Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Mermaid
fileNamemermaid_1702463192491
themedefault
version56
{"diagramDefinition":"flowchart TD\nA--HTTP-->P(RemoteServices)LR\nsubgraph Main_datacenter API\n    A\n    PP(cacerts)\nend\nsubgraph Remote_datacenter RS\n    Y\nend\nX(Abiquo User\\nwith UI)A(Java keystore)\nend\nAPI <-- HTTPS (templates)-->P\nX--UI with HTTPS-->A(Abiquo Server)\nY(Remote RS)--HTTPS-->A\nX<--HTTPS (templates)-->Y> RS\n\n        style A fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff\n        style P fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff\n        style Y fill:#ec9032,stroke:#666,stroke-width:2px,color:#fff"}"}

To use TLS between the API and remote services, configure the following certificates:

  • API server, default cacerts → API certificate + RS certificate

    • /usr/java/${JAVA_JDK}/lib/security/cacerts

  • RS server, custom .jks keystore → API certificate + RS certificate

    • /opt/abiquo/tomcat/conf/${CERT_NAME}.jks

Warning

This document explains how to configure a test environment and it gives examples for a test environment.

When configuring your production environment, always follow the advice of your Security team.

Note

Change our example values to the values for your environment.

For example, replace ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server.

And replace ${CERT_NAME}.jks with the name of your remote RS server keystore.

...

  1. Log in to the Remote Services server as an administrator

  2. Go to the /etc/pki/tls/ folder

  3. Copy your self-signed Remote Services certificate (and API certificate(s)), or wildcard certificate to the certs folder and your private key to the private folder

  4. Convert your certificates to PCKS12 format. For a wildcard certificate, do this for each server and enter its fully qualified domain name.

    1. For the Remote services server, replace ${CERT_NAME} with your certificate name and replace ${REMOTE_SERVICES_FQDN} with the domain name of your remote RS server.

      Code Block
      openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${REMOTE_SERVICES_FQDN} -out import_cert_key_rs
    2. For the API server, replace ${CERT_NAME} with your certificate name and replace ${ABIQUO_SERVER_FQDN} with the domain name of your Abiquo API server.

      Code Block
      openssl pkcs12 -export -in ${CERT_NAME}.crt -inkey ${CERT_NAME}.key -name ${API_SERVER_FQDN} -out import_cert_key_server 
  5. Go to the /opt/abiquo/tomcat/conf folder

  6. Create a .jks keystore with the same name as the hostname of your Remote services server. (warning) This The following keystore configuration is suitable for a test environment only.

    Code Block
    keytool -genkey -keyalg RSA -keystore {CERT_NAME}.jks -keysize 2048
  7. Import the Remote services certificate into the keystore for Tomcat to use

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_rs -srcstoretype PKCS12
  8. Import the API server certificate into the keystore for Tomcat to use

    Code Block
    keytool -importkeystore -deststorepass changeit -destkeystore ${CERT_NAME}.jks -srckeystore import_cert_key_server -srcstoretype PKCS12

...