...
For the distributed scalable server, we recommend that you configure the API's communications with the remote services over TLS. This also lets you configure template upload and download easily.
...
If you have remote RS servers (that is, Remote services in a different location), if you want to allow users to upload and download templates, or simply to improve security, configure the communications between the Abiquo Server and the Remote services servers using TLS.
...
...
2. Add ... certificates to ...
For TLS for the Abiquo server, add the server certificate to the Java keystore with these steps.
Note: For a production environment, follow the recommendations of your Security Expert.
  a. Log in to the Abiquo server
  b. Go to the /opt/abiquo/tomcat/conf folder
  c. Convert the certificate to PKCS12 format, replacing {$ABIQUO_FQDN} with the domain name of the Abiquo server
     Code Block
     openssl pkcs12 -export -in /etc/pki/tls/certs/abiquo.crt -inkey /etc/pki/tls/private/abiquo.key -name {$ABIQUO_FQDN} -out import_cert_key_abq
  d. Create a .jks keystore, replacing {$REMOTE_SERVICES} with the host name of your Remote services server
     Code Block
     keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048
  e. Import the certificate into the keystore, using your password and keystore name as above
     Code Block
     keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore import_cert_key_abq -srcstoretype pkcs12
You will also need to configure the Remote services server and perform additional configuration on the API server.
2. Add certificates to the Remote services server
Add the Remote services and Abiquo server certificates to cacerts on the Remote services server.
  a. Log in to the Remote services server
  b. Go to the /etc/pki/tls/ folder
  c. For a test environment, create a self-signed certificate for the Remote services server. You can follow the steps at https://devopscube.com/create-self-signed-certificates-openssl/ (there is even a shell script that you can modify and run to create the certificate automatically). We recommend that you put the certificate in the certs folder and the key in the private folder
  d. Import the Remote services certificate into the default cacerts keystore
     Code Block
     keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN}.crt -cacerts
  e. Check that the Remote services and Abiquo server certificates are imported on the Remote services server.
     Code Block
     [root@abicloud ~]# keytool -list -cacerts -alias {$FQDN}
     Enter keystore password:
     remoters.example.com, Dec 12, 2019, trustedCertEntry,
     Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
  f. If the Abiquo server certificate (abiquo.crt) is not present, copy it over and import it with the value for the Abiquo server FQDN.
     Code Block
     keytool -import -trustcacerts -alias {$ABIQUO_FQDN} -file /etc/pki/tls/certs/abiquo.crt -cacerts
...
3. Add certificates to the Java keystore on the Remote services server
Add the Remote services and Abiquo Server certificates to the Java keystore on the Remote services server.
  a. Log in to the Remote services server
  b. Go to /etc/pki/tls/certs
  c. Convert the remote RS cert to PKCS12 format, using the domain name of your Remote services server.
     Code Block
     openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rs
  d. Convert the Abiquo Server cert to PKCS12 format, using the domain name of your Abiquo Server.
     Code Block
     openssl pkcs12 -export -in {$ABIQUO_FQDN}.crt -inkey {$ABIQUO_FQDN}.key -name {$ABIQUO_FQDN} -out import_cert_key_server
  e. Go to the /opt/abiquo/tomcat/conf folder
  f. Create a .jks keystore using the following command, replacing {$REMOTE_SERVICES} with the hostname of your Remote services server
     Code Block
     keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048
  g. Import the Remote services certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name. For a production environment, you must configure the keystore according to advice from your Security team
     Code Block
     keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore /etc/pki/tls/certs/import_cert_key_rs -srcstoretype PKCS12
4. Add the Remote services certificate on the Abiquo server
  a. Log in to the Abiquo server
  b. Go to the /etc/pki/tls/certs folder
  c. Copy the Remote services certificate from the Remote services server
  d. Convert the remote RS cert to PKCS12 format, using the domain name of your Remote services server.
     Code Block
     openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rs
  e. Import the Remote services certificate into the default cacerts keystore
     Code Block
     keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$RE...
  f. Go to the /opt/abiquo/tomcat/conf folder
  g. Import the certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name. For a production environment, you must configure the keystore according to advice from your Security team
     Code Block
     keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore import_cert_key_rs -srcstoretype PKCS12
  h. Import the Server certificate into the RS keystore.
     Code Block
     keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore ... import_cert_key_server -srcstoretype PKCS12
...
6. Change the Tomcat connector on the Remote services to use TLS
...