This documentation only applies to Self Hosted Deployments of Panther.
Out of the box, Panther ships with a self-signed certificate generated at deployment time. While this setup is better than not having SSL/TLS enabled at all on the web server, it is still far from best practice, especially for a security tool. Panther strongly recommends you replace this self-signed certificate with a certificate issued by a trusted Certificate Authority (CA) before using Panther in a production environment.
This documentation describes the process of registering a domain through Amazon Web Services (AWS) Route53, but you may use any domain registrar.
Register a domain
Note: If you already have a domain registered, or if you have an internal CA that manages certificates for your organization, you can skip this step.
Navigate to the Route53 console and click the Registered domains tab.
Click Register domain, and enter the name of the domain you'd like to register.
Click the checkmark icon to verify that the domain is available. AWS will suggest alternatives if it is unavailable.
Click Add to cart and then Continue.
On the next form, fill in the contact information. Be sure to enter an email address that you have access to so that you can verify the domain in a future step. When you're done, click Continue.
Agree to the terms and conditions, and click Complete order. If you have not registered a domain through Route53 before, you will receive a confirmation email.
The domain will take between 10 minutes and one hour to complete registration. You can continue to the next steps before the domain registration is complete.
Find the Panther master stack (called panther by default), select this stack, and click Update.
Select the Use current template option and click Next.
Find the Parameters section and update the following two parameters:
CertificateArn: Enter the full ARN of the ACM certificate created in step two. This can be retrieved from the ACM console.
CustomDomain: Enter the domain name you registered during the first section of this documentation.
Click Next until you reach the final "Review" step.
On the "Review" step, verify that your configuration is correct. Check the box next to I acknowledge that AWS CloudFormation might..., then click Update stack.
After clicking Update stack, Panther will update with your new certificate. The update should take a few minutes.
Create an alias
Finally, you will need to create an alias or CNAME on your domain pointing to the load balancer's auto-generated URL. If you're not using a domain registered within Route53, you should still generally be able to follow along with the steps below through your registrar's web console.
Navigate to the Hosted zones tab of Route53, and click the Hosted zone for your new domain.
Click Create Record Set.
In the popup, fill in the fields as follows:
Name: Leave this field empty.
Type: A - IPv4 address
Alias: Select Yes
Alias Target: Select the name of the ELB load balancer from your Panther deployment. It will be under the ELB Application load balancers section.
You can find this manually in CloudFormation by going to the panther-bootstrap stack and looking for the LoadBalancerUrl output. Note: the name will automatically be prefixed with "dualstack". Do not modify this.
Routing Policy: Select Simple
Evaluate Target Health: Select No
You can now navigate to your new domain and reach the Panther web application over a signed and secure HTTPS connection.
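To confirm that the self-signed certificate is no longer being served, the following added example (not part of Panther's documentation or code) performs a verified TLS handshake against the custom domain and reports any problems with the certificate. The hostnames, issuer name and dates in the sample dictionaries are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed getpeercert()-style samples; names and dates are placeholders.
CA_ISSUED = {
    "subject": ((("commonName", "panther.example.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "panther.example.com"),),
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}
SELF_SIGNED = {
    "subject": ((("commonName", "example.invalid"),),),
    "issuer": ((("commonName", "example.invalid"),),),
    "subjectAltName": (("DNS", "example.invalid"),),
    "notAfter": "Jun 15 12:00:00 2030 GMT",
}

def san_matches(san, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def evaluate_cert(cert, hostname, now=None):
    """Return the problems found in a getpeercert()-style dict (empty = good)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if cert.get("issuer") == cert.get("subject"):  # certificate issued by itself
        problems.append("self-signed")
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(s, hostname.lower()) for s in sans):
        problems.append("hostname not in subjectAltName")
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    if datetime.fromtimestamp(expiry, timezone.utc) <= now:
        problems.append("expired")
    return problems

def check_endpoint(hostname, port=443, timeout=10):
    """Handshake against the system trust store, as a browser would."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return evaluate_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return [exc.verify_message]  # untrusted issuer, name mismatch, etc.
```

Call `check_endpoint` with the value you entered for CustomDomain once the alias record resolves; an empty list means the handshake verified against the system trust store and the certificate covers the domain.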