# SSL Configuration on AWS

Modern web browsers such as Chrome, Safari, Firefox, and Edge enforce security restrictions that **prevent the use of camera/microphone permissions** and **block playback of unsecured streams** in environments **without SSL (HTTPS)**. In particular, to use WebRTC publishing/playback and HLS playback smoothly, communication between the **server and the client must be encrypted via HTTPS/WSS**.

OvenMediaEngine Enterprise on AWS provides features that make this configuration easy. Completing the security setup described in this guide is a required step to build and operate a stable and secure streaming service.

## Configure and Verify SSL <a href="#configure-and-verify-ssl" id="configure-and-verify-ssl"></a>

{% stepper %}
{% step %}

### Configure SSL in the Web Console <a href="#configure-ssl-in-the-web-console" id="configure-ssl-in-the-web-console"></a>

<figure><img src="https://content.gitbook.com/content/xo7moYXTh3yBG01Dy49w/blobs/VY9IBaq4hnPS11p6iW8n/image.png" alt=""><figcaption></figcaption></figure>

1. Click the <mark style="color:yellow;">\[Settings]</mark> icon in the upper-right corner of the Web Console to open the Settings page, then select <mark style="color:yellow;">**\[SSL Configuration]**</mark> from the left menu.
2. In the Configuration Method section, click <mark style="color:yellow;">\[Change Configuration]</mark> to switch to edit mode.

<figure><img src="https://content.gitbook.com/content/xo7moYXTh3yBG01Dy49w/blobs/l4c2qkoKV3ra5FwIaLdM/image.png" alt=""><figcaption></figcaption></figure>

3. Choose an <mark style="color:yellow;">SSL configuration method</mark> that fits your service environment.

{% tabs %}
{% tab title="Option A" %}

#### OvenMediaEngine Enterprise–Provided Subdomain with Auto-Managed SSL Certificate <mark style="color:$primary;">\[Recommended]</mark>

<figure><img src="https://content.gitbook.com/content/xo7moYXTh3yBG01Dy49w/blobs/T2i30cL1JZqBShTIG3x6/image.png" alt=""><figcaption></figcaption></figure>

* Without any complex setup, OvenMediaEngine Enterprise <mark style="color:yellow;">automatically provisions a dedicated subdomain and SSL certificate</mark> required for SSL configuration, and <mark style="color:yellow;">manages certificate renewals starting 20 days before expiration</mark>.
  {% endtab %}

{% tab title="Option B" %}

#### Your Own Domain with Your Own Certificate

<figure><img src="https://content.gitbook.com/content/xo7moYXTh3yBG01Dy49w/blobs/CKxDmhh08tU3Nf9vA49z/image.png" alt=""><figcaption></figcaption></figure>

* Register your domain and SSL certificate directly in OvenMediaEngine Enterprise. With this option, the instance IP (Public IPv4 address) is shown on the <mark style="color:yellow;">\[SSL Configuration]</mark> page of the Web Console. To map your domain to this instance, update your domain’s DNS records in your DNS management console to point to the displayed IP.

* Please ensure that your SSL certificate is renewed manually before it expires.
  {% endtab %}
  {% endtabs %}

* If you choose the *Your Own Domain with Your Own Certificate* option (Option B), please refer to the "[Custom SSL Certificate File Guide](https://ovenmediaengine-enterprise.gitbook.io/guide/exclusive/aws-marketplace/ssl-configuration-on-aws/custom-ssl-certificate-file-guide)" for the required certificate files to upload.

{% hint style="danger" %} <mark style="color:$primary;">**Important: Assign an Elastic IP before configuring SSL.**</mark>

You must first associate an **AWS Elastic IP** (EIP) with the instance to keep its public IP address fixed. If the instance is stopped and started again without an Elastic IP, its public IP may change. This can break your domain mapping and cause service downtime. To ensure stable domain resolution and uninterrupted secure connections, secure a fixed public IP first, then proceed with the SSL configuration.
{% endhint %}
{% endstep %}

{% step %}

### Access via HTTPS <a href="#access-via-https" id="access-via-https"></a>

<figure><img src="https://content.gitbook.com/content/xo7moYXTh3yBG01Dy49w/blobs/OjaOVlmkD5yzdNkkf1Pj/image.png" alt=""><figcaption></figcaption></figure>

4. Once SSL is applied successfully, you can access the Web Console using the URL shown on the \[SSL Configuration] page.
   * For example, <mark style="color:$primary;">**`https://`**</mark><mark style="color:$primary;">`aws-xxxxxxx.cloud.ovenmedia.io:8443`</mark>.
     {% endstep %}

{% step %}

### Verify SSL playback and check URLs <a href="#verify-ssl-playback-and-check-urls" id="verify-ssl-playback-and-check-urls"></a>

<figure><img src="https://content.gitbook.com/content/xo7moYXTh3yBG01Dy49w/blobs/Me5QQFQwPqpNUgNuakDx/image.png" alt=""><figcaption></figcaption></figure>

5. Following "[Post-Setup Verification for OvenMediaEngine Enterprise](https://ovenmediaengine-enterprise.gitbook.io/guide/exclusive/getting-started-on-aws#post-setup-verification-for-ovenmediaengine-enterprise)", publish a media source to `rtmp://`<mark style="color:yellow;">`{Domain}`</mark>`:1935/{app}/{stream}`, then confirm in the Stream List on the Web Console that the stream is being delivered properly.

<figure><img src="https://content.gitbook.com/content/xo7moYXTh3yBG01Dy49w/blobs/5W5ZShwTWW7DyxiCwgOT/image.png" alt=""><figcaption></figcaption></figure>

6. If playback works normally even after selecting `TLS` in the stream detail view, the SSL setup is complete.

<figure><img src="https://content.gitbook.com/content/xo7moYXTh3yBG01Dy49w/blobs/brSVoq1rdLvkwAxcWKce/image.png" alt=""><figcaption></figcaption></figure>

7. In the <mark style="color:yellow;">\[URLs]</mark> tab, you can view the <mark style="color:yellow;">TLS-enabled Ingress URL</mark> and <mark style="color:yellow;">Egress URL</mark> at a glance. Your service is now ready to deliver stable and secure streaming over encrypted connections.
   {% endstep %}
   {% endstepper %}
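For Option B, where renewal is manual and the domain must keep pointing at the Elastic IP, a scheduled check can catch both failure modes before viewers do. The script below is an added example, not part of OvenMediaEngine Enterprise. It assumes the Web Console listens on port 8443 as in the example URL above, reuses Option A's 20-day lead time as the alert threshold, and uses constructed sample values.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 20  # assumption: Option A's 20-day lead time reused as the alert window
CONSOLE_PORT = 8443     # port taken from the example console URL on this page


def days_until_expiry(cert, now=None):
    """Days left before notAfter; cert is a dict as returned by getpeercert()."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def evaluate(cert, resolved_ips, expected_ip, now=None):
    """Return a list of findings; an empty list means nothing needs attention."""
    findings = []
    if expected_ip not in resolved_ips:
        findings.append(f"DNS resolves to {sorted(resolved_ips)}, not Elastic IP {expected_ip}")
    left = days_until_expiry(cert, now)
    if left < 0:
        findings.append(f"certificate expired {-left:.0f} days ago")
    elif left < RENEW_WINDOW_DAYS:
        findings.append(f"certificate expires in {left:.0f} days; renew now")
    return findings


def check_live(domain, expected_ip, port=CONSOLE_PORT, timeout=5):
    """Resolve the domain, complete a verified TLS handshake, then evaluate."""
    ips = {info[4][0] for info in socket.getaddrinfo(domain, port, socket.AF_INET)}
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    try:
        with socket.create_connection((domain, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted or wrong-name certificates fail here, as in a browser.
        return [f"TLS verification failed: {exc.verify_message}"]
    return evaluate(cert, ips, expected_ip)


# Constructed sample values, not from a real deployment.
# 203.0.113.0/24 is a reserved documentation range.
SAMPLE_CERT = {"notAfter": "Jun 30 12:00:00 2030 GMT"}
SAMPLE_EIP = "203.0.113.10"
SAMPLE_EXPIRY = ssl.cert_time_to_seconds(SAMPLE_CERT["notAfter"])
```

Run `check_live("<your-domain>", "<your-elastic-ip>")` from cron or a monitoring job and alert on any non-empty result.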
