Versions Compared

Version Old Version 17 New Version Current
Changes made by

MS (Unlicensed)

MS (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Info

This page describes how to use TLS/HTTPS to secure communications between an Abiquo Server and a Remote Services server in a remote location, which is called a remote RS server. You can use this

...

, for example, when communications are over the internet.

When the Abiquo remote services will connect to the Abiquo Server over the internet, these communications should use TLS. When users upload or download templates, they need a direct connection to the Appliance Manager remote service, and this connection must also be made with TLS.

Mermaid
fileNamemermaid_1702463192491
themedefault
version6
{"diagramDefinition":"flowchart LR\nsubgraph API\n    P(cacerts)\nend\nsubgraph RS\n    A(Java keystore)\nend\nAPI <-- HTTPS --> RS\n\n        style A fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff\n        style P fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff"}

To use TLS between the API and remote services, configure the following certificates:

  • API server, default cacerts → API certificate + RS certificate

    • /usr/java/${JAVA_JDK}/lib/security/cacerts

  • RS server, custom .jks keystore → API certificate + RS certificate

    • /opt/abiquo/tomcat/conf/${CERT_NAME}.jks

Warning

This document explains how to configure a test environment and it gives examples for a test environment.

When configuring your production environment, always follow the advice of your Security team.

Note

Change our example values to the values for your environment.

For example, replace ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server.

And replace ${CERT_NAME}.jks with the name of your remote RS server keystore.

...

Import certificates on Remote RS

For a test environment, create a self-signed certificate for remote RS and import it. You can also use a wildcard certificate for your test environment.

Tip

https://devopscube.com/create-self-signed-certificates-openssl/

  1. Log in to the Remote Services server as an administrator

  2. Go to the /etc/pki/tls/ folder

  3. Copy your self-signed Remote Services certificate (and API certificate(s)), or wildcard certificate to the certs folder and your private key to the private folder

  4. Convert your certificates to PCKS12 format. For a wildcard certificate, do this for each server and enter its fully qualified domain name.

    1. For the Remote services server, replace ${CERT_NAME} with your certificate name and replace ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server.

      Code Block
      openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${REMOTE_SERVICES_FQDN} -out import_cert_key_rs

    2. For the API server, replace ${CERT_NAME} with your certificate name and replace ${ABIQUO_SERVER_FQDN} with the domain name of your Abiquo API server.

      Code Block
      openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${API_SERVER_FQDN} -out import_cert_key_server

  5. Go to the /opt/abiquo/tomcat/conf folder

  6. Create a .jks keystore with the same name as the hostname of your Remote services server. (warning) The following keystore configuration is suitable for a test environment only.

    Code Block
    keytool -genkey -keyalg RSA -keystore {CERT_NAME}.jks -keysize 2048

  7. Import the Remote services certificate into the keystore for Tomcat to use

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_rs -srcstoretype PKCS12

  8. Import the API server certificate into the keystore for Tomcat to use

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_server -srcstoretype PKCS12

...

Verify API server location path on remote RS server

Check that your Remote RS server has the correct API path set.

  1. Log in to the Remote RS server as an administrator

  2. View the Abiquo properties file at

    Code Block
    /opt/abiquo/config/abiquo.properties

  3. If the abiquo.server.api.location property is not set to a value with https and no port number, then edit the file and update it.
    For example, abiquo.server.api.location=https://myapiserver.bcn.abiquo.com/api.

...

Define a new HTTPS connector in remote RS Catalina

Replace your current remote RS catalina connector On the Remote RS server, edit the Tomcat server configuration file at:

Code Block
/opt/abiquo/tomcat/conf/server.xml

Use your own keystore and configure the parameters in the following connectorReplace the current remote RS Catalina connector for port 8009 with a new connector.

Note

The example below is a guide only, use the correct file for your version of Tomcat

The important values to change are:

  • keystoreFile - e.g. use the host name of your remote RS server

  • keystorePass - use a secure password

  • keyAlias - you must use the domain name of your remote RS server

Also configure the other parameters according to your environment.

Code Block
<Service name="Catalina">

        <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8009" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/abiquo/tomcat/conf/remoters.jks" keystorePass="changeit" keyAlias="myremoters.bcn.abiquo.com${CERTNAME}.jks" 
          clientAuth="false" secretrequiredkeystorePass="falsechangeit" 
           sslProtocol="TLS"/>

...

keyAlias

...

Code Block
keystoreFile="/opt/abiquo/tomcat/conf/remoters.jks" keystorePass="changeit" keyAlias="myremoters.bcn.abiquo.com"

Import certificates on Remote RS

You will need to convert your remote RS certs to PCKS12 format.

Code Block
openssl pkcs12 -export -in myremoters.bcn.abiquo.com.crt -inkey myremoters.bcn.abiquo.com.key -name myremoters.bcn.abiquo.com -out import_cert_key

Import it into the RS keystore that Tomcat is going to use:

Code Block
keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore import_cert_key -srcstoretype PKCS12

If you need to create a .jks keystore you can do it easily with the following command.

Code Block
keytool -genkey -keyalg RSA -keystore remoters.jks -keysize 2048

...

="${REMOTE_SERVICES_FQDN}"
           clientAuth="false" secretrequired="false" 
           sslProtocol="TLS"/>

...

Import remote RS certificates on Abiquo server

On Log in to the API server that will connect to the Remote remote RS via HTTP, import the remote RS certificate. For HTTPS as administrator.

Import the Remote RS certificate, for example, for the default cacerts keystore in a test environment.

Code Block
keytool -import -trustcacerts -alias myremoters.bcn.abiquo.com${REMOTE_SERVICES_FQDN} -file /etc/pki/abiquo/myremoters.bcn.abiquo.${CERT_NAME}.crt -cacerts

If you are using a self-signed certificate, also import your CA certificate.

...

Enable SSL proxy for Apache

For AM connections to work with TLS (for template upload and download), check or enable SSL proxy for Apache
Add the following config to your apache virtualhost config, on .

  1. Log in the API/UI server

...

  1. as an administrator.

  2. Edit the Apache configuration at /etc/httpd/conf.d/abiquo.conf.

  3. In the Apache virtual host configuration, add the following.

    Code Block

...

  1. ####APACHE SSL PROXY##########
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off
  ##############################

...

...
Apply and verify
At this point all configurations are done. Restart both 
  1. On the servers where you have made changes (Remote RS and Abiquo server), restart abiquo-tomcat services 
...
  2. On the Abiquo server, restart the Apache httpd service
  3. If you are using a self-signed certificate in a test environment, accept the Remote RS certificates.
    1. In your browser, open a connection to the remote RS server using the port. For example, this could be: https://remoters.bcn.abiquo.com:8009/
    2. Go to Advanced and accept the risk.
  4.  Log in to Abiquo as a cloud administrator and add your remote RS using 
...
  1. the https protocol and port 8009
For Tomcat TLS troubleshooting, see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html 
...