You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cloudstack.apache.org by Дикевич Евгений Александрович <ev...@becloud.by> on 2021/06/22 15:26:30 UTC
RE: [!!Mass Mail]RE: Securing CloudStack
HI
Thx for the answer but I stuck on early steps)
I generate private.key:
openssl genrsa -des3 -out private.key 2048
then I generate cert:
openssl req -new -key private.key -out certificate.csr
convert private key to pkcs8:
openssl pkcs8 -topk8 -in private.key -out private.pkcs8.encrypted.key
openssl pkcs8 -in private.pkcs8.encrypted.key -out private.pkcs8.key
and then I try to add key and cert in ACS UI but have error.
Mb I miss smth?
-----Original Message-----
From: Yordan Kostov [mailto:YordanK@NSOGROUP.COM]
Sent: Tuesday, June 22, 2021 12:38 PM
To: users@cloudstack.apache.org
Subject: [!!Mass Mail]RE: Securing CloudStack
Hello Evgeniy,
I can confirm that these are the steps that work in later ACS versions (tested on 4.15).
The only issue with it is the part where it says how to combine the certificate chain:
# order - server_key server_cert CA_cert
cat myprivatekey.key mycertificate.crt gd_bundle-g2-g1.crt > mycombinedcert.crt
Where it actually should be
# order - server_crt, CA_SUB_crt, CA_ROOT_crt cat mycertificate.key gd_bundle-g2-g1.crt CA-ROOT.crt > mycombinedcert.crt
ACS is using Jetty as certificate management platform.
You can take a look at this article how to handle self-signed certs - http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty
I have not done it and to be fair features like ISO upload and console proxy will probably not work for the user even if ACS is properly configured.
Certificate should be still verified for the user in some way.
If you make it work please let us know, it is in my to-do plan to migrate the Certificate configuration guide into docs.cloudstack.apache.org
Best regards,
Jordan
-----Original Message-----
From: Дикевич Евгений Александрович <ev...@becloud.by>
Sent: Tuesday, June 22, 2021 12:19 PM
To: users@cloudstack.apache.org
Subject: Securing CloudStack
[X] This message came from outside your organization
Hi All!
ACS 4.14.1
Mb someone use self-signed certificates with ACS?
I saw article from Shapeblue: https://urldefense.com/v3/__https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/__;!!A6UyJA!3VgftDioHyHM0Te2quEsb7s7sQHP_WSi6NH7cdycSZcumZtsRg2i6RKYYxU-vHNQW6_LCFLA5l1e$ but they use wildcard certificate.
Mb someone have valid instructions?
Внимание!
Это электронное письмо и все прикрепленные к нему файлы являются конфиденциальными и предназначены исключительно для использования лицом (лицами), которому (которым) оно предназначено. Если Вы не являетесь лицом (лицами), которому (которым) предназначено это письмо, не копируйте и не разглашайте его содержимое и удалите это сообщение и все вложения из Вашей почтовой системы. Любое несанкционированное использование, распространение, раскрытие, печать или копирование этого электронного письма и прикрепленных к нему файлов, кроме как лицом (лицами) которому (которым) они предназначены, является незаконным и запрещено. Принимая во внимание, что передача данных посредством Интернет не является безопасной, мы не несем никакой ответственности за любой потенциальный ущерб, причиненный в результате ошибок при передаче данных или этим сообщением и прикрепленными к нему файлами.
Attention!
This email and all attachments to it are confidential and are intended solely for use by the person (or persons) referred to (mentioned) as the intended recipient (recipients). If you are not the intended recipient of this email, do not copy or disclose its contents and delete the message and any attachments to it from your e-mail system. Any unauthorized use, dissemination, disclosure, printing or copying of this e-mail and files attached to it, except by the intended recipient, is illegal and is prohibited. Taking into account that data transmission via Internet is not secure, we assume no responsibility for any potential damage caused by data transmission errors or this message and the files attached to it.
RE: [!!Mass Mail]RE: Securing CloudStack
Posted by Yordan Kostov <Yo...@NSOGROUP.COM>.
Alright here is what I came up with. This is NOT tested. Let me know if it works or where issues arise if it does not.
Prerequisites:
- URL of choice for our landing page - https://acs.sarifindustries.com
- public network range 10.10.10.10 to 10.10.10.19 for the zone
- Generate a key and certificate where during generation process specify the common name as wildcard *. acs.sarifindustries.com
--- # openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem
### SECURING SYSTEM VM COMMUNICATION VIA SELF-SIGNED CERTIFICATE ###
1. Setup communication between ACS and SSVM and user and SSVM to encrypted channel
In ACS global config;
- set consoleproxy.url.domain to *. acs.sarifindustries.com
- consoleproxy.sslEnabled to true
- secstorage.ssl.cert.domain to *. acs.sarifindustries.com
- secstorage.ssl.cert.domain to true
Restart the management service
# systemctl restart cloudstack-management
Now users will access SSVMs (for console proxy or ISO/template upload purposes) through FQDN instead of IP so put the ip to fqdn matches listed below in your DNS.
This must be the DNS the alternative is to put it in the host file of the ACS and of every-user-that-will-access-it host file.
10.10.10.10 10-10-10-10.acs.sarifindustries.com
10.10.10.11 10-10-10-11.acs.sarifindustries.com
10.10.10.12 10-10-10-12.acs.sarifindustries.com
10.10.10.13 10-10-10-13.acs.sarifindustries.com
10.10.10.14 10-10-10-14.acs.sarifindustries.com
10.10.10.15 10-10-10-15.acs.sarifindustries.com
10.10.10.16 10-10-10-16.acs.sarifindustries.com
10.10.10.17 10-10-10-17.acs.sarifindustries.com
10.10.10.18 10-10-10-18.acs.sarifindustries.com
10.10.10.19 10-10-10-19.acs.sarifindustries.com
2. Upload keys/certificates from step 1 via cloudmonkey:
Here the certificate chain should be uploaded (Server -> SUB-CA -> ROOT-CA) but as this is self-signed certificate use just that.
NOTE: This is the step that I consider the caveat as the first certificate import requires a chain of certificates. If this guide does not work the issue is probably here as if you do this step in the GUI, ROOT certificate must be imported.
cloudmonkey upload customcertificate id=1 name=sarifindustriescert certificate='-----BEGIN CERTIFICATE-----
IIE0DCCsdf8HqjeIHgkqhkiG9w0BAQsF....
-----END CERTIFICATE-----'
domainsuffix='*. acs.sarifindustries.com'
Upload certificate + private key pair:
cloudmonkey upload customcertificate id=2 certificate='-----BEGIN CERTIFICATE-----
MIIGrjCCBZagAwIBAgIJAJ....
...xKjPTkOLfwMVWXc8Ul25t7lkyi0+a9jZxFAuDXFRgkQnbw==
-----END CERTIFICATE-----'
privatekey='-----BEGIN PRIVATE KEY-----
MIIEvEbidvik1gkqhkiG9w0BAQEFAASCBK
.....rEF5Qyuyserre87d234jj/Uddf
-----END PRIVATE KEY-----'
domainsuffix='*. acs.sarifindustries.com'
3. Reboot system VMs
4. Import the Sarrifindustries certificates in the user PC truststore so the browser can acknowledge the connection as secure.
5. Test according to step "Testing the TLS protected system VMs" in this guide - https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
### SECURING GUI VIA SELF-SIGNED CERTIFICATE ###
1. Convert key/certificate to PKCS12
# openssl pkcs12 -export -inkey sarifindustries.key -in sarifindustries.crt -out sarifindustries.pkcs12
2. Convert the PKCS12 into java keystore
# keytool -importkeystore -srckeystore sarifindustries.pkcs12 -srcstoretype PKCS12 -destkeystore /etc/cloudstack/management/keystore.pkcs12 -deststoretype pkcs12
During the convertions you will be asked to set a password. Keep that around.
3. Enable ACS GUI HTTPS by editing the following rows in /etc/cloudstack/management/server.properties:
https.enable=true
https.keystore=/etc/cloudstack/management/keystore.pkcs12
https.keystore.password=<enter the same password as used for certificate conversion>
4. Restart the management service
# systemctl restart cloudstack-management
5. Import the Sarrifindustries certificates in the user PC truststore (unless done from the first guide) so the browser can acknowledge the connection as secure.
6. Open GUI and verify secure connection.
Best regards,
Jordan
-----Original Message-----
From: Yordan Kostov
Sent: Thursday, June 24, 2021 12:16 PM
To: 'users@cloudstack.apache.org' <us...@cloudstack.apache.org>
Subject: RE: [!!Mass Mail]RE: Securing CloudStack
Sorry for no reply I will check and get back to you.
Regards,
Jordan
-----Original Message-----
From: Дикевич Евгений Александрович <ev...@becloud.by>
Sent: Tuesday, June 22, 2021 6:27 PM
To: users@cloudstack.apache.org
Subject: RE: [!!Mass Mail]RE: Securing CloudStack
[X] This message came from outside your organization
HI
Thx for the answer but I stuck on early steps) I generate private.key:
openssl genrsa -des3 -out private.key 2048 then I generate cert:
openssl req -new -key private.key -out certificate.csr convert private key to pkcs8:
openssl pkcs8 -topk8 -in private.key -out private.pkcs8.encrypted.key openssl pkcs8 -in private.pkcs8.encrypted.key -out private.pkcs8.key and then I try to add key and cert in ACS UI but have error.
Mb I miss smth?
-----Original Message-----
From: Yordan Kostov [mailto:YordanK@NSOGROUP.COM]
Sent: Tuesday, June 22, 2021 12:38 PM
To: users@cloudstack.apache.org
Subject: [!!Mass Mail]RE: Securing CloudStack
Hello Evgeniy,
I can confirm that these are the steps that work in later ACS versions (tested on 4.15).
The only issue with it is the part where it says how to combine the certificate chain:
# order - server_key server_cert CA_cert cat myprivatekey.key mycertificate.crt gd_bundle-g2-g1.crt > mycombinedcert.crt
Where it actually should be
# order - server_crt, CA_SUB_crt, CA_ROOT_crt cat mycertificate.key gd_bundle-g2-g1.crt CA-ROOT.crt > mycombinedcert.crt
ACS is using Jetty as certificate management platform.
You can take a look at this article how to handle self-signed certs - https://urldefense.com/v3/__http://wiki.eclipse.org/Jetty/Howto/Configure_SSL*Configuring_Jetty__;Iw!!A6UyJA!0CgjfpsBXOaEoCSJ93lin21HvGCNhmthI7yAGXia_grO7Bw4kO1dt3tV99TG0Enl$
I have not done it and to be fair features like ISO upload and console proxy will probably not work for the user even if ACS is properly configured.
Certificate should be still verified for the user in some way.
If you make it work please let us know, it is in my to-do plan to migrate the Certificate configuration guide into docs.cloudstack.apache.org
Best regards,
Jordan
-----Original Message-----
From: Дикевич Евгений Александрович <ev...@becloud.by>
Sent: Tuesday, June 22, 2021 12:19 PM
To: users@cloudstack.apache.org
Subject: Securing CloudStack
[X] This message came from outside your organization
Hi All!
ACS 4.14.1
Mb someone use self-signed certificates with ACS?
I saw article from Shapeblue: https://urldefense.com/v3/__https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/__;!!A6UyJA!3VgftDioHyHM0Te2quEsb7s7sQHP_WSi6NH7cdycSZcumZtsRg2i6RKYYxU-vHNQW6_LCFLA5l1e$ but they use wildcard certificate.
Mb someone have valid instructions?
Внимание!
Это электронное письмо и все прикрепленные к нему файлы являются конфиденциальными и предназначены исключительно для использования лицом (лицами), которому (которым) оно предназначено. Если Вы не являетесь лицом (лицами), которому (которым) предназначено это письмо, не копируйте и не разглашайте его содержимое и удалите это сообщение и все вложения из Вашей почтовой системы. Любое несанкционированное использование, распространение, раскрытие, печать или копирование этого электронного письма и прикрепленных к нему файлов, кроме как лицом (лицами) которому (которым) они предназначены, является незаконным и запрещено. Принимая во внимание, что передача данных посредством Интернет не является безопасной, мы не несем никакой ответственности за любой потенциальный ущерб, причиненный в результате ошибок при передаче данных или этим сообщением и прикрепленными к нему файлами.
Attention!
This email and all attachments to it are confidential and are intended solely for use by the person (or persons) referred to (mentioned) as the intended recipient (recipients). If you are not the intended recipient of this email, do not copy or disclose its contents and delete the message and any attachments to it from your e-mail system. Any unauthorized use, dissemination, disclosure, printing or copying of this e-mail and files attached to it, except by the intended recipient, is illegal and is prohibited. Taking into account that data transmission via Internet is not secure, we assume no responsibility for any potential damage caused by data transmission errors or this message and the files attached to it.
<font size="2"><font color="#D8D8D8">11!</font>
RE: [!!Mass Mail]RE: Securing CloudStack
Posted by Yordan Kostov <Yo...@NSOGROUP.COM>.
Sorry for no reply I will check and get back to you.
Regards,
Jordan
-----Original Message-----
From: Дикевич Евгений Александрович <ev...@becloud.by>
Sent: Tuesday, June 22, 2021 6:27 PM
To: users@cloudstack.apache.org
Subject: RE: [!!Mass Mail]RE: Securing CloudStack
[X] This message came from outside your organization
HI
Thx for the answer but I stuck on early steps) I generate private.key:
openssl genrsa -des3 -out private.key 2048 then I generate cert:
openssl req -new -key private.key -out certificate.csr convert private key to pkcs8:
openssl pkcs8 -topk8 -in private.key -out private.pkcs8.encrypted.key openssl pkcs8 -in private.pkcs8.encrypted.key -out private.pkcs8.key and then I try to add key and cert in ACS UI but have error.
Mb I miss smth?
-----Original Message-----
From: Yordan Kostov [mailto:YordanK@NSOGROUP.COM]
Sent: Tuesday, June 22, 2021 12:38 PM
To: users@cloudstack.apache.org
Subject: [!!Mass Mail]RE: Securing CloudStack
Hello Evgeniy,
I can confirm that these are the steps that work in later ACS versions (tested on 4.15).
The only issue with it is the part where it says how to combine the certificate chain:
# order - server_key server_cert CA_cert cat myprivatekey.key mycertificate.crt gd_bundle-g2-g1.crt > mycombinedcert.crt
Where it actually should be
# order - server_crt, CA_SUB_crt, CA_ROOT_crt cat mycertificate.key gd_bundle-g2-g1.crt CA-ROOT.crt > mycombinedcert.crt
ACS is using Jetty as certificate management platform.
You can take a look at this article how to handle self-signed certs - https://urldefense.com/v3/__http://wiki.eclipse.org/Jetty/Howto/Configure_SSL*Configuring_Jetty__;Iw!!A6UyJA!0CgjfpsBXOaEoCSJ93lin21HvGCNhmthI7yAGXia_grO7Bw4kO1dt3tV99TG0Enl$
I have not done it and to be fair features like ISO upload and console proxy will probably not work for the user even if ACS is properly configured.
Certificate should be still verified for the user in some way.
If you make it work please let us know, it is in my to-do plan to migrate the Certificate configuration guide into docs.cloudstack.apache.org
Best regards,
Jordan
-----Original Message-----
From: Дикевич Евгений Александрович <ev...@becloud.by>
Sent: Tuesday, June 22, 2021 12:19 PM
To: users@cloudstack.apache.org
Subject: Securing CloudStack
[X] This message came from outside your organization
Hi All!
ACS 4.14.1
Mb someone use self-signed certificates with ACS?
I saw article from Shapeblue: https://urldefense.com/v3/__https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/__;!!A6UyJA!3VgftDioHyHM0Te2quEsb7s7sQHP_WSi6NH7cdycSZcumZtsRg2i6RKYYxU-vHNQW6_LCFLA5l1e$ but they use wildcard certificate.
Mb someone have valid instructions?
Внимание!
Это электронное письмо и все прикрепленные к нему файлы являются конфиденциальными и предназначены исключительно для использования лицом (лицами), которому (которым) оно предназначено. Если Вы не являетесь лицом (лицами), которому (которым) предназначено это письмо, не копируйте и не разглашайте его содержимое и удалите это сообщение и все вложения из Вашей почтовой системы. Любое несанкционированное использование, распространение, раскрытие, печать или копирование этого электронного письма и прикрепленных к нему файлов, кроме как лицом (лицами) которому (которым) они предназначены, является незаконным и запрещено. Принимая во внимание, что передача данных посредством Интернет не является безопасной, мы не несем никакой ответственности за любой потенциальный ущерб, причиненный в результате ошибок при передаче данных или этим сообщением и прикрепленными к нему файлами.
Attention!
This email and all attachments to it are confidential and are intended solely for use by the person (or persons) referred to (mentioned) as the intended recipient (recipients). If you are not the intended recipient of this email, do not copy or disclose its contents and delete the message and any attachments to it from your e-mail system. Any unauthorized use, dissemination, disclosure, printing or copying of this e-mail and files attached to it, except by the intended recipient, is illegal and is prohibited. Taking into account that data transmission via Internet is not secure, we assume no responsibility for any potential damage caused by data transmission errors or this message and the files attached to it.
<font size="2"><font color="#D8D8D8">11!</font>