Configure TLS for distributed scalable

1 TLS use cases
2 Create a self-signed certificate for a test environment
3 Abiquo UI certificates
4 Configure TLS for remote services
5 V2V server
6 Next steps

This section describes how to use self-signed certificates for a test environment ONLY.
To create self-signed certificates, we recommend that you install and use a current version of OpenSSL and current encryption algorithms.

TLS use cases

Your users will connect to the Abiquo UI over HTTPS with TLS.

You can run Abiquo using HTTP for internal connections between servers within the same infrastructure/datacenter network.

When users upload or download templates, they need a direct connection to the Appliance Manager remote service, and this connection must be made with TLS.

The Abiquo Monolithic Server has a self-signed certificate and the connection to the appliance manager is preconfigured to use TLS

When the Abiquo remote services will connect to the Abiquo Server over the internet, these communications should also use TLS.

Create a self-signed certificate for a test environment

The commands to create a self-signed certificate may vary depending on the version of OpenSSL you are using.

Here are some guides:

How to Create Self-Signed Certificates using OpenSSL
https://www.brainbytez.nl/tutorials/linux-tutorials/create-a-self-signed-wildcard-ssl-certificate-openssl/
- The important step to create a wildcard certificate is to add the subjectAltName for DNS as a required extension for your domain, for example, for the domain example.com subjectAltName=DNS:*.example.com

Abiquo UI certificates

The API server OVA has a default self-signed certificate called abiquo.crt that you can find in this folder /etc/pki/tls/certs.

The Apache web server (HTTPD) uses the certificate for the Abiquo User Interface (UI) on the Abiquo server. This certificate is in the default cacerts repository.

To quickly check the certificate in the cacerts keystore, use the following command, with the default changeit password for a test system.

[root@abicloud ~]# keytool -list -cacerts -alias {$SERVER_FQDN}
Enter keystore password:  
abicloud.example.com, Dec 11, 2022, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA

To check the certificate for the Apache Web Server:

Log in the Abiquo server (with the Abiquo UI)
Edit the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website VirtualHost.
Check the configuration at the end of this file, which by default should be as follows.

  ...
  SSLCertificateFile /etc/pki/tls/certs/abiquo.crt
  SSLCertificateKeyFile /etc/pki/tls/private/abiquo.key
</VirtualHost>

For a test system, you can use this certificate or you can replace it with your own self-signed certificate, which can be a wildcard certificate for your whole test environment.

Configure TLS for remote services

To use TLS between the API and remote services, configure the following certificates:

API server cacerts → RS certificate
RS server .jks keystore → RS certificate and API certificate

This section describes this configuration.

1. Add certificates to the Java keystore on the Remote services server

Add Remote services and Abiquo Server certificates to the Java keystore on the Remote services server.

Log in to the Remote services server
Go to the /etc/pki/tls/ folder
Copy your self-signed certificate(s) to the certs folder and your private key to the private folder
Convert the remote RS cert to PCKS12 format, using the domain name of your Remote services server.
openssl pkcs12 -export -in ${DOMAIN}.crt -inkey ${DOMAIN}.key -name ${REMOTE_SERVICES_FQDN} -out import_cert_key_rs
Convert the Abiquo Server cert to PCKS12 format, using the domain name of your Abiquo Server.
Go the /opt/abiquo/tomcat/conf folder
Create a .jks keystore using the following command. Replace ${REMOTE_SERVICES} with the hostname of your Remote services server
Import the Remote services certificate into the RS keystore.
Import the Server certificate into the RS keystore.

Now you should be able to check these certificates with the list command, for example, for a remote services server with a host name of remoters:

2. Change the Tomcat connector on the Remote services to use TLS

To change the Tomcat connector on the Remote services server to use TLS, do these steps.

Log in to the Remote services server
Edit the Tomcat server configuration file at:
Remove the Catalina Connector for port 8009
Replace it with a new Connector like the following one.
This example is a guide only, use the correct file for your version of Tomcat. Abiquo 6.1 uses Tomcat 9.
The important values to change are:
- keystoreFile - e.g. use the host name of your remote RS server
- keystorePass - use a secure password
- keyAlias - you must use the domain name of your remote RS server
Also configure the other parameters according to your environment.

3. Add your certificate to cacerts on the Abiquo server

If you are using a separate certificate for the Remote services server, or a wildcard certificate, add it to cacerts on the Abiquo server.

Log in to the Abiquo server as an administrator
Go to the /etc/pki/tls/ folder
Copy the new certificate to the certs folder.
Copy the new private key to the private folder
Import the certificate into the default cacerts keystore with the name of the Remote services server. For example, for a Remote services server:
If you created a self-signed certificate with your own certificate authority, also import the CA certificate into cacerts

4. Replace the Abiquo certificate for the UI on the Abiquo server - optional

To use a wildcard certificate for Abiquo server and Remote services server, or a different self-signed certificate on Abiquo server, then you should replace the default Abiquo certificate.

To replace the Abiquo certificate with your own certificate:

Delete the default Abiquo certificate from cacerts
Edit the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website VirtualHost.
Change the configuration at the end of this file to point to your new certificate and key. For example, for a key file called mycert.key

Before you save the file, add the Apache SSL proxy options from the next step too!

5. Enable SSL proxy for Apache

For AM connections from users to Remote services to work with TLS (for template upload and download), enable SSL proxy for Apache.

Log in to the Abiquo server as an administrator.
Edit the Apache configuration at /etc/httpd/conf.d/abiquo.conf
In the Apache virtual host configuration, add the following.
Save the file

6. Apply and verify your configuration

Now that you have finished the configuration of your certificates

On the Abiquo Server and the Remote Services servers, restart the Tomcat service.
If you are using a self-signed certificate in a test environment, accept the remote RS certificates with these steps.
1. In your browser, open a connection to the remote RS server using the port. In our example, this would be: https://remoters.bcn.abiquo.com:8009/
2. On the certificate warning, go to Advanced and accept the risk.

V2V server

You can repeat the TLS configuration for your V2V server. Optionally, change the port to 8010.

Next steps

Now you can go back and continue with the next steps of Deploy distributed scalable remote services | Validating the remote services and V2V services install, which includes following the Quick tutorial to add a datacenter and launch a VM.

.