...

When the Abiquo remote services will connect to the Abiquo Server over the internet, these communications should use TLS. When users upload or download templates, they need a direct connection to the Appliance Manager remote service, and this connection must also be made with TLS.

Mermaid

Code Block
flowchart LR
A--HTTP-->P(RemoteServices)
subgraph Abiquo Platform API
    AP(cacerts)
end
subgraph RS
    PA(Java keystore)
end
X(Cloud User)--HTTPS-->A(Abiquo Server)
Y(Remote RS)--HTTPS-->A
X(Cloud User)<--HTTPS-->Y(Remote RS)

To use TLS between the API and remote services, configure the following certificates:

  • API server, default cacerts → API certificate + RS certificate

    • /usr/java/${JAVA_JDK}/lib/security/cacerts

  • RS server, custom .jks keystore → API certificate + RS certificate

    • /opt/abiquo/tomcat/conf/${CERT_NAME}.jks

Warning

This document explains how to configure a test environment, and its examples are for a test environment only.

When configuring your production environment, always follow the advice of your Security team.

Note

Change our example values to the values for your environment.

For example, replace ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server.

And replace ${CERT_NAME}.jks with the name of your remote RS server keystore.

...

Import certificates on Remote RS

...

  1. Log in to the Remote Services server as an administrator

  2. Go to the /etc/pki/tls/ folder

  3. Copy your self-signed Remote Services certificate (and API certificate(s)), or wildcard certificate to the certs folder and your private key to the private folder

  4. Convert your certificates to PKCS12 format. For a wildcard certificate, do this for each server and enter its fully qualified domain name.

    1. For the Remote services server, replace ${CERT_NAME} with your certificate name and replace ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server. The -name value becomes the keystore alias, so use the same value later for keyAlias in the Tomcat connector.

      Code Block
      openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${REMOTE_SERVICES_FQDN} -out import_cert_key_rs
    2. For the API server, replace ${CERT_NAME} with your certificate name and replace ${API_SERVER_FQDN} with the domain name of your Abiquo API server.

      Code Block
      openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${API_SERVER_FQDN} -out import_cert_key_server
  5. Go to the /opt/abiquo/tomcat/conf folder

  6. Create a .jks keystore with the same name as the hostname of your Remote services server. Warning: the following keystore configuration is suitable for a test environment only.

    Code Block
    keytool -genkey -keyalg RSA -keystore ${CERT_NAME}.jks -keysize 2048
  7. Import the Remote services certificate into the keystore for Tomcat to use

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_rs -srcstoretype PKCS12
  8. Import the API server certificate into the keystore for Tomcat to use

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_server -srcstoretype PKCS12

...

Code Block
<Service name="Catalina">

        <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8009" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/abiquo/tomcat/conf/${CERT_NAME}.jks"
           keystorePass="changeit"
           keyAlias="${REMOTE_SERVICES_FQDN}"
           clientAuth="false" secretrequired="false"
           sslProtocol="TLS"/>
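The keystore steps above and the connector's keyAlias can be checked end to end with the following script. It is an added example, not from the Abiquo documentation; it assumes openssl 1.1.1 or later and a JDK keytool on the PATH, uses a constructed FQDN, and keeps the page's test-only password changeit.

```shell
#!/bin/sh
# Added example, not from the Abiquo documentation. Builds a test-only keystore
# the way the steps above do and checks the two things that most often break
# the connector: the keystore alias must equal keyAlias in server.xml, and the
# certificate's SAN must name the FQDN that browsers and the API connect to.
# Assumes openssl 1.1.1+ and a JDK keytool on the PATH.
set -eu

# Make a self-signed test cert for an FQDN, pack it into PKCS12 under an alias
# equal to the FQDN, and import it into a fresh JKS ($1: FQDN, $2: work dir).
# Prints the keystore path. "changeit" is the page's test-only password.
build_test_keystore() {
  fqdn="$1"; dir="$2"; pass="changeit"
  mkdir -p "$dir"
  # Browsers match the SAN, not the CN, so the SAN must carry the FQDN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/rs.key" -out "$dir/rs.crt" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
  # -name becomes the entry alias after import; keyAlias must match it
  openssl pkcs12 -export -in "$dir/rs.crt" -inkey "$dir/rs.key" \
    -name "$fqdn" -passout "pass:$pass" -out "$dir/import_cert_key_rs"
  # importkeystore creates the destination keystore when it does not exist
  keytool -importkeystore -noprompt -srcstoretype PKCS12 \
    -srckeystore "$dir/import_cert_key_rs" -srcstorepass "$pass" \
    -destkeystore "$dir/rs.jks" -deststoretype JKS -deststorepass "$pass" \
    2>/dev/null
  echo "$dir/rs.jks"
}

# Read the keyAlias attribute from a server.xml fragment ($1: file)
connector_key_alias() {
  sed -n 's/.*keyAlias="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeeds when the keystore holds a private-key entry under the alias
# ($1: keystore, $2: alias, $3: store password)
keystore_has_key_alias() {
  keytool -list -keystore "$1" -storepass "$3" -alias "$2" 2>/dev/null \
    | grep -q PrivateKeyEntry
}

# Succeeds when the certificate's subjectAltName lists the FQDN ($1: cert, $2: FQDN)
cert_san_matches() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | grep -qwF "DNS:$2"
}
```

Run build_test_keystore with your remote RS FQDN and a scratch directory, then point keystore_has_key_alias at the resulting .jks and the keyAlias read from your server.xml; a mismatch there is the usual cause of Tomcat failing to start the HTTPS connector.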

...

  1. On the servers where you have made changes (Remote RS and Abiquo server), restart the abiquo-tomcat service

  2. On the Abiquo server, restart the Apache httpd service

  3. If you are using a self-signed certificate in a test environment, accept the Remote RS certificates.

    1. In your browser, open a connection to the remote RS server using the port. For example, this could be: https://remoters.bcn.abiquo.com:8009/

    2. Go to Advanced and accept the risk.

  4. Log in to Abiquo as a cloud administrator and add your remote RS using the HTTPS protocol on port 8009

For Tomcat TLS troubleshooting, see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

...