...
Diagram (original flowchart not recoverable as an image): the Abiquo user connects over HTTPS from the UI to the Abiquo Server, which holds the API's Java keystore (cacerts) in the main datacenter; the API and the Remote Services (RS) in the remote datacenter exchange templates over HTTPS; the remote RS also connects to the Abiquo Server over HTTPS.
To use TLS between the API and remote services, configure the following certificates:

Server | Keystore | Contents | Location
---|---|---|---
API server | default cacerts | API certificate + RS certificate | /usr/java/${JAVA_JDK}/lib/security/cacerts
RS server | custom .jks keystore | API certificate + RS certificate | /opt/abiquo/tomcat/conf/${CERT_NAME}.jks
Warning: This document explains how to configure a test environment and it gives examples for a test environment. When configuring your production environment, always follow the advice of your Security team.
Note: Change our example values to the values for your environment. For example, replace And replace
...
1. Log in to the Remote Services server as an administrator.
2. Go to the /etc/pki/tls/ folder.
3. Copy your self-signed Remote Services certificate (and API certificate(s)), or wildcard certificate, to the certs folder and your private key to the private folder.
4. Convert your certificates to PKCS12 format. For a wildcard certificate, do this for each server and enter its fully qualified domain name.
   - For the Remote Services server, replace ${CERT_NAME} with your certificate name and replace ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server.

     ```
     openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${REMOTE_SERVICES_FQDN} -out import_cert_key_rs
     ```

   - For the API server, replace ${CERT_NAME} with your certificate name and replace ${API_SERVER_FQDN} with the domain name of your Abiquo API server.

     ```
     openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${API_SERVER_FQDN} -out import_cert_key_server
     ```

5. Go to the /opt/abiquo/tomcat/conf folder.
6. Create a .jks keystore with the same name as the hostname of your Remote Services server. The following keystore configuration is suitable for a test environment only.

   ```
   keytool -genkey -keyalg RSA -keystore ${CERT_NAME}.jks -keysize 2048
   ```

7. Import the Remote Services certificate into the keystore for Tomcat to use:

   ```
   keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_rs -srcstoretype PKCS12
   ```

8. Import the API server certificate into the keystore for Tomcat to use:

   ```
   keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_server -srcstoretype PKCS12
   ```
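The following script is a worked example added to this page; it is not Abiquo's own tooling. It wraps the PKCS12 conversion and the two keystore imports from the steps above in shell functions, then lists the resulting keystore to confirm that both the Remote Services entry and the API server entry are present, which is the check worth running before pointing Tomcat at the file. Everything specific in it is an assumption for illustration: the FQDNs rs.example.test and api.example.test, the throwaway self-signed certificates the demo generates, the changeit test password, and the working directory. It skips the keytool -genkey step because keytool -importkeystore creates the destination keystore when it does not exist yet.

```shell
#!/bin/sh
# Added example (not part of the Abiquo documentation): build the Remote
# Services Tomcat keystore from PEM certificate/key pairs and verify that
# both the RS entry and the API server entry ended up inside it.
# Assumptions: openssl and a JDK keytool are on PATH; FQDNs, file names
# and the "changeit" test password are placeholders.
set -eu

# Convert a PEM certificate + private key into a PKCS12 bundle whose
# friendly name (the future keystore alias) is the server's FQDN.
make_pkcs12() {
    cert=$1; key=$2; fqdn=$3; out=$4; pass=$5
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$fqdn" \
        -out "$out" -passout "pass:$pass"
}

# Import a PKCS12 bundle into the Tomcat .jks keystore. keytool creates the
# destination keystore on first use, so no -genkey step is required.
import_into_keystore() {
    p12=$1; ks=$2; pass=$3
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$ks" -deststorepass "$pass" >/dev/null 2>&1
}

# Print the aliases stored in a keystore, one per line.
keystore_aliases() {
    ks=$1; pass=$2
    keytool -list -keystore "$ks" -storepass "$pass" 2>/dev/null \
        | awk -F', ' '/Entry,/ { print $1 }'
}

# Return 0 only if every expected alias is present: Tomcat needs the RS
# private key under the RS FQDN, and the API entry is what lets RS trust the API.
verify_keystore() {
    ks=$1; pass=$2; shift 2
    found=$(keystore_aliases "$ks" "$pass")
    for alias in "$@"; do
        printf '%s\n' "$found" | grep -qx "$alias" || return 1
    done
    return 0
}

# Self-contained demo: generate throwaway self-signed certificates
# (constructed test data, never for production), run both imports and
# verify the keystore. Returns 0 when both aliases are present.
demo_build_keystore() {
    workdir=$1; pass=changeit
    rs_fqdn=rs.example.test; api_fqdn=api.example.test
    for fqdn in "$rs_fqdn" "$api_fqdn"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$fqdn" \
            -keyout "$workdir/$fqdn.key" -out "$workdir/$fqdn.crt" 2>/dev/null
    done
    make_pkcs12 "$workdir/$rs_fqdn.crt"  "$workdir/$rs_fqdn.key"  "$rs_fqdn"  "$workdir/import_cert_key_rs"     "$pass"
    make_pkcs12 "$workdir/$api_fqdn.crt" "$workdir/$api_fqdn.key" "$api_fqdn" "$workdir/import_cert_key_server" "$pass"
    ks=$workdir/$rs_fqdn.jks
    import_into_keystore "$workdir/import_cert_key_rs"     "$ks" "$pass"
    import_into_keystore "$workdir/import_cert_key_server" "$ks" "$pass"
    verify_keystore "$ks" "$pass" "$rs_fqdn" "$api_fqdn"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    demo_build_keystore "$dir" \
        && echo "keystore OK: $(keystore_aliases "$dir/rs.example.test.jks" changeit | tr '\n' ' ')"
fi
```

Run it with `sh build_rs_keystore.sh --demo` to see the two aliases listed. In the documented procedure the openssl commands run from /etc/pki/tls and the keytool commands from /opt/abiquo/tomcat/conf, so pass the full path of the import_cert_key_* files to -srckeystore. One variant that goes beyond the steps on this page: the RS keystore only needs the API server's certificate in order to trust it, and importing the API PKCS12 bundle also places the API private key on the RS host; where that is not wanted, `keytool -importcert -noprompt -file ${CERT_NAME}.crt -alias ${API_SERVER_FQDN} -keystore ${CERT_NAME}.jks` adds the certificate as a trusted entry without the key.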
...