
TLS use cases

You can run Abiquo over HTTP to communicate between its appliances when its internal connections are inside the same infrastructure/datacenter network.

However, your users will connect to the Abiquo UI over HTTPS.

If you want users to be able to upload or download templates, they need a direct connection to the Appliance Manager remote service, and this connection must use HTTPS. (Note that TLS with a self-signed certificate is preconfigured on the Abiquo Monolithic Server.)

You should also use TLS when the Abiquo remote services will connect to the Abiquo Server over the internet.

For details of how to configure remote RS, see Configure Abiquo Tomcat with HTTPS for Remote RS.

The following sections describe how the certificates are configured in Abiquo.


Abiquo UI

The Apache web server (HTTPD) uses the certificate for the Abiquo User Interface on the Abiquo API/UI or UI server.

On the API/UI server, the certificate files are typically found in the /etc/pki/tls/certs folder.

You configure this certificate for the Apache Web Server in the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website/VirtualHost.

To quickly check this certificate, use the following command.

[root@abicloud ~]# keytool -list -keystore /usr/java/default/jre/lib/security/cacerts -alias abicloud.example.com
Enter keystore password:  
abicloud.example.com, Dec 11, 2022, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

If you have remote RS servers (remote services in remote locations), or if you want to allow Abiquo to upload and download templates, you will also need to import this certificate into the Java keystore.


Remote RS

If you have remote datacenters that will communicate over the internet, or if you require extra security on the application layer in addition to firewalls at both ends, you can secure connections to the remote services at remote sites (remote RS servers) with HTTPS (HTTP over TLS). To do this, configure the Catalina connector for Tomcat to use TLS/HTTPS.

You will also need to import the remote RS certificate into the Java keystores of the API/UI servers so the API/UI can connect via HTTPS to the RS.

To quickly check this certificate, for example, on the API server, use the following command.

[root@abicloud ~]# keytool -list -keystore /usr/java/default/jre/lib/security/cacerts -alias remoters.example.com
Enter keystore password:  
remoters.example.com, Dec 12, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA
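
The keytool listing shows that an entry exists under the alias, but not that it is the certificate the UI or remote RS server actually uses. The following added example (not Abiquo's own tooling) compares saved keytool -list output with a PEM certificate file and applies to both the UI and the remote RS checks above; the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Abiquo tooling. pem_fingerprint ALGO FILE prints the
# fingerprint (sha1 or sha256) of the first certificate in a PEM file,
# formatted like keytool output (AA:BB:...).
pem_fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         on' "$2" | base64 -d | "${1}sum" | cut -d' ' -f1 |
        tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Reads saved `keytool -list` output on stdin, prints "<algo> <fingerprint>".
# Accepts the "SHA1" label shown on this page and the "SHA-256" label of JDK 9+.
keytool_fingerprint() {
    sed -n 's/^Certificate fingerprint (SHA-\{0,1\}\([0-9]*\)): *\([0-9A-F:]*\).*/sha\1 \2/p' |
        head -n 1
}

# $1 = file holding keytool output, $2 = PEM certificate file.
# Returns 0 on match, 1 on mismatch (stale or wrong trust entry),
# 2 if no fingerprint line is present (for example, alias not found).
check_trust_entry() {
    entry=$(keytool_fingerprint < "$1")
    [ -n "$entry" ] || { echo "no fingerprint in $1" >&2; return 2; }
    algo=${entry%% *}
    stored=${entry#* }
    actual=$(pem_fingerprint "$algo" "$2")
    if [ "$stored" = "$actual" ]; then
        echo "MATCH ($algo): $actual"
    else
        echo "MISMATCH ($algo): keystore=$stored file=$actual" >&2
        return 1
    fi
}

# Constructed demo: the PEM body YWJj is base64 of "abc", not a real
# certificate; the keytool lines reuse the placeholder output on this page.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'YWJj' \
        '-----END CERTIFICATE-----' > "$tmp/rs.pem"
    printf '%s\n' 'remoters.example.com, Dec 12, 2019, trustedCertEntry,' \
        'Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA' > "$tmp/keytool.txt"
    rc=0; check_trust_entry "$tmp/keytool.txt" "$tmp/rs.pem" || rc=$?
    rm -rf "$tmp"; return "$rc"
}
demo || echo "demo: placeholder fingerprint does not match (status $?)"
```

To use it, save the output of the keytool command to a file and pass that file and the server's PEM certificate file to check_trust_entry. A status of 1 means the keystore entry under that alias is not the certificate in the file.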


Adding Remote RS with TLS in Abiquo

Generally, under this configuration, the following remote services should be added to Abiquo:

  • Appliance manager from the API/UI server on port 443/tcp with the connector defined on the UI server

  • Business process manager from remote V2V server on port 8010/tcp

  • Other remote services from the remote RS server on port 8009/tcp

Remote services with TLS
