This document describes how to use self-signed TLS certificates in an isolated test environment.
When configuring your production environment, you must follow the recommendations of your security expert; do not reuse the self-signed certificates or the relaxed verification settings shown here in production.
TLS use cases
Your users connect to the Abiquo UI over HTTPS (TLS).
You can run Abiquo using plain HTTP for internal connections between servers within the same infrastructure/datacenter network.
But when users upload or download templates, their browser needs a direct connection to the Appliance Manager (AM) remote service, and this connection must use TLS.
The Abiquo Monolithic Server ships with a self-signed certificate, and its connection to the Appliance Manager is preconfigured to use TLS.
When the Abiquo remote services connect to the Abiquo Server over the internet, these communications should also use TLS.
TLS for distributed scalable server
For the distributed scalable server, we recommend that you configure the communications between the API and the remote services with TLS. This configuration also covers template upload and download.
To use TLS between the API and remote services, configure the following certificates (cacerts is the Java truststore, which decides which servers a component will trust; the .jks keystore holds the certificate and private key that Tomcat presents to clients):
API server cacerts → RS certificate
RS server .jks keystore → RS and API certificates
RS server cacerts → RS and API certificates
Abiquo UI certificates
The server OVA has a self-signed certificate called abiquo.crt that you can find in the /etc/pki/tls/certs folder.
The Apache web server (HTTPD) uses this certificate for the Abiquo User Interface (UI) on the Abiquo server. The certificate is also in the default cacerts keystore of the Java runtime.
To quickly check the certificate in the cacerts keystore, use the following command with the default keystore password of a test system (changeit). The alias is the server FQDN.
[root@abicloud ~]# keytool -list -cacerts -alias {$SERVER_FQDN}
Enter keystore password:
abicloud.example.com, Dec 11, 2022, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
To check the certificate for the Apache Web Server:
Log in to the Abiquo server (the server that hosts the Abiquo UI)
Edit the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website/VirtualHost. Check the configuration, which by default should contain the following.
SSLCertificateFile /etc/pki/tls/certs/abiquo.crt
SSLCertificateKeyFile /etc/pki/tls/private/abiquo.key
</VirtualHost>
Configure TLS for remote services
If you have remote RS servers (remote services in a different location), if users need to upload and download templates, or simply to improve security, configure the communications between the Abiquo Server and the Remote services servers to use TLS.
1. Add certificates to cacerts on the Remote services server
Add the Remote services and Abiquo Server certificates to cacerts on the Remote services server.
Log in to the Remote services server
Go to the /etc/pki/tls/ folder. For a test environment, create a self-signed certificate for the Remote services server. You can follow the steps at https://devopscube.com/create-self-signed-certificates-openssl/ (it includes a shell script that you can modify and run to create the certificate automatically). Make sure the certificate carries a subjectAltName entry with the Remote services FQDN, because Java and browsers match the host name against the SAN rather than the CN. We recommend that you put the certificate in the certs folder and the key in the private folder, with permissions that allow only the Tomcat process to read the key.
Import the Remote services certificate into the default cacerts keystore.
keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN}.crt -cacerts
Check that the Remote services and Abiquo server certificates are imported on the Remote services server. Run the command once for each alias.
[root@abicloud ~]# keytool -list -cacerts -alias {$FQDN}
Enter keystore password:
remoters.example.com, Dec 12, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
If the Abiquo server certificate (abiquo.crt) is not present, copy it over from the Abiquo server (for example with scp) and compare its fingerprint with the original before you import it, so that you do not trust a substituted certificate. Then import it with the alias set to the Abiquo server FQDN.
keytool -import -trustcacerts -alias {$ABIQUO_FQDN} -file /etc/pki/tls/certs/abiquo.crt -cacerts
2. Add certificates to the Java keystore on the Remote services server
Add the Remote services and Abiquo Server certificates to the Java keystore (.jks) on the Remote services server. Tomcat serves TLS with the private key in this keystore, so the Remote services entry must include the key and not only the certificate.
Log in to the Remote services server
Go to /etc/pki/tls/certs
Convert the Remote services certificate and key to PKCS12 format, using the domain name of your Remote services server as the alias. The key path below assumes you stored the key in /etc/pki/tls/private as recommended above; adjust it if you stored the key elsewhere.
openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey ../private/{$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rs
Convert the Abiquo Server certificate and key to PKCS12 format, using the domain name of your Abiquo Server as the alias. This step needs the Abiquo server's private key (abiquo.key) on the Remote services server: copy it over a trusted channel into /etc/pki/tls/private with restrictive permissions, and delete the PKCS12 files once the import is done, because they contain the private keys.
openssl pkcs12 -export -in abiquo.crt -inkey ../private/abiquo.key -name {$ABIQUO_FQDN} -out import_cert_key_server
Go to the /opt/abiquo/tomcat/conf folder. Create a .jks keystore using the following command, replacing {$REMOTE_SERVICES} with the hostname of your Remote services server. The keystore password you set here must match the keystorePass of the Tomcat connector (step 4); the examples below use changeit, which is acceptable for a test system only.
keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048
Import the Remote services certificate and key into the RS keystore.
keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore /etc/pki/tls/certs/import_cert_key_rs -srcstoretype PKCS12
Import the Abiquo Server certificate and key into the RS keystore.
keytool -importkeystore -deststorepass changeit -destkeystore {$REMOTE_SERVICES}.jks -srckeystore /etc/pki/tls/certs/import_cert_key_server -srcstoretype PKCS12
3. Add the Remote services certificate on the Abiquo server
Log in to the Abiquo Server
Go to the /etc/pki/tls/ folder. Copy the Remote services certificate from the Remote services server into the certs folder, over a trusted channel, and compare its fingerprint with the original.
Import the Remote services certificate into the default cacerts keystore.
keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$RE
4. Change the Tomcat connector on the Remote services to use TLS
To change the Tomcat connector on the Remote services server to use TLS, do these steps.
Log in to the Remote services server
Edit the Tomcat server configuration file at /opt/abiquo/tomcat/conf/server.xml
Remove the Catalina Connector for port 8009 and replace it with a new Connector like the following one.
This example is a guide only; use the correct attributes for your version of Tomcat.
<Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="8009"
             maxThreads="200"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/opt/abiquo/tomcat/conf/{$REMOTE_SERVICES}.jks"
             keystorePass="changeit"
             keyAlias="{$REMOTE_SERVICES_FQDN}"
             clientAuth="false"
             secretrequired="false"
             sslProtocol="TLS"/>
The important values to change are:
keystoreFile - the keystore you created in step 2, e.g. named after the host name of your remote RS server
keystorePass - use a secure password; it must match the password you set when you created the keystore
keyAlias - you must use the domain name of your remote RS server (the -name value you gave to the PKCS12 export)
Also configure the other parameters according to your environment, for example restricting the enabled protocol versions to TLS 1.2 and later (the sslEnabledProtocols attribute of the Tomcat connector) rather than leaving every TLS version enabled.
5. Enable SSL proxy for Apache
For AM connections to work with TLS (for template upload and download), check or enable the SSL proxy in Apache.
Log in to the Abiquo server as an administrator.
Edit the Apache configuration at /etc/httpd/conf.d/abiquo.conf
In the Apache virtual host configuration, add the following.
####APACHE SSL PROXY##########
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
##############################
These settings make Apache accept any certificate from the backend AM service without checking its issuer, name or expiry, which is what lets a self-signed certificate work in a test environment. They also remove the protection against a substituted backend, so do not carry them into production; there, point SSLProxyCACertificateFile at the certificate that signed the AM certificate, set SSLProxyVerify require and leave the peer checks on.
Save the file
6. Apply and verify your configuration
Now that you have finished the configuration of your Remote services server, apply your changes by restarting the Tomcat server on all Remote services servers.
systemctl restart abiquo-tomcat.service
If you are using a self-signed certificate in a test environment, accept the remote RS certificate in your browser with these steps, so that template upload and download from the UI work.
In your browser, open a connection to the remote RS server using the TLS port. In our example, this would be:
https://remoters.bcn.abiquo.com:8009/
On the certificate warning, go to Advanced and accept the risk. Before you do, compare the fingerprint the browser shows with the fingerprint of the certificate you created on the Remote services server.
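The following script is added here as an example; it is not part of the Abiquo product or its documentation. It automates steps 1, 2 and 6 of the procedure above for a test environment and adds the checks you would want before trusting a certificate: it generates a self-signed certificate with a subjectAltName, verifies that the certificate is unexpired, self-signed and carries the expected SAN, prints its fingerprint for comparison with keytool and the browser, imports it into cacerts, builds the Tomcat keystore from a PKCS12 bundle, and checks a running Remote services endpoint with openssl s_client against the trusted certificate instead of clicking through a browser warning. It assumes openssl and a Java 9 or later keytool (needed for -cacerts) are on the PATH; the host names, paths and passwords in the usage lines at the bottom are placeholders.

```shell
#!/bin/sh
# Added example: self-signed TLS setup and checks for an Abiquo test environment.
# Not Abiquo's own tooling. Assumes openssl and keytool (Java 9+, for -cacerts) are on PATH.
# All host names, paths and passwords below are placeholders to replace.

# make_selfsigned_cert FQDN DIR
# Writes DIR/certs/FQDN.crt and DIR/private/FQDN.key (key mode 0600).
# The SAN is required: Java and browsers match the host name against the SAN, not the CN.
make_selfsigned_cert() {
    fqdn="$1"; dir="$2"
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $fqdn
[v3_req]
subjectAltName = DNS:$fqdn
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    mkdir -p "$dir/certs" "$dir/private" && chmod 700 "$dir/private" || { rm -f "$cfg"; return 1; }
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$cfg" \
        -keyout "$dir/private/$fqdn.key" -out "$dir/certs/$fqdn.crt" >/dev/null 2>&1
    rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] && chmod 600 "$dir/private/$fqdn.key"
}

# cert_is_usable CERT FQDN
# Succeeds only if CERT is not expired, carries DNS:FQDN in its SAN (bounded by a comma or
# end of line, so a longer name does not match) and is self-signed (issuer equals subject).
cert_is_usable() {
    cert="$1"; fqdn="$2"
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -Eq "DNS:$fqdn(,|\$)" || return 1
    subj=$(openssl x509 -in "$cert" -noout -subject) || return 1
    iss=$(openssl x509 -in "$cert" -noout -issuer) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# cert_fingerprint CERT
# SHA-256 fingerprint, to compare with what keytool -list prints for the imported alias
# and with what the browser shows on the certificate warning in step 6.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# import_into_cacerts CERT ALIAS STOREPASS
# Steps 1 and 3: add CERT as a trustedCertEntry in the JRE cacerts truststore.
import_into_cacerts() {
    keytool -importcert -noprompt -trustcacerts -cacerts -storepass "$3" -alias "$2" -file "$1"
}

# trusted_in_cacerts ALIAS STOREPASS
# Succeeds if ALIAS is present as a trustedCertEntry (the keytool -list check shown above).
trusted_in_cacerts() {
    keytool -list -cacerts -storepass "$2" -alias "$1" 2>/dev/null | grep -q trustedCertEntry
}

# build_tomcat_keystore FQDN CERT KEY JKS STOREPASS
# Step 2: bundle the certificate and private key as PKCS12, then import it into the Tomcat
# keystore. The alias is the FQDN so it matches keyAlias in server.xml, and STOREPASS must
# match keystorePass there. The PKCS12 file holds the private key, so it is removed afterwards.
build_tomcat_keystore() {
    fqdn="$1"; cert="$2"; key="$3"; jks="$4"; pass="$5"
    p12=$(mktemp) || return 1
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$fqdn" \
        -out "$p12" -passout "pass:$pass" || { rm -f "$p12"; return 1; }
    keytool -importkeystore -noprompt -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$jks" -deststorepass "$pass" -destkeypass "$pass"
    rc=$?
    rm -f "$p12"
    return $rc
}

# check_rs_endpoint HOST PORT CERT
# Step 6 without the browser: open a TLS connection and require the server to present a
# certificate that verifies against CERT (the self-signed RS certificate) and matches HOST.
check_rs_endpoint() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_hostname "$1" -verify_return_error >/dev/null 2>&1
}

# Example run on the Remote services server (placeholder names):
#   make_selfsigned_cert remoters.example.com /etc/pki/tls
#   cert_is_usable /etc/pki/tls/certs/remoters.example.com.crt remoters.example.com
#   cert_fingerprint /etc/pki/tls/certs/remoters.example.com.crt
#   import_into_cacerts /etc/pki/tls/certs/remoters.example.com.crt remoters.example.com changeit
#   build_tomcat_keystore remoters.example.com /etc/pki/tls/certs/remoters.example.com.crt \
#       /etc/pki/tls/private/remoters.example.com.key /opt/abiquo/tomcat/conf/remoters.jks changeit
#   check_rs_endpoint remoters.example.com 8009 /etc/pki/tls/certs/remoters.example.com.crt
```

Run the import and keystore functions as root on the Remote services server and the cacerts import on the Abiquo server (step 3) with the Remote services certificate copied over; check_rs_endpoint is the command-line equivalent of opening https://host:8009/ in the browser, but it fails instead of offering to accept the risk when the presented certificate is not the one you trust.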
V2V server
You can repeat this configuration for your V2V server.
Next steps
Now you can go back and continue with the next steps of https://abiquo.atlassian.net/wiki/spaces/doc/pages/546308109/Deploy+distributed+scalable+remote+services#Validating-the-remote-services-and-V2V-services-install, which includes following the Quick tutorial to add a datacenter and launch a VM.
Generally, under this configuration, when you create a datacenter, you should add all remote services with https on port 8009/tcp.