...

This guide shows how to configure Apache as a front door with SSL protection for Abiquo. Communication between Apache and Tomcat uses the AJP connector to improve performance.

Install Apache with mod_ssl

# yum install -y httpd mod_ssl openssl

Generate keys

Generate private key:
# openssl genrsa -out ca.key 1024

Generate CSR:
# openssl req -new -key ca.key -out ca.csr

Generate self-signed certificate:
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

Move files to the correct location:

# mv ca.crt /etc/pki/tls/certs
# mv ca.key /etc/pki/tls/private/ca.key
# mv ca.csr /etc/pki/tls/private/ca.csr

Configure Apache

Move default configurations
# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bck
# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bck

Configure SSL

Edit a new /etc/httpd/conf.d/ssl.conf with the following parameters:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

Configure AJP Proxy

Note: You can use mod_rewrite to define a different location URI for the client, for example <Location /management>.

...

<VirtualHost *:80>
    RewriteEngine On
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    RewriteEngine On
    ProxyRequests Off
    ProxyPreserveHost On

    <Directory "/opt/abiquo/tomcat/webapps/client-premium/">
        Options MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    RewriteRule ^/client-premium$ /client-premium/ [R]

    <Location /client-premium>
        ProxyPass ajp://localhost:8010/client-premium/
        ProxyPassReverse ajp://localhost:8010/client-premium/
    </Location>

    <Location /api>
        ProxyPass ajp://localhost:8010/api/
        ProxyPassReverse ajp://localhost:8010/api/
    </Location>

    <Location /legal/>
        ProxyPass ajp://localhost:8010/legal/
        ProxyPassReverse ajp://localhost:8010/legal/
    </Location>


SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

</VirtualHost>
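The SSLProtocol and SSLCipherSuite lines above reflect the defaults of their time: they still offer SSLv3, TLS 1.0 and 1.1, and the cipher list explicitly adds RC4 and LOW-strength suites. The following audit script is an added example, not part of the Abiquo guide or the Abiquo project. It parses mod_ssl directives from a configuration snippet, expands the SSLProtocol keywords, and flags cipher-list entries that add weak suites. PAGE_CONFIG is a constructed copy of the guide's directives; HARDENED_CONFIG, the policy sets, and the expansion of the all keyword are assumptions and should be checked against the mod_ssl documentation for the httpd build in use.

```python
"""Audit mod_ssl protocol and cipher directives against a minimal TLS policy.

Added example, not part of the Abiquo guide. PAGE_CONFIG carries the
guide's own SSLProtocol/SSLCipherSuite lines; HARDENED_CONFIG is an
assumed replacement that keeps only TLS 1.2+ and authenticated,
non-RC4 suites. The policy sets below are assumptions, not mod_ssl defaults.
"""

# Protocol versions the policy refuses to offer (assumption: TLS 1.2+ only).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# What the 'all' keyword expands to. The real expansion depends on the httpd
# and OpenSSL build; this assumes an older build where 'all' still included
# SSLv2, which is why the guide subtracts it explicitly.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# OpenSSL cipher-list keywords that select weak or unauthenticated suites.
WEAK_CIPHER_KEYWORDS = {"RC4", "LOW", "EXPORT", "ADH", "aNULL", "eNULL",
                        "NULL", "DES", "3DES", "MD5"}

# Directives as given in the guide (constructed copy of the page's block).
PAGE_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
"""

# Assumed hardened replacement for the same block.
HARDENED_CONFIG = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
"""


def parse_directives(config_text):
    """Map each directive name to its value (last occurrence wins)."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def enabled_protocols(value):
    """Expand an SSLProtocol value into the set of versions it enables."""
    enabled = set()
    for token in value.split():
        if token.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def weak_cipher_entries(value):
    """Return cipher-list entries that add (not exclude) weak keywords."""
    weak = []
    for entry in value.split(":"):
        if entry.startswith(("!", "-")):
            continue  # exclusions only ever remove suites
        keywords = entry.lstrip("+").split("+")
        if any(k in WEAK_CIPHER_KEYWORDS for k in keywords):
            weak.append(entry)
    return weak


def audit(config_text):
    """Return a list of human-readable findings; empty means policy-clean."""
    d = parse_directives(config_text)
    findings = []
    for proto in sorted(enabled_protocols(d.get("SSLProtocol", "all"))
                        & DEPRECATED_PROTOCOLS):
        findings.append(f"SSLProtocol offers deprecated version {proto}")
    for entry in weak_cipher_entries(d.get("SSLCipherSuite", "")):
        findings.append(f"SSLCipherSuite selects weak suites via '{entry}'")
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is off: the client chooses the suite")
    return findings


if __name__ == "__main__":
    for label, cfg in (("guide", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run against the guide's block the script reports six findings (three deprecated protocol versions, the RC4+RSA and +LOW entries, and the missing SSLHonorCipherOrder); the hardened block reports none. The directive parser deliberately keeps the last occurrence of a directive, which matches how a later line in the same context overrides an earlier one.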

Configure Tomcat

Put this connector configuration in /opt/abiquo/tomcat/conf/server.xml under the <Service name="Catalina"> section, deleting all other Connector sections:

<Service name="Catalina">

    <Connector port="8009" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443"
               secure="true"
               />

    <Connector port="8010" protocol="AJP/1.3"
               enableLookups="false"
               tomcatAuthentication="false"
               connectionTimeout="20000" secure="true"
               />
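Apache reaches Tomcat on ajp://localhost:8010, and with tomcatAuthentication="false" Tomcat trusts whatever user identity the web server forwards over AJP, so nothing beyond the local httpd should be able to open that port. The connector above sets no address attribute, which leaves the bind interface to the Tomcat default. The script below is an added example, not part of the Abiquo guide or the Abiquo project: it parses a server.xml, reports AJP connectors that are not pinned to the loopback interface, and writes back a hardened copy. SERVER_XML is constructed from the guide's connector block plus the enclosing elements the snippet omits, and the address value used for hardening is an assumption.

```python
"""Check that a Tomcat AJP connector is bound to the loopback interface.

Added example, not part of the Abiquo guide. SERVER_XML is constructed from
the guide's connector block plus enclosing elements the snippet omits;
HARDENED_ADDRESS is the assumed loopback binding to apply.
"""
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}
HARDENED_ADDRESS = "127.0.0.1"  # assumption: bind AJP to IPv4 loopback

# Constructed server.xml fragment; the guide's snippet stops after the
# connectors, so the closing Service/Server tags are added here.
SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443"
               secure="true"
               />
    <Connector port="8010" protocol="AJP/1.3"
               enableLookups="false"
               tomcatAuthentication="false"
               connectionTimeout="20000" secure="true"
               />
  </Service>
</Server>
"""


def is_ajp(connector):
    """True when a Connector element speaks AJP (HTTP/1.1 is Tomcat's default)."""
    return connector.get("protocol", "HTTP/1.1").startswith("AJP")


def ajp_connectors(server_xml):
    """Return the Connector elements that speak AJP."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector") if is_ajp(c)]


def audit_ajp(server_xml):
    """List AJP connectors whose binding is not explicitly loopback-only."""
    findings = []
    for conn in ajp_connectors(server_xml):
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            findings.append(
                f"AJP connector on port {port} sets no address, so the bind "
                f"interface depends on the Tomcat default; add "
                f"address=\"{HARDENED_ADDRESS}\"")
        elif address not in LOOPBACK_ADDRESSES:
            findings.append(
                f"AJP connector on port {port} binds {address}, not loopback")
    return findings


def harden(server_xml):
    """Return server.xml with every unbound AJP connector pinned to loopback."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if is_ajp(conn) and conn.get("address") is None:
            conn.set("address", HARDENED_ADDRESS)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_ajp(SERVER_XML):
        print("finding:", finding)
    print(harden(SERVER_XML))
```

The audit only rewrites connectors that have no address at all; a connector deliberately bound to another interface is reported rather than silently changed, since that is a decision the operator made on purpose.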

Enable HTTPS in the client

Edit /opt/abiquo/tomcat/webapps/client-premium/config/client-config.xml.jsp and change USE_SECURE_CHANNEL_LOGIN value to 1:

...

Notice that if you enable this option, you will not be able to connect to Abiquo with this client using the HTTP URI, as it only connects to SSL-enabled URIs.

Change API properties

Edit /opt/abiquo/config/abiquo.properties and add this line (or modify the value if it already exists):

...
abiquo.server.api.location = http://localhost:8009/api

Restart Services

service abiquo-tomcat restart
service httpd restart

Now all client-server communication will go through a Secure Socket Layer. You can still use HTTP direct connection to Tomcat through port 8009.

Monolithic Installation

In a monolithic install, when configuring the datacenter, use port 8009 instead of the standard HTTP port 80 for remote services. For example, to configure the Appliance Manager you should use the URL:

...