cloudstack-users mailing list archives

From "Corey, Mike" <mike.co...@sap.com>
Subject RE: Configuring HTTPS for UI
Date Wed, 05 Aug 2020 14:35:08 GMT
Thanks Andrija, 

I came across that link in my search, but the Jetty link in the instructions takes me to a
page that says the version is End of Life.  I wasn't sure if the Jetty piece had to be configured
or I just had to do the CloudStack portion.  Do I have to modify the Jetty piece as described
in the link in item 1 below?  If so, what is the path to the Jetty configuration files where
the SslSocketConnector is configured?

Just to be clear of the process:
1 - modify the Jetty according to http://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty
2 - Combine key, cert, subroot, root certs into one cert.
3 - Convert cert to pkcs12 format
4 - Create and copy to pkcs12 keystore
5 - modify server.properties with keystore info
6 - modify the 8080 to 8443 redirect
7 - restart cloudstack-management
8 - BOOM hit https://mycloudstack:8443/client without issue


At first, I thought I had run into the issue described here: https://github.com/apache/cloudstack/issues/4199
But, maybe I just haven't completed the process if I have to do something to Jetty first.

-----Original Message-----
From: Andrija Panic <andrija.panic@gmail.com> 
Sent: Wednesday, August 5, 2020 5:14 AM
To: users <users@cloudstack.apache.org>
Subject: Re: Configuring HTTPS for UI

Hi Mike,

in production, you might want to do the SSL offloading on the load
balancer, but yes, you can also setup SSL on the Jetty as well - please see
the article
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/  (skip
the first part which describes securing system VMs with SSL)

Best,
Andrija

On Tue, 4 Aug 2020 at 20:47, Corey, Mike <mike.corey@sap.com> wrote:

> Hi,
>
>
>
> I’m trying to figure out how to use https or 8443 with an internally
> signed certificate and chain for the UI.  The latest documentation only has
> the below snippet.  I’ve created my internally signed certificate, root,
> and intermediary cert and I believe I’ve done all the imports into my
> keystore using keytool correctly.  I’ve also modified the server.properties
> with the correct jks location and password as directed by the documentation.
>
>
>
> Older versions of CloudStack documentation reference doing something with
> Jetty, but the link to the reference is for out of life versions.  I don’t
> see any messages in the logs pertaining to TLS, SSL, 8443, etc.  Is there
> more to this process than documented?
>
>
>
> *SSL (Optional)*
>
> CloudStack provides HTTP access in its default installation. There are a
> number of technologies and sites which choose to implement SSL/TLS. As a
> result, we have left CloudStack to expose HTTP under the assumption that a
> site will implement its typical practice.
>
> CloudStack 4.9 and above uses embedded Jetty as its servlet container. For
> sites that would like CloudStack to terminate the SSL session, HTTPS can be
> enabled by configuring the https-related settings in CloudStack management
> server’s server.properties file at /etc/cloudstack/management/ location:
>
> # For management server to pickup these configuration settings, the configured
> # keystore file should exist and be readable by the management server.
> https.enable=true
> https.port=8443
> https.keystore=/etc/cloudstack/management/cloud.jks
> https.keystore.password=vmops.com
>
> For storing certificates, admins can create and configure a java keystore
> file and configure the same in the server.properties file as illustrated
> above.
>
>
> *Mike Corey*
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US
> *SAP AMERICA, INC.* 3999 West Chester Pike, Newtown Square, 19073 United States
> T +1 610 661 0905, M +1 484 274 2658, E mike.corey@sap.com
>


-- 

Andrija Panić
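
The documentation quoted in this thread requires that the configured keystore exist and be readable by the management server, and the original question notes that nothing about TLS shows up in the logs. As an added example (not part of any message in the thread and not CloudStack's own code), this preflight check reads the four `https.*` settings from `server.properties` and reports what is inconsistent. The function names are hypothetical, `vmops.com` is treated as the sample value from the quoted snippet, and the world-readable check on the file holding the password is an assumption about what an admin would want flagged.

```python
import os
import stat

SAMPLE_PASSWORD = "vmops.com"  # sample value shown in the quoted documentation


def load_properties(path):
    """Parse simple key=value lines; '#' and '!' start comment lines."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and line[0] not in "#!" and "=" in line:
                key, value = line.split("=", 1)
                props[key.strip()] = value.strip()
    return props


def keystore_format(path):
    """Identify the keystore container from its first bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == b"\xfe\xed\xfe\xed":   # JKS magic number
        return "JKS"
    if head[:1] == b"\x30":           # DER SEQUENCE, the outer type of PKCS#12
        return "PKCS12-like"
    return "unknown"


def check_https_config(props_path):
    """Return a list of findings; an empty list means the settings are consistent."""
    if not os.path.isfile(props_path):
        return ["server.properties not found"]
    props = load_properties(props_path)
    findings = []
    if props.get("https.enable", "").lower() != "true":
        findings.append("https.enable is not true")
    if not props.get("https.port", "").isdigit():
        findings.append("https.port is missing or not numeric")
    if props.get("https.keystore.password") == SAMPLE_PASSWORD:
        findings.append("https.keystore.password is the documentation sample value")
    ks = props.get("https.keystore", "")
    if not ks or not os.path.isfile(ks):
        findings.append("keystore file does not exist: %r" % ks)
    elif not os.access(ks, os.R_OK):  # checked for the user running this script
        findings.append("keystore file is not readable by this user")
    elif keystore_format(ks) == "unknown":
        findings.append("keystore header is neither JKS nor PKCS12")
    if os.stat(props_path).st_mode & stat.S_IROTH:
        findings.append("server.properties holds the password and is world-readable")
    return findings
```

Call `check_https_config("/etc/cloudstack/management/server.properties")` as the account the management server runs under, since the readability test applies to the calling user.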