correct and complete before deploying it on edge servers. You need to resolve returned errors, as they block the activation, but you can activate a property version that yields less severe warnings. For more information, see Rule tree errors and warnings. Both VS code and Eclipse plugins support full rule tree validation.
14 - Update the property's rule tree
Push your updated JSON file back to the property.
15 - Activate the property on staging and production
With brand new setups, you only need to test your configuration on production. But, you can activate your property on both networks at the same time.
16 - Confirm activation
Make sure the activation was successful. The response should contain "status": ACTIVE
.
17 - Check the hostname certificate
After activation, your certificate should be in the DEPLOYED
status.
18 - Test the activated settings
Temporarily set up your local browser to target an edge server to access your property.
-
You need your edge hostname's actual IP address. Get it by running a command for your stored edge hostname. For example, the domain you set in your edge hostname was
example.com
and you're using a Enhanced TLS certificate that adds theedgesuite.net
suffix to your hostname behind the scenes:Windows:
nslookup www.example.com.edgesuite.net
Mac OS, Linux, or Unix:
dig www.example.com.edgesuite.net
dig AAAA www.example.com.edgesuite.net
-
Go to your local hosts file in a text editor.
- Windows. You should be able to find your hosts file in:
C:\Windows\System32\drivers\etc\hosts
- Mac OS, Linux, or Unix. You should be able to find your hosts file in:
/etc/hosts
- Windows. You should be able to find your hosts file in:
-
At the end of the hosts file, add an entry for the actual domain to your website that includes the edge hostname's IP address.
1.23.45.78 example.com
-
Save and close your hosts file. Restart your browser to clear your DNS cache and verify that your site is working the way you expect.
For more details on testing and activation, see Activate a property.
19 - Go live
Start serving live traffic through the Akamai Edge Platform. Replace your existing CNAME record and with a new one, setting its value to the Akamai edge hostname.
Remember to remove any entries from your local hosts file that you may have set up for testing. Now, you can restart your browser and do a smoke test of your website or application.