CentOS 8.x Cloudstack 4.15 HTTPS configuration

From Notes_Wiki

Home > CentOS > CentOS 8.x > Virtualization > Cloudstack 4.15 > HTTPS configuration

To allow access to cloudstack over HTTPS we need to:

  1. Enable HTTPS for the system VMs. For this we need either a single certificate that covers both FQDNs (console proxy and secondary storage VM) or a wildcard certificate for the domain.
  2. Enable HTTPS for the cloudstack management server.
  3. Configure cloudstack to redirect from the http port (8080) to the https port (443).


System VM HTTPS configuration

To configure HTTPS for system VMs use:

  1. In the Global configuration, change the following settings:
    consoleproxy.url.domain: <desired-fqdn>, for example console.example.com
    consoleproxy.sslEnabled: Yes
    secstorage.ssl.cert.domain: <desired-fqdn>, for example ssvm.example.com
    secstorage.encrypt.copy: Yes
  2. Go to Infrastructure -> "System VMs" and note the public IPs of both system VMs (CPVM and SSVM).
  3. Add DNS entries pointing from chosen fqdn (eg console.example.com, ssvm.example.com) to the public IP addresses of the respective system VM.
  4. Restart the cloudstack management interface
    systemctl restart cloudstack-management
  5. Obtain the required commercial certificate chain, with the private key in PKCS#8 format.
  6. Alternatively, generate a self-signed certificate using one of the following:
    Openssl OR
    Easy-rsa OR
    Generate an SSL certificate request using the Microsoft Management Console (MMC) certificates snap-in
  7. Example steps using openssl
    # Create the root CA key (passphrase protected) and the self-signed root certificate
    cd /home/user/sslcerts
    openssl genrsa -des3 -out rootCA.key 4096
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
    # Create the domain key and certificate signing request, then inspect the CSR
    openssl genrsa -out mydomain.com.key 2048
    openssl req -new -key mydomain.com.key -out mydomain.com.csr
    openssl req -in mydomain.com.csr -noout -text
    # Sign the CSR with the root CA and inspect the resulting certificate
    openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
    openssl x509 -in mydomain.com.crt -text -noout
    # Convert the private key (commercial or self-signed) to the PKCS#8 format cloudstack expects
    openssl pkcs8 -topk8 -in mydomain.com.key -out yourprivate.pkcs8.encrypted.key
    openssl pkcs8 -in yourprivate.pkcs8.encrypted.key -out yourprivate.pkcs8.key
  8. Configure SSL certificates from Cloudstack dashboard
    1. Go to Infrastructure
    2. Click on SSL Certificates (in top menu bar)
    3. Upload the root certificate, the server certificate and the PKCS#8 private key
    4. Enter the DNS domain suffix. In case of a wildcard certificate enter the suffix as *.example.com
    5. Click on Submit
  9. System VM restart
    Once uploaded the CPVM and SSVM will automatically restart to pick up the new certificates. If the system VMs do not restart cleanly they can be destroyed and will come back online with the TLS configuration in place.
  10. Test access to the console proxy VM and validate that you are able to see the console of a VM. If a self-signed certificate was used, you may have to install the CA certificate in the web browser for this to work.
    After opening the console of a VM, use the browser's "View page source" option and validate that the iframe URL is https://console.example.com and not http://<IP>
  11. Test the access to SSVM via https by trying to download any template or iso file
  12. Finally test by creating a new VM using template
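The openssl steps above issue a certificate for a single name and leave the key-conversion step interactive. The following script, which is an added example and not part of the wiki page, does the same work non-interactively and goes one step further: it issues one server certificate whose subjectAltName lists both system-VM names (so a single certificate serves the console proxy and the SSVM, as the introduction requires) and writes the unencrypted PKCS#8 key the upload form takes. The FQDNs, file names, key sizes and lifetimes are assumed values; change them to match your zone.

```shell
#!/bin/sh
# Added example (not from the wiki page): private root CA + one system-VM
# certificate covering both FQDNs + PKCS#8 key, with the checks run before upload.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CPVM_FQDN="${CPVM_FQDN:-console.example.com}"   # assumed console proxy name
SSVM_FQDN="${SSVM_FQDN:-ssvm.example.com}"      # assumed secondary storage VM name
CA_KEY="$WORKDIR/rootCA.key"
CA_CRT="$WORKDIR/rootCA.crt"
SRV_KEY="$WORKDIR/systemvm.key"
SRV_CSR="$WORKDIR/systemvm.csr"
SRV_CRT="$WORKDIR/systemvm.crt"
SRV_PKCS8="$WORKDIR/systemvm.pkcs8.key"

make_ca() {
    # Explicit config so the CA extensions do not depend on the system openssl.cnf.
    cat > "$WORKDIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Private Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Unencrypted key so the script runs unattended; protect it with permissions.
    openssl genrsa -out "$CA_KEY" 4096 2>/dev/null
    chmod 600 "$CA_KEY"
    openssl req -x509 -new -key "$CA_KEY" -sha256 -days 1024 \
        -config "$WORKDIR/ca.cnf" -extensions v3_ca -out "$CA_CRT"
}

make_server_cert() {
    cat > "$WORKDIR/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $CPVM_FQDN
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$CPVM_FQDN, DNS:$SSVM_FQDN
EOF
    openssl genrsa -out "$SRV_KEY" 2048 2>/dev/null
    chmod 600 "$SRV_KEY"
    openssl req -new -key "$SRV_KEY" -config "$WORKDIR/server.cnf" -out "$SRV_CSR"
    # Sign with the CA. Extensions are taken from the extfile because
    # 'x509 -req' does not copy them from the CSR by default.
    openssl x509 -req -in "$SRV_CSR" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
        -days 500 -sha256 -extfile "$WORKDIR/server.cnf" -extensions v3_server \
        -out "$SRV_CRT" 2>/dev/null
    # Unencrypted PKCS#8: the form the "PKCS#8 private key" upload field accepts.
    openssl pkcs8 -topk8 -nocrypt -in "$SRV_KEY" -out "$SRV_PKCS8"
    chmod 600 "$SRV_PKCS8"
}

# Checks worth running before uploading anything to the dashboard.
verify_chain() { openssl verify -CAfile "$CA_CRT" "$SRV_CRT" >/dev/null; }
san_has()      { openssl x509 -in "$SRV_CRT" -noout -text | grep -q "DNS:$1"; }
is_pkcs8()     { grep -q 'BEGIN PRIVATE KEY' "$SRV_PKCS8"; }

make_ca
make_server_cert
if verify_chain && san_has "$CPVM_FQDN" && san_has "$SSVM_FQDN" && is_pkcs8; then
    echo "OK: upload $CA_CRT (root), $SRV_CRT (server) and $SRV_PKCS8 (PKCS#8 key)"
else
    echo "certificate checks failed" >&2
    exit 1
fi
```

The three check functions are the ones to keep around: a certificate without a subjectAltName for each system-VM name, or a key that is still encrypted or not PKCS#8, is the usual reason the CPVM and SSVM come back without working TLS after the upload.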


Securing the CloudStack management server GUI with HTTPS and Enabling redirect

On the cloudstack management server:

  1. Obtain the certificate chain in PKCS#12 format.
  2. Alternatively, generate a self-signed certificate using one of the following:
    Openssl OR
    Easy-rsa OR
    Generate an SSL certificate request using the Microsoft Management Console (MMC) certificates snap-in
  3. Example steps using openssl
    # Combine the private key and certificate (commercial or self-signed) and export them as a PKCS#12 keystore
    cd /home/user/sslcerts
    cat mydomain.com.key mydomain.com.crt > selfsignedcombined.crt
    openssl pkcs12 -in selfsignedcombined.crt -export -out selfsignedcombined.pkcs12
    # Import the keystore into the management server's configuration directory; remember the password, it goes into server.properties
    keytool -importkeystore -srckeystore selfsignedcombined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/selfsignedcombined.pkcs12 -deststoretype pkcs12
  4. Update the '/etc/cloudstack/management/server.properties' file with the values below
    https.enable=true
    https.keystore=/etc/cloudstack/management/selfsignedcombined.pkcs12
    https.keystore.password=<enter the same password as used for conversion>
  5. For auto redirection from 8080 to 8443, add the content below to the '/usr/share/cloudstack-management/webapp/WEB-INF/web.xml' file at line 22
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Everything in the webapp</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <Call name="addConnector">
      <Arg>
        <New class="org.eclipse.jetty.nio.SelectChannelConnector">
          ...
          <Set name="confidentialPort">443</Set>
        </New>
      </Arg>
    </Call>
  6. Restart the management service
    systemctl restart cloudstack-management
  7. Test by logging into cloudstack management
  8. Again validate access to console and secondary storage VMs.
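The keystore steps above prompt for the export password and leave the keystore with default permissions. The script below is an added example, not part of the wiki page, showing the same packaging done non-interactively: the password comes from an environment variable rather than the command line, the keystore and the server.properties fragment are written with owner-only permissions, and the certificate is read back out of the keystore as a sanity check. The certificate and key are a constructed self-signed stand-in for the real chain, the password is a placeholder, and everything is written to a scratch directory instead of /etc/cloudstack/management.

```shell
#!/bin/sh
# Added example (not from the wiki page): build the PKCS#12 keystore the
# management server reads and emit the matching server.properties lines.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYSTORE="$WORKDIR/cloudstack-management.pkcs12"
PROPS="$WORKDIR/server.properties"
# Placeholder keystore password for this example; set KS_PASS to your own.
KS_PASS="${KS_PASS:-change-me-keystore-password}"
export KS_PASS

make_test_material() {
    # Constructed self-signed certificate and key standing in for the real chain.
    cat > "$WORKDIR/mgmt.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = cloudstack.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORKDIR/mgmt.cnf" \
        -keyout "$WORKDIR/mgmt.key" -out "$WORKDIR/mgmt.crt" 2>/dev/null
    chmod 600 "$WORKDIR/mgmt.key"
}

build_keystore() {
    # Key first, then the server certificate (append intermediates after it).
    cat "$WORKDIR/mgmt.key" "$WORKDIR/mgmt.crt" > "$WORKDIR/combined.pem"
    # -passout env: keeps the password out of the process list and shell history.
    openssl pkcs12 -export -in "$WORKDIR/combined.pem" -name cloudstack \
        -out "$KEYSTORE" -passout env:KS_PASS
    chmod 600 "$KEYSTORE"
    rm -f "$WORKDIR/combined.pem"
}

keystore_subject() {
    # Read the certificate back out of the keystore and print its subject.
    openssl pkcs12 -in "$KEYSTORE" -passin env:KS_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

write_properties() {
    # The three keys the page adds to /etc/cloudstack/management/server.properties.
    cat > "$PROPS" <<EOF
https.enable=true
https.keystore=$KEYSTORE
https.keystore.password=$KS_PASS
EOF
    chmod 600 "$PROPS"
}

make_test_material
build_keystore
write_properties
echo "keystore certificate: $(keystore_subject)"
echo "properties written to $PROPS"
```

Because server.properties holds the keystore password in clear text, it should stay readable only by the account the management service runs as. With OpenSSL 3 the default PKCS#12 encryption is newer than what some Java runtimes accept; if keytool or the management server cannot open the file, re-export it with `openssl pkcs12 -export -legacy ...`.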

