cloudstack-users mailing list archives

From Andrija Panic <andrija.pa...@gmail.com>
Subject Re: Configuring HTTPS for UI
Date Wed, 05 Aug 2020 15:29:26 GMT
Hi Mike,

not sure what the docs say (haven't read that part recently), but the blog
page should suffice (well, I see that github issue with 4.14 and SSL -
haven't tested myself, so can't confirm/deny the issue).

Just follow the blog page (no direct jetty modification needed) - and let
us know if that works (pay attention to the firewall...)

Regards,

On Wed, 5 Aug 2020 at 16:37, Corey, Mike <mike.corey@sap.com> wrote:

> Thanks Andrija,
>
> I came across that link in my search, but the Jetty link in the
> instructions takes me to a page that says the version is End of Life.  I
> wasn't sure if the Jetty piece had to be configured or I just had to do the
> CloudStack portion.  Do I have to modify the Jetty piece as described in
> the link in item 1 below?  If so, what is the path to the Jetty
> configuration files where the SslSocketConnector is configured?
>
> Just to be clear of the process:
> 1 - modify the Jetty according to
> http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty
> 2 - Combine key, cert, subroot, root certs into one cert.
> 3 - Convert cert to pkcs12 format
> 4 - Create and copy to pkcs12 keystore
> 5 - modify server.properties with keystore info
> 6 - modify the 8080 to 8443 redirect
> 7 - restart cloudstack-management
> 8 - BOOM hit https://mycloudstack:8443/client without issue
>
>
> At first, I thought I had run into the issue described here:
> https://github.com/apache/cloudstack/issues/4199  But, maybe I just
> haven't completed the process if I have to do something to Jetty first.
>
> -----Original Message-----
> From: Andrija Panic <andrija.panic@gmail.com>
> Sent: Wednesday, August 5, 2020 5:14 AM
> To: users <users@cloudstack.apache.org>
> Subject: Re: Configuring HTTPS for UI
>
> Hi Mike,
>
> in production, you might want to do the SSL offloading on the load
> balancer, but yes, you can also setup SSL on the Jetty as well - please see
> the article
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/  (skip
> the first part which describes securing system VMs with SSL)
>
> Best,
> Andrija
>
> On Tue, 4 Aug 2020 at 20:47, Corey, Mike <mike.corey@sap.com> wrote:
>
> > Hi,
> >
> >
> >
> > I’m trying to figure out how to use https or 8443 with an internally
> > signed certificate and chain for the UI.  The latest documentation only has
> > the below snippet.  I’ve created my internally signed certificate, root,
> > and intermediary cert and I believe I’ve done all the imports into my
> > keystore using keytool correctly.  I’ve also modified the server.properties
> > with the correct jks location and password as directed by the documentation.
> >
> >
> >
> > Older versions of CloudStack documentation reference doing something with
> > Jetty, but the link to the reference is for out of life versions.  I don’t
> > see any messages in the logs pertaining to TLS, SSL, 8443, etc.  Is there
> > more to this process than documented?
> >
> >
> >
> > *SSL (Optional)*
> >
> > CloudStack provides HTTP access in its default installation. There are a
> > number of technologies and sites which choose to implement SSL/TLS. As a
> > result, we have left CloudStack to expose HTTP under the assumption that a
> > site will implement its typical practice.
> >
> > CloudStack 4.9 and above uses embedded Jetty as its servlet container. For
> > sites that would like CloudStack to terminate the SSL session, HTTPS can be
> > enabled by configuring the https-related settings in CloudStack management
> > server’s server.properties file at /etc/cloudstack/management/ location:
> >
> > *# For management server to pickup these configuration settings, the
> > configured*
> >
> > *# keystore file should exists and be readable by the management server.*
> >
> > https.enable=true
> >
> > https.port=8443
> >
> > https.keystore=/etc/cloudstack/management/cloud.jks
> >
> > https.keystore.password=vmops.com
> >
> > For storing certificates, admins can create and configure a java keystore
> > file and configure the same in the server.properties file as illustrated
> > above.
> >
> >
> >
> >
> >
> >
> >
> > *Mike Corey*
> >
> >
> > Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> > US
> >
> >
> > *SAP AMERICA, INC.* 3999 West Chester Pike, Newtown Square, 19073 United
> > States
> >
> >
> > T +1 610 661 0905, M +1 484 274 2658, E mike.corey@sap.com
> >
> >
> >
> >
> >
> >
> >
>
>
> --
>
> Andrija Panić
>


-- 

Andrija Panić
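
Added example (not part of the thread and not CloudStack's own tooling): a preflight check for the server.properties settings quoted above. It confirms the https.* keys are set and that the keystore file exists and is readable, the condition the quoted documentation comment names; the function names prop and check_https are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check of the https.* keys in server.properties.

# prop FILE KEY: print the last uncommented value of KEY, whitespace trimmed.
prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            i = index($0, "="); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_https FILE: print findings; exit status is the number of FAILs.
check_https() {
    conf=$1; fails=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    enable=$(prop "$conf" https.enable)
    port=$(prop "$conf" https.port)
    ks=$(prop "$conf" https.keystore)
    pw=$(prop "$conf" https.keystore.password)

    [ "$enable" = "true" ] ||
        { echo "FAIL: https.enable is '$enable', expected 'true'"; fails=$((fails + 1)); }
    case $port in
        ''|*[!0-9]*) echo "FAIL: https.port is not numeric: '$port'"; fails=$((fails + 1)) ;;
    esac
    if [ -z "$ks" ]; then
        echo "FAIL: https.keystore is not set"; fails=$((fails + 1))
    elif [ ! -f "$ks" ]; then
        echo "FAIL: keystore $ks does not exist"; fails=$((fails + 1))
    elif [ ! -r "$ks" ]; then
        echo "FAIL: keystore $ks is not readable by $(id -un)"; fails=$((fails + 1))
    fi
    if [ -z "$pw" ]; then
        echo "FAIL: https.keystore.password is not set"; fails=$((fails + 1))
    elif [ "$pw" = "vmops.com" ]; then
        echo "WARN: keystore password is the sample value from the documentation"
    fi
    return "$fails"
}

# Run as the account the management server runs under, so -r reflects its access.
if [ "$#" -gt 0 ]; then check_https "$1"; fi
```

Invoke it with the path to server.properties as the only argument; a zero exit status means every https.* check passed.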
