Table of Contents |
---|
Warning |
---|
This document section describes how to use TLS self-signed certificates in for a way in an isolated test environment ONLY. |
TLS use cases
Your users will connect to the Abiquo UI over HTTPS with TLS.
...
Mermaid | ||||||
---|---|---|---|---|---|---|
| ||||||
{"diagramDefinition":"flowchart LR\nA--HTTP-->P(RemoteServices)\nsubgraph Abiquo Platform \n A\n P\nend\nX(Cloud User)<--HTTPS-->P\nX(Cloud User)--HTTPS-->A(Abiquo Server)\nY(Remote RS)--HTTPS-->A\nX(Cloud User)<--HTTPS-->Y\n style A fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff\n style P fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff\n style Y fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff"} |
TLS for distributed scalable server
For the distributed scalable server, we recommend that you configure the communications for the API to the remote services with TLS. This also means that you have the configuration to upload and download templates.
To use TLS between the API and remote services, configure the following certificates:
...
API server cacerts → RS certificate
...
RS server .jks keystore → RS and API certificates
...
Create a self-signed certificate for a test environment
The commands to create a self-signed certificate may vary depending on the version of OpenSSL you are using.
Here are some guides:
https://devopscube.com/create-self-signed-certificates-openssl/
The important step to create a wildcard certificate is to add the subjectAltName for DNS as a required extension for your domain, for example, for the domain
example.com
subjectAltName=DNS:*.example.com
...
Abiquo UI certificates
The API server
OVA has a default self-signed certificate called abiquo.crt
that you can find in this folder /etc/pki/tls/certs
.
...
To quickly check the certificate in the cacerts
keystore, use the following command, with the default keystore changeit
password for a test system.
...
Log in the Abiquo server (with the Abiquo UI)
Edit the
/etc/httpd/conf.d/abiquo.conf
file, which contains the configuration for the Abiquo website /VirtualHost
.Check the configuration at the end of this file, which by default should be as follows.
Code Block |
---|
... SSLCertificateFile /etc/pki/tls/certs/abiquo.crt SSLCertificateKeyFile /etc/pki/tls/private/abiquo.key </VirtualHost> |
Configure TLS for remote services
If you have remote RS servers (which means remote services in a different location) or to allow users to upload and download templates, or to improve security, configure the communications between the Abiquo Server and the Remote services servers using TLS.
1. Add certificates to cacerts on the Remote services server
Add Remote services and Server certificates to cacerts on the Remote services server.
...
Log in to the Remote services server
...
For a test
...
system, you can use this certificate or you can replace it with your own self-signed certificate
...
Import the Remote services certificate into the default cacerts
keystore
Code Block |
---|
keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN}.crt -cacerts |
Check that the Remote services and Abiquo server certificates are imported on the Remote services server.
Code Block |
---|
[root@abicloud ~]# keytool -list -cacerts -alias {$FQDN}
Enter keystore password:
remoters.example.com, Dec 12, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA |
If the Abiquo server certificate (abiquo.crt
) is not present, copy it over and import it with the value for the Abiquo server FQDN.
Code Block |
---|
keytool -import -trustcacerts -alias {$ABIQUO_FQDN} -file /etc/pki/tls/certs/abiquo.crt -cacerts |
...
, which can be a wildcard certificate for your whole test environment.
...
Configure TLS for remote services
To use TLS between the API and remote services, configure the following certificates:
API server
cacerts
→ RS certificateRS server
.jks
keystore → RS certificate and API certificate
This section describes this configuration.
...
1. Add certificates to the Java keystore on the Remote services server
Add Remote services and Abiquo Server certificates to the Java keystore on the Remote services server.
Log in to the Remote services server
Go to the
/etc/pki/tls/
folderCopy your self-signed certificate(s) to the
certs
folder and your private key to theprivate
folderConvert the remote RS cert to PCKS12 format, using the domain name of your Remote services server.
Code Block openssl pkcs12 -export -in ${$REMOTE_SERVICES_FQDNDOMAIN}.crt -inkey ${$REMOTE_SERVICES_FQDNDOMAIN}.key -name ${$REMOTEREMOTE_SERVICES_FQDN} -out import_cert_key_rs
Convert the Abiquo Server cert to PCKS12 format, using the domain name of your Abiquo Server.
Code Block openssl pkcs12 -export -in ${$REMOTE_SERVICES_FQDNDOMAIN}.crt -inkey ${$REMOTE_SERVICES_FQDNDOMAIN}.key -name {$REMOTE$ABIQUO_SERVICESSERVER_FQDN} -out import_cert_key_server
Go the
/opt/abiquo/tomcat/conf
folderCreate a
.jks
keystore using the following command and replacing {$REMOTE. Replace${REMOTE_SERVICES}
with the hostname of your Remote services serverCode Block keytool -genkey -keyalg RSA -keystore ${$REMOTEREMOTE_SERVICES}.jks -keysize 2048
Import the Remote services certificate into the RS keystore.
Code Block keytool -importkeystore -deststorepass changeit -destkeystore remoters${REMOTE_SERVICES}.jks -srckeystore /etc/pki/tls/certs/import_cert_key_rs -srcstoretype PKCS12
Import the Server certificate into the RS keystore.
Code Block keytool -importkeystore -deststorepass changeit -destkeystore remoters${REMOTE_SERVICES}.jks -srckeystore /etc/pki/tls/certs/import_cert_key_server -srcstoretype PKCS12
3. Add the Remote services certificate on the Abiquo server
...
Log in to the Abiquo Server
...
Go to the /etc/pki/tls/
folder
...
Copy the Remote services certificate from the Remote services server
...
Now you should be able to check these certificates with the list command, for example, for a remote services server with a host name of remoters
:
Code Block |
---|
keytool - |
...
v - |
...
list - |
...
keystore /opt/abiquo/tomcat/conf/remoters.jks |
...
2. Change the Tomcat connector on the Remote services to use TLS
To change the Tomcat connector on the Remote services server to use TLS, do these steps.
Log in to the Remote services server
Edit the Tomcat server configuration file at:
Code Block /opt/abiquo/tomcat/conf/server.xml
Remove the Catalina Connector for port
8009
Replace it with a new Connector like the following one.
This example is a guide only, use the correct file for your version of Tomcat. Abiquo 6.1 uses Tomcat 9.Code Block <Service name="Catalina"> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8009" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="/opt/abiquo/tomcat/conf/${$REMOTEREMOTE_SERVICES}.jks" keystorePass="changeit" keyAlias="${$REMOTEREMOTE_SERVICES_FQDN}" clientAuth="false" secretrequired="false" sslProtocol="TLS"/>
The important values to change are:
keystoreFile
- e.g. use the host name of your remote RS serverkeystorePass
- use a secure passwordkeyAlias
- you must use the domain name of your remote RS server
Also configure the other parameters according to your environment.
...
3. Add your certificate to cacerts on the Abiquo server
If you are using a separate certificate for the Remote services server, or a wildcard certificate, add it to cacerts on the Abiquo server.
Log in to the Abiquo server as an administrator
Go to the
/etc/pki/tls/
folderCopy the new certificate to the
certs
folder.Copy the new private key to the
private
folderImport the certificate into the default
cacerts
keystore with the name of the Remote services server. For example, for a Remote services server:Code Block keytool -import -trustcacerts -alias ${REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/${REMOTE_SERVICES}.crt
If you created a self-signed certificate with your own certificate authority, also import the CA certificate into
cacerts
...
4. Replace the Abiquo certificate for the UI on the Abiquo server - optional
To use a wildcard certificate for Abiquo server and Remote services server, or a different self-signed certificate on Abiquo server, then you should replace the default Abiquo certificate.
To replace the Abiquo certificate with your own certificate:
Delete the default Abiquo certificate from
cacerts
Code Block keytool -delete -alias ${ABIQUO_FQDN} -cacerts
Edit the
/etc/httpd/conf.d/abiquo.conf
file, which contains the configuration for the Abiquo websiteVirtualHost
.Change the configuration at the end of this file to point to your new certificate and key. For example, for a key file called
mycert.key
Code Block ... SSLCertificateFile /etc/pki/tls/certs/mycert.crt SSLCertificateKeyFile /etc/pki/tls/private/mycert.key </VirtualHost>
Tip |
---|
Before you save the file, add the Apache SSL proxy options from the next step too! |
...
5. Enable SSL proxy for Apache
For AM connections from users to Remote services to work with TLS (for template upload and download), check or enable SSL proxy for Apache.
...
Now that you have finished the configuration of your Remote services server
...
certificates
On the Abiquo Server and the Remote Services servers, restart the Tomcat service.
Code Block systemctld restart abiquo-tomcat.service
If you are using a self-signed certificate in a test environment, accept the remote RS certificates with these steps.
In your browser, open a connection to the remote RS server using the port. In our example, this would be:
https://remoters.bcn.abiquo.com:8009/
On the certificate warning, go to Advanced and accept the risk.
...
V2V server
You can repeat this the TLS configuration for your V2V server. Optionally, change the port to 8010
.
...
Next steps
Now you can go back and continue with the next steps of https://abiquo.atlassian.net/wiki/spaces/doc/pages/546308109/Deploy+distributed+scalable+remote+services#Validating-the-remote-services-and-V2V-services-install, which includes following the Quick tutorial to add a datacenter and launch a VM.
Tip |
---|
Generally, under For this configuration, when you create a datacenter in Abiquo, you should add all the remote services with |
...