...
When the Abiquo remote services will connect to the Abiquo Server over the internet, these communications should also use TLS.
...
For the distributed scalable server
...
We , we recommend that you configure the communications for the API to the remote services of the distributed scalable server with TLS. This means that you can easily upload and download templates.
...
| Code Block |
|---|
SSLCertificateFile /etc/pki/tls/certs/abiquo.crt SSLCertificateKeyFile /etc/pki/tls/private/abiquo.key </VirtualHost> |
...
...
Remote services configuration
If you have remote RS servers (which means remote services in a different location) or to allow users to upload and download templates, or to improve security, configure the communications between the Abiquo Server and the Remote services servers using TLS.
Add Server certificates to the Java keystore on the Abiquo Server
For TLS for the Abiquo server, add the server certificate to the Java keystore with these steps.
...
You will also need to configure the Remote services server and perform additional configuration on the API server.
...
Add certificates to Remote services server
To add certificates to the Remote services server.
Log in to the Remote services server
Go to the
/etc/pki/tls/folderFor a test environment, create a self-signed certificate for the Remote services server. You can follow the steps at https://devopscube.com/create-self-signed-certificates-openssl/ (there is even a shell script that you can modify and run to automatically create the certificate!
). We recommend that you put the certificate in the certs folder and the key in the private folder Import the Remote services certificate into the default
cacertskeystoreCode Block keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN}.crt -cacertsCheck that the Remote services and Abiquo server certificates are imported the Remote services server.
Code Block [root@abicloud ~]# keytool -list -cacerts -alias {$FQDN} Enter keystore password: remoters.example.com, Dec 12, 2019, trustedCertEntry, Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AAIf the Abiquo server certificate (
abiquo.crt) is not present, copy it over and import it with the value for the Abiquo server FQDN.Code Block keytool -import -trustcacerts -alias {$ABIQUO_FQDN} -file /etc/pki/tls/certs/abiquo.crt -cacerts
...
Add certificates to the Java keystore on the Remote services server
To add Remote services and Server certificates to the Java keystore on the Remote services server.
Log in to the Remote services server
Go to
/etc/pki/tls/certsConvert the remote RS cert to PCKS12 format, using the domain name of your Remote services server.
Code Block openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rsGo the
/opt/abiquo/tomcat/conffolderCreate a
.jkskeystore using the following command and replacing{$REMOTE_SERVICES}with the hostname of your Remote services serverCode Block keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048Import the certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name.
For a production environment, you must configure the keystore according to advice from your Security teamCode Block keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore import_cert_key -srcstoretype PKCS12
...
Add the Remote services certificate on the Abiquo server
Log in to the Abiquo server
Go to the
/etc/pki/tls/folderCopy the Remote services certificate from the Remote services server
Import the Remote services certificate into the default
cacertskeystoreCode Block keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$RE
...
Add Remote services certificates to the Java keystore on the Abiquo server
To configure the Tomcat server on the Abiquo to use TLS you will also need to import the Remote services certificates.
Log in to the Abiquo server
Go to
/etc/pki/tls/certsCopy the certificates from the Remote services server
Convert the remote RS cert to PCKS12 format, using the domain name of your Remote services server.
Code Block openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rsGo the
/opt/abiquo/tomcat/conffolderImport the certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name.
For a production environment, you must configure the keystore according to advice from your Security teamCode Block keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore import_cert_key_rs
...
Change the Tomcat connector on the Remote services to use TLS
To change the Tomcat connector on the Remote services server to use TLS, do these steps.
Log in to the Remote services server
Edit the Tomcat server configuration file at:
Code Block /opt/abiquo/tomcat/conf/server.xml
Remove the Catalina Connector for port
8009Replace it with a new Connector like the following one.
This example is a guide only, use the correct file for your version of TomcatCode Block <Service name="Catalina"> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8009" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/opt/abiquo/tomcat/conf/{$REMOTE_SERVICES}.jks" keystorePass="changeit" keyAlias="{$REMOTE_SERVICES_FQDN}" clientAuth="false" secretrequired="false" sslProtocol="TLS"/>The important values to change are:
keystoreFile- e.g. use the host name of your remote RS serverkeystorePass- use a secure passwordkeyAlias- you must use the domain name of your remote RS server
Also configure the other parameters according to your environment.
...
Apply and verify your configuration
Now that you have finished the configuration of your Remote services server
...