Certificates: Replacing CloudCenter's default component X.509 certificates

tuanngu4 — Wed, 12 Apr 2017 14:27:27 GMT

Summary:

Since the v4.2 release of CloudCenter (CC), the CC platform has adopted Spring X.509 Authentication, which requires the various roles of the CC architecture to communicate via mutual SSL authentication methods. These certificates are component-based and are different than the client-based certificate described in this article. For a summarized explanation of the differences between the two types and instructions to obtain custom certificates to use for SSL authentication, refer to this article. During the communication between the CloudCenter Manager, the Orchestrator, the Guacamole server, etc., the CloudCenter appliances request a valid certificate from each other as part of the SSL handshake. Once the certificate is offered it will be verified to ensure that it has been signed by a trusted authority. Each CloudCenter deployment needs a unique CloudCenter ID (CCID). The CloudCenter support team uses a known private Certificate Authority (CA) to generate the default certificates, which contain the values for the CCID; it can also be used to generate custom certificates for your deployments upon request. There is an option to request Certificate Signing Request (CSR) files from the CloudCenter support team so that your private CA can generate custom certificates. These component certificates (*.crt) files are stored on each appliance in the /usr/local/tomcat/conf/ssl directory and are specifically named mgmtserver.crt (CCM), cco.crt (CCO), gateway.crt (Docker container), monitor.crt (Health Monitor), guac.crt (Guacamole), and esb.crt (ESB). The goal of this document is to demonstrate how custom certificates can be used in place of the default certificates employed by the CC platform.

NOTE: Assuming that you have a valid certificate signed by a trusted authority, either private or public, you can use one certificate and rename it appropriately to befit to the server role. So a custom.crt file can be renamed to mgmtserver.crt file and placed onto the CCM appliance.

Placing the certificates

On the CloudCenter Manager (CCM)
- Replace the default ca_root.crt, ca_truststore.jks, ccm_keystore.jks, ccm.crt, and ccm.key files in the /usr/local/osmosix/ssl/ccm directory
- Replace the default ca_root.crt, ca_truststore.jks, esb_keystore.jks, esb.crt, and esb.key files in the /usr/local/osmosix/ssl/esb directory (if ESB is enabled)
- Place the ca_root.crt, ca_truststore.jks, esb_keystore.jks, esb.crt, and esb.key files into the /etc/rabbitmq/certs directory (if ESB is enabled)
- Ensure that the files are owned by the user named cliqruser
  - chown -R /usr/local/osmosix/ssl
- Remove existing and add new symbolic links
  - cd /usr/local/tomcat/conf/ssl
  - rm -f .keystore
  - rm -f .truststore
  - rm -f gateway.crt
  - rm -f gateway.key
  - rm -f ca.crt
  - ln -s /usr/local/osmosix/ssl/cco/cco_keystore.jks .keystore
  - ln -s /usr/local/osmosix/ssl/cco/ca_truststore.jks .truststore
  - ln -s /usr/local/osmosix/ssl/cco/cco.crt gateway.crt
  - ln -s /usr/local/osmosix/ssl/cco/cco.key gateway.key
  - ln -s /usr/local/osmosix/ssl/cco/ca_root.crt ca.crt

Optional steps to verify the certificates in the keystore (assuming the working directory of /usr/local/osmosix/ssl/ccm)

To view the certificate in detail
- keytool -printcert -v -file ccm.crt
To verify that the certificate is in the truststore (this requires a call to support as they will provide the passphrase for the store)
- keytool -list -v -keystore ccm_keystore.jks
To verify that the certificate is in the truststore (this requires a call to support as they will provide the passphrase for the store)
- keytool -list -v -keystore ca_truststore.jks
- To import a certificate into the keystore

keytool -import -alias sandbox -keystore ccm_keystore.jks -file ccm.crt

On the CloudCenter Orchestrator (CCO)

Replace the default ca_root.crt, ca_truststore.jks, cco_keystore.jks, cco.crt, and cco.key files in the /usr/local/osmosix/ssl/cco directory
Replace the default gateway.crt, and gateway.key files in the /usr/local/osmosix/ssl/docker directory
Ensure that the files are owned by the user named cliqruser
- chown -R /usr/local/osmosix/ssl
Remove existing and add new symbolic links
- cd /usr/local/tomcat/conf/ssl
- rm -f .keystore
- rm -f .truststore
- rm -f gateway.crt
- rm -f gateway.key
- rm -f ca.crt
- ln -s /usr/local/osmosix/ssl/cco/cco_keystore.jks .keystore
- ln -s /usr/local/osmosix/ssl/cco/ca_truststore.jks .truststore
- ln -s /usr/local/osmosix/ssl/cco/cco.crt gateway.crt
- ln -s /usr/local/osmosix/ssl/cco/cco.key gateway.key
- ln -s /usr/local/osmosix/ssl/cco/ca_root.crt ca.crt

On the CloudCenter Guacamole appliance (Guac)

Replace the default ca_root.crt, ca_truststore.jks, gua_keystore.jks, gua.crt, and gua.key files in the /usr/local/osmosix/ssl/gua directory
Ensure that the files are owned by the user named cliqruser
- chown -R /usr/local/osmosix/ssl
Remove existing and add new symbolic links
- cd /usr/local/tomcatgua/conf/ssl
- rm -f .keystore
- rm -f .truststore
- rm -f gateway.crt
- rm -f gateway.key
- rm -f ca.crt
- ln -s /usr/local/osmosix/ssl/gua/gua_keystore.jks .keystore
- ln -s /usr/local/osmosix/ssl/gua/ca_truststore.jks .truststore
- ln -s /usr/local/osmosix/ssl/gua/gua.crt gateway.crt
- ln -s /usr/local/osmosix/ssl/gua/gua.key gateway.key
- ln -s /usr/local/osmosix/ssl/gua/ca_root.crt ca.crt

On the CloudCenter Health Monitor (Health Monitor)

Replace the default ca_root.crt, ca_truststore.jks, mon_keystore.jks, mon.crt, and mon.key files in the /usr/local/osmosix/ssl/mon directory
Ensure that the files are owned by the user named cliqruser
- chown -R /usr/local/osmosix/ssl
Remove existing and add new symbolic links
- cd /usr/local/tomcat/conf/ssl
- rm -f .keystore
- rm -f .truststore
- rm -f monitor.crt
- rm -f monitor.key
- rm -f ca.crt
- ln -s /usr/local/osmosix/ssl/mon/mon_keystore.jks .keystore
- ln -s /usr/local/osmosix/ssl/mon/ca_truststore.jks .truststore
- ln -s /usr/local/osmosix/ssl/mon/mon.crt monitor.crt
- ln -s /usr/local/osmosix/ssl/mon/mon.key monitor.key
- ln -s /usr/local/osmosix/ssl/mon/ca_root.crt ca.crt

article Certificates: Replacing CloudCenter's default component X.509 certificates in Data Center and Cloud Knowledge Base

Certificates: Replacing CloudCenter's default component X.509 certificates