

This page describes how to use TLS/HTTPS to secure communications between an Abiquo Server and a Remote Services server in a remote location, which is called a remote RS server. You can use this, for example, when communications are over the internet.

This document explains how to configure a test environment and gives example values for it.

When configuring your production environment, always follow the advice of your Security team.

Change our example values to the values for your environment.

For example, replace myremoters.bcn.abiquo.com with the domain name of your remote RS server.

And replace remoters.jks with the name of your server keystore.


Import certificates on Remote RS

For a test environment, create a self-signed certificate for remote RS and import it.

You will need to convert your remote RS cert to PKCS12 format. Remember to use the domain name of your own remote RS server.

openssl pkcs12 -export -in myremoters.bcn.abiquo.com.crt -inkey myremoters.bcn.abiquo.com.key -name myremoters.bcn.abiquo.com -out import_cert_key

Create a .jks keystore. For a basic test environment, you can use the command below, naming the keystore after your remote RS server.

For a production environment, you must configure the keystore according to advice from your Security team.

keytool -genkey -keyalg RSA -keystore remoters.jks -keysize 2048

Import the certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name.

keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore import_cert_key -srcstoretype PKCS12


Import API server certificate to remote RS server

In the remote RS server's .jks keystore, there should also be an entry for the API server.

In a test environment, you can use a self-signed certificate for your API server, as we did for the remote RS certificate in the previous section.

Copy the API server certificate to the remote RS server.

Import it in the same way as the RS server certificate in the previous steps.

Convert your certificate to PKCS12 format:

openssl pkcs12 -export -in myapiserver.bcn.abiquo.com.crt -inkey myapiserver.bcn.abiquo.com.key -name myapiserver.bcn.abiquo.com -out import_cert_key

Import it to your .jks keystore file:

keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore import_cert_key -srcstoretype PKCS12
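The two sections above (the remote RS certificate and the API server certificate) are the same procedure run twice. The script below is an added example, not part of the Abiquo documentation: it creates a self-signed test certificate for each host when none exists, converts it to PKCS12, imports it into the JKS keystore under the host name as alias, and then confirms that the keystore really holds a private key entry under the alias that Tomcat's keyAlias will point at. The host names, file names and the password "changeit" are assumptions taken from the page's example values; override them through the environment. It needs OpenSSL 1.1.1 or later (for -addext) and a JDK keytool on the path.

```shell
#!/bin/sh
# Added example, not from the Abiquo documentation: build the remote RS keystore
# for a TEST environment in one pass. Host names, file names and the password
# ("changeit") are assumptions; override them through the environment.
set -eu

RS_HOST="${RS_HOST:-myremoters.bcn.abiquo.com}"
API_HOST="${API_HOST:-myapiserver.bcn.abiquo.com}"
KEYSTORE="${KEYSTORE:-remoters.jks}"
STOREPASS="${STOREPASS:-changeit}"   # test value only; use a real secret in production

# Create a self-signed certificate and key for a host. The host name goes into
# the subjectAltName extension, because clients match the SAN, not only the CN.
make_selfsigned() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$host.key" -out "$host.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Convert cert + key to PKCS12 and import it into the JKS keystore, using the
# host name as the entry alias (the value Tomcat's keyAlias must refer to).
import_host() {
  host="$1"
  openssl pkcs12 -export -in "$host.crt" -inkey "$host.key" -name "$host" \
    -passout "pass:$STOREPASS" -out "$host.p12"
  keytool -importkeystore -noprompt \
    -srckeystore "$host.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS" 2>/dev/null
  rm -f "$host.p12"   # the PKCS12 file held the private key; do not leave it around
}

# Succeed only if the keystore holds a private key entry under the given alias.
has_key_entry() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" 2>/dev/null \
    | grep -q PrivateKeyEntry
}

# Import both entries the page asks for, then verify the remote RS entry.
build_keystore() {
  for host in "$RS_HOST" "$API_HOST"; do
    [ -f "$host.crt" ] || make_selfsigned "$host"
    import_host "$host"
  done
  has_key_entry "$RS_HOST"
}

# Run as: sh build-rs-keystore.sh run
case "${1:-}" in
  run) build_keystore && echo "OK: $KEYSTORE has a key entry for $RS_HOST" ;;
esac
```

Run it in the directory that holds your .crt and .key files (or an empty directory to get throw-away test certificates), then copy the resulting keystore to /opt/abiquo/tomcat/conf/ on the remote RS server. The alias check at the end is the one that matters: a keystore with the wrong alias makes Tomcat fail at startup with a message about the key alias not being found.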


Verify API server location path on remote RS server

On the remote RS server, open the abiquo.properties file at:

/opt/abiquo/config/abiquo.properties

Check the abiquo.server.api.location property.

The value should contain https and no port number.

For example, https://myapiserver.bcn.abiquo.com/api.


Define a new HTTPS connector in remote RS Catalina

On the remote RS server, edit the Tomcat server configuration file at:

/opt/abiquo/tomcat/conf/server.xml

Replace the current remote RS Catalina connector with a new connector.

The example below is a guide only; use the correct syntax for your version of Tomcat.

The important values to change are:

  • keystoreFile - the path to your keystore; for example, name the keystore after your remote RS server

  • keystorePass - use a secure password

  • keyAlias - you must use the domain name of your remote RS server (the alias under which its key was imported into the keystore)

Also configure the other parameters according to your environment.

<Service name="Catalina">

    <Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8009" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/opt/abiquo/tomcat/conf/remoters.jks" keystorePass="changeit" keyAlias="myremoters.bcn.abiquo.com"
        clientAuth="false" secretrequired="false"
        sslProtocol="TLS"/>

    <!-- the rest of the Service element (Engine, Host, ...) stays as it was -->
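The two checks above (the abiquo.server.api.location value and the connector's keyAlias) are easy to get subtly wrong, and Tomcat only tells you at startup. The script below is an added example, not Abiquo's own tooling: it verifies that the property is an https URL with no port number and that the keyAlias in server.xml equals the remote RS host name. The file paths default to the ones on this page; the demo function writes constructed sample files so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the Abiquo documentation: sanity-check the remote RS
# settings described on this page. Default paths are the page's; the host name
# passed to verify_remote_rs is an assumption.
set -eu

# Print "ok" when the value is an https URL with no explicit port, otherwise
# print the reason and fail.
check_api_location() {
  value="$1"
  case "$value" in
    https://*) ;;
    *) echo "not https: $value"; return 1 ;;
  esac
  hostport="${value#https://}"
  hostport="${hostport%%/*}"
  case "$hostport" in
    "")  echo "empty host in: $value"; return 1 ;;
    *:*) echo "port number present: $hostport"; return 1 ;;
  esac
  echo ok
}

# Read a key=value property from an abiquo.properties-style file (last match wins).
get_property() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Extract one attribute from the <Connector .../> element of a server.xml,
# joining lines first because the element usually spans several of them.
connector_attr() {
  tr '\n' ' ' < "$2" | sed -n "s/.*<Connector[^>]*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# $1 = abiquo.properties path, $2 = server.xml path, $3 = remote RS host name
verify_remote_rs() {
  props="$1"; serverxml="$2"; rs_host="$3"
  status=0
  check_api_location "$(get_property abiquo.server.api.location "$props")" || status=1
  alias=$(connector_attr keyAlias "$serverxml")
  if [ "$alias" = "$rs_host" ]; then
    echo "connector keyAlias matches $rs_host"
  else
    echo "connector keyAlias '$alias' does not match host '$rs_host'"; status=1
  fi
  return $status
}

# Constructed sample files (not from any real server) so the checks run offline.
demo() {
  rs_host="${1:-myremoters.bcn.abiquo.com}"
  d=$(mktemp -d)
  printf 'abiquo.server.api.location = https://myapiserver.bcn.abiquo.com/api\n' > "$d/abiquo.properties"
  cat > "$d/server.xml" <<'EOF'
<Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8009" scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/opt/abiquo/tomcat/conf/remoters.jks" keystorePass="changeit"
        keyAlias="myremoters.bcn.abiquo.com" clientAuth="false" sslProtocol="TLS"/>
</Service>
EOF
  rc=0
  verify_remote_rs "$d/abiquo.properties" "$d/server.xml" "$rs_host" || rc=$?
  rm -rf "$d"
  return $rc
}

# On a real remote RS server run, for example:
#   verify_remote_rs /opt/abiquo/config/abiquo.properties /opt/abiquo/tomcat/conf/server.xml "$(hostname -f)"
case "${1:-}" in demo) demo ;; esac
```

A mismatch between keyAlias and the alias used when importing the certificate is the most common reason the HTTPS connector fails to start, so the script compares the alias against the host name you intend to use rather than only checking that some alias is set.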


Import remote RS certificates on Abiquo server

As administrator, log in to the API server that will connect to the remote RS via HTTPS.

For example, to import the certificate into the default cacerts keystore in a test environment:

keytool -import -trustcacerts -alias myremoters.bcn.abiquo.com -file /etc/pki/abiquo/myremoters.bcn.abiquo.com.crt -cacerts

If you are using your own keystore on the API server, use the -keystore option to specify it.


Enable SSL proxy for Apache

For AM connections to work with TLS (for template upload and download), check or enable SSL proxy for Apache.

Log in to the API/UI server as an administrator.

Edit the Apache configuration at /etc/httpd/conf.d/abiquo.conf.

In the Apache virtual host configuration, add the following. Note that SSLProxyVerify none and the SSLProxyCheckPeer* directives turn off Apache's verification of the remote RS certificate, which is what a self-signed test certificate requires; for production, configure verification according to advice from your Security team.

####APACHE SSL PROXY##########
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off
  ##############################


Apply and verify

At this point all configuration is done. Restart the abiquo-tomcat service on every server where changes were made (in this scenario, the remote RS server and the Abiquo Server).

If you are using a self-signed certificate in a test environment, accept the remote RS certificate.
In your browser, open a connection to the remote RS server using the connector port. In our example, this would be: https://myremoters.bcn.abiquo.com:8009/
Then go to Advanced and accept the risk.

Log in to Abiquo as a cloud administrator and add your remote RS using the HTTPS protocol.

For Tomcat TLS troubleshooting, see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
