Watchtower TLS guide
The aim of this guide is to explain how to configure the Watchtower server, and Abiquo as its client, with TLS enabled.
Watchtower configuration
Properties
Property name | Description | Default |
emmett.service.ssl | True if TLS is enabled | false |
emmett.service.certfile | Path of the certificate to use | "" |
emmett.service.keyfile | Path of the private key to use, in PKCS#8 format (see Key format below) | "" |
emmett.service.keypassword | Passphrase the PKCS#8 key is encrypted with; the default is the empty passphrase that the conversion below produces | "" |
Key format
The key must be stored in PKCS#8 format. Use the openssl pkcs8
command to convert an existing PEM key:
openssl pkcs8 -v1 PBE-SHA1-3DES -topk8 \
-in /etc/pki/abiquo/monitoring-c7.key \
-out /etc/pki/abiquo/monitoring-c7.key.netty \
-passout pass:
Here -v1 PBE-SHA1-3DES selects the legacy PKCS#12 password-based encryption scheme built on SHA-1 and 3DES, and -passout pass: (nothing after the colon) sets an empty passphrase, which is what the default value of emmett.service.keypassword expects. With an empty passphrase the key is protected only by file permissions, so restrict the converted file to the user that runs Watchtower. If you choose a real passphrase instead, set emmett.service.keypassword to the same value.
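The conversion above, wrapped in an added shell example (not Abiquo's own tooling) that also confirms the converted key decrypts with the chosen passphrase and belongs to the certificate named in emmett.service.certfile. The paths and the passphrase are placeholders; the PBE-SHA1-3DES scheme is the one the guide shows.

```shell
#!/bin/sh
# Added example (not Abiquo's own tooling): convert a PEM private key to the
# encrypted PKCS#8 form emmett.service.keyfile expects, then verify it.
# Paths and the passphrase are placeholders; PBE-SHA1-3DES is the scheme the
# guide uses.
set -eu

# to_pkcs8 SRC DST PASSPHRASE: write SRC as encrypted PKCS#8 to DST.
# A non-empty passphrase is required here; the guide's "-passout pass:"
# would instead encrypt the key with an empty passphrase.
to_pkcs8() {
    src=$1; dst=$2; pass=$3
    umask 077   # the converted key must not be readable by other users
    openssl pkcs8 -v1 PBE-SHA1-3DES -topk8 \
        -in "$src" -out "$dst" -passout "pass:$pass"
}

# pkcs8_readable FILE PASSPHRASE: succeed only if FILE is an encrypted
# PKCS#8 key that decrypts with PASSPHRASE (what emmett.service.keypassword
# must hold).
pkcs8_readable() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1" &&
        openssl pkey -in "$1" -passin "pass:$2" -noout
}

# key_matches_cert KEY PASSPHRASE CERT: compare the public key inside the
# converted key with the one in the certificate, so emmett.service.certfile
# and emmett.service.keyfile really belong together.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$3" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage (placeholder paths):
#   sh convert_key.sh /etc/pki/abiquo/monitoring-c7.key \
#       /etc/pki/abiquo/monitoring-c7.key.netty \
#       /etc/pki/abiquo/monitoring-c7.crt PASSPHRASE
if [ "$#" -eq 4 ]; then
    to_pkcs8 "$1" "$2" "$4"
    pkcs8_readable "$2" "$4"
    key_matches_cert "$2" "$4" "$3"
    echo "converted $2; set emmett.service.keypassword to the passphrase used"
fi
```

The public-key comparison catches the common mistake of converting a key from a different host than the certificate; Watchtower would only report that at startup.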
Abiquo configuration
Properties
abiquo.watchtower.tls.trustallcertificates only has an effect when abiquo.watchtower.tls is true.
Property name | Description | Default |
abiquo.watchtower.tls | True if TLS is enabled. | false |
abiquo.watchtower.tls.trustallcertificates | If true, Abiquo accepts any server certificate without validating it, so it cannot tell a genuine Watchtower from an impersonator. Intended for testing only. | false |
Possible configurations
Plain TCP
This is the default configuration, with no TLS enabled: traffic between Abiquo and Watchtower is neither encrypted nor authenticated. The default values match this configuration, but you should check that the value of abiquo.watchtower.tls is false.
Property name | Value |
abiquo.watchtower.tls | false |
Trust all certificates
In this configuration, Abiquo will connect without validating the server certificate and without presenting any client certificate. The connection is encrypted, but any server holding any certificate is accepted, so an attacker who can redirect the traffic can impersonate Watchtower. Use it only while testing, and move to the validating configuration below before production.
Property name | Value |
abiquo.watchtower.tls | true |
abiquo.watchtower.tls.trustallcertificates | true |
Use trust manager to validate server certificates
In this configuration, Abiquo will connect and validate the server certificate without presenting any client certificate. With a Java trust manager this means the Watchtower certificate must chain to a CA that the Abiquo JVM trusts (typically its cacerts trust store or the one set with javax.net.ssl.trustStore), and must be within its validity period.
Property name | Value |
abiquo.watchtower.tls | true |
abiquo.watchtower.tls.trustallcertificates | false |
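Before switching abiquo.watchtower.tls.trustallcertificates from true to false, it is worth checking that the certificate Watchtower presents will survive validation. The following is an added shell example (not Abiquo's own tooling) that applies the checks a validating client makes: chain to a trusted CA, validity period, and host-name match. The page does not say whether Abiquo also checks the host name; the check is included because a certificate that fails it will fail in any client that does. The CA bundle path, host name and port are placeholders.

```shell
#!/bin/sh
# Added example (not Abiquo's own tooling): check that a Watchtower server
# certificate will pass a validating trust manager, which is what
# abiquo.watchtower.tls.trustallcertificates=true skips.
# CA bundle path, host name and port are placeholders.
set -eu

# chain_ok CERT CAFILE: CERT chains to a CA in CAFILE and is within its
# validity period. Put any intermediate CA certificates into CAFILE too,
# or pass them to openssl verify with -untrusted.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# host_ok CERT HOSTNAME: HOSTNAME matches the certificate's subject
# alternative names (or CN), as a host-name-verifying client requires.
host_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# live_check HOST PORT CAFILE: the same checks against a running server,
# plus confirmation that h2 is negotiated via ALPN (Watchtower is an HTTP/2
# service). Needs network access, so it is not exercised offline.
live_check() {
    out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" \
              -CAfile "$3" -alpn h2 -verify_return_error 2>&1) || return 1
    echo "$out" | grep -q 'ALPN protocol: h2'
}

# Usage (placeholders): sh check_watchtower_cert.sh watchtower.example 39000 /etc/pki/abiquo/ca.pem
if [ "$#" -eq 3 ]; then
    live_check "$1" "$2" "$3" && echo "certificate of $1 validates; trustallcertificates can be false"
fi
```

If chain_ok fails with the CA bundle you expect Abiquo to use, fix the server side (wrong CA, missing intermediate, expired certificate) rather than falling back to trustallcertificates=true.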
Apache Tomcat boot classpath configuration for Abiquo <= 6.2
Abiquo watchtower-emmett is a Netty HTTP/2 service, and HTTP/2 over TLS is negotiated with ALPN, which Java 8 only gained natively from update 252 onwards. On older Java 8 runtimes, Tomcat must therefore be started with the Jetty ALPN boot jar on the boot classpath so the TLS handshake can negotiate h2.
Read more about it in https://www.eclipse.org/jetty/documentation/jetty-9/index.html#alpn-chapter
The ALPN boot jar must be installed on the API and RS appliances, and its version must match the exact JDK update installed there (see the version table in the Jetty documentation linked above; a mismatched jar breaks TLS negotiation).
Then add it to the Tomcat boot parameters:
-Xbootclasspath/p:/path/to/alpn-boot-8.1.7.v20160121.jar
-Xbootclasspath/p is a Java 8 option; it was removed in Java 9, which does not need the boot jar.
You can download the jar from https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-alpn-server
Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved