Posted to dev@cloudstack.apache.org by Indra Pramana <in...@sg.or.id> on 2013/10/29 10:02:44 UTC

Enable SSL (https) for Cloudstack 4.2.0 management server

Dear all,

Any documentation on how to enable SSL (https) for Cloudstack 4.2.0
management server? I am using Ubuntu 12.04.2. I tried to follow the
instruction here, is it still valid?

http://support.citrix.com/article/CTX132008

I have managed to come to the step of creating the PKCS12 format keystore:

root@cs-mgmt-01:~/ssl-cert# openssl pkcs12 -export -in server.crt -inkey server.key -name cloud -passout pass:password > cloud-localhost.pk12
Enter pass phrase for server.key:
root@cs-mgmt-01:~/ssl-cert# ls -la cloud-localhost.pk12
-rw-r--r-- 1 root root 3000 Oct 29 16:11 cloud-localhost.pk12

However, I am not too sure where I should put the file, and how can I
configure Tomcat to use the file? In the above documentation, it says that
I need to put the file in:

/usr/share/cloud/management/conf/

The 4.2 equivalent of the above folder I believe should be

/usr/share/cloudstack-management/conf

I have put the cloud-localhost.pk12 on the folder. What's next? :)

I noted there are these files on the same folder:

-rw-r--r-- 1 root root  10211 Jun  5 02:45 server-nonssl.xml
-rw-r--r-- 1 root root  12094 Sep 24 16:31 server-ssl.xml
lrwxrwxrwx 1 root root     17 Oct 12 23:37 server.xml -> server-nonssl.xml
lrwxrwxrwx 1 root root     19 Oct 12 23:37 tomcat6.conf -> tomcat6-nonssl.conf
-rw-r--r-- 1 root root   2712 Jun  5 02:45 tomcat6-nonssl.conf
-rw-r--r-- 1 root root   2841 Sep 24 16:31 tomcat6-ssl.conf

I tried to point the symbolic links for server.xml and tomcat6.conf to
server-ssl.xml and tomcat6-ssl.conf respectively, and restarted
cloudstack-management service. But I am not able to access the Cloudstack
GUI, even using https:// in front. It seems that Tomcat is not able to
recognize the pk12 certificate file that I have put?

Looking forward to your reply, thank you.

Cheers.

Re: Enable SSL (https) for Cloudstack 4.2.0 management server

Posted by Andrija Panic <an...@gmail.com>.
I'm using CentOS and making protocol="HTTP/1.1" does not work for some
reason, you need another protocol (check the bold part).

Here is my config (placement of pk12 files is not important in regards to
tomcat configuration, it is up to you to put it maybe in some nice place)

    <!-- the protocol value is the part that was marked bold in the original mail -->
    <Connector port="8843"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="PKCS12"
               keystoreFile="/etc/cloudstack/management/cloud-localhost.pk12"
               keystorePass="mypasss"
               />


On 29 October 2013 10:12, Erdősi Péter <fa...@niif.hu> wrote:

> Hi,
>
> On 2013.10.29. 10:02, Indra Pramana wrote:
>
>> I have put the cloud-localhost.pk12 on the folder. What's next? :)
>
> I already configured this.
> In my server.xml I defined this:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreType="PKCS12"
>                keystoreFile="conf/cloud.somewhere.com.pk12"
>                keystorePass="PASSWORD"
>                />
>
> The conf directory is there (Ubuntu package installed):
> /usr/share/cloudstack-management/conf/
> but it's just a symlink to /etc/cloudstack/management, so if you copied
> it, it should be good, but you need the conf/ path, because CS searches
> for the cert in /usr/share/...
>
> And I also put this iptables rule:
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
>
> to reach the frontend at 443.
>
> Hope that helps,
>
> Regards,
>  Fazy
>
>


-- 

Andrija Panić
--------------------------------------
  http://admintweets.com
--------------------------------------

Re: Enable SSL (https) for Cloudstack 4.2.0 management server

Posted by Erdősi Péter <fa...@niif.hu>.
Hi,

On 2013.10.29. 10:02, Indra Pramana wrote:
> I have put the cloud-localhost.pk12 on the folder. What's next? :)
I already configured this.
In my server.xml I defined this:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS"
                keystoreType="PKCS12"
                keystoreFile="conf/cloud.somewhere.com.pk12"
                keystorePass="PASSWORD"
                />

The conf directory is there (Ubuntu package installed):
/usr/share/cloudstack-management/conf/
but it's just a symlink to /etc/cloudstack/management, so if you copied
it, it should be good, but you need the conf/ path, because CS searches
for the cert in /usr/share/...

And I also put this iptables rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

to reach the frontend at 443.

Hope that helps,

Regards,
  Fazy
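
A check for the two failure points this thread turns on, the relative keystoreFile path and the keystore's file permissions (the listing in the first message shows the .pk12 as -rw-r--r--), added here as an example and not part of any poster's message. It assumes CATALINA_BASE is /usr/share/cloudstack-management; the function name and the sample server.xml are constructed for illustration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connectors quoted in the thread.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" sslProtocol="TLS"
             keystoreType="PKCS12"
             keystoreFile="conf/cloud-localhost.pk12"
             keystorePass="PASSWORD"/>
</Service></Server>
"""

def audit_ssl_connectors(server_xml_text, catalina_base):
    """Return {port: [findings]} for every SSLEnabled connector."""
    report = {}
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        ks = conn.get("keystoreFile")
        if ks is None:
            findings.append("keystoreFile not set")
        else:
            # Tomcat resolves a relative keystoreFile against CATALINA_BASE.
            path = ks if os.path.isabs(ks) else os.path.join(catalina_base, ks)
            if not os.path.isfile(path):
                findings.append("keystore not found: " + path)
            elif stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
                # The keystore holds the private key; "other" must not read it.
                findings.append("keystore is world-readable: " + path)
            # Tomcat defaults to JKS; this thread's keystore is PKCS12.
            if conn.get("keystoreType", "JKS").upper() != "PKCS12":
                findings.append("keystoreType is not PKCS12")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append('scheme="https" and secure="true" expected')
        report[conn.get("port")] = findings
    return report

if __name__ == "__main__":
    base = "/usr/share/cloudstack-management"  # assumed CATALINA_BASE
    for port, findings in audit_ssl_connectors(SAMPLE_SERVER_XML, base).items():
        print(port, findings or "ok")
```

An empty findings list for port 8443 means the connector points at a keystore that exists and is not readable by other local users; it does not validate the certificate or the keystore password.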


Re: Enable SSL (https) for Cloudstack 4.2.0 management server

Posted by Nux! <nu...@li.nux.ro>.
On 29.10.2013 09:02, Indra Pramana wrote:
> Dear all,
> 
> Any documentation on how to enable SSL (https) for Cloudstack 4.2.0
> management server? I am using Ubuntu 12.04.2. I tried to follow the
> instruction here, is it still valid?
> 
> http://support.citrix.com/article/CTX132008
> 
> I have managed to come to the step of creating the PKCS12 format keystore:

Wow, that looks convoluted. Don't know if it would work, but my 
instinct is just "yum install mod_ssl" and proxy requests.

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro