TrainingSupportCommunity

Onboard a secure by default property

This workflow uses the Property Manager API ("PAPI") to create a property that's protected by the default certificate method (also referred to as "secure by default"). ​Akamai​ will automatically generate a new certificate and IPv6 edge hostname to securely deliver your content.

📘

Secure by default is limited availability

This is an additional service that needs to be added to your contract. However, it hasn't been released to general availability yet. Only a select number of customers can use it. Contact your account team to see if you're eligible. Otherwise, you need to onboard a custom cert property.

Before you begin

Make sure you get these things done before you jump into the workflow.

  • Determine the level of security. What level of security do you need to deliver your content to requesting clients? Have a look at Understand the levels of security to figure out if you need Enhanced or Standard TLS security.

  • Set up authentication for PAPI. To make calls through PAPI, you need to authenticate to ​Akamai​ using tokens you generate in your API client tool.

  • Make sure you have write access to your primary DNS servers. You'll need to modify DNS records during the process.

1 - Add the origin layer to your DNS

Get the IP address of your existing origin and create an A record in your DNS.

2 - Get contracts, groups, and products

These identifiers specify what modules and features you'll be able to use in your property.

List contracts
Open Recipe
List groups
Open Recipe
List products
Open Recipe

3 - Create a CP code

CP codes track any web traffic handled by edge servers. Each property’s default rule needs a valid CP code to bill and report for the service.

Create a new CP code
Open Recipe

4 - Create a property

Think of a property as a container for your product configuration. Set one up to control how your content is delivered.

Create a new property
Open Recipe

5 - Set up property hostnames

Here, you map your property to an edge hostname that will take over the client traffic from your origin. With secure by default, you'll specify "certificateProvisioningType": "DEFAULT" using this API operation to have Property Manager automatically secure your HTTPS delivery and create an edge hostname upon activation:

Update a property with a secure by default hostname
Open Recipe

6 - Get the hostname certificate validation challenge

Run this operation and locate your hostname, based on its "cnameFrom": "<your domain>". (It should also include "certProvisioningType": "DEFAULT".)

List hostnames for a property
Open Recipe

Review these values:

  • cnameFrom. Confirm that this is the correct domain for your site or resource.
  • validationCname. Store the hostname and target values from this object.

7 - Add the validation challenge to your DNS

In your DNS configuration, create a CNAME record and map the hostname you stored to the target.

8 - Confirm the hostname certificate deployment

Re-run this operation to check status. If it's still PENDING, that's OK. You'll check again later in this process.

List hostnames for a property
Open Recipe

9 - Get the rule tree

Get the baseline of your property's rule tree. It includes all of the default rules and behaviors that ​Akamai​ adds. So, what you'll get in the response varies based on your ​Akamai​ product.

Get a property rule tree
Open Recipe

10 - Edit the rule tree

Provide necessary details for the top-level default rule. At a minimum, configure these mandatory behaviors in a rule:

You can optionally include any number of your own rules to customize content delivery. Rule trees are maintained in a special form of JSON that you can best edit and validate in the dedicated VS code or Eclipse IDE plugins.

11 - Validate the rule tree changes

Make sure your JSON file is correct and complete before deploying it on edge servers. You need to resolve returned errors, as they block an activation, but you can activate a property version that yields less severe warnings. For more information, see Rule tree errors and warnings. Both VS code and Eclipse plugins support full rule tree validation.

12 - Update the property's rule tree

Push your updated JSON file to the property configuration.

Update a rule tree
Open Recipe

13 - Activate the property on staging and production

With brand new setups, you only need to test your configuration on production. But, you can activate your property on both networks at the same time.

Activate a property version
Open Recipe

14 - Confirm activation

Make sure the activation status is ACTIVE.

List activations
Open Recipe

15 - Check the hostname certificate again

After activation, your certificate should be in the DEPLOYED status.

List hostnames for a property
Open Recipe

16 - Test the activated settings

  1. Look up the IP address of your edge hostname and copy it. For example, assume the domain you set in your edge hostname was "example.com":

    Windows:

    nslookup www.example.com.edgekey.net

    Mac OS, Linux, or Unix:

    dig www.example.com.edgekey.net

  2. Paste the edge hostname IP address to your local hosts file in a text editor.

    • Windows. You should be able to find your hosts file in: C:\Windows\System32\drivers\etc\hosts
    • Mac OS, Linux, or Unix. You should be able to find your hosts file in: /etc/hosts

  3. Restart your browser to clear your DNS cache and verify that your site is working the way you expect.

17 - Go live

Start serving live traffic through the ​Akamai​ Edge Platform. Replace your existing CNAME record and with a new one, setting its value to the ​Akamai​ edge hostname.

Remember to remove any entries from your local hosts file that you may have set up for testing. Now, you can restart your browser and do a smoke test of your website or application.