Configure TLS for distributed scalable

TLS use cases

Your users will connect to the Abiquo UI over HTTPS with TLS.

You can run Abiquo using HTTP for internal connections between servers within the same infrastructure/datacenter network.

When users upload or download templates, they need a direct connection to the Appliance Manager remote service, and this connection must be made with TLS.

When the Abiquo remote services will connect to the Abiquo Server over the internet, these communications should also use TLS.

Abiquo UI certificates

The server OVA has a self-signed certificate called abiquo.crt that you can find in this folder /etc/pki/tls/certs.

The Apache web server (HTTPD) uses the certificate for the Abiquo User Interface (UI) on the Abiquo server. This certificate is in the default cacerts repository.

To quickly check the certificate in the cacerts keystore, use the following command, with the default keystore password for a test system.

[root@abicloud ~]# keytool -list -cacerts -alias {$SERVER_FQDN}
Enter keystore password:  
abicloud.example.com, Dec 11, 2022, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

To check the certificate for the Apache Web Server:

1. Log in the Abiquo server (with the Abiquo UI)

2. Edit the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website/VirtualHost.

3. Check the configuration, which by default should be as follows.

  SSLCertificateFile /etc/pki/tls/certs/abiquo.crt
  SSLCertificateKeyFile /etc/pki/tls/private/abiquo.key
</VirtualHost>

Configure TLS for remote services

To use TLS between the API and remote services, configure the following certificates:

• API server cacerts → RS certificate

• RS server .jks keystore → RS and API certificates

• RS server cacerts → RS and API certificates

1. Add certificates to cacerts on the Remote services server

Add Remote services and Server certificates to cacerts on the Remote services server.

1. Log in to the Remote services server

2. Go to the /etc/pki/tls/ folder

3. For a test environment, create a self-signed certificate for the Remote services server. You can follow the steps at https://devopscube.com/create-self-signed-certificates-openssl/ (there is even a shell script that you can modify and run to automatically create the certificate! ). We recommend that you put the certificate in the certs folder and the key in the private folder

4. Import the Remote services certificate into the default cacerts keystore

   keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES_FQDN}.crt -cacerts

5. Check that the Remote services and Abiquo server certificates are imported on the Remote services server.

   [root@abicloud ~]# keytool -list -cacerts -alias {$FQDN}
   Enter keystore password:  
   remoters.example.com, Dec 12, 2019, trustedCertEntry,
   Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

   If the Abiquo server certificate (abiquo.crt) is not present, copy it over, and import it with the value for the Abiquo server FQDN.

   keytool -import -trustcacerts -alias {$ABIQUO_FQDN} -file /etc/pki/tls/certs/abiquo.crt -cacerts

2. Add certificates to the Java keystore on the Remote services server

Add Remote services and Abiquo Server certificates to the Java keystore on the Remote services server.

1. Log in to the Remote services server

2. Go to /etc/pki/tls/certs

3. Convert the remote RS cert to PCKS12 format, using the domain name of your Remote services server.

   openssl pkcs12 -export -in {$REMOTE_SERVICES_FQDN}.crt -inkey {$REMOTE_SERVICES_FQDN}.key -name {$REMOTE_SERVICES_FQDN} -out import_cert_key_rs

4. Convert the Abiquo Server cert to PCKS12 format, using the domain name of your Abiquo Server.

   openssl pkcs12 -export -in {$ABIQUO_SERVER_FQDN}.crt -inkey {$ABIQUO_SERVER_FQDN}.key -name {$ABIQUO_SERVER_FQDN} -out import_cert_key_server

5. Go the /opt/abiquo/tomcat/conf folder

6. Create a .jks keystore using the following command and replacing {$REMOTE_SERVICES} with the hostname of your Remote services server

   keytool -genkey -keyalg RSA -keystore {$REMOTE_SERVICES}.jks -keysize 2048

7. Import the Remote services certificate into the RS keystore.

   keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore /etc/pki/tls/certs/import_cert_key_rs -srcstoretype PKCS12

8. Import the Server certificate into the RS keystore.

   keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore /etc/pki/tls/certs/import_cert_key_server -srcstoretype PKCS12

3. Add the Remote services certificate on the Abiquo server

1. Log in to the Abiquo Server

2. Go to the /etc/pki/tls/ folder

3. Copy the Remote services certificate from the Remote services server

4. Import the Remote services certificate into the default cacerts keystore

   keytool -import -trustcacerts -alias {$REMOTE_SERVICES_FQDN} -file /etc/pki/tls/certs/{$REMOTE_SERVICES}.crt

4. Change the Tomcat connector on the Remote services to use TLS

To change the Tomcat connector on the Remote services server to use TLS, do these steps.

1. Log in to the Remote services server

2. Edit the Tomcat server configuration file at:

   /opt/abiquo/tomcat/conf/server.xml

3. Remove the Catalina Connector for port 8009

4. Replace it with a new Connector like the following one.
   This example is a guide only, use the correct file for your version of Tomcat

   <Service name="Catalina">
   
           <Connector
              protocol="org.apache.coyote.http11.Http11NioProtocol"
              port="8009" maxThreads="200"
              scheme="https" secure="true" SSLEnabled="true"
              keystoreFile="/opt/abiquo/tomcat/conf/{$REMOTE_SERVICES}.jks" keystorePass="changeit" 
              keyAlias="{$REMOTE_SERVICES_FQDN}"
              clientAuth="false" secretrequired="false" 
              sslProtocol="TLS"/>

   The important values to change are:

   • keystoreFile - e.g. use the host name of your remote RS server

   • keystorePass - use a secure password

   • keyAlias - you must use the domain name of your remote RS server

   Also configure the other parameters according to your environment.

5. Enable SSL proxy for Apache

For AM connections to work with TLS (for template upload and download), check or enable SSL proxy for Apache.

1. Log in to the Abiquo server as an administrator.

2. Edit the Apache configuration at /etc/httpd/conf.d/abiquo.conf

3. In the Apache virtual host configuration, add the following.

   ####APACHE SSL PROXY##########
     SSLProxyEngine On
     SSLProxyVerify none
     SSLProxyCheckPeerCN off
     SSLProxyCheckPeerName off
     SSLProxyCheckPeerExpire off
     ##############################

4. Save the file

6. Apply and verify your configuration

Now that you have finished the configuration of your Remote services server

1. Apply your changes by restarting the Tomcat server on all services.

   systemctld restart abiquo-tomcat.service

2. If you are using a self-signed certificate in a test environment, accept the remote RS certificates with these steps.

   1. In your browser, open a connection to the remote RS server using the port. In our example, this would be: https://remoters.bcn.abiquo.com:8009/

   2. On the certificate warning, go to Advanced and accept the risk.

V2V server

You can repeat this configuration for your V2V server.

Next steps

Now you can go back and continue with the next steps of https://abiquo.atlassian.net/wiki/spaces/doc/pages/546308109/Deploy+distributed+scalable+remote+services#Validating-the-remote-services-and-V2V-services-install, which includes following the Quick tutorial to add a datacenter and launch a VM.

.