Versions Compared

Version Old Version 19 New Version Current
Changes made by

MS (Unlicensed)

MS (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

Warning

This document section describes how to use TLS self-signed certificates in for a way in an isolated test environment ONLY.

When configuring your production environment, you must follow the recommendations of your Security Expert

Note

This document is still subject to a final review To create self-signed certificates, we recommend that you install and use a current version of OpenSSL and current encryption algorithms.

TLS use cases

Your users will connect to the Abiquo UI over HTTPS with TLS.

You can run Abiquo over HTTP to communicate between its servers when these connections are internal using HTTP for internal connections between servers within the same infrastructure/datacenter network.

When users upload or download templates, they need a direct connection to the Appliance Manager remote service, and this connection must also be made with TLS.

Tip

The Abiquo Monolithic Server has a self-signed certificate and the connection to the appliance manager is preconfigured to use TLS

When the Abiquo remote services will connect to the Abiquo Server over the internet, these communications should also use TLS.For the distributed scalable server, we recommend that you configure the communications for the API to the remote services with TLS. This also means that you can easily upload and download templates.

Mermaid
fileNamemermaid_1702463192491
themedefault
version3
{"diagramDefinition":"flowchart LR\nA--HTTP-->P(RemoteServices)\nsubgraph Abiquo Platform \n    A\n    P\nend\nX(Cloud User)<--HTTPS-->P\nX(Cloud User)--HTTPS-->A(Abiquo Server)\nY(Remote RS)--HTTPS-->A\nX(Cloud User)<--HTTPS-->Y\n        style A fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff\n        style P fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff\n        style Y fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff"}

...

Create a self-signed certificate for a test environment

The commands to create a self-signed certificate may vary depending on the version of OpenSSL you are using.

Here are some guides:

...

Abiquo UI certificates

The API server OVA has a default self-signed certificate called abiquo.crt that you can find in this folder /etc/pki/tls/certs.

...

To quickly check the certificate in the cacerts keystore, use the following command, with the default keystore changeit password for a test system.

...

  1. Log in the Abiquo server (with the Abiquo UI)

  2. Edit the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website / VirtualHost.

  3. Check the configuration at the end of this file, which by default should be as follows.

Code Block
  ...
  SSLCertificateFile /etc/pki/tls/certs/abiquo.crt
  SSLCertificateKeyFile /etc/pki/tls/private/abiquo.key
</VirtualHost>

For a test system, you can use this certificate or you can replace it with your own self-signed certificate, which can be a wildcard certificate for your whole test environment.

...

Configure TLS for remote services

If you have remote RS servers (which means remote services in a different location) or to allow users to upload and download templates, or to improve security, configure the communications between the Abiquo Server and the Remote services servers using TLS.

1. Add Server certificates to the Java keystore on the Abiquo Server

For TLS for the Abiquo server, add the server certificate to the Java keystore with these steps.

Note

For a production environment, follow the recommendations of your Security Expert

  1. Log in to the Abiquo server

  2. Go to the /opt/abiquo/tomcat/conf folder

  3. Convert the certificate to PCKS12 format, replacing {$ABIQUO_FQDN} with the domain name of the Abiquo server

    Code Block
    openssl pkcs12 -export -in /etc/pki/tls/certs/abiquo.crt -inkey /etc/pki/tls/private/abiquo.key -name {$SERVER_FQDN} -out import_cert_key_abq

  4. Create a .jks keystore, replacing {$REMOTE_SERVICES} with the host name of your Remote services server

    Code Block
    keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048

  5. Import the certificate into the keystore using your password and keystore name as above

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore import_cert_key_abq -srcstoretype pkcs12

You will also need to configure the Remote services server and perform additional configuration on the API server.

2. Add certificates to the Remote services server

To add certificates to To use TLS between the API and remote services, configure the following certificates:

  • API server cacerts → RS certificate

  • RS server .jks keystore → RS certificate and API certificate

This section describes this configuration.

...

1. Add certificates to the Java keystore on the Remote services server

Add Remote services and Abiquo Server certificates to the Java keystore on the Remote services server.

  1. Log in to the Remote services server

  2. Go to the /etc/pki/tls/ folder

  3. For a test environment, create a Copy your self-signed certificate for the Remote services server. You can follow the steps at https://devopscube.com/create-self-signed-certificates-openssl/ (there is even a shell script that you can modify and run to automatically create the certificate! (smile)). We recommend that you put the certificate in (s) to the certs folder and the your private key in to the private folderImport the Remote services certificate into the default cacerts keystore

  4. Convert the remote RS cert to PCKS12 format, using the domain name of your Remote services server.

    Code Block
    keytoolopenssl -importpkcs12 -trustcacertsexport -aliasin {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN${DOMAIN}.crt -cacerts

    Check that the Remote services and Abiquo server certificates are imported the Remote services server.

    Code Block
    [root@abicloud ~]# keytool -list -cacerts -alias {$FQDN}
Enter keystore password:  
remoters.example.com, Dec 12, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

    If the Abiquo server certificate (abiquo.crt) is not present, copy it over and import it with the value for the Abiquo server FQDN.

    Code Block
    keytool -import -trustcacerts -alias {$ABIQUOinkey ${DOMAIN}.key -name ${REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/abiquo.crt -cacerts

3. Add certificates to the Java keystore on the Remote services server

To add Remote services and Server certificates to the Java keystore on the Remote services server.

  1. Log in to the Remote services server

  2. Go to /etc/pki/tls/certs

  3. Convert the remote RS 
    out import_cert_key_rs

  4. Convert the Abiquo Server cert to PCKS12 format, using the domain name of your Remote services serverAbiquo Server.

    Code Block
    openssl pkcs12 -export -in ${$REMOTE_SERVICES_FQDNDOMAIN}.crt -inkey ${$REMOTE_SERVICES_FQDNDOMAIN}.key -name {$REMOTE$ABIQUO_SERVICESSERVER_FQDN} -out import_cert_key_rsserver

  5. Go the /opt/abiquo/tomcat/conf folder

  6. Create a .jks keystore using the following command and replacing {$REMOTE. Replace ${REMOTE_SERVICES} with the hostname of your Remote services server

    Code Block
    keytool -genkey -keyalg RSA -keystore ${$REMOTEREMOTE_SERVICES}.jks -keysize 2048

  7. Import the Remote services certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name. (warning) For a production environment, you must configure the keystore according to advice from your Security team

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore remoters${REMOTE_SERVICES}.jks -srckeystore /etc/pki/tls/certs/import_cert_key_rs -srcstoretype PKCS12

4. Add the Remote services certificate on the Abiquo server

  1. Log in to the Abiquo server

  2. Go to the /etc/pki/tls/ folder

  3. Copy the Remote services certificate from the Remote services server

  4. Import the Remote services certificate into the default cacerts keystoreImport the Server certificate into the RS keystore.

    Code Block
    keytool -importimportkeystore -trustcacertsdeststorepass changeit -aliasdestkeystore ${$REMOTEREMOTE_SERVICES_FQDN}.jks -filesrckeystore /etc/pki/tls/certs/{$RE

5. Add Remote services certificates to the Java keystore on the Abiquo server

To configure the Tomcat server on the Abiquo to use TLS you will also need to import the Remote services certificates.

  1. Log in to the Abiquo server

  2. Go to /etc/pki/tls/certs

  3. Copy the certificates from the Remote services server

  4. Convert the remote RS cert to PCKS12 format, using the domain name of your Remote services server.

    Code Block
    openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rs
  5. Go the 
    import_cert_key_server -srcstoretype PKCS12

Now you should be able to check these certificates with the list command, for example, for a remote services server with a host name of remoters:

Code Block
keytool -v -list -keystore /opt/abiquo/tomcat/conf

...

Import the certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name. (warning) For a production environment, you must configure the keystore according to advice from your Security team

Code Block
keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore import_cert_key_rs

...

/remoters.jks

...

2. Change the Tomcat connector on the Remote services to use TLS

To change the Tomcat connector on the Remote services server to use TLS, do these steps.

  1. Log in to the Remote services server

  2. Edit the Tomcat server configuration file at:

    Code Block
    /opt/abiquo/tomcat/conf/server.xml

  3. Remove the Catalina Connector for port 8009

  4. Replace it with a new Connector like the following one.
    (warning) This example is a guide only, use the correct file for your version of Tomcat. Abiquo 6.1 uses Tomcat 9.

    Code Block
    <Service name="Catalina">

        <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8009" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/abiquo/tomcat/conf/${$REMOTEREMOTE_SERVICES}.jks" keystorePass="changeit" 
           keyAlias="${$REMOTEREMOTE_SERVICES_FQDN}"
           clientAuth="false" secretrequired="false" 
           sslProtocol="TLS"/>

    The important values to change are:

    • keystoreFile - e.g. use the host name of your remote RS server

    • keystorePass - use a secure password

    • keyAlias - you must use the domain name of your remote RS server

    Also configure the other parameters according to your environment.

...

3. Add your certificate to cacerts on the Abiquo server

If you are using a separate certificate for the Remote services server, or a wildcard certificate, add it to cacerts on the Abiquo server.

  1. Log in to the Abiquo server as an administrator

  2. Go to the /etc/pki/tls/ folder

  3. Copy the new certificate to the certs folder.

  4. Copy the new private key to the private folder

  5. Import the certificate into the default cacerts keystore with the name of the Remote services server. For example, for a Remote services server:

    Code Block
    keytool -import -trustcacerts -alias ${REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/${REMOTE_SERVICES}.crt

  6. If you created a self-signed certificate with your own certificate authority, also import the CA certificate into cacerts

...

4. Replace the Abiquo certificate for the UI on the Abiquo server - optional

To use a wildcard certificate for Abiquo server and Remote services server, or a different self-signed certificate on Abiquo server, then you should replace the default Abiquo certificate.

...

To replace the Abiquo certificate with your own certificate:

  1. Delete the default Abiquo certificate from cacerts

    Code Block
    keytool -delete -alias ${ABIQUO_FQDN} -cacerts

  2. Edit the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website VirtualHost.

  3. Change the configuration at the end of this file to point to your new certificate and key. For example, for a key file called mycert.key

    Code Block
      ...
  SSLCertificateFile /etc/pki/tls/certs/mycert.crt
  SSLCertificateKeyFile /etc/pki/tls/private/mycert.key
</VirtualHost>
Tip

Before you save the file, add the Apache SSL proxy options from the next step too!

...

5. Enable SSL proxy for Apache

For AM connections from users to Remote services to work with TLS (for template upload and download), check or enable SSL proxy for Apache.

  1. Log in to the Abiquo server as an administrator.

  2. Edit the Apache configuration at /etc/httpd/conf.d/abiquo.conf

  3. In the Apache virtual host configuration, add the following.

    Code Block
    ####APACHE SSL PROXY##########
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off
  ##############################

  4. Save the file

...

...

6. Apply and verify your configuration

Now that you have finished the configuration of your Remote services server

...

certificates

  1. On the Abiquo Server and the Remote Services servers, restart the Tomcat service.

    Code Block
    systemctld restart abiquo-tomcat.service

  2. If you are using a self-signed certificate in a test environment, accept the remote RS certificates with these steps.

    1. In your browser, open a connection to the remote RS server using the port. In our example, this would be: https://remoters.bcn.abiquo.com:8009/

    2. On the certificate warning, go to Advanced and accept the risk.

...

V2V server

You can repeat this the TLS configuration for your V2V server. Optionally, change the port to 8010.

...

Next steps

Now you can go back and continue with the next steps of https://abiquo.atlassian.net/wiki/spaces/doc/pages/546308109/Deploy+distributed+scalable+remote+services#Validating-the-remote-services-and-V2V-services-install, which includes following the Quick tutorial to add a datacenter and launch a VM.

Tip

Generally, under For this configuration, when you create a datacenter in Abiquo, you should add all the remote services with https on port 8009/tcp.

...