Configure Abiquo Tomcat with HTTPS for Remote RS
This page describes how to use TLS to secure communications between an Abiquo Server and a “remote Remote Services” (remote RS) server.
You can use this configuration when a Remote Services Server is in a remote datacenter and the Abiquo Server will communicate with it over the internet.
This document explains how to configure a test environment, and its examples are for a test environment.
When configuring your production environment, always follow the advice of your Security team.
Change our example values to the values for your environment.
For example, replace “myremoters.bcn.abiquo.com” with the domain name of your remote RS server.
And replace “remoters.jks” with the name of your server keystore.
Import certificates on Remote RS
You will need to convert your remote RS certificate to PKCS12 format. Remember to use the domain name of your own remote RS server.
openssl pkcs12 -export -in myremoters.bcn.abiquo.com.crt -inkey myremoters.bcn.abiquo.com.key -name myremoters.bcn.abiquo.com -out import_cert_key
Create a .jks keystore. For a basic test environment, you can use the command below and use the name of your remote RS server.
keytool -genkey -keyalg RSA -keystore remoters.jks -keysize 2048
Import the certificate into the RS keystore that Tomcat will use. Remember to use your password and keystore name.
keytool -importkeystore -deststorepass changeit -destkeystore remoters.jks -srckeystore import_cert_key -srcstoretype PKCS12
Import API server certificate to remote RS server
In the remote RS server’s .jks keystore, there should also be an entry for the API server.
Copy the API server certificate to the remote RS server.
Import it in the same way as the RS server certificate in the previous steps.
Convert your certificate to PKCS12 format:
Import it to your .jks keystore file:
Verify API server location path on remote RS server
On the remote RS server, check the Abiquo properties file at:
Check the abiquo.server.api.location property.
The value should contain “https” and no port number.
For example: https://myapiserver.bcn.abiquo.com/api
Define a new HTTPS connector in remote RS Catalina
On the remote RS server, edit the Tomcat server configuration file at:
Replace the current remote RS catalina connector with a new connector.
The important values to change are:
keystoreFile - e.g. use the host name of your remote RS server
keystorePass - use a secure password
keyAlias - you must use the domain name of your remote RS server
Also configure the other parameters according to your environment.
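The following check is an added example, not part of the Abiquo documentation or product. It lints the two remote RS settings described above before you restart Tomcat: abiquo.server.api.location (https, no port number) and the connector's keystoreFile, keystorePass and keyAlias. It assumes those attributes sit directly on a Connector element with SSLEnabled="true"; the sample inputs, keystore path and port are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs; path, port and password are placeholders.
SAMPLE_PROPERTIES = "abiquo.server.api.location = https://myapiserver.bcn.abiquo.com/api\n"
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/path/to/remoters.jks" keystorePass="changeit"
             keyAlias="myremoters.bcn.abiquo.com"/>
</Service></Server>"""

def check_api_location(properties_text):
    """Problems with abiquo.server.api.location: must be https with no port."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")  # assumes "key = value" lines
        if not sep or key.strip() != "abiquo.server.api.location":
            continue  # other keys, comments and blank lines
        url, problems = urlsplit(value.strip()), []
        if url.scheme != "https":
            problems.append("scheme is %r, expected https" % url.scheme)
        try:
            has_port = url.port is not None
        except ValueError:  # malformed port such as ":abc"
            has_port = True
        if has_port:
            problems.append("URL carries a port number")
        return problems
    return ["abiquo.server.api.location is not set"]

def check_connector(server_xml, rs_domain):
    """Problems with the keystore attributes of each TLS connector."""
    root = ET.fromstring(server_xml)
    tls = [c for c in root.iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        return ['no Connector with SSLEnabled="true"']
    problems = []
    for conn in tls:
        if not conn.get("keystoreFile"):
            problems.append("keystoreFile is missing")
        # "changeit" is the well-known default, so it is not a secure password.
        if conn.get("keystorePass") in (None, "", "changeit"):
            problems.append("keystorePass is unset or still 'changeit'")
        if conn.get("keyAlias") != rs_domain:
            problems.append("keyAlias %r does not match %r"
                            % (conn.get("keyAlias"), rs_domain))
    return problems

if __name__ == "__main__":
    for p in (check_api_location(SAMPLE_PROPERTIES)
              + check_connector(SAMPLE_SERVER_XML, "myremoters.bcn.abiquo.com")):
        print("FAIL:", p)
```

Run against the constructed sample, it reports only the keystorePass finding, because the sample still uses “changeit”.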
Import remote RS certificates on Abiquo server
Log in as administrator to the API server that will connect to the remote RS via HTTPS.
For example, for the default cacerts keystore in a test environment.
If you are using your own keystore on the API server, use the -keystore option to specify it.
Enable SSL proxy for Apache
For AM connections to work with TLS (for template upload and download), check or enable SSL proxy for Apache.
Log in to the API/UI server as an administrator.
Edit the Apache configuration at /etc/httpd/conf.d/abiquo.conf.
In the Apache virtual host configuration, add the following.
Apply and verify
At this point all configurations are done. Restart both abiquo-tomcat services where changes have been made (in this scenario, remote RS and Abiquo Server).
Log in to Abiquo as a cloud administrator and add your remote RS using the HTTPS protocol.
For Tomcat TLS troubleshooting, see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved