Versions Compared

Version Old Version 21 New Version 22
Changes made by

MS

MS

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updating numbered headings

...

If you have remote RS servers (which means remote services in a different location) or to allow users to upload and download templates, or to improve security, configure the communications between the Abiquo Server and the Remote services servers using TLS.

...

...

1. Add certificates to cacerts on the Remote services server

Add Remote services and Server certificates to cacerts on the Remote services server.

  1. Log in to the Remote services server

  2. Go to the /etc/pki/tls/ folder

  3. For a test environment, create a self-signed certificate for the Remote services server. You can follow the steps at https://devopscube.com/create-self-signed-certificates-openssl/ (there is even a shell script that you can modify and run to automatically create the certificate! (smile)). We recommend that you put the certificate in the certs folder and the key in the private folder

  4. Import the Remote services certificate into the default cacerts keystore

    Code Block
    keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN}.crt -cacerts

  5. Check that the Remote services and Abiquo server certificates are imported the Remote services server.

    Code Block
    [root@abicloud ~]# keytool -list -cacerts -alias {$FQDN}
Enter keystore password:  
remoters.example.com, Dec 12, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

    If the Abiquo server certificate (abiquo.crt) is not present, copy it over and import it with the value for the Abiquo server FQDN.

    Code Block
    keytool -import -trustcacerts -alias {$ABIQUO_FQDN} -file /etc/pki/tls/certs/abiquo.crt -cacerts

...

...

2. Add certificates to the Java keystore on the Remote services server

Add Remote services and Abiquo Server certificates to the Java keystore on the Remote services server.

  1. Log in to the Remote services server

  2. Go to /etc/pki/tls/certs

  3. Convert the remote RS cert to PCKS12 format, using the domain name of your Remote services server.

    Code Block
    openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rs

  4. Convert the Abiquo Server cert to PCKS12 format, using the domain name of your Abiquo Server.

    Code Block
    openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_server

  5. Go the /opt/abiquo/tomcat/conf folder

  6. Create a .jks keystore using the following command and replacing {$REMOTE_SERVICES} with the hostname of your Remote services server

    Code Block
    keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048

  7. Import the Remote services certificate into the RS keystore.

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore /etc/pki/tls/certs/import_cert_key_rs -srcstoretype PKCS12

  8. Import the Server certificate into the RS keystore.

  9. Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore /etc/pki/tls/certs/import_cert_key_server -srcstoretype PKCS12

...

3. Add the Remote services certificate on the Abiquo server

  1. Log in to the Abiquo Server

  2. Go to the /etc/pki/tls/ folder

  3. Copy the Remote services certificate from the Remote services server

  4. Import the Remote services certificate into the default cacerts keystore

    Code Block
    keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$RE

...

...

4. Change the Tomcat connector on the Remote services to use TLS

To change the Tomcat connector on the Remote services server to use TLS, do these steps.

  1. Log in to the Remote services server

  2. Edit the Tomcat server configuration file at:

    Code Block
    /opt/abiquo/tomcat/conf/server.xml

  3. Remove the Catalina Connector for port 8009

  4. Replace it with a new Connector like the following one.
    (warning) This example is a guide only, use the correct file for your version of Tomcat

    Code Block
    <Service name="Catalina">

        <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8009" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/abiquo/tomcat/conf/{$REMOTE_SERVICES}.jks" keystorePass="changeit" 
           keyAlias="{$REMOTE_SERVICES_FQDN}"
           clientAuth="false" secretrequired="false" 
           sslProtocol="TLS"/>

    The important values to change are:

    • keystoreFile - e.g. use the host name of your remote RS server

    • keystorePass - use a secure password

    • keyAlias - you must use the domain name of your remote RS server

    Also configure the other parameters according to your environment.

...

...

5. Enable SSL proxy for Apache

For AM connections to work with TLS (for template upload and download), check or enable SSL proxy for Apache.

  1. Log in to the Abiquo server as an administrator.

  2. Edit the Apache configuration at /etc/httpd/conf.d/abiquo.conf

  3. In the Apache virtual host configuration, add the following.

    Code Block
    ####APACHE SSL PROXY##########
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off
  ##############################

  4. Save the file

...

...

6. Apply and verify your configuration

Now that you have finished the configuration of your Remote services server

...