...
Info |
---|
This page describes how to use TLS/HTTPS to secure communications between an Abiquo Server and a Remote Services server in a remote location (called a "remote RS"). |
When Abiquo Remote Services connect to the Abiquo Server over the internet, these communications should use TLS. When users upload or download templates, they need a direct connection to the Appliance Manager (AM) remote service, and this connection must also be made with TLS.
Diagram: API server (cacerts) <-- HTTPS --> Remote Services server (Java keystore)
To use TLS between the API and remote services, configure the following certificates:
Server | Keystore | Contents | Path |
---|---|---|---|
API server (default) | cacerts | API certificate + RS certificate | /usr/java/${JAVA_JDK}/lib/security/cacerts |
RS server (custom) | .jks keystore | API certificate + RS certificate | /opt/abiquo/tomcat/conf/${CERT_NAME}.jks |
Warning |
---|
This document explains how to configure a test environment and it gives examples for a test environment. When configuring your production environment, always follow the advice of your Security team. |
Note |
---|
Change our example values to the values for your environment. For example, |
...
replace And replace |
...
Import certificates on Remote RS
For a test environment, create a self-signed certificate for remote RS and import it. You can also use a wildcard certificate for your test environment.
Tip |
---|
https://devopscube.com/create-self-signed-certificates-openssl/ |
Log in to the Remote Services server as an administrator.
Go to the /etc/pki/tls/ folder. Copy your self-signed Remote Services certificate (and API certificate(s)), or your wildcard certificate, to the certs folder, and your private key to the private folder.
Convert your certificates to PKCS12 format. For a wildcard certificate, do this for each server and enter its fully qualified domain name as the -name, because that name becomes the alias of the entry in the keystore. openssl asks for an export password; you will need it again when you import the file into the keystore.
For the Remote Services server, replace ${CERT_NAME} with your certificate name and replace ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server.
Code Block |
---|
openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${REMOTE_SERVICES_FQDN} -out import_cert_key_rs |
For the API server, replace ${CERT_NAME} with your certificate name and replace ${ABIQUO_SERVER_FQDN} with the domain name of your Abiquo API server. When the API server has its own certificate (rather than a wildcard certificate shared by both servers), this form requires the API server's private key to be present on the remote RS server. To trust the API server, the remote RS only needs the API server's certificate, so prefer importing the .crt alone as a trusted entry and avoid copying private keys between servers.
Code Block |
---|
openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${ABIQUO_SERVER_FQDN} -out import_cert_key_server |
Go to the /opt/abiquo/tomcat/conf folder.
Create a .jks keystore with the same name as the hostname of your Remote Services server (for example remoters.jks; the commands below call it ${CERT_NAME}.jks, so replace that with the name of your server keystore). The following keystore configuration is suitable for a test environment only. Note that keytool -genkey also stores a generated self-signed key pair under the default alias mykey; Tomcat ignores it because keyAlias in the connector selects the entry to serve.
Code Block |
---|
keytool -genkey -keyalg RSA -keystore ${CERT_NAME}.jks -keysize 2048 |
Import the Remote Services certificate into the keystore for Tomcat to use. keytool asks for the password you gave when exporting the PKCS12 file, and the imported entry keeps the -name from that export as its alias. changeit is the Java default and a test value only; use the same password as keystorePass in the Tomcat connector.
Code Block |
---|
keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_rs -srcstoretype PKCS12 |
Import the API server certificate into the keystore for Tomcat to use.
Code Block |
---|
keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_server -srcstoretype PKCS12 |
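The steps above (self-signed certificate, PKCS12 conversion, keystore import) are collected in the following script. It is an added example and not part of the Abiquo documentation or tooling; the FQDNs, the scratch directory and the password changeit are placeholders and test values. It also shows the two checks worth running before touching server.xml: the alias stored in the PKCS12 file (which keyAlias must match) and the DNS names in the certificate's subjectAltName (which browsers match instead of the CN).

```shell
#!/bin/sh
# Added example, not Abiquo's own tooling: prepare the remote RS keystore for a
# TEST environment and check the aliases Tomcat will look up.
# Assumptions (placeholders, not from the page): the FQDNs passed in, the
# working directory, and the password "changeit" (the Java default, test only).
set -eu

STOREPASS="${STOREPASS:-changeit}"

# Self-signed certificate whose subjectAltName carries the FQDN. Browsers match
# only the SAN, so a CN-only certificate is rejected even when the CN is right.
# Requires OpenSSL 1.1.1 or later for -addext.
make_self_signed() {   # make_self_signed <fqdn> <outdir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$2/$1.key" -out "$2/$1.crt" \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# Same conversion as the page's openssl pkcs12 step. The -name becomes the
# keystore alias, which keyAlias in server.xml must match exactly.
make_pkcs12() {        # make_pkcs12 <crt> <key> <fqdn> <out.p12>
  openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" \
    -passout "pass:$STOREPASS"
}

# Offline checks (no keytool needed): the alias stored in the PKCS12 file and
# the DNS names in the certificate's SAN.
pkcs12_alias() {       # pkcs12_alias <p12>
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$STOREPASS" 2>/dev/null \
    | sed -n 's/^ *friendlyName: *//p' | head -n 1
}
cert_san() {           # cert_san <crt>  -> one DNS:name per line
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# keytool steps. -importkeystore creates the destination keystore if it does
# not exist, so the page's keytool -genkey step (which adds an unrelated
# self-signed key pair under the alias "mykey") can be skipped.
import_pkcs12() {      # import_pkcs12 <p12> <keystore.jks>
  keytool -importkeystore -noprompt -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass "$STOREPASS" -destkeystore "$2" -deststorepass "$STOREPASS"
}
# Trusting a peer needs only its certificate: import the API server's .crt as a
# trusted entry instead of copying the API private key to the RS server.
import_trusted_cert() { # import_trusted_cert <crt> <alias> <keystore.jks>
  keytool -importcert -noprompt -trustcacerts -file "$1" -alias "$2" \
    -keystore "$3" -storepass "$STOREPASS"
}
list_aliases() {       # list_aliases <keystore.jks>  -> one alias per line
  keytool -list -keystore "$1" -storepass "$STOREPASS" \
    | sed -n 's/^\([^,]*\), .*/\1/p'
}

# End-to-end run in a scratch directory; the FQDNs are placeholders.
demo() {
  rs=remoters.example.test; api=myapiserver.example.test
  d=$(mktemp -d)
  make_self_signed "$rs" "$d"
  make_self_signed "$api" "$d"
  make_pkcs12 "$d/$rs.crt" "$d/$rs.key" "$rs" "$d/import_cert_key_rs"
  echo "PKCS12 alias: $(pkcs12_alias "$d/import_cert_key_rs")"
  echo "SAN: $(cert_san "$d/$rs.crt")"
  if command -v keytool >/dev/null 2>&1; then
    import_pkcs12 "$d/import_cert_key_rs" "$d/$rs.jks"
    import_trusted_cert "$d/$api.crt" "$api" "$d/$rs.jks"
    echo "keystore aliases:"; list_aliases "$d/$rs.jks"
  fi
}
if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh prepare-rs-keystore.sh run` on the remote RS (the file name is an assumption). The alias printed by list_aliases for the RS entry is the value to put in keyAlias; the API server entry appears as a trustedCertEntry, which is all the remote RS needs to validate the API server's certificate.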
...
Verify API server location path on remote RS server
Check that your remote RS server has the correct API path set.
Log in to the remote RS server as an administrator.
View the Abiquo properties file at
Code Block |
---|
/opt/abiquo/config/abiquo.properties |
If the abiquo.server.api.location property is not set to a value with https and no port number (so that the standard HTTPS port 443 is used), then edit the file and update it. For example:
Code Block |
---|
abiquo.server.api.location=https://myapiserver.bcn.abiquo.com/api |
...
Define a new HTTPS connector in remote RS Catalina
On the Remote RS server, edit the Tomcat server configuration file at:
...
Replace the current remote RS Catalina connector for port 8009 with a new connector.
Note |
---|
The example below is a guide only; use the correct file and attribute syntax for your version of Tomcat. |
The important values to change are:
keystoreFile - the keystore you created above, e.g. named after the host name of your remote RS server
keystorePass - use a secure password (changeit is the Java default and a test value only)
keyAlias - you must use the domain name of your remote RS server; it must match the -name given when you created the PKCS12 file, because Tomcat selects the key entry by this alias
Also configure the other parameters according to your environment. Port 8009 is normally Tomcat's AJP port, which is why the existing connector on it is replaced; secretrequired belongs to the AJP connector and has no effect on an HTTP/1.1 connector. Unless your Security team specifies otherwise, restrict the enabled protocol versions to TLS 1.2 and later.
Code Block |
---|
<Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="8009"
             maxThreads="200"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/opt/abiquo/tomcat/conf/${CERT_NAME}.jks"
             keystorePass="changeit"
             keyAlias="${REMOTE_SERVICES_FQDN}"
             clientAuth="false"
             secretrequired="false"
             sslProtocol="TLS"/> |
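The connector above uses the attribute style that predates Tomcat 8.5 and leaves the protocol set at Tomcat's default. As an added example (not from the Abiquo documentation), the same connector is shown in the SSLHostConfig form used by Tomcat 8.5 and 9, restricted to TLS 1.2 and 1.3. The keystore path, alias and password are the page's placeholders; changeit remains a test value, and certificateVerification="none" is the equivalent of the page's clientAuth="false".

```xml
<Service name="Catalina">
  <!-- HTTPS on the port the page re-uses (8009). Only the server proves its
       identity, as in the page's example (certificateVerification="none"). -->
  <Connector port="8009"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="200"
             scheme="https" secure="true" SSLEnabled="true">
    <!-- Allow TLS 1.2 and 1.3 only; older versions are refused. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3" certificateVerification="none">
      <!-- ${CERT_NAME} and ${REMOTE_SERVICES_FQDN} are the page's placeholders;
           the alias must equal the -name used when the PKCS12 file was built. -->
      <Certificate certificateKeystoreFile="/opt/abiquo/tomcat/conf/${CERT_NAME}.jks"
                   certificateKeystorePassword="changeit"
                   certificateKeyAlias="${REMOTE_SERVICES_FQDN}"
                   type="RSA"/>
    </SSLHostConfig>
  </Connector>
  <!-- the rest of the Service element is unchanged -->
</Service>
```

After a restart, the Tomcat log reports the protocols and key alias it actually loaded; a wrong alias fails at startup rather than at the first connection, which is the easiest place to catch it.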
...
Import remote RS certificates on Abiquo server
Log in as an administrator to the API server that will connect to the remote RS via HTTPS.
Import the Remote RS certificate into the Java trust store used by the Abiquo API; for example, in a test environment, into the default cacerts keystore. The -cacerts option requires Java 9 or later; with an older Java, use -keystore with the path to its cacerts file instead. The default cacerts password is changeit.
Code Block |
---|
keytool -import -trustcacerts -alias ${REMOTE_SERVICES_FQDN} -file /etc/pki/abiquo/${CERT_NAME}.crt -cacerts |
If your certificate was issued by a private CA rather than being self-signed, also import that CA certificate, because the chain cannot be validated without it.
...
Enable SSL proxy for Apache
For AM connections to work with TLS (for template upload and download), check or enable the SSL proxy in Apache.
Log in to the API/UI server as an administrator.
Edit the Apache configuration at /etc/httpd/conf.d/abiquo.conf. In the Apache virtual host configuration, add the following.
Code Block |
---|
####APACHE SSL PROXY##########
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
############################## |
Warning |
---|
SSLProxyVerify none together with the three SSLProxyCheckPeer* off settings makes Apache accept any certificate from the AM, so a host that can intercept the API to AM connection could impersonate the AM. Use them only with a self-signed certificate in a test environment; in production, verify the AM certificate and keep the peer checks on, following the advice of your Security team. |
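The following added example (not from the Abiquo documentation) shows the test configuration above beside the form a production deployment would use, where Apache validates the AM certificate against a trust anchor. The path of the trust anchor file is an assumption.

```apache
# Test environment (as on this page): Apache proxies to the AM over TLS but does
# not verify the AM certificate, its hostname or its expiry. Anyone who can sit
# between the API server and the AM can impersonate the AM.
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

# Production: require a chain to a trust anchor you control. For a self-signed
# AM certificate the .crt itself is the trust anchor; for a private CA, use its
# CA certificate. The file path below is an example value, not from the page.
SSLProxyEngine On
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /etc/pki/abiquo/remoters.crt
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
```

Only one of the two blocks belongs in the virtual host. With the production block, a certificate rotation on the AM must be mirrored in the trust anchor file before the old certificate expires, otherwise template uploads fail closed, which is the intended behaviour.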
...
...
...
Apply and verify
At this point all configurations are done.
On the servers where you have made changes (remote RS and Abiquo server), restart the abiquo-tomcat service.
On the Abiquo server, restart the Apache httpd service.
If you are using a self-signed certificate in a test environment, accept the remote RS certificate in your browser.
In your browser, open a connection to the remote RS server using the HTTPS port. For example, this could be:
https://remoters.bcn.abiquo.com:8009/
...
...
Go to Advanced and accept the risk. This exception only affects your browser; the API server trusts the remote RS through the certificate you imported into cacerts, not through this exception.
Log in to Abiquo as a cloud administrator and add your remote RS using the https protocol and port 8009.
For Tomcat TLS troubleshooting, see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
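The verification steps above rely on a browser. The following added script (not part of the Abiquo documentation) performs the same checks the way the API server's Java client will see them: it validates the abiquo.server.api.location value, opens a TLS connection to the remote RS connector with full chain and hostname verification, and confirms the trust anchor is present in cacerts. Hostnames, ports and file paths in the run section are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Abiquo documentation: checks to run after the
# abiquo-tomcat and httpd restarts. Hostnames, ports and paths are placeholders.
set -eu

# abiquo.server.api.location must use https and carry no port (443 is implied).
# Prints the value on success; returns 1 with a reason on stderr otherwise.
check_api_location() {   # check_api_location <abiquo.properties>
  value=$(sed -n 's/^abiquo\.server\.api\.location[[:space:]]*[=:][[:space:]]*//p' "$1" \
          | tail -n 1)
  [ -n "$value" ] || { echo "abiquo.server.api.location is not set" >&2; return 1; }
  case "$value" in
    https://*) ;;
    *) echo "not https: $value" >&2; return 1 ;;
  esac
  authority=${value#https://}; authority=${authority%%/*}
  case "$authority" in
    *:*) echo "port number present: $value" >&2; return 1 ;;
  esac
  echo "$value"
}

# Verify the remote RS connector the way the API server's Java client will:
# chain validation against the trust anchor plus hostname matching. A browser
# "accept the risk" exception does not change this result.
check_rs_endpoint() {    # check_rs_endpoint <rs-fqdn> <port> <trust-anchor.crt>
  out=$(openssl s_client -connect "$1:$2" -servername "$1" -verify_hostname "$1" \
          -CAfile "$3" </dev/null 2>&1) || true
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Confirm the trust anchor really is in the cacerts file the API uses
# (-cacerts needs Java 9+; pass the cacerts path explicitly on older Java).
check_cacerts_alias() {  # check_cacerts_alias <alias> [cacerts-path]
  if [ -n "${2:-}" ]; then
    keytool -list -keystore "$2" -storepass changeit -alias "$1" >/dev/null
  else
    keytool -list -cacerts -storepass changeit -alias "$1" >/dev/null
  fi
}

if [ "${1:-}" = "run" ]; then
  # Placeholder values; replace with your remote RS FQDN and trust anchor file.
  check_api_location /opt/abiquo/config/abiquo.properties
  if check_rs_endpoint remoters.bcn.abiquo.com 8009 /etc/pki/abiquo/remoters.crt; then
    echo "remote RS TLS: OK"
  else
    echo "remote RS TLS: FAILED (chain or hostname mismatch)"
  fi
  if check_cacerts_alias remoters.bcn.abiquo.com; then
    echo "cacerts entry: present"
  fi
fi
```

check_api_location runs on the remote RS; the other two run on the API server. A failing check_rs_endpoint with a working browser connection almost always means the SAN does not contain the FQDN the API uses, or the wrong certificate was imported into cacerts.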
...