CentOS 8.x Cloudstack 4.15 HTTPS configuration

From Notes_Wiki
Revision as of 02:59, 23 April 2022 by Saurabh (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Home > CentOS > CentOS 8.x > Virtualization > Cloudstack 4.15 > HTTPS configuration

To allow access to cloudstack over HTTPS we need to:

  1. Enable HTTPS for system VMs. For this we need a single certificate for both the FQDN or a wildcard certificate for the domain.
  2. Enable HTTPS for cloudstack
  3. Allow cloudstack to redirect from http (8080) to https (443) port.


System VM HTTPS configuration

To configure HTTPS for system VMs use:

  1. In the Global configuration, change below setting value like below
    consoleproxy.url.domain
    <desired-fqdn> For example console.example.com
    consoleproxy.sslEnabled
    Yes
    secstorage.ssl.cert.domain
    <desired-fqdn>. For example ssvm.example.com
    secstorage.encrypt.copy
    Yes
  2. Go to Infrastructure -> "System VMs" and not the IPs for both the system VMs.
  3. Add DNS entries pointing from chosen fqdn (eg console.example.com, ssvm.example.com) to the public IP addresses of the respective system VM.
  4. Restart the cloudstack management interface
    systemctl restart cloudstack-management
  5. Get required commercial certificate chain in PKCS#8 format.
  6. Other option is to generate self-signed certificate using one of the following:
    Openssl OR
    Easy-rsa OR
    Generate SSL certificate request using Microsoft Management Console (MMC) certificates snap-in
  7. Example steps using openssl
    #Create Root certificate
    cd /home/user/sslcerts
    openssl genrsa -des3 -out rootCA.key 4096
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
    #Create domain certificate
    openssl genrsa -out mydomain.com.key 2048
    openssl req -new -key mydomain.com.key -out mydomain.com.csr
    openssl req -in mydomain.com.csr -noout -text
    #Convert certificates(Commercial or Free) to cloudstack desired format
    openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
    openssl x509 -in mydomain.com.crt -text -noout
    openssl pkcs8 -topk8 -in mydomain.com.key -out yourprivate.pkcs8.encrypted.key
    openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key
  8. Configure SSL certificates from Cloudstack dashboard
    1. Go to Infrastructure
    2. Click on SSL Certificates (in top menu bar)
    3. Upload the Root Certificate, Server Certificate, PKCS#8 Certificte
    4. Enter DNS domain suffix. In case of wildcard certificate enter suffix as *.example.com
    5. Click on Submit
  9. System VM restart
    Once uploaded the CPVM and SSVM will automatically restart to pick up the new certificates. If the system VMs do not restart cleanly they can be destroyed and will come back online with the TLS configuration in place.
  10. Test the access to console proxy VM and validate that you are able to see console of VM. If self-signed certificate was used you may have to install CA in the web browser for this to work.
    Use "View page source" option in browser after trying to open console of a VM and validate that iframe URL is https://console.example.com and not http://<IP>
  11. Test the access to SSVM via https by trying to download any template or iso file
  12. Finally test by creating a new VM using template


Securing the CloudStack management server GUI with HTTPS and Enabling redirect

In cloudstack global configuration

  1. Obtain certificate chain in PKCS#12 format.
  2. Other option is to generate self-signed certificate using one of the following:
    Openssl OR
    Easy-rsa OR
    Generate SSL certificate request using Microsoft Management Console (MMC) certificates snap-in
  3. Example steps using openssl
    #Convert certificates(Commercial or Free) to cloudstack desired format
    cd /home/user/sslcerts
    cat mydomain.com.key mydomain.com.crt > selfsignedcombined.crt
    openssl pkcs12 -in selfsignedcombined.crt -export -out selfsignedcombined.pkcs12
    keytool -importkeystore -srckeystore selfsignedcombined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/selfsignedcombined.pkcs12 -deststoretype pkcs122
  4. Update '/etc/cloudstack/management/server.properties' file with below values
    https.enable=true
    https.keystore=/etc/cloudstack/management/selfsignedcombined.pkcs12
    https.keystore.password=<enter the same password as used for conversion>
  5. For auto redirection from 8080 to 8443, Add below content in '/usr/share/cloudstack-management/webapp/WEB-INF/web.xml' file at line 22
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Everything in the webapp</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <Call name="addConnector">
    <Arg>
    <New class="org.eclipse.jetty.nio.SelectChannelConnector">
    ...
    <Set name="confidentialPort">443</Set>
    </New>
    </Arg>
    </Call>
  6. Restart the management service
    systemctl restart cloudstack-management
  7. Test by logging into cloudstack management
  8. Again validate access to console and secondary storage VMs.


Ref:



Home > CentOS > CentOS 8.x > Virtualization > Cloudstack 4.15 > HTTPS configuration