Versions Compared

Old Version 31

changes.mady.by.user MS

Saved on

compared with

New Version 32

changes.mady.by.user MS

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

When the Abiquo remote services will connect to the Abiquo Server over the internet, these communications should use TLS. When users upload or download templates, they need a direct connection to the Appliance Manager remote service, and this connection must also be made with TLS.

Mermaid
fileNamemermaid_1702463192491
themedefault
version35
{"diagramDefinition":"flowchart LRTD\nA--HTTP-->P(RemoteServices)\nsubgraph Abiquo PlatformMain_datacenter \n    A\n    P\nend\nsubgraph Remote_datacenter \n    Y\nend\nX(CloudAbiquo User\\nwith UI)<--HTTPS (templates)-->P\nX(Cloud User)--UI with HTTPS-->A(Abiquo Server)\nY(Remote RS)--HTTPS-->A\nX(Cloud User)<nX<--HTTPS (templates)-->Y\n        style A fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff\n        style P fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff\n        style Y fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff"}

Warning

This document explains how to configure a test environment and it gives examples for a test environment.

When configuring your production environment, always follow the advice of your Security team.

Note

Change our example values to the values for your environment.

For example, replace myremoters.bcn.abiquo.com ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server.

And replace remoters${CERT_NAME}.jks with the name of your remote RS server keystore.

...

Import certificates on Remote RS

...

  1. Log in to the Remote Services server as an administrator

  2. Go to the /etc/pki/tls/ folder

  3. Copy your self-signed Remote Services certificate (and API certificate(s)), or wildcard certificate to the certs folder and your private key to the private folder

  4. Convert your certificates to PCKS12 format. For a wildcard certificate, do this for each server and enter its fully qualified domain name.

    1. For the Remote services server, replace ${CERT_NAME} with your certificate name and replace ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server.

      Code Block
      openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${REMOTE_SERVICES_FQDN} -out import_cert_key_rs

    2. For the API server, replace ${CERT_NAME} with your certificate name and replace ${ABIQUO_SERVER_FQDN} with the domain name of your Abiquo API server.

      Code Block
      openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${API_SERVER_FQDN} -out import_cert_key_server

  5. Go to the /opt/abiquo/tomcat/conf folder

  6. Create a .jks keystore with the same name as the hostname of your Remote services server. (warning) This keystore configuration is suitable for a test environment only

    Code Block
    keytool -genkey -keyalg RSA -keystore {REMOTECERT_SERVICESNAME}.jks -keysize 2048

  7. Import the Remote services certificate into the keystore for Tomcat to use

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore ${REMOTECERT_SERVICESNAME}.jks -srckeystore import_cert_key_rs -srcstoretype PKCS12

  8. Import the API server certificate into the keystore for Tomcat to use

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore ${REMOTECERT_SERVICESNAME}.jks -srckeystore import_cert_key_server -srcstoretype PKCS12

...

Code Block
<Service name="Catalina">

        <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8009" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/abiquo/tomcat/conf/remoters${CERTNAME}.jks" 
           keystorePass="changeit" 
           keyAlias="myremoters.bcn.abiquo.com${REMOTE_SERVICES_FQDN}"
           clientAuth="false" secretrequired="false" 
           sslProtocol="TLS"/>

...

  1. On the servers where you have made changes (Remote RS and Abiquo server), restart abiquo-tomcat services

  2. On the Abiquo server, restart the Apache httpd service

  3. If you are using a self-signed certificate in a test environment, accept the Remote RS certificates.

    1. In your browser, open a connection to the remote RS server using the port. In our For example, this would could be: https://remoters.bcn.abiquo.com:8009/

    2. Go to Advanced and accept the risk.

  4. Log in to Abiquo as a cloud administrator and add your remote RS using the https protocol and port 8009

...