Update certificates in your Abiquo environment


This section describes how to make changes to certificates in your Abiquo environment.

Changing certificates in Abiquo

When your certificates expire, you will need to replace them with new certificate files.

You may also need to replace your certificates for other reasons, or you may wish to change to wildcard certificates for your whole Abiquo environment.

In addition, you may need to restore configuration if an upgrade or an accident overwrites files, such as:

  • Java → default cacerts registry on Abiquo server

  • Tomcat server → server.xml file on Abiquo server

  • Java → keystore (.jks) file on Remote services server

  • Apache server → abiquo.conf file on Remote services server with TLS


Certificates in the Abiquo environment

This is the typical configuration of certificates in an Abiquo environment.

  • In a monolithic environment

    • On the server, there is a certificate in the cacerts registry

    • The user connection to the Appliance manager remote service uses HTTPS

  • In a distributed environment

    • By default, on the API UI server, there is a certificate in the cacerts registry

    • For HTTPS connections to Remote services servers, you add certificates to a Java keystore and to cacerts on the API server

The following sections describe how to check and update these configurations.


Create a self-signed certificate for a test environment

If the certificates in your test environment have expired, you can create a self-signed certificate following instructions from how-to guides, such as the following:


Check and update API server certificates

The API server should contain a certificate for the UI server and a certificate for any Remote services servers that use TLS.

  1. List certificates and search for your environment name with grep using the following command. Replace ${ENV_NAME} with your environment name, such as abiquo. The default password for a test system is changeit.

    [root@abiquo ~]# keytool -v -list -cacerts | grep ${ENV_NAME}
    Enter keystore password:
    Alias Name: abiquo-api-ui.lab.abiquo.com
    Alias Name: abiquo-remoteservices.lab.abiquo.com
  2. For each certificate, obtain the full details with the following command, and replace ${SERVER_ENV_FQDN} with the alias name, which is usually the FQDN of the Abiquo server or the Remote services server.

    keytool -v -list -cacerts -alias ${SERVER_ENV_FQDN}
  3. To delete expired or unwanted certificates, use this command, replacing ${SERVER_ENV_FQDN} with the alias name, which is usually a server FQDN.

    keytool -delete -alias ${SERVER_ENV_FQDN} -cacerts
  4. Add new certificates for the API server with the following command, and replace ${SERVER_ENV_FQDN} with the FQDN of your API server and ${CERT_NAME} with the name of your certificate file.


Check the certificate configuration of the Apache web server

If you have upgraded the Apache web server, the upgrade could overwrite the certificate configuration. To check this configuration for the Apache web server:

  1. Log in to the Abiquo server (or separate UI server)

  2. Edit the /etc/httpd/conf.d/abiquo.conf file, which contains the configuration for the Abiquo website VirtualHost.

  3. Check the configuration at the end of this file, which by default should be similar to the following configuration.


  4. Optionally, replace the abiquo certificate name and key name with the name for your own certificate, which can be a wildcard certificate for your whole environment.

  5. Check that the Apache virtual host connection also contains the following configuration.


Check and restore TLS configuration for remote services

On a Remote services server with TLS connections, the Java keystore should contain the Remote services and Abiquo Server certificates.

  1. Log in to the Remote services server

  2. Go to the /opt/abiquo/tomcat/conf folder. This is the default keystore location, and the default keystore name is the name of the Remote services server.

  3. Check the certificates with this command, replacing ${KEYSTORE_NAME} with the name of your keystore.

  4. To delete a certificate, use the following command

  5. If you wish to add new certificates to replace old ones

    1. Go to the /etc/pki/tls/ folder. Your self-signed certificate(s) should be in the certs folder and the private key(s) should be in the private folder

    2. Convert a Remote services certificate to PKCS12 format, using the domain name of your Remote services server.

    3. Convert an Abiquo Server certificate to PKCS12 format, using the domain name of your Abiquo Server.

  6. Go to the /opt/abiquo/tomcat/conf folder

  7. If you do not have a .jks keystore, create one using the following command. Replace ${REMOTE_SERVICES_HOST} with the hostname of your Remote services server

  8. Import a Remote services certificate into the RS keystore.

  9. Import an Abiquo Server certificate into the RS keystore.

After you import the certificates, you should be able to list them to check their details.
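As an added example (not Abiquo's own tooling), covering both the API server cacerts check earlier on this page and the Remote services keystore check in this section: a Python script that parses `keytool -v -list` output, filters aliases by environment name as the grep does, flags certificates that are expired or close to expiry, and prints the keytool delete and import commands for each. The listing embedded below is a constructed sample; feed it the real output of `keytool -v -list -cacerts` or `keytool -v -list -keystore ${KEYSTORE_NAME}`. The `-importcert -trustcacerts` form and the /etc/pki/tls/certs path are my assumptions, not commands from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -v -list` output (not captured from a real host);
# cacerts and a Remote services .jks keystore print the same format.
SAMPLE_LISTING = """\
Alias Name: abiquo-api-ui.lab.abiquo.com
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Jan 01 00:00:00 UTC 2025
Alias Name: abiquo-remoteservices.lab.abiquo.com
Valid from: Sat Jun 01 00:00:00 UTC 2024 until: Sun Jun 01 00:00:00 UTC 2025
Alias Name: example-vendor-root-ca
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Sun Jan 01 00:00:00 UTC 2034
"""
ALIAS_RE = re.compile(r"^alias name:\s*(\S+)", re.IGNORECASE)
# The time-zone token in "until: Wed Jan 01 00:00:00 UTC 2025" is skipped, so
# the check is day-level and does not depend on the host's locale zone name.
UNTIL_RE = re.compile(r"until:\s*(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")

def parse_keytool_listing(text):
    """Map alias -> 'Valid until' datetime from `keytool -v -list` output."""
    expiry, alias = {}, None
    for line in text.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            alias = m.group(1)
            continue
        m = UNTIL_RE.search(line)
        if m and alias:
            expiry[alias] = datetime.strptime(" ".join(m.groups()), "%a %b %d %H:%M:%S %Y")
            alias = None
    return expiry

def expiring_aliases(expiry, env_name, now, days=30):
    """Aliases containing env_name (the page's grep) that are already expired
    or expire within `days`, sorted for stable reporting."""
    limit = now + timedelta(days=days)
    return sorted(a for a, until in expiry.items() if env_name in a and until <= limit)

def replacement_commands(alias, cert_file, store="-cacerts"):
    """keytool commands to replace one trusted certificate (page steps 3 and 4);
    store is "-cacerts" on the API server or "-keystore <file>" for the RS .jks."""
    return [f"keytool -delete -alias {alias} {store}",
            f"keytool -importcert -trustcacerts -alias {alias} -file {cert_file} {store}"]

if __name__ == "__main__":
    certs = parse_keytool_listing(SAMPLE_LISTING)
    for alias in expiring_aliases(certs, "abiquo", datetime(2025, 1, 15), days=180):
        print(alias, "valid until", certs[alias].date())
        print("\n".join(replacement_commands(alias, f"/etc/pki/tls/certs/{alias}.crt")))
```

Run it against the real listing with the same keystore password prompt you see on the page; nothing here modifies a keystore, the printed commands are for you to review and run.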


Check the Tomcat connector on the Remote services

To check that the Tomcat connector on the Remote services server is using TLS, do these steps.

  1. Log in to the Remote services server

  2. Edit the Tomcat server configuration file at:

  3. Check that the Catalina Connector for port 8009 is like the following one.
    This example is a guide only; use the correct connector for your version of Tomcat.

    The important values are:

    • keystoreFile - for example, a keystore named after the host name of your remote RS server

    • keystorePass - use a secure password

    • keyAlias - you must use the domain name of your remote RS server

    Also configure the other parameters according to your environment.



Apply and verify your configuration

Apply and verify the certificate configuration.

  1. On the Abiquo Server, restart Tomcat and the Apache web server

  2. On the Remote Services server, restart the Tomcat server

  3. If you are using a self-signed certificate in a test environment, accept the remote RS certificates with these steps.

    1. In your browser, open a connection to the remote RS server using the port. In our example, this would be: https://remoters.bcn.abiquo.com:8009/

    2. On the certificate warning, go to Advanced and accept the risk.


Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved