CentOS 8.x Cloudstack 4.15 HTTPS configuration
From Notes_Wiki
To allow access to CloudStack over HTTPS we need to:
- Enable HTTPS for the system VMs (console proxy VM and secondary storage VM)
- Enable HTTPS for the CloudStack management server GUI
- Make CloudStack redirect from the http port (8080) to the https port (443).
System VM HTTPS configuration
To configure HTTPS for the system VMs:
- In the Global configuration, change the following settings to the values shown:
    - consoleproxy.url.domain: (left blank)
    - consoleproxy.sslEnabled: Yes
    - secstorage.ssl.cert.domain: (left blank)
    - secstorage.encrypt.copy: Yes
- Restart the cloudstack management service:
    systemctl restart cloudstack-management
- Obtain the required commercial certificate chain, with the private key in PKCS#8 format.
- The other option is to generate a self-signed certificate. Example steps using openssl:
    # Create the root certificate
    cd /home/user/sslcerts
    openssl genrsa -des3 -out rootCA.key 4096
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
    # Create the domain key and certificate signing request
    openssl genrsa -out mydomain.com.key 2048
    openssl req -new -key mydomain.com.key -out mydomain.com.csr
    openssl req -in mydomain.com.csr -noout -text
    # Sign the request with the root CA and convert the certificates (commercial or free) to the format cloudstack expects
    openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
    openssl x509 -in mydomain.com.crt -text -noout
    # Convert the private key to PKCS#8: the first command writes a passphrase-protected key, the second strips the passphrase
    openssl pkcs8 -topk8 -in mydomain.com.key -out yourprivate.pkcs8.encrypted.key
    openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key
- Configure the SSL certificates from the cloudstack dashboard:
    - Go to Infrastructure
    - Click on SSL Certificates (in the top menu bar)
    - Upload the root certificate, the server certificate and the PKCS#8 private key (yourprivate.pkcs8.key)
    - Enter the DNS domain suffix
    - Click on Submit
- System VM restart
    Once the certificates are uploaded, the CPVM and SSVM restart automatically to pick up the new certificates. If the system VMs do not restart cleanly they can be destroyed; they will come back online with the TLS configuration in place.
Securing the CloudStack management server GUI with HTTPS and enabling redirect
On the cloudstack management server:
- Obtain the certificate chain in PKCS#12 format.
- The other option is to convert the self-signed certificate generated above. Example steps using openssl and keytool:
    # Convert the certificates (commercial or free) to the PKCS#12 keystore cloudstack expects
    cd /home/user/sslcerts
    cat mydomain.com.key mydomain.com.crt > selfsignedcombined.crt
    openssl pkcs12 -in selfsignedcombined.crt -export -out selfsignedcombined.pkcs12
    keytool -importkeystore -srckeystore selfsignedcombined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/selfsignedcombined.pkcs12 -deststoretype pkcs12
- Update the '/etc/cloudstack/management/server.properties' file with the values below:
    https.enable=true
    https.keystore=/etc/cloudstack/management/selfsignedcombined.pkcs12
    https.keystore.password=<enter the same password as used for conversion>
- For auto redirection from 8080 to 8443, add the content below to the '/usr/share/cloudstack-management/webapp/WEB-INF/web.xml' file at line 22:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Everything in the webapp</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  together with the connector setting that defines the port the redirect points to:
    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.nio.SelectChannelConnector">
          ...
          <Set name="confidentialPort">443</Set>
        </New>
      </Arg>
    </Call>
- Restart the management service:
    systemctl restart cloudstack-management
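As an added example (not part of the wiki page), the POSIX shell script below builds the same self-signed root CA, domain certificate, PKCS#8 key and PKCS#12 keystore that the two sections above produce by hand, then verifies them before anything is uploaded: the key must match the certificate, the certificate must chain to the root CA, the key must really be PKCS#8, and the keystore must open with the password that goes into server.properties. File names follow the page; the function name, the /CN subjects and the default password 'changeit' are assumptions, and the keytool import is left out so only openssl is needed.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the same self-signed chain
# the page describes, then verify the artifacts before uploading them to
# CloudStack. Assumes only openssl is installed; the keytool import is omitted.

# build_and_verify_chain DIR [DOMAIN] [PKCS12_PASSWORD]
# Creates rootCA.crt, DOMAIN.crt, yourprivate.pkcs8.key and combined.pkcs12
# under DIR and returns 0 only if every check passes.
build_and_verify_chain() {
  dir=$1; domain=${2:-mydomain.com}; pass=${3:-changeit}
  mkdir -p "$dir" || return 1
  # Root CA. The page encrypts this key with -des3; left out here so the
  # example runs without prompting.
  openssl genrsa -out "$dir/rootCA.key" 4096 2>/dev/null || return 1
  openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
    -subj "/CN=Example Root CA" -out "$dir/rootCA.crt" 2>/dev/null || return 1
  # Domain key and CSR, signed by the root CA
  openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
    -out "$dir/$domain.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/rootCA.crt" \
    -CAkey "$dir/rootCA.key" -CAcreateserial -days 500 -sha256 \
    -out "$dir/$domain.crt" 2>/dev/null || return 1
  # Unencrypted PKCS#8 key for the system VM upload form (one step instead of
  # the page's encrypt-then-decrypt pair of pkcs8 commands)
  openssl pkcs8 -topk8 -nocrypt -in "$dir/$domain.key" \
    -out "$dir/yourprivate.pkcs8.key" || return 1
  # PKCS#12 keystore for https.keystore in server.properties
  cat "$dir/$domain.key" "$dir/$domain.crt" > "$dir/combined.pem" || return 1
  openssl pkcs12 -export -in "$dir/combined.pem" -out "$dir/combined.pkcs12" \
    -passout "pass:$pass" || return 1

  # Check 1: the server certificate chains to the root CA that gets uploaded
  openssl verify -CAfile "$dir/rootCA.crt" "$dir/$domain.crt" >/dev/null || return 1
  # Check 2: PKCS#8 key and certificate carry the same public key
  k=$(openssl pkey -in "$dir/yourprivate.pkcs8.key" -pubout | openssl sha256)
  c=$(openssl x509 -in "$dir/$domain.crt" -pubkey -noout | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ] || return 1
  # Check 3: the key really is PKCS#8, not a traditional RSA PRIVATE KEY block
  head -n 1 "$dir/yourprivate.pkcs8.key" | grep -q '^-----BEGIN PRIVATE KEY-----' || return 1
  # Check 4: the keystore opens with the password meant for https.keystore.password
  openssl pkcs12 -in "$dir/combined.pkcs12" -noout -passin "pass:$pass" || return 1
}

d=$(mktemp -d)
build_and_verify_chain "$d" && echo "all checks passed, artifacts in $d"
```

Run it against the real commercial files by pointing the checks at them instead of the generated ones; a mismatch between key and certificate is the usual reason the dashboard upload or the management server start fails.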
Ref:
- OpenSSL certificate generation - https://github.com/apache/cloudstack/issues/4199
- server.properties - https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
- Auto redirection - http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty