Watchtower TLS guide

ย 

ย 

The aim of this guide is to explain how to configure the Watchtower server and Abiquo as client with TLS enabled.

Watchtower configuration

Properties

Property name

Description

Default

emmett.service.ssl

True if TLS is enabled

false

emmett.service.certfile

Path of the certificate to use

""

emmett.service.keyfile

Path of the key to use in PKCS8 syntax

""

emmett.service.keypassword

Passphrase that encrypts the key

""

Key format

The key should be stored in PKCS8 syntax. You can use the openssl command to convert the key:

openssl pkcs8 -v1 PBE-SHA1-3DES -topk8 \ -in /etc/pki/abiquo/monitoring-c7.key \ -out /etc/pki/abiquo/monitoring-c7.key.netty \ -passout pass:

ย 

Abiquo configuration

Properties

The properties below only apply if the value of the system property abiquo.rabbitmq.tls is true.

Property name

Description

Default

abiquo.watchtower.tls

True if TLS is enabled.

False

abiquo.watchtower.tls.trustallcertificates

If true, abiquo will not enforce any server certificate authentication.

False

Possible configurations

Plain TCP

This is the default configuration with no TLS enabled. The default values match this configuration but you should check that the value of abiquo.watchtower.tls is false.

Property name

Value

abiquo.watchtower.tls

false

Trust all certificates

In this configuration, Abiquo will connect without validating the server certificate and without presenting any client certificates.

Property name

Value

abiquo.watchtower.tls

true

abiquo.watchtower.tls.trustallcertificates

true

Use trust manager to validate server certificates

In this configuration, Abiquo will connect and validate the server certificate without presenting any client certificates.

Property name

Value

abiquo.watchtower.tls

true

abiquo.watchtower.tls.trustallcertificates

false

ย 

Apache Tomcat boot classpath configuration for Abiquo <= 6.2

Abiquo watchtower-emmett is a Netty HTTP2 service, so Tomcat should be run with an APLN agent to negotiate the TLS connection.
Read more about it in https://www.eclipse.org/jetty/documentation/jetty-9/index.html#alpn-chapter
The APLN agent should be installed on the API and RS appliances.
And you should modify the Tomcat boot parameters accordingly:

-Xbootclasspath/p:/path/to/alpn-boot-8.1.7.v20160121.jar

You can download the agent from Maven Repository: org.eclipse.jetty ยป jetty-alpn-server

Copyright ยฉ 2006-2024, Abiquo Holdings SL. All rights reserved