Watchtower TLS guide


The aim of this guide is to explain how to configure the Watchtower server, and Abiquo as its client, with TLS enabled.

Watchtower configuration

Properties

| Property name | Description | Default |
| --- | --- | --- |
| emmett.service.ssl | True if TLS is enabled | false |
| emmett.service.certfile | Path of the certificate to use | "" |
| emmett.service.keyfile | Path of the key to use, in PKCS8 syntax | "" |
| emmett.service.keypassword | Passphrase that encrypts the key | "" |

Key format

The key should be stored in PKCS8 syntax. You can use the openssl command to convert the key:

    openssl pkcs8 -v1 PBE-SHA1-3DES -topk8 \
      -in /etc/pki/abiquo/monitoring-c7.key \
      -out /etc/pki/abiquo/monitoring-c7.key.netty \
      -passout pass:
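The following pre-start check is an added example, not part of Abiquo's own tooling: it reads the emmett.service.* properties above from a Java-style properties file (assumed "name = value" lines), confirms that the certificate and key files are readable, that the key is in PKCS8 syntax (PEM header "BEGIN PRIVATE KEY" or "BEGIN ENCRYPTED PRIVATE KEY" rather than the traditional "BEGIN RSA PRIVATE KEY"), and that an encrypted key has a non-empty emmett.service.keypassword.

```shell
#!/bin/sh
# Added example: sanity-check a Watchtower TLS configuration before start-up.
# Assumes a properties file with "name = value" lines and PEM-encoded key files.

# Print the value of property $2 from properties file $1 (first match wins).
prop() {
  # Escape the dots in the property name so they match literally in sed.
  name=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${name}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeed if the PEM file $1 carries a PKCS8 header (plain or encrypted);
# fail for traditional "BEGIN RSA PRIVATE KEY" / "BEGIN EC PRIVATE KEY" files,
# which is what "openssl pkcs8 -topk8" converts away from.
is_pkcs8_key() {
  grep -q -e '-----BEGIN PRIVATE KEY-----' \
          -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Check properties file $1; print each finding and return 0 only if all is well.
check_watchtower_tls() {
  file="$1"
  rc=0
  ssl=$(prop "$file" emmett.service.ssl)
  if [ "$ssl" != "true" ]; then
    echo "emmett.service.ssl=${ssl:-false}: TLS disabled, plain TCP listener"
    return 0
  fi
  cert=$(prop "$file" emmett.service.certfile)
  key=$(prop "$file" emmett.service.keyfile)
  pass=$(prop "$file" emmett.service.keypassword)
  [ -r "$cert" ] || { echo "emmett.service.certfile not readable: '$cert'"; rc=1; }
  if [ -r "$key" ]; then
    is_pkcs8_key "$key" || { echo "emmett.service.keyfile is not PKCS8: $key"; rc=1; }
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$key" && [ -z "$pass" ]; then
      echo "key is encrypted but emmett.service.keypassword is empty"; rc=1
    fi
  else
    echo "emmett.service.keyfile not readable: '$key'"; rc=1
  fi
  return $rc
}
```

Run it as `check_watchtower_tls /path/to/watchtower.properties` after converting the key; a non-zero exit means the service would start without a usable TLS identity.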


Abiquo configuration

Properties

The properties below only apply if the value of the system property abiquo.rabbitmq.tls is true.

| Property name | Description | Default |
| --- | --- | --- |
| abiquo.watchtower.tls | True if TLS is enabled. | false |
| abiquo.watchtower.tls.trustallcertificates | If true, Abiquo will not enforce any server certificate authentication. | false |

Possible configurations

Plain TCP

This is the default configuration, with no TLS enabled. The default values match this configuration, but you should check that the value of abiquo.watchtower.tls is false.

| Property name | Value |
| --- | --- |
| abiquo.watchtower.tls | false |

Trust all certificates

In this configuration, Abiquo will connect without validating the server certificate and without presenting any client certificate. Because the server identity is not checked, Abiquo cannot tell the real Watchtower server from another host presenting a certificate, so this setting is suitable for testing only.

| Property name | Value |
| --- | --- |
| abiquo.watchtower.tls | true |
| abiquo.watchtower.tls.trustallcertificates | true |

Use trust manager to validate server certificates

In this configuration, Abiquo will connect and validate the server certificate without presenting any client certificate.

| Property name | Value |
| --- | --- |
| abiquo.watchtower.tls | true |
| abiquo.watchtower.tls.trustallcertificates | false |

Apache Tomcat boot classpath configuration for Abiquo <= 6.2

Abiquo watchtower-emmett is a Netty HTTP/2 service, so Tomcat should be run with an ALPN agent to negotiate the TLS connection. Read more about it in https://www.eclipse.org/jetty/documentation/jetty-9/index.html#alpn-chapter

The ALPN agent should be installed on the API and RS appliances, and you should modify the Tomcat boot parameters accordingly:

    -Xbootclasspath/p:/path/to/alpn-boot-8.1.7.v20160121.jar

You can download the agent from https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-alpn-server

Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved