Warning: This document describes how to use TLS certificates in a way that is only suitable for an isolated test environment. You must follow the recommendations of your Security Expert when configuring your production environment.
TLS use cases
Your users will connect to the Abiquo UI over HTTPS with TLS.
You can run Abiquo over HTTP for communications between its appliance servers when these connections are internal, within the same infrastructure/datacenter network. However, your users will connect to the Abiquo UI over HTTPS.
When users upload or download templates, they need a direct connection to the Appliance Manager remote service, and this connection must also be made with HTTPS.
Tip: The Abiquo Monolithic Server has a self-signed certificate ... and the connection to the appliance manager is preconfigured to use TLS.
When the Abiquo remote services will connect to the Abiquo Server over the internet, these communications should also use TLS.
For details of how to configure remote RS, see Configure Abiquo Tomcat with HTTPS for Remote RS.
The following sections describe how the certificates are configured in Abiquo.
Distributed scalable server
We recommend that you configure the communications from the API to the remote services of the distributed scalable server with TLS. This also means that you can easily upload and download templates.
Abiquo UI certificates
The server OVA has a self-signed certificate called abiquo.crt that you can find in the /etc/pki/tls/certs folder.
The Apache web server (HTTPD) uses this certificate for the Abiquo User Interface (UI) on the Abiquo API/UI or UI server.
On the API/UI server, the certificate files are typically found in the /etc/pki/tls/certs folder.
You configure this certificate for the Apache Web Server in the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website/VirtualHost. This certificate is also in the default cacerts keystore.
To quickly check the certificate in the cacerts keystore, use the following command, with the default keystore password for a test system.
Code Block
[root@abicloud ~]# keytool -list -keystore /usr/java/default/jre/lib/security/cacerts -alias {$SERVER_FQDN}
Enter keystore password:
abicloud.example.com, Dec 11, 2022, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
To check the certificate for the Apache Web Server:
1. Log in to the Abiquo server (with the Abiquo UI)
2. Edit the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website/VirtualHost.
3. Check the configuration, which by default should be as follows.
Code Block
SSLCertificateFile /etc/pki/tls/certs/abiquo.crt
SSLCertificateKeyFile /etc/pki/tls/private/abiquo.key
</VirtualHost>
Add Server certificates to the Java keystore on the Abiquo Server
If you have remote RS servers (remote services in a different location), or to allow Abiquo users to upload and download templates, you will also need to import this certificate into the Java keystore.
Remote RS
If you have remote datacenters that will communicate over the internet, or you require extra security on the application layer over and above the firewalls at both ends, you can secure the connections for the remote services at remote sites (remote RS servers) by implementing TLS over HTTP, and configure the Catalina connector for Tomcat to use TLS/HTTPS.
You will also need to import the remote RS certificate into the Java keystores of the API/UI servers so the API/UI can connect via HTTPS to the RS.
To quickly check this certificate, for example, on the API server, use the following command.
Or, to improve security, configure the communications between the Abiquo Server and the Remote services servers using TLS.
To use TLS for the Abiquo server, add the server certificate to the Java keystore with these steps.
Note: For a production environment, follow the recommendations of your Security Expert.
1. Log in to the Abiquo server
2. Go to the /opt/abiquo/tomcat/conf folder
3. Convert the certificate to PKCS12 format, replacing {$SERVER_FQDN} with the domain name of the Abiquo server
Code Block
openssl pkcs12 -export -in /etc/pki/tls/certs/abiquo.crt -inkey /etc/pki/tls/private/abiquo.key -name {$SERVER_FQDN} -out import_cert_key_abq
4. Create a .jks keystore, replacing {$REMOTE_SERVICES} with the host name of your Remote services server
Code Block
keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048
5. Import the certificate into the keystore, using your password and keystore name as above
Code Block
keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore import_cert_key_abq -srcstoretype pkcs12
You will also need to configure the Remote services server and perform additional configuration on the API server.
Add certificates to Remote services server
To add certificates to the Remote services server:
1. Log in to the Remote services server
2. Go to the /etc/pki/tls/ folder
3. For a test environment, create a self-signed certificate for the Remote services server. You can follow the steps at https://devopscube.com/create-self-signed-certificates-openssl/ (there is even a shell script that you can modify and run to automatically create the certificate!). We recommend that you put the certificate in the certs folder and the key in the private folder
4. Import the Remote services certificate into the default cacerts keystore
Code Block
keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN}.crt -cacerts
5. Check that the Remote services and Abiquo server certificates are imported on the Remote services server.
Code Block
[root@abicloud ~]# keytool -list -cacerts -alias {$FQDN}
Enter keystore password:
remoters.example.com, Dec 12, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
6. If the Abiquo server certificate (abiquo.crt) is not present, copy it over and import it with the value for the Abiquo server FQDN.
Code Block
keytool -import -trustcacerts -alias {$ABIQUO_FQDN} -file /etc/pki/tls/certs/abiquo.crt -cacerts

Adding Remote RS with TLS in Abiquo
Generally, under this configuration, the following remote services should be added to Abiquo:
- Appliance manager from the API/UI server on port 443/tcp with the connector defined on the UI server
- Business process manager from remote V2V server on port 8010/tcp
- Other remote services from the remote RS server on port 8009/tcp
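A check worth adding after the keytool -list steps above: confirm that the trustedCertEntry stored under an alias is the same certificate as the file on disk, not a stale entry from an earlier import. This is an added example, not code from the Abiquo documentation; it assumes keytool and openssl are on PATH, the test-system truststore password "changeit" used on this page, and the page's default cacerts path.

```shell
#!/bin/sh
# Added example (not part of the Abiquo documentation): compare the fingerprint
# keytool reports for an alias with the fingerprint openssl computes for the .crt
# file, so a stale or wrong trustedCertEntry is caught before Tomcat is restarted.

# Extract the colon-separated hex fingerprint from one tool's output, uppercased.
# Handles keytool ("Certificate fingerprint (SHA-256): AB:CD...", or "(SHA1)" on
# older JDKs) and openssl ("sha256 Fingerprint=ab:cd..." / "SHA1 Fingerprint=").
extract_fingerprint() {
    printf '%s\n' "$1" \
      | grep -i -o 'fingerprint[^:=]*[:=] *[0-9A-Fa-f:]*' \
      | head -n 1 \
      | sed -e 's/^[^:=]*[:=] *//' \
      | tr 'a-f' 'A-F'
}

# Map the digest keytool reported to the matching openssl x509 flag.
keytool_digest_flag() {
    case "$1" in
        *SHA-256*|*SHA256*) echo '-sha256' ;;
        *SHA1*|*SHA-1*)     echo '-sha1' ;;
        *)                  return 1 ;;
    esac
}

# True when both outputs carry the same (non-empty) fingerprint.
fingerprints_match() {
    fp1=$(extract_fingerprint "$1")
    fp2=$(extract_fingerprint "$2")
    [ -n "$fp1" ] && [ "$fp1" = "$fp2" ]
}

# Live check: alias, certificate file, optional keystore path (assumes "changeit").
check_trust_entry() {
    ks=${3:-/usr/java/default/jre/lib/security/cacerts}
    kt=$(keytool -list -keystore "$ks" -storepass changeit -alias "$1" 2>&1) \
        || { echo "alias $1 not found in $ks"; return 2; }
    flag=$(keytool_digest_flag "$kt") || { echo "unrecognised fingerprint algorithm"; return 2; }
    os=$(openssl x509 -noout -fingerprint "$flag" -in "$2")
    if fingerprints_match "$kt" "$os"; then echo "OK: $1 matches $2"; return 0; fi
    echo "MISMATCH: $1 in $ks is not $2 (stale or wrong import?)"; return 1
}

# Constructed sample output (not captured from a real system) for an offline dry run.
SAMPLE_KEYTOOL='remoters.example.com, Dec 12, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9'
SAMPLE_OPENSSL='sha256 Fingerprint=0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9'
fingerprints_match "$SAMPLE_KEYTOOL" "$SAMPLE_OPENSSL" && echo "sample fingerprints match"
```

On a real host, run `check_trust_entry "$REMOTE_SERVICES_FQDN" /etc/pki/tls/certs/"$REMOTE_SERVICES_FQDN".crt` on the Remote services server and the Abiquo server after each import.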
Add certificates to the Java keystore on the Remote services server
To add Remote services and Server certificates to the Java keystore on the Remote services server:
1. Log in to the Remote services server
2. Go to /etc/pki/tls/certs
3. Convert the remote RS cert to PKCS12 format, using the domain name of your Remote services server.
Code Block
openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rs
4. Go to the /opt/abiquo/tomcat/conf folder
5. Create a .jks keystore using the following command, replacing {$REMOTE_SERVICES} with the hostname of your Remote services server
Code Block
keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048
6. Import the certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name. For a production environment, you must configure the keystore according to advice from your Security team
Code Block
keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore /etc/pki/tls/certs/import_cert_key_rs -srcstoretype PKCS12
Add the Remote services certificate on the Abiquo server
1. Log in to the Abiquo server
2. Go to the /etc/pki/tls/ folder
3. Copy the Remote services certificate from the Remote services server
4. Import the Remote services certificate into the default cacerts keystore
Code Block
keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN}.crt -cacerts
Add Remote services certificates to the Java keystore on the Abiquo server
To configure the Tomcat server on the Abiquo server to use TLS, you will also need to import the Remote services certificates.
1. Log in to the Abiquo server
2. Go to /etc/pki/tls/certs
3. Copy the certificates from the Remote services server
4. Convert the remote RS cert to PKCS12 format, using the domain name of your Remote services server.
Code Block
openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rs
5. Go to the /opt/abiquo/tomcat/conf folder
6. Import the certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name. For a production environment, you must configure the keystore according to advice from your Security team
Code Block
keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore /etc/pki/tls/certs/import_cert_key_rs -srcstoretype PKCS12
Change the Tomcat connector on the Remote services to use TLS
To change the Tomcat connector on the Remote services server to use TLS, do these steps.
1. Log in to the Remote services server
2. Edit the Tomcat server configuration file at:
Code Block
/opt/abiquo/tomcat/conf/server.xml
3. Remove the Catalina Connector for port 8009
4. Replace it with a new Connector like the following one. This example is a guide only; use the correct file for your version of Tomcat
Code Block
<Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="8009" maxThreads="200"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/opt/abiquo/tomcat/conf/{$REMOTE_SERVICES}.jks"
             keystorePass="changeit"
             keyAlias="{$REMOTE_SERVICES_FQDN}"
             clientAuth="false" secretrequired="false" sslProtocol="TLS"/>
The important values to change are:
- keystoreFile - e.g. use the host name of your remote RS server
- keystorePass - use a secure password
- keyAlias - you must use the domain name of your remote RS server
Also configure the other parameters according to your environment.
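A pre-restart lint for the Connector above, as an added example (not code from the Abiquo documentation or from Tomcat): it reads the connector text and reports the values the page says must be changed (keystoreFile, keystorePass, keyAlias) when they are still at their test defaults or placeholders. The `sslEnabledProtocols` check refers to a standard Tomcat connector attribute that is not on this page; the sample connectors are constructed from the page's example.

```shell
#!/bin/sh
# Added example, not part of the Abiquo documentation: a pre-restart lint for the
# Remote services <Connector> described above. It reads the connector text and
# reports settings that are only acceptable on an isolated test system.

# Print the value of attribute $2 from connector text $1 (first occurrence, or empty).
connector_attr() {
    printf '%s\n' "$1" | tr '\n\t' '  ' \
      | grep -o " $2=\"[^\"]*\"" | head -n 1 | sed 's/^[^"]*"//; s/"$//'
}

# Emit one WARN line per finding; return 0 only when there are none.
connector_findings() {
    conn=$1; count=0
    warn() { echo "WARN: $1"; count=$((count + 1)); }

    [ "$(connector_attr "$conn" SSLEnabled)" = "true" ] \
      && [ "$(connector_attr "$conn" secure)" = "true" ] \
      || warn 'SSLEnabled and secure must both be "true" for an HTTPS connector'
    case "$(connector_attr "$conn" keystorePass)" in
        ''|changeit) warn 'keystorePass is empty or the test default "changeit"' ;;
    esac
    for a in keystoreFile keyAlias; do
        case "$(connector_attr "$conn" "$a")" in
            *'{$'*) warn "$a still contains an unreplaced {\$...} placeholder" ;;
            '')     warn "$a is not set" ;;
        esac
    done
    # sslProtocol="TLS" alone leaves the negotiable versions to the JVM defaults;
    # pin them explicitly so old versions cannot be negotiated by accident.
    [ -n "$(connector_attr "$conn" sslEnabledProtocols)" ] \
      || warn 'sslEnabledProtocols is not set; TLS versions follow JVM defaults'
    [ "$count" -eq 0 ]
}

# Constructed samples: the connector exactly as shown on this page, and a hardened
# variant with the placeholders and test password replaced.
PAGE_CONNECTOR='<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8009"
  maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="/opt/abiquo/tomcat/conf/{$REMOTE_SERVICES}.jks" keystorePass="changeit"
  keyAlias="{$REMOTE_SERVICES_FQDN}" clientAuth="false" secretrequired="false" sslProtocol="TLS"/>'
HARDENED_CONNECTOR='<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8009"
  maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="/opt/abiquo/tomcat/conf/remoters.jks" keystorePass="replace-with-a-strong-password"
  keyAlias="remoters.example.com" clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.3"/>'

connector_findings "$PAGE_CONNECTOR" || echo "fix the findings above before restarting Tomcat"
```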
Apply and verify your configuration
Now that you have finished the configuration of your Remote services server, apply your changes by restarting the Tomcat server on all services.
Code Block
systemctl restart abiquo-tomcat.service
If you are using a self-signed certificate in a test environment, accept the remote RS certificates with these steps.
1. In your browser, open a connection to the remote RS server using the port. In our example, this would be: https://remoters.bcn.abiquo.com:8009/
2. On the certificate warning, go to Advanced and accept the risk.
V2V server
Now, while it is fresh in your mind, repeat this configuration for your V2V server!
Now you can continue with the steps for the distributed scalable install.
Tip: Generally, under this configuration, when you create a datacenter, you should add all remote services with