Versions Compared

Version Old Version 4 New Version Current
Changes made by

Former user

MS

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

classabiheader

...

Table of Contents

This guide will show you how to configure an Apache as a front door with SSL protection for Abiquo. The communication between Apache and Tomcat is done with the AJP Connector to improve performaceperformance.

Install Apache with mod_ssl

...

verysmallcode
Code Block
# yum install -y httpd mod_ssl openssl

Generate keys

Generate private key:

...

classverysmallcode

...

Generate CSR:

...

Code Block
# openssl req -new -key ca.key -out ca.csr
Generate self signed key:

...

verysmallcode
Code Block
# openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

  • Move files to the correct location:


    code
    Div
    classverysmallcode
    Code Block
    # mv ca.crt /etc/pki/tls/certs
# mv ca.key /etc/pki/tls/private/ca.key
# mv ca.csr /etc/pki/tls/private/ca.csr


Configure Apache

Move default configurations

...

verysmallcode
Code Block
# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bck
# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bck
Configure SSL

Edit a new /etc/httpd/conf.d/ssl.conf with the following parameters:

...

verysmallcode
Code Block
LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
Configure AJP Proxy
Info

You can use mod_rewrite to define a different location URI for the client. I.E. For example, <Location /management>

Edit /etc/httpd/conf.d/proxy_ajp.conf and add these lines:

...

Code Block
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    RewriteEngine On
    ProxyRequests Off
    ProxyPreserveHost On

    <Directory "/opt/abiquo/tomcat/webapps/client-premium/">
        Options MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    RewriteRule ^/client-premium$ /client-premium/ [R]

   <Location /client-premium>
        ProxyPass ajp://localhost:8010/client-premium/
        ProxyPassReverse ajp://localhost:8010/client-premium/
    </Location>

    <Location /api>
        ProxyPass ajp://localhost:8010/api/
        ProxyPassReverse ajp://localhost:8010/api/
    </Location>

    <Location /legal/>
        ProxyPass ajp://localhost:8010/legal/
        ProxyPassReverse ajp://localhost:8010/legal/
    </Location>

	<Location /m/>
        ProxyPass ajp://localhost:8010/m/
        ProxyPassReverse ajp://localhost:8010/m/
    </Location>

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

</VirtualHost>

Configure Tomcat

Delete all existing Connector sections.

Put this connector configuration in /opt/abiquo/tomcat/conf/server.xml under <Service name="Catalina"> section, deleting all other Connector section:

...

Code Block
<Service name="Catalina">

    <Connector port="8009" protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443"
               secure="true"
               />

    <Connector port="8010" protocol="AJP/1.3"
               enableLookups="false"
               tomcatAuthentication="false"
               connectionTimeout="20000" secure="true"
               />

Enable HTTPS in the client

Edit /opt/abiquo/tomcat/webapps/client-premium/config/client-config.xml.jsp and change USE_SECURE_CHANNEL_LOGIN value to 1:

Div
classverysmallcode
Code Block
...
<name>USE_SECURE_CHANNEL_LOGIN</name>
<value><%= System.getProperty("client.USE_SECURE_CHANNEL_LOGIN", "0") %></value>
 ...

Notice that if you enable this option, you will not be able to connect to Abiquo with this client using the HTTP URI, as it only connect to SSL enabled URIs

Change API properties

Edit /opt/abiquo/config/abiquo.properties and add this line (or modify the value if it already exists):

Div
classverysmallcode
Code Block
...
abiquo.server.api.location = http://localhost:8009/api

Restart Services

Div
classverysmallcode
Code Block
service abiquo-tomcat restart
service httpd restart

Now all clientNotice that if you enable this option, you will not be able to connect to Abiquo with this client using the HTTP URI, as it only connects to SSL enabled URIs

Change API properties

Edit /opt/abiquo/config/abiquo.properties and add this line (or modify the value if it already exists):

Code Block
...
abiquo.server.api.location = http://localhost:8009/api

Restart Services

Code Block
service abiquo-tomcat restart
service httpd restart

Now all client-server communication will go through a Secure Socket Layer. You can still use HTTP direct connection to Tomcat through port 8009.

...

Code Block
http://<public_ip>:8009/am

...


Adding SSL to AM
In On the machine where the Appliance Manager (AM) is running, we repeat the above steps previously mentioned (Install Apache with mod_ssl, Generate keys, Configure Apache and Configure Tomcat).
We have to declare Declare the hostname of the Server + API machine (10.60.11.24), the AM machine (10.60.11.25) machine and the host which will connect to the client (your own localhost) as well.
For example, in on the API+Server machine:
 Code Block
vim /etc/hosts
...

# Do not remove the following line, or various programs
...

# that require network functionality will fail.
...

127.0.0.1 server263 localhost.localdomain localhost
...

::1 localhost6.localdomain6 localhost6
...

10.60.11.24 server263
...

10.60.11.25 rs263
The same  must  file must be properly configured  in on the AM machine. You can check everything works fine  if after by executing "hostname" and checking the name selected is displayed. If not,  maybe you need to execute "try running the following command:
 Code Block
/etc/init.d/network restart
...
 
Next step, add add the hostname into /etc/httpd/conf/httpd.conf in on the API+Server machine and AM machine:
 Code Block
ServerName server263
...
Now into on the API+Server machine, we configure the /etc/httpd/conf.d/proxy_ajp.conf file and add it the configuration of the AM machine, leaving so the file somethig will be something like this:
 Code Block
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
...

<VirtualHost *:80>
...

RewriteEngine On
...

RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
...

</VirtualHost>
...

<VirtualHost *:443>
...

RewriteEngine On
...

ProxyRequests Off
...

ProxyPreserveHost On
...

<Directory /opt/abiquo/tomcat/webapps/client-premium/>
...

Options MultiViews
...

AllowOverride None
...

Order allow,deny
...

Allow from all
...

</Directory>
...

RewriteRule ^/client-premium$ /client-premium/ [R]
...

<Location /client-premium>
...

ProxyPass ajp://server263:8010/client-premium/
...
<Location /api>
 ProxyPass ajp://server263:8010/api/
 ProxyPassReverse ajp://server263:8010/api/
 </Location>
<Location /m>
 ProxyPass ajp://server263:8010/m/
 ProxyPassReverse ajp://server263:8010/m/
 </Location>
<Location /legal/>
 ProxyPass ajp://server263:8010/legal/
 ProxyPassReverse ajp://server263:8010/legal/
 </Location>
...
<Directory /opt/abiquo/tomcat/webapps/am/>
 Options MultiViews
 AllowOverride None
 Order allow,deny
 Allow from all
 </Directory>
<Location /am>
 ProxyPass ajp://rs263:8010/am
 ProxyPassReverse ajp://rs263:8010/am
</VirtualHost>
 
The next step is to import the keys from the AM machine into the API+Server machine. So from the API+Server machine we execute:
/usr/java/jdk1.7.0_21/bin/keytool -import -trustcacerts -noprompt -alias hostname -file PATH_TO_AM_crt -keystore /usr/java/jdk1.7.0_21/jre/lib/security/cacerts -storepass changeit
"Hostname" refers to the AM machine and PATH_TO_AM_crt is where the AM certificate was created, for example:
/usr/java/jdk1.7.0_21/bin/keytool -import -trustcacerts -noprompt -alias rs263 -file /etc/pki/tls/certs/ca.crt -keystore /usr/java/jdk1.7.0_21/jre/lib/security/cacerts -storepass changeit
 
To finish the setup, we should:
...

ProxyPassReverse ajp://server263:8010/client-premium/
</Location>
<Location /api>
ProxyPass ajp://server263:8010/api/
ProxyPassReverse ajp://server263:8010/api/
</Location>
<Location /m>
ProxyPass ajp://server263:8010/m/
ProxyPassReverse ajp://server263:8010/m/
</Location>
<Location /legal/>
ProxyPass ajp://server263:8010/legal/
ProxyPassReverse ajp://server263:8010/legal/
</Location>

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Directory /opt/abiquo/tomcat/webapps/am/>
Options MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Location /am>
ProxyPass ajp://rs263:8010/am
ProxyPassReverse ajp://rs263:8010/am
</VirtualHost>
The next step is to import the keys from the AM machine into the API+Server machine. So from the API+Server machine we execute:
 Code Block
/usr/java/jdk1.7.0_21/bin/keytool -import -trustcacerts -noprompt -alias hostname -file PATH_TO_AM_crt -keystore /usr/java/jdk1.7.0_21/jre/lib/security/cacerts -storepass changeit
"Hostname" refers to the AM machine and PATH_TO_AM_crt is where the AM certificate was created, for example:
 Code Block
/usr/java/jdk1.7.0_21/bin/keytool -import -trustcacerts -noprompt -alias rs263 -file /etc/pki/tls/certs/ca.crt -keystore /usr/java/jdk1.7.0_21/jre/lib/security/cacerts -storepass changeit
To finish the setup, we should:
  1. Stop Apache on the AM (/etc/init.d/httpd stop)
  2. In the database the URI of the Appliance Manager in remote services now points directly to the API, which means the URI should be something like "https://server263:443/am"
  3. Restart the abiquo-tomcat service on both machines. Remember to restart Apache on the API+Server machine as well.

Apache Frontend + SSL to client + SSL to AM in Abiquo 3.x
The following configuration has been performed in order to avoid Cross-Origin (CORS) problems with the new Abiquo client in HTML5 using Apache + SSL.
The best approach is to complete all the previous steps, then make the following modifications:
In the /opt/abiquo/tomcat/conf/server.xml, remove the connector which uses port 8010 and leave the file like this:
 Code Block
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="com.abiquo.listeners.AbiquoConfigurationListener"/>
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector port="8009"
protocol="AJP/1.3"
enableLookups="false"
tomcatAuthentication="false"
redirectPort="8443"
connectionTimeout="20000" secure="true"/>
<Engine name="Catalina" defaultHost="localhost">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">
</Host>
</Engine>
</Service>
</Server>

The next step will be to modify /etc/httpd/conf.d/proxy_ajp.conf file and change ports from 8010 to 8009, which is the only connector we will use with the AJP. Remember to leave the AM location with the port 8010 as explained in the previous section (Adding SSL to AM). The file should be as follows:
 Code Block
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
<VirtualHost *:80>
RewriteEngine On
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>
<VirtualHost *:443>
RewriteEngine On
ProxyRequests Off
ProxyPreserveHost On
<Directory "/opt/abiquo/tomcat/webapps/ui/">
Options MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
RewriteRule ^/ui$ /ui/ [R]
<Location /ui>
ProxyPass ajp://servermaster:8009/ui/
ProxyPassReverse ajp://servermaster:8009/ui/
</Location>
<Location /api>
ProxyPass ajp://servermaster:8009/api
ProxyPassReverse ajp://servermaster:8009/api
</Location>
<Location /legal/>
ProxyPass ajp://servermaster:8009/legal/
ProxyPassReverse ajp://servermaster:8009/legal/
</Location>

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
<Location /am>
ProxyPass ajp://rsmaster:8010/am
ProxyPassReverse ajp://rsmaster:8010/am
</Location>
</VirtualHost>



The last file to modify is /opt/abiquo/tomcat/webapps/ui/config/client-config.json. Edit it and search for the "config.endpoint" attribute, which should in this format:
 Code Block
"config.endpoint": "https://servermaster:443/api"
Replace "servermaster" with the hostname of the Abiquo server where the API and the client are running.
Then restart the abiquo-tomcat service on the API+client machine and restart the Apache.