Versions Compared

Old Version 26

changes.mady.by.user MS (Unlicensed)

Saved on

compared with

New Version 27

changes.mady.by.user MS (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

Warning

This document section describes how to use TLS self-signed certificates in for a way in an isolated test environment.

When configuring To configure your production environment, you must follow the recommendations of your Security Expert

...

  1. Log in to the Remote services server

  2. Go to the /etc/pki/tls/ folder

  3. For a test environment, create a self-signed certificate for the Remote services server. You can follow the steps at https://devopscube.com/create-self-signed-certificates-openssl/ (there is even a shell script that you can modify and run to automatically create the certificate! (smile)). We recommend that you put the certificate in the certs folder and the key in the private folder

  4. Import the Remote services certificate into the default cacerts keystore

    Code Block
    keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN}.crt -cacerts

  5. Check that the Remote services and Abiquo server certificates are imported on the Remote services server.

    Code Block
    [root@abicloud ~]# keytool -list -cacerts -alias {$FQDN}
Enter keystore password:  
remoters.example.com, Dec 12, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

    If the Abiquo server certificate (abiquo.crt) is not present, copy it over, and import it with the value for the Abiquo server FQDN.

    Code Block
    keytool -import -trustcacerts -alias {$ABIQUO_FQDN} -file /etc/pki/tls/certs/abiquo.crt -cacerts

...

  1. Log in to the Remote services server

  2. Go to /etc/pki/tls/certs

  3. Convert the remote RS cert to PCKS12 format, using the domain name of your Remote services server.

    Code Block
    openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rs

  4. Convert the Abiquo Server cert to PCKS12 format, using the domain name of your Abiquo Server.

    Code Block
    openssl pkcs12 -export -in {$REMOTE$ABIQUO_SERVICESSERVER_FQDN}.crt -inkey {$REMOTE$ABIQUO_SERVICESSERVER_FQDN}.key -name {$REMOTE$ABIQUO_SERVICESSERVER_FQDN} -out import_cert_key_server

  5. Go the /opt/abiquo/tomcat/conf folder

  6. Create a .jks keystore using the following command and replacing {$REMOTE_SERVICES} with the hostname of your Remote services server

    Code Block
    keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048

  7. Import the Remote services certificate into the RS keystore.

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore /etc/pki/tls/certs/import_cert_key_rs -srcstoretype PKCS12

  8. Import the Server certificate into the RS keystore.

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore /etc/pki/tls/certs/import_cert_key_server -srcstoretype PKCS12

...

  1. Log in to the Abiquo Server

  2. Go to the /etc/pki/tls/ folder

  3. Copy the Remote services certificate from the Remote services server

  4. Import the Remote services certificate into the default cacerts keystore

    Code Block
    keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$RE$REMOTE_SERVICES}.crt

...

4. Change the Tomcat connector on the Remote services to use TLS

...