Update certificates in your Abiquo environment
- 1 Changing certificates in Abiquo
- 2 Certificates in the Abiquo environment
- 3 Create a self-signed certificate for a test environment
- 4 Check and update API server certificates
- 5 Check the certificate configuration of the Apache web server
- 6 Check and restore TLS configuration for remote services
- 7 Check the Tomcat connector on the Remote services
- 8 Apply and verify your configuration
This section describes how to make changes to certificates in your Abiquo environment.
Changing certificates in Abiquo
When your certificates expire, you must replace them with new certificate files.
You may also need to replace your certificates for other reasons, or you may wish to change to wildcard certificates for your whole Abiquo environment.
In addition, you may need to restore configuration if an upgrade or accident overwrites files, such as:
- Java → default cacerts registry on the Abiquo Server
- Tomcat server → server.xml file on Remote services servers with TLS
- Java → keystore (.jks) file on Remote services servers
- Apache server → abiquo.conf file on the Abiquo Server
Back up each of these files before you change them, and keep a copy of the working version so that you can restore it after an upgrade.
Certificates in the Abiquo environment
This is the typical configuration of certificates in an Abiquo environment.
In a monolithic environment
- On the server, there is a certificate in the cacerts registry
- The user connection to the Appliance manager remote service uses HTTPS
In a distributed environment
- By default, on the API UI server, there is a certificate in the cacerts registry
- For HTTPS connections to Remote services servers, you add certificates to a Java keystore and to cacerts on the API server
The following sections describe how to check and update these configurations.
Create a self-signed certificate for a test environment
If the certificates in your test environment have expired, you can create a self-signed certificate by following the instructions in a how-to guide such as:
Create a Self-Signed Wildcard SSL Certificate with OpenSSL
The important step when you create a wildcard certificate is to add the subjectAltName extension with a DNS entry for your domain. For example, for the domain example.com, use subjectAltName=DNS:*.example.com. Depending on your version of OpenSSL, you may be able to add this as part of the commands, or you may need to add it in a separate configuration file.
Note that a wildcard covers a single label only: *.example.com matches abiquo-api-ui.example.com, but it does not match example.com itself, and it does not match a host with an extra subdomain level. If any server uses the bare domain name, add DNS:example.com to the subjectAltName as well. Use self-signed certificates only in test environments.
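As an added example that is not part of the Abiquo documentation, the following POSIX shell script creates such a wildcard certificate with the subjectAltName supplied through a small OpenSSL configuration file, which works on OpenSSL versions that cannot take the extension on the command line, and then checks which host names the certificate actually covers. The example.com domain, the file names and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example (not from the Abiquo page): self-signed wildcard certificate
# with the SAN supplied via an OpenSSL config file, plus a host-name check.
# Domain, file names and validity period are illustrative assumptions.

# make_wildcard_cert DIR DOMAIN [DAYS]
# Writes DIR/wildcard.DOMAIN.key and DIR/wildcard.DOMAIN.crt.
make_wildcard_cert() {
    dir=$1; domain=$2; days=${3:-365}
    cnf="$dir/wildcard.$domain.cnf"
    # The SAN lists the wildcard and the bare domain: "*.example.com" on its
    # own does not cover "example.com".
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no

[dn]
CN = *.$domain

[v3_req]
subjectAltName = DNS:*.$domain, DNS:$domain
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
        -config "$cnf" \
        -keyout "$dir/wildcard.$domain.key" \
        -out "$dir/wildcard.$domain.crt" 2>/dev/null
}

# cert_san CERT -> the Subject Alternative Name entries of CERT
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# cert_matches_host CERT HOST -> 0 if HOST is covered by CERT.
# A wildcard matches exactly one label: api.example.com matches
# *.example.com, a.b.example.com does not.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_wildcard_cert "$d" example.com
    cert_san "$d/wildcard.example.com.crt"
    for h in abiquo-api-ui.example.com example.com deep.sub.example.com; do
        if cert_matches_host "$d/wildcard.example.com.crt" "$h"; then
            echo "$h: covered"
        else
            echo "$h: NOT covered"
        fi
    done
fi
```

The configuration-file route is the one that works on every OpenSSL version; the -checkhost step is worth running against each real host name before you install the certificate, because a name the wildcard does not cover only shows up later as a TLS failure on that one server.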
Check and update API server certificates
The API server should contain a certificate for the UI server and a certificate for each Remote services server that uses TLS.
List the certificates and search for your environment name with grep using the following command. Replace ${ENV_NAME} with your environment name, such as abiquo. The default password for a test system is changeit.
[root@abiquo ~]# keytool -v -list -cacerts | grep ${ENV_NAME}
Enter keystore password:
Alias Name: abiquo-api-ui.lab.abiquo.com
Alias Name: abiquo-remoteservices.lab.abiquo.com
The -cacerts option is available from Java 9; on older Java versions, use -keystore with the path of the cacerts file instead.
For each certificate, obtain the full details with the following command, replacing ${SERVER_ENV_FQDN} with the alias name, which is usually the FQDN of the Abiquo Server or the Remote services server.
keytool -v -list -cacerts -alias ${SERVER_ENV_FQDN}
Back up the cacerts file before you delete or add entries.
To delete expired or unwanted certificates, use this command, replacing ${SERVER_ENV_FQDN} with the alias name, which is usually a server FQDN.
keytool -delete -alias ${SERVER_ENV_FQDN} -cacerts
Add new certificates for the API server with the following command, replacing ${SERVER_ENV_FQDN} with the FQDN of your API server and ${CERT_NAME} with the name of your certificate file.
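As an added example, not taken from the Abiquo documentation, this shell script performs the delete-and-import cycle described above against a trust store path and verifies the result: it backs up the store, removes a stale entry under the alias, imports the new PEM certificate as a trusted entry and compares the SHA-256 fingerprint that keytool reports for the stored entry with the fingerprint of the file. Pass the path of your cacerts file as the keystore (that is the store the -cacerts option of the commands above selects); the alias, the file names and the changeit password are illustrative.

```shell
#!/bin/sh
# Added example, not from the Abiquo documentation: replace one trusted
# certificate in a Java trust store and prove that the stored entry is the
# file that was imported. KEYSTORE is a file path; for the JDK's own store
# (what "keytool ... -cacerts" selects) that is $JAVA_HOME/lib/security/cacerts
# on Java 9+ and $JAVA_HOME/jre/lib/security/cacerts on Java 8. The alias,
# file names and the "changeit" password are illustrative.

# ks_has_alias KEYSTORE STOREPASS ALIAS -> 0 if the alias exists
ks_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# ks_fingerprint KEYSTORE STOREPASS ALIAS -> SHA-256 fingerprint of the entry
ks_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1 | tr 'a-f' 'A-F'
}

# pem_fingerprint CERTFILE -> SHA-256 fingerprint of a PEM certificate, same format
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# rotate_trust_entry KEYSTORE STOREPASS ALIAS CERTFILE
# Backs up the store, removes a stale entry under ALIAS, imports CERTFILE as a
# trusted certificate and verifies the fingerprint of what was stored.
rotate_trust_entry() {
    ks=$1; pass=$2; al=$3; cert=$4
    if [ -f "$ks" ]; then
        # Java upgrades overwrite cacerts, so keep a dated copy of the working store.
        cp -p "$ks" "$ks.$(date +%Y%m%d%H%M%S).bak" || return 1
    fi
    if ks_has_alias "$ks" "$pass" "$al"; then
        keytool -delete -keystore "$ks" -storepass "$pass" -alias "$al" >/dev/null 2>&1 || return 1
    fi
    keytool -importcert -noprompt -keystore "$ks" -storepass "$pass" \
        -alias "$al" -file "$cert" >/dev/null 2>&1 || return 1
    # The entry must be the file we imported, not a leftover from before.
    [ "$(ks_fingerprint "$ks" "$pass" "$al")" = "$(pem_fingerprint "$cert")" ]
}

# Usage on the API server, with the page's example alias (paths assumed):
#   rotate_trust_entry "$JAVA_HOME/lib/security/cacerts" changeit \
#       abiquo-remoteservices.lab.abiquo.com /etc/pki/tls/certs/abiquo-remoteservices.crt
```

The fingerprint comparison is the check that matters after a rotation: keytool happily keeps an old entry under a similar alias, and a trust store that still holds the expired certificate fails exactly like one that was never updated.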
Check the certificate configuration of the Apache web server
If you have upgraded the Apache web server, the upgrade could overwrite the certificate configuration. To check this configuration for the Apache web server:
Log in to the Abiquo Server (or the separate UI server)
Edit the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website VirtualHost.
Check the configuration at the end of this file, which by default should be similar to the following configuration.
Optionally, replace the abiquo certificate name and key name with the names of your own certificate and key, which can be a wildcard certificate for your whole environment. The key file must be the one that belongs to the certificate file; a mismatched pair stops Apache from starting.
Check that the Apache virtual host connection also contains the following configuration.
Check and restore TLS configuration for remote services
On a Remote services server with TLS connections, the Java keystore should contain the Remote services and Abiquo Server certificates.
Log in to the Remote services server
Go to the /opt/abiquo/tomcat/conf folder. This is the default keystore location, and the default keystore name is the name of the Remote services server.
Check the certificates with this command, replacing ${KEYSTORE_NAME} with the name of your keystore.
To delete a certificate, use the following command.
If you wish to add new certificates to replace old ones:
Go to the /etc/pki/tls/ folder. Your self-signed certificate(s) should be in the certs folder and the private key(s) should be in the private folder.
Convert a Remote services certificate to PKCS12 format, using the domain name of your Remote services server. The name you give the entry here becomes its alias in the keystore, and the keyAlias of the Tomcat connector must refer to that alias.
Convert an Abiquo Server certificate to PKCS12 format, using the domain name of your Abiquo Server.
Go to the /opt/abiquo/tomcat/conf folder.
If you do not have a .jks keystore, create one using the following command. Replace ${REMOTE_SERVICES_HOST} with the hostname of your Remote services server.
Import a Remote services certificate into the RS keystore.
Import an Abiquo Server certificate into the RS keystore.
After you import the certificates, you should be able to list them to check their details. Delete the intermediate PKCS12 files when you have finished, because they contain the private key.
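As an added example, not from the Abiquo documentation, this shell script carries out the conversion and import steps above end to end: it exports the Remote services certificate and key to PKCS12 under the Remote services FQDN, imports that entry into the JKS keystore under the same alias, then adds the Abiquo Server certificate as a trusted entry and reports which kind of entry each alias holds. One simplification relative to the steps above: the Abiquo Server certificate is imported directly from PEM, because a trusted entry carries no private key and so needs no PKCS12 conversion. File names, FQDNs and the password are illustrative.

```shell
#!/bin/sh
# Added example, not from the Abiquo documentation: build the Remote services
# Tomcat keystore from PEM files. On a real server the PEM files live under
# /etc/pki/tls/certs and /etc/pki/tls/private and the keystore under
# /opt/abiquo/tomcat/conf; the names and password below are illustrative.

# pem_to_pkcs12 CERT KEY FQDN OUT PASS [CHAIN]
# FQDN becomes the entry name, i.e. the alias the Tomcat keyAlias refers to.
# If an old keytool rejects the file, add "-legacy" to the openssl command:
# OpenSSL 3 defaults to PKCS12 algorithms that old Java releases cannot read.
pem_to_pkcs12() {
    if [ -n "${6:-}" ]; then
        openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" \
            -passout "pass:$5" -certfile "$6"
    else
        openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" \
            -passout "pass:$5"
    fi
}

# build_rs_keystore RS_CERT RS_KEY RS_FQDN SERVER_CERT SERVER_FQDN KEYSTORE PASS [CHAIN]
build_rs_keystore() {
    rs_cert=$1; rs_key=$2; rs_fqdn=$3; srv_cert=$4; srv_fqdn=$5; ks=$6; pass=$7; chain=${8:-}
    p12="${ks%.jks}.p12"
    pem_to_pkcs12 "$rs_cert" "$rs_key" "$rs_fqdn" "$p12" "$pass" "$chain" || return 1
    # Move the key pair into the JKS; -noprompt answers the overwrite question
    # when the alias already exists from the previous certificate.
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" -srcalias "$rs_fqdn" \
        -destkeystore "$ks" -deststoretype JKS -deststorepass "$pass" -destalias "$rs_fqdn" \
        >/dev/null 2>&1 || { rm -f "$p12"; return 1; }
    rm -f "$p12"   # the PKCS12 file holds the private key; do not leave it behind
    # Replace any stale trusted entry for the Abiquo Server.
    keytool -delete -keystore "$ks" -storepass "$pass" -alias "$srv_fqdn" >/dev/null 2>&1 || true
    keytool -importcert -noprompt -keystore "$ks" -storepass "$pass" \
        -alias "$srv_fqdn" -file "$srv_cert" >/dev/null 2>&1
}

# entry_type KEYSTORE PASS ALIAS -> PrivateKeyEntry | trustedCertEntry (status 1 if absent)
entry_type() {
    case "$(keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null)" in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *) return 1 ;;
    esac
}

# Usage on the Remote services server (paths and names assumed):
#   build_rs_keystore /etc/pki/tls/certs/remoters.crt /etc/pki/tls/private/remoters.key \
#       remoters.bcn.abiquo.com /etc/pki/tls/certs/abiquo.crt abiquo.bcn.abiquo.com \
#       /opt/abiquo/tomcat/conf/remoters.bcn.abiquo.com.jks 'S3cure-store-pass'
```

The Remote services entry must come out as PrivateKeyEntry and the Abiquo Server entry as trustedCertEntry; if the first shows as trustedCertEntry, the private key did not make it into the PKCS12 file and Tomcat cannot terminate TLS with it.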
Check the Tomcat connector on the Remote services
To check that the Tomcat connector on the Remote services server is using TLS, do these steps.
Log in to the Remote services server
Edit the Tomcat server configuration file at:
Check that the Catalina Connector for port 8009 is like the following one.
This example is a guide only; use the correct connector for your version of Tomcat. The important values are:
keystoreFile - e.g. use the host name of your remote RS server
keystorePass - use a secure password
keyAlias - you must use the domain name of your remote RS server, which must match the alias of the key entry in the keystore
Also configure the other parameters according to your environment.
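As an added example that is not from the Abiquo documentation, this shell script writes a constructed server.xml with a TLS connector on port 8009 in the attribute form the page describes, and checks it: the connector must not be an AJP connector (Tomcat's default use of port 8009), must have SSLEnabled, scheme and secure set, a keystoreFile that exists (a relative path resolves against the Tomcat base directory), a keyAlias, and a keystorePass that is not the default. Tomcat 8.5 and later also accept a nested SSLHostConfig form that this check does not parse. Host names, paths and the password are illustrative.

```shell
#!/bin/sh
# Added example, not from the Abiquo documentation: check the Remote services
# Tomcat connector in server.xml. The sample file and all names are constructed.

# write_sample_server_xml FILE KEYSTORE ALIAS: TLS connector on 8009, the port
# the page uses for the Remote services API.
write_sample_server_xml() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
               clientAuth="false"
               keystoreFile="$2"
               keystorePass="S3cure-store-pass"
               keyAlias="$3"
               maxThreads="150" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
EOF
}

# connector_for_port FILE PORT -> the matching <Connector ...> element on one line
connector_for_port() {
    tr '\n' ' ' < "$1" | grep -o '<Connector[^>]*port="'"$2"'"[^>]*>' | head -n 1
}

# attr ELEMENT NAME -> value of attribute NAME, empty if absent
attr() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\([^"]*\)".*/\1/p'
}

# check_rs_connector FILE PORT CATALINA_BASE -> 0 if the connector is a usable
# TLS endpoint; prints one line per problem otherwise
check_rs_connector() {
    el=$(connector_for_port "$1" "$2"); base=$3; rc=0
    [ -n "$el" ] || { echo "no Connector on port $2"; return 1; }
    case "$(attr "$el" protocol)" in
        *AJP*|*ajp*) echo "port $2 is an AJP connector, not HTTPS"; return 1 ;;
    esac
    [ "$(attr "$el" SSLEnabled)" = true ] || { echo "SSLEnabled is not true"; rc=1; }
    [ "$(attr "$el" scheme)" = https ] || { echo "scheme is not https"; rc=1; }
    [ "$(attr "$el" secure)" = true ] || { echo "secure is not true"; rc=1; }
    ks=$(attr "$el" keystoreFile); al=$(attr "$el" keyAlias); pw=$(attr "$el" keystorePass)
    [ -n "$al" ] || { echo "keyAlias missing (must be the keystore alias, i.e. the RS FQDN)"; rc=1; }
    [ -n "$pw" ] && [ "$pw" != changeit ] || { echo "keystorePass missing or still the default"; rc=1; }
    # A relative keystoreFile is resolved against CATALINA_BASE.
    case "$ks" in "") echo "keystoreFile missing"; rc=1 ;; /*) ;; *) ks="$base/$ks" ;; esac
    [ -z "$ks" ] || [ -r "$ks" ] || { echo "keystore $ks not readable"; rc=1; }
    return $rc
}

# Usage on the Remote services server (path assumed):
#   check_rs_connector /opt/abiquo/tomcat/conf/server.xml 8009 /opt/abiquo/tomcat
```

After an upgrade the typical finding is the first one: the package's stock server.xml has put the AJP connector back on 8009, which answers the API's HTTPS connection with a protocol error rather than a certificate error.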
Apply and verify your configuration
Apply and verify the certificate configuration.
On the Abiquo Server, restart Tomcat and the Apache web server
On the Remote services server, restart the Tomcat server
If you are using a self-signed certificate in a test environment, accept the remote RS certificates with these steps.
In your browser, open a connection to the remote RS server using the TLS port. In our example, this would be:
https://remoters.bcn.abiquo.com:8009/
On the certificate warning, go to Advanced and accept the risk.
This exception is stored only by your browser. The Abiquo Server trusts the Remote services certificate through the entry you added to cacerts, so if that entry is missing or outdated, the API connection to the Remote services fails regardless of the browser exception.
Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved