CentOS 8.x Cloudstack 4.15 HTTPS configuration

From Notes_Wiki
Revision as of 09:29, 21 June 2021 by Saurabh (Created page)



To allow access to cloudstack over HTTPS we need to:

  1. Enable HTTPS for the system VMs (console proxy VM and secondary storage VM)
  2. Enable HTTPS for the cloudstack management server GUI/API
  3. Redirect plain HTTP requests on port 8080 to the HTTPS port (8443 by default; 443 only if the management server is configured to listen there)


System VM HTTPS configuration

To configure HTTPS for system VMs use:

  1. In the Global configuration, set the following values
    consoleproxy.url.domain = (left blank)
    consoleproxy.sslEnabled = true
    secstorage.ssl.cert.domain = (left blank)
    secstorage.encrypt.copy = true
  2. Restart the cloudstack management service so the new values take effect
    systemctl restart cloudstack-management
  3. Obtain a certificate for the system-VM domain from a commercial CA: the server certificate plus the CA chain in PEM form, and the matching private key in unencrypted PKCS#8 format (it is the key, not the certificate, that CloudStack wants as PKCS#8).
  4. Alternatively, generate a self-signed certificate with one of the following:
    Openssl OR
    Easy-rsa OR
    Generate SSL certificate request using Microsoft Management Console (MMC) certificates snap-in
  5. Example steps using openssl
    #Create the root CA (the -des3 key is passphrase protected; keep it off the management server)
    cd /home/user/sslcerts
    openssl genrsa -des3 -out rootCA.key 4096
    openssl req -x509 -new -key rootCA.key -sha256 -days 1024 -out rootCA.crt
    #Create the domain key and certificate request
    openssl genrsa -out mydomain.com.key 2048
    openssl req -new -key mydomain.com.key -out mydomain.com.csr
    openssl req -in mydomain.com.csr -noout -text
    #Sign the request with the root CA (a commercial CA does this step for you; use the certificate it returns)
    openssl x509 -req -in mydomain.com.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mydomain.com.crt -days 500 -sha256
    openssl x509 -in mydomain.com.crt -text -noout
    #Convert the private key to unencrypted PKCS#8, the form the dashboard upload expects
    openssl pkcs8 -topk8 -nocrypt -in mydomain.com.key -out yourprivate.pkcs8.key
    head -1 yourprivate.pkcs8.key
    The last command must print "-----BEGIN PRIVATE KEY-----". Running "openssl pkcs8 -topk8" without -nocrypt prompts for a passphrase and writes an "ENCRYPTED PRIVATE KEY"; converting that back with a plain "openssl pkcs8 -in ... -out ..." on the OpenSSL 1.1.1 that CentOS 8 ships returns the key to the traditional "RSA PRIVATE KEY" (PKCS#1) form, which is not what CloudStack asks for.
  6. Upload the certificates from the Cloudstack dashboard
    1. Go to Infrastructure
    2. Click on SSL Certificates (in top menu bar)
    3. Paste the Root certificate (rootCA.crt), the Server certificate (mydomain.com.crt) and the PKCS#8 private key (yourprivate.pkcs8.key, the unencrypted "BEGIN PRIVATE KEY" form)
    4. Enter the DNS domain suffix; it has to be covered by the server certificate's name (mydomain.com for a certificate issued to *.mydomain.com)
    5. Click on Submit
  7. System VM restart
    Once the upload succeeds the CPVM and SSVM restart automatically to pick up the new certificates. If a system VM does not come back cleanly, destroy it; the replacement is created with the TLS configuration in place.
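The openssl steps above as one script, added here as an example; it is not taken from the wiki page or from the CloudStack project. The domain cloud.example.com, the CA subject and the file names are assumptions. It differs from the manual steps in two ways a practitioner would want: the server certificate carries a subjectAltName (browsers match the SAN, not the CN, and console sessions are opened on host names under the domain, so it is a wildcard), and check_bundle confirms the three files belong together before they are pasted into the dashboard.

```shell
#!/bin/sh
# Added example, not from the wiki page or the CloudStack project: a private
# CA, a wildcard certificate for the system-VM domain and the private key in
# the unencrypted PKCS#8 form the CloudStack certificate upload expects, plus
# the checks worth running before uploading.  The directory and the domain
# "cloud.example.com" are assumptions for illustration.
set -eu

# make_systemvm_certs DIR DOMAIN
# Produces rootCA.crt, DOMAIN.crt and DOMAIN.pkcs8.key in DIR.
make_systemvm_certs() {
    dir=$1; domain=$2
    mkdir -p "$dir"
    # Root CA.  The key is left unencrypted so the script runs unattended;
    # on a real CA host add -aes256 and keep the key off the management server.
    openssl genrsa -out "$dir/rootCA.key" 4096 2>/dev/null
    openssl req -x509 -new -key "$dir/rootCA.key" -sha256 -days 1024 \
        -subj "/CN=Example Private Root CA" -out "$dir/rootCA.crt"
    # Server key and request.  Console sessions go to host names under DOMAIN,
    # so the name is a wildcard, and browsers match the SAN rather than the CN.
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$domain.key" -subj "/CN=*.$domain" \
        -out "$dir/$domain.csr"
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" > "$dir/san.ext"
    openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/rootCA.crt" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 500 -sha256 \
        -extfile "$dir/san.ext" -out "$dir/$domain.crt" 2>/dev/null
    # Unencrypted PKCS#8.  Without -nocrypt, pkcs8 -topk8 asks for a passphrase
    # and writes an ENCRYPTED PRIVATE KEY; genrsa on OpenSSL 1.1.1 writes PKCS#1.
    openssl pkcs8 -topk8 -nocrypt -in "$dir/$domain.key" \
        -out "$dir/$domain.pkcs8.key"
}

# key_format FILE -> pkcs8 | pkcs8-encrypted | pkcs1 | unknown
key_format() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then echo pkcs8-encrypted
    elif grep -q 'BEGIN PRIVATE KEY' "$1"; then echo pkcs8
    elif grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then echo pkcs1
    else echo unknown
    fi
}

# check_bundle DIR DOMAIN -> exit status 0 only if the three files belong together
check_bundle() {
    dir=$1; domain=$2
    [ "$(key_format "$dir/$domain.pkcs8.key")" = pkcs8 ] || return 1
    # the certificate must chain to the root that is uploaded with it
    openssl verify -CAfile "$dir/rootCA.crt" "$dir/$domain.crt" >/dev/null || return 1
    # key and certificate must carry the same public key
    k=$(openssl pkey -in "$dir/$domain.pkcs8.key" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$dir/$domain.crt" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ] || return 1
    # the SAN must cover the system-VM host names
    openssl x509 -in "$dir/$domain.crt" -noout -text | grep -q "DNS:\*\.$domain"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_systemvm_certs "$d" cloud.example.com
    check_bundle "$d" cloud.example.com && echo "bundle in $d is ready to upload"
fi
```

Run it as "sh systemvm-certs.sh demo"; the files to paste into the dashboard are rootCA.crt (Root certificate), cloud.example.com.crt (Server certificate) and cloud.example.com.pkcs8.key (PKCS#8 private key), with cloud.example.com as the DNS domain suffix. For a certificate bought from a commercial CA, skip make_systemvm_certs, put the CA's root in rootCA.crt and run only the PKCS#8 conversion and check_bundle.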



Securing the CloudStack management server GUI with HTTPS and Enabling redirect

On the management server:

  1. Obtain the certificate chain and private key packed in a PKCS#12 keystore.
  2. Alternatively, generate a self-signed certificate with one of the following:
    Openssl OR
    Easy-rsa OR
    Generate SSL certificate request using Microsoft Management Console (MMC) certificates snap-in
  3. Example steps using openssl
    #Pack the private key and certificate (server certificate first, then any intermediate CA certificates) into a PKCS#12 keystore; openssl prompts for the export password
    cd /home/user/sslcerts
    cat mydomain.com.key mydomain.com.crt > selfsignedcombined.crt
    openssl pkcs12 -in selfsignedcombined.crt -export -out selfsignedcombined.pkcs12
    #Import into the keystore the management server reads (a plain copy would also work; keytool additionally proves the JVM can open the store with that password)
    keytool -importkeystore -srckeystore selfsignedcombined.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/selfsignedcombined.pkcs12 -deststoretype pkcs12
    The keystore contains the server's private key, so restrict it to root and the cloud user the management service runs as (mode 640).
  4. Update '/etc/cloudstack/management/server.properties' with the values below (https.port in the same file selects the listening port, 8443 by default)
    https.enable=true
    https.keystore=/etc/cloudstack/management/selfsignedcombined.pkcs12
    https.keystore.password=<the export password given to openssl and keytool>
    The password is stored in clear text, so keep server.properties readable only by root and the cloud user.
  5. For automatic redirection from 8080 to the HTTPS port, add the following security constraint to '/usr/share/cloudstack-management/webapp/WEB-INF/web.xml' as a direct child of the <web-app> element (around line 22 of the shipped file)
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Everything in the webapp</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    Jetty answers a plain-HTTP request that hits this constraint with a redirect to the secure port it was started with, which for the embedded Jetty in CloudStack 4.15 is the https.port value from server.properties (8443 by default), so the redirect target is set there, not in web.xml. The fragment below is Jetty XML (jetty.xml-style <Call>/<New>/<Set> elements; SelectChannelConnector is the pre-Jetty-9 connector class): it is not a web.xml element, will not be read from that file, and its confidentialPort of 443 would not match the default 8443 anyway. It is kept only for reference:
    <Call name="addConnector">
    <Arg>
    <New class="org.eclipse.jetty.nio.SelectChannelConnector">
    ...
    <Set name="confidentialPort">443</Set>
    </New>
    </Arg>
    </Call>
    web.xml belongs to the cloudstack-management package, so re-apply the security constraint after a package upgrade.
  6. Restart the management service
    systemctl restart cloudstack-management
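The three management-server steps as shell functions, added here as an example; they are not from the wiki page or from the CloudStack project. Paths default to nothing in particular and every argument can point at a scratch copy, which is how demo() exercises them: the alias "cloudstack", the password "changeit", the throwaway self-signed certificate and the sample server.properties and web.xml it creates are all constructed for illustration. What the functions add over the manual steps: the keystore is re-opened with the password to prove it loads and holds one key, the https.* properties are replaced rather than appended twice, and the security constraint is inserted only once no matter how often the script is run (for example after a package upgrade).

```shell
#!/bin/sh
# Added example, not from the wiki page or the CloudStack project: the three
# management-server steps as shell functions that can be pointed at scratch
# copies first.  The alias, password and sample files in demo() are
# constructed for illustration.
set -eu

# build_keystore KEY CERT OUT PASSWORD
# CERT is PEM: the server certificate, followed by any intermediate CA certs.
build_keystore() {
    key=$1; cert=$2; out=$3; pass=$4
    openssl pkcs12 -export -inkey "$key" -in "$cert" -name cloudstack \
        -passout "pass:$pass" -out "$out"
    chmod 640 "$out"                        # it holds the private key
    # Prove the store opens with that password and contains exactly one key.
    n=$(openssl pkcs12 -in "$out" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY') || true
    [ "$n" -eq 1 ]
}

# write_https_properties PROPS KEYSTORE PASSWORD [PORT]
# Replaces any existing https.* lines and appends the new ones; other keys stay.
write_https_properties() {
    props=$1; ks=$2; pass=$3; port=${4:-8443}
    tmp=$(mktemp)
    grep -v -E '^https\.(enable|port|keystore|keystore\.password)=' "$props" > "$tmp" || true
    {
        cat "$tmp"
        printf 'https.enable=true\nhttps.port=%s\n' "$port"
        printf 'https.keystore=%s\nhttps.keystore.password=%s\n' "$ks" "$pass"
    } > "$props"
    rm -f "$tmp"
    chmod 640 "$props"                      # the password is stored in clear
}

# add_https_constraint WEBXML
# Adds the CONFIDENTIAL security constraint once, before </web-app>.  Servlet
# 2.4+ descriptors do not require a fixed element order, so appending is valid.
add_https_constraint() {
    webxml=$1
    if grep -q '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' "$webxml"; then
        return 0                            # already there: nothing to do
    fi
    tmp=$(mktemp)
    awk '
        /<\/web-app>/ {
            print "  <security-constraint>"
            print "    <web-resource-collection>"
            print "      <web-resource-name>Everything in the webapp</web-resource-name>"
            print "      <url-pattern>/*</url-pattern>"
            print "    </web-resource-collection>"
            print "    <user-data-constraint>"
            print "      <transport-guarantee>CONFIDENTIAL</transport-guarantee>"
            print "    </user-data-constraint>"
            print "  </security-constraint>"
        }
        { print }' "$webxml" > "$tmp"
    cat "$tmp" > "$webxml"                  # keeps the file's owner and mode
    rm -f "$tmp"
}

# count_https_constraints WEBXML -> how many CONFIDENTIAL constraints the file has
count_https_constraints() {
    grep -c '<transport-guarantee>CONFIDENTIAL</transport-guarantee>' "$1" || true
}

# demo DIR: run all three steps against constructed sample files in DIR.
demo() {
    dir=$1
    mkdir -p "$dir"
    # constructed stand-ins for the real key, certificate and config files
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=cs.example.com' -days 30 \
        -keyout "$dir/cs.key" -out "$dir/cs.crt" 2>/dev/null
    printf 'cluster.servlet.port=9090\nhttps.enable=false\n' > "$dir/server.properties"
    printf '<web-app>\n  <servlet/>\n</web-app>\n' > "$dir/web.xml"
    build_keystore "$dir/cs.key" "$dir/cs.crt" "$dir/cloudstack.pkcs12" changeit
    write_https_properties "$dir/server.properties" "$dir/cloudstack.pkcs12" changeit
    add_https_constraint "$dir/web.xml"
    add_https_constraint "$dir/web.xml"     # second run must not duplicate it
}

if [ "${1:-}" = demo ]; then
    demo "$(mktemp -d)" && echo ok
fi
```

On the real host call the functions with the CloudStack paths (/etc/cloudstack/management/server.properties, /usr/share/cloudstack-management/webapp/WEB-INF/web.xml) and then restart cloudstack-management; "keytool -list -keystore FILE -storetype PKCS12" is the extra check that the JVM agrees with openssl about the store.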

