Watchtower TLS guide

The aim of this guide is to explain how to configure the Watchtower server, and Abiquo as its client, with TLS enabled.


Watchtower configuration

Properties

| Property name | Description | Default |
| --- | --- | --- |
| emmett.service.ssl | True if TLS is enabled | false |
| emmett.service.certfile | Path of the certificate to use | "" |
| emmett.service.keyfile | Path of the key to use in PKCS8 syntax | "" |
| emmett.service.keypassword | Passphrase that encrypts the key | "" |

Key format

The key should be stored in PKCS8 syntax. The command openssl can be used to convert the key:

openssl pkcs8 -v1 PBE-SHA1-3DES -topk8 \
-in /etc/pki/abiquo/monitoring-c7.key \
-out /etc/pki/abiquo/monitoring-c7.key.netty \
-passout pass:
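
A pre-flight check for the file named in emmett.service.keyfile, as an added example that is not part of the original guide or of Abiquo's tooling. The function names are hypothetical; the check reads the PEM header to tell PKCS8 keys from traditional ones and refuses key files that group or other users can access.

```shell
#!/bin/sh
# Added example: verify that a private key file is PKCS#8 PEM and is private.

# Print the PEM container type of a key file, based on its first BEGIN line.
key_format() {
    header=$(sed -n '/^-----BEGIN .*-----/{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8-unencrypted" ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo "traditional-rsa" ;;
        "-----BEGIN EC PRIVATE KEY-----")        echo "traditional-ec" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Succeed only if group and other have no permission bits on the file.
key_perms_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Full check: the file exists, is PKCS#8, and is accessible to its owner only.
check_keyfile() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    fmt=$(key_format "$1")
    case "$fmt" in
        pkcs8-*) ;;
        *) echo "not PKCS#8 ($fmt): convert with openssl pkcs8 -topk8"; return 1 ;;
    esac
    key_perms_private "$1" || { echo "too permissive: chmod 600 $1"; return 1; }
    echo "ok: $fmt"
}

# When run as a script, check the path given as the first argument.
[ "$#" -eq 0 ] || check_keyfile "$1"
```

Run it against the converted key, for example /etc/pki/abiquo/monitoring-c7.key.netty, before pointing emmett.service.keyfile at it.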

Abiquo configuration

Properties

The properties below only apply if the value of the system property 'abiquo.rabbitmq.tls' is true.

| Property name | Description | Default |
| --- | --- | --- |
| abiquo.watchtower.tls | True if TLS is enabled. | False |
| abiquo.watchtower.tls.trustallcertificates | If true, Abiquo will not enforce any server certificate authentication. | False |

Possible configurations

Plain TCP

This is the default configuration, with no SSL enabled. The default values match this configuration, but you should ensure that the value of 'abiquo.watchtower.tls' is false.

| Property name | Value |
| --- | --- |
| abiquo.watchtower.tls | false |

Trust all certificates

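In this configuration Abiquo connects over TLS without validating the server certificate and without presenting a client certificate. The traffic is encrypted, but the identity of the Watchtower server is not verified.

| Property name | Value |
| --- | --- |
| abiquo.watchtower.tls | true |
| abiquo.watchtower.tls.trustallcertificates | true |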

Use trust manager to validate server certificates

In this configuration Abiquo validates the server certificate when it connects and does not present a client certificate.

| Property name | Value |
| --- | --- |
| abiquo.watchtower.tls | true |
| abiquo.watchtower.tls.trustallcertificates | false |

Apache Tomcat boot classpath configuration

As watchtower-emmett is a Netty HTTP/2 service, Tomcat should be run with an ALPN agent to negotiate the TLS connection. Read more about it in the Jetty documentation.
The ALPN agent should be installed in the API and RS appliances. Tomcat boot parameters need to be modified accordingly:

-Xbootclasspath/p:/path/to/alpn-boot-8.1.7.v20160121.jar

The agent can be downloaded from the Jetty Maven repository.

Copyright © 2006-2022, Abiquo Holdings SL. All rights reserved