Configure Abiquo Tomcat with HTTPS for Remote RS


In some scenarios you might want to use secure communications between an Abiquo Server and a remote datacenter running an Abiquo Remote Services appliance (for instance they might communicate over the Internet). In this case it's advisable to secure your Tomcat communications.

Define a new HTTPS connector in remote RS Catalina

Replace your current remote RS catalina connector in:

/opt/abiquo/tomcat/conf/server.xml
<Service name="Catalina">

        <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8009" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/abiquo/tomcat/conf/remoters.jks" keystorePass="changeit" keyAlias="myremoters.bcn.abiquo.com"
           clientAuth="false" secretrequired="false" 
           sslProtocol="TLS"/>

Keep in mind that you must point the connector to your own keystore and set the remaining parameters, such as keystorePass and keyAlias, to match it.

Import certificates on Remote RS

You will need to convert your remote RS certificates to PKCS12 format:

openssl pkcs12 -export -in myremoters.bcn.abiquo.com.crt -inkey myremoters.bcn.abiquo.com.key -name myremoters.bcn.abiquo.com -out import_cert_key

Import it into the RS keystore Tomcat is going to use:

keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore import_cert_key -srcstoretype PKCS12

If you need to create a .jks keystore you can do it easily:

keytool -genkey -keyalg RSA -keystore remoters.jks -keysize 2048

Import Remote RS certificates on Abiquo Server

Import the remote RS certificate into the API server that is going to connect to the remote RS via HTTPS:

keytool -import -trustcacerts -alias myremoters.bcn.abiquo.com -file /etc/pki/abiquo/myremoters.bcn.abiquo.crt -keystore cacerts

Enable SSL proxy for Apache

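You might need to enable the SSL proxy in Apache so that AM connections for template upload and download work over TLS. To do this, add the following to your Apache virtual host configuration. With these settings Apache does not verify the remote certificate (SSLProxyVerify none, with the peer CN, name and expiry checks off), so the proxied connection is encrypted but the remote end is not authenticated: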

  ####APACHE SSL PROXY##########
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off
  ##############################

Apply and verify

At this point all configuration is done. Restart the abiquo-tomcat service on both machines where changes have been made (in this scenario, the remote RS and the Abiquo Server).

You should now be able to add your remote RS using the HTTPS protocol.
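
A check you can run after the restart, as an added example that is not part of the Abiquo documentation: it compares the certificate the remote RS connector serves with the certificate file imported on the Abiquo Server, and fails if they differ or if the certificate expires within a day. The script and function names are assumptions; it expects the openssl command-line tool (and keytool for the keystore helper).

```shell
#!/bin/sh
# Added example (not Abiquo code): check that the certificate served by the
# remote RS HTTPS connector is the one imported on the Abiquo Server.

# Print the SHA-256 fingerprint of the first PEM certificate read from stdin.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Print the leaf certificate (PEM) that HOST:PORT presents. Needs network access.
served_cert() {  # served_cert HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# Print the certificate (PEM) stored under ALIAS in a Java keystore.
keystore_cert() {  # keystore_cert KEYSTORE ALIAS STOREPASS
    keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3"
}

# Succeed only if both PEM files hold the same certificate.
same_cert() {  # same_cert PEM_A PEM_B
    fp_a=$(pem_fingerprint <"$1")
    fp_b=$(pem_fingerprint <"$2")
    [ -n "$fp_a" ] && [ "$fp_a" = "$fp_b" ]
}

# Succeed only if the certificate in PEM_FILE is still valid SECONDS from now.
valid_for() {  # valid_for PEM_FILE SECONDS
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# Compare what the connector serves with the pinned file, then check expiry.
verify_remote_rs() {  # verify_remote_rs HOST PORT PINNED_PEM
    tmp=$(mktemp) || return 2
    served_cert "$1" "$2" >"$tmp"
    if same_cert "$tmp" "$3" && valid_for "$tmp" 86400; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh check_rs_cert.sh HOST PORT PINNED_PEM (script name is hypothetical)
if [ "$#" -eq 3 ]; then
    verify_remote_rs "$@" || { echo "certificate mismatch or expiring" >&2; exit 1; }
    echo "served certificate matches the pinned file"
fi
```

To compare against the entry actually stored in the API server's cacerts rather than the .crt file, write the output of keystore_cert to a file and pass that file as the pinned PEM.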

Copyright © 2006-2022, Abiquo Holdings SL. All rights reserved