Difference between revisions of "CentOS 8.x Cloudstack 4.15 HTTPS configuration"
From Notes_Wiki
m |
m |
||
Line 1: | Line 1: | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 8.x]] > [[CentOS 8.x virtualization|Virtualization]] > [[CentOS 8.x Cloudstack 4.15|Cloudstack 4.15]] > [[CentOS 8.x Cloudstack 4.15 HTTPS configuration|HTTPS configuration]] | |||
To allow access to cloudstack over HTTPS we need to: | To allow access to cloudstack over HTTPS we need to: | ||
Line 119: | Line 118: | ||
[[Main Page|Home]] > [[CentOS]] > [[CentOS 8.x]] > [[CentOS 8.x virtualization|Virtualization]] > [[CentOS 8.x Cloudstack 4.15|Cloudstack 4.15]] > [[CentOS 8.x Cloudstack 4.15 HTTPS configuration|HTTPS configuration]] |
Latest revision as of 02:59, 23 April 2022
Home > CentOS > CentOS 8.x > Virtualization > Cloudstack 4.15 > HTTPS configuration
To allow access to cloudstack over HTTPS we need to:
- Enable HTTPS for system VMs. For this we need a single certificate for both the FQDN or a wildcard certificate for the domain.
- Enable HTTPS for cloudstack
- Allow cloudstack to redirect from http (8080) to https (443) port.
System VM HTTPS configuration
To configure HTTPS for system VMs use:
- In the Global configuration, change below setting value like below
- consoleproxy.url.domain
- <desired-fqdn> For example console.example.com
- consoleproxy.sslEnabled
- Yes
- secstorage.ssl.cert.domain
- <desired-fqdn>. For example ssvm.example.com
- secstorage.encrypt.copy
- Yes
- Go to Infrastructure -> "System VMs" and not the IPs for both the system VMs.
- Add DNS entries pointing from chosen fqdn (eg console.example.com, ssvm.example.com) to the public IP addresses of the respective system VM.
- Restart the cloudstack management interface
- systemctl restart cloudstack-management
- Get required commercial certificate chain in PKCS#8 format.
- Other option is to generate self-signed certificate using one of the following:
- Example steps using openssl
- #Create Root certificate
- cd /home/user/sslcerts
- openssl genrsa -des3 -out rootCA.key 4096
- openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
- #Create domain certificate
- openssl genrsa -out mydomain.com.key 2048
- openssl req -new -key mydomain.com.key -out mydomain.com.csr
- openssl req -in mydomain.com.csr -noout -text
- #Convert certificates(Commercial or Free) to cloudstack desired format
- openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
- openssl x509 -in mydomain.com.crt -text -noout
- openssl pkcs8 -topk8 -in mydomain.com.key -out yourprivate.pkcs8.encrypted.key
- openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key
- Configure SSL certificates from Cloudstack dashboard
- Go to Infrastructure
- Click on SSL Certificates (in top menu bar)
- Upload the Root Certificate, Server Certificate, PKCS#8 Certificte
- Enter DNS domain suffix. In case of wildcard certificate enter suffix as *.example.com
- Click on Submit
- System VM restart
- Once uploaded the CPVM and SSVM will automatically restart to pick up the new certificates. If the system VMs do not restart cleanly they can be destroyed and will come back online with the TLS configuration in place.
- Test the access to console proxy VM and validate that you are able to see console of VM. If self-signed certificate was used you may have to install CA in the web browser for this to work.
- Use "View page source" option in browser after trying to open console of a VM and validate that iframe URL is https://console.example.com and not http://<IP>
- Test the access to SSVM via https by trying to download any template or iso file
- Finally test by creating a new VM using template
Securing the CloudStack management server GUI with HTTPS and Enabling redirect
In cloudstack global configuration
- Obtain certificate chain in PKCS#12 format.
- Other option is to generate self-signed certificate using one of the following:
- Example steps using openssl
- #Convert certificates(Commercial or Free) to cloudstack desired format
- cd /home/user/sslcerts
- cat mydomain.com.key mydomain.com.crt > selfsignedcombined.crt
- openssl pkcs12 -in selfsignedcombined.crt -export -out selfsignedcombined.pkcs12
- keytool -importkeystore -srckeystore selfsignedcombined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/selfsignedcombined.pkcs12 -deststoretype pkcs122
- Update '/etc/cloudstack/management/server.properties' file with below values
- https.enable=true
- https.keystore=/etc/cloudstack/management/selfsignedcombined.pkcs12
- https.keystore.password=<enter the same password as used for conversion>
- For auto redirection from 8080 to 8443, Add below content in '/usr/share/cloudstack-management/webapp/WEB-INF/web.xml' file at line 22
- <security-constraint>
- <web-resource-collection>
- <web-resource-name>Everything in the webapp</web-resource-name>
- <url-pattern>/*</url-pattern>
- </web-resource-collection>
- <user-data-constraint>
- <transport-guarantee>CONFIDENTIAL</transport-guarantee>
- </user-data-constraint>
- </security-constraint>
- <Call name="addConnector">
- <Arg>
- <New class="org.eclipse.jetty.nio.SelectChannelConnector">
- ...
- <Set name="confidentialPort">443</Set>
- </New>
- </Arg>
- </Call>
- Restart the management service
- systemctl restart cloudstack-management
- Test by logging into cloudstack management
- Again validate access to console and secondary storage VMs.
Ref:
- Open SSL certificates generation - https://github.com/apache/cloudstack/issues/4199
- Server.properties - https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
- For auto redirection - http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty
Home > CentOS > CentOS 8.x > Virtualization > Cloudstack 4.15 > HTTPS configuration