Posted to dev@cloudstack.apache.org by Indra Pramana <in...@sg.or.id> on 2013/10/29 10:02:44 UTC
Enable SSL (https) for Cloudstack 4.2.0 management server
Dear all,
Is there any documentation on how to enable SSL (https) for Cloudstack 4.2.0
management server? I am using Ubuntu 12.04.2. I tried to follow the
instructions here, are they still valid?
http://support.citrix.com/article/CTX132008
I have managed to come to the step of creating the PKCS12 format keystore:
root@cs-mgmt-01:~/ssl-cert# openssl pkcs12 -export -in server.crt -inkey server.key -name cloud -passout pass:password > cloud-localhost.pk12
Enter pass phrase for server.key:
root@cs-mgmt-01:~/ssl-cert# ls -la cloud-localhost.pk12
-rw-r--r-- 1 root root 3000 Oct 29 16:11 cloud-localhost.pk12
However, I am not too sure where I should put the file, and how I can
configure Tomcat to use the file. The above documentation says that
I need to put the file in:
/usr/share/cloud/management/conf/
The 4.2 equivalent of the above folder I believe should be
/usr/share/cloudstack-management/conf
I have put the cloud-localhost.pk12 in the folder. What's next? :)
I noted there are these files in the same folder:
-rw-r--r-- 1 root root 10211 Jun 5 02:45 server-nonssl.xml
-rw-r--r-- 1 root root 12094 Sep 24 16:31 server-ssl.xml
lrwxrwxrwx 1 root root 17 Oct 12 23:37 server.xml -> server-nonssl.xml
lrwxrwxrwx 1 root root 19 Oct 12 23:37 tomcat6.conf -> tomcat6-nonssl.conf
-rw-r--r-- 1 root root 2712 Jun 5 02:45 tomcat6-nonssl.conf
-rw-r--r-- 1 root root 2841 Sep 24 16:31 tomcat6-ssl.conf
I tried to point the symbolic links for server.xml and tomcat6.conf to
server-ssl.xml and tomcat6-ssl.conf respectively, and restarted
cloudstack-management service. But I am not able to access the Cloudstack
GUI, even using https:// in front. It seems that Tomcat is not able to
recognize the pk12 certificate file that I have put?
Looking forward to your reply, thank you.
Cheers.
Re: Enable SSL (https) for Cloudstack 4.2.0 management server
Posted by Andrija Panic <an...@gmail.com>.
I'm using CentOS and making protocol="HTTP/1.1" does not work for some
reason, you need another protocol (check the bold part).
Here is my config (placement of pk12 files is not important in regards to
tomcat configuration, it is up to you to put it maybe in some nice place)
<Connector port="8843" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreType="PKCS12"
keystoreFile="/etc/cloudstack/management/cloud-localhost.pk12"
keystorePass="mypasss"
/>
On 29 October 2013 10:12, Erdősi Péter <fa...@niif.hu> wrote:
> Hi,
>
> On 2013.10.29. 10:02, Indra Pramana wrote:
>
>> I have put the cloud-localhost.pk12 on the folder. What's next? :)
>
> I already configured this.
> In my server.xml I defined this:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreType="PKCS12"
> keystoreFile="conf/cloud.somewhere.com.pk12"
> keystorePass="PASSWORD"
> />
>
> The conf directory is there (Ubuntu package installed):
> /usr/share/cloudstack-management/conf/
> but it's just a symlink to /etc/cloudstack/management, so if You copied
> it, should be good, but need the conf/ path, cause CS search cert on
> /usr/share/...
>
> And I also put this iptables rule:
> iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
>
> to reach the frontend at 443.
>
> Hope that helps,
>
> Regards,
> Fazy
>
>
--
Andrija Panić
--------------------------------------
http://admintweets.com
--------------------------------------
Re: Enable SSL (https) for Cloudstack 4.2.0 management server
Posted by Erdősi Péter <fa...@niif.hu>.
Hi,
On 2013.10.29. 10:02, Indra Pramana wrote:
> I have put the cloud-localhost.pk12 on the folder. What's next? :)
I already configured this.
In my server.xml I defined this:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreType="PKCS12"
keystoreFile="conf/cloud.somewhere.com.pk12"
keystorePass="PASSWORD"
/>
The conf directory is there (Ubuntu package installed):
/usr/share/cloudstack-management/conf/
but it's just a symlink to /etc/cloudstack/management, so if You copied
it, should be good, but need the conf/ path, cause CS search cert on
/usr/share/...
And I also put this iptables rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
to reach the frontend at 443.
Hope that helps,
Regards,
Fazy
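Added example, not part of any message in this thread and not CloudStack code: a Python check for the points the replies raise, namely whether each SSLEnabled Connector's keystoreFile resolves to a real file once a relative path is joined to the base directory, whether keystoreType matches, and whether the keystore is readable by group or other as in the ls -la output above. The function names, the base_dir parameter and the sample server.xml are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: 8443 uses the conf/ prefix, 8444 omits it.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" keystoreType="PKCS12"
             keystoreFile="conf/cloud-localhost.pk12" keystorePass="PASSWORD"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" keystoreType="PKCS12"
             keystoreFile="cloud-localhost.pk12" keystorePass="PASSWORD"/>
</Service></Server>"""

def audit_ssl_connectors(server_xml, base_dir):
    """Return (port, finding) pairs for every SSLEnabled Connector."""
    findings = []
    for conn in ET.parse(server_xml).getroot().iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port, ks = conn.get("port"), conn.get("keystoreFile", "")
        # Relative paths are resolved against base_dir (assumed Tomcat base).
        path = ks if os.path.isabs(ks) else os.path.join(base_dir, ks)
        if not os.path.isfile(path):
            findings.append((port, "keystore not found: " + path))
            continue
        # Tomcat assumes a JKS keystore unless keystoreType says otherwise.
        if conn.get("keystoreType", "JKS").upper() != "PKCS12":
            findings.append((port, "keystoreType is not PKCS12"))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((port, "keystore readable by group/other: %o" % mode))
    return findings

def demo():
    """Build a throwaway tree with a 0644 placeholder keystore and audit it."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "conf"))
    ks = os.path.join(base, "conf", "cloud-localhost.pk12")
    with open(ks, "wb") as fh:
        fh.write(b"placeholder bytes, not a real keystore")
    os.chmod(ks, 0o644)  # same mode as the ls -la output in the thread
    xml_path = os.path.join(base, "conf", "server.xml")
    with open(xml_path, "w") as fh:
        fh.write(SAMPLE)
    return audit_ssl_connectors(xml_path, base)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host the call would be audit_ssl_connectors("/etc/cloudstack/management/server.xml", "/usr/share/cloudstack-management"), using the two directories named in the thread.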
Re: Enable SSL (https) for Cloudstack 4.2.0 management server
Posted by Nux! <nu...@li.nux.ro>.
On 29.10.2013 09:02, Indra Pramana wrote:
> Dear all,
>
> Any documentation on how to enable SSL (https) for Cloudstack 4.2.0
> management server? I am using Ubuntu 12.04.2. I tried to follow the
> instruction here, is it still valid?
>
> http://support.citrix.com/article/CTX132008
>
> I have managed to come to the step of creating the PKCS12 format
> keystore:
Wow, that looks convoluted. Don't know if it would work, but my
instinct is just "yum install mod_ssl" and proxy requests.
Lucian
--
Sent from the Delta quadrant using Borg technology!
Nux!
www.nux.ro