The CloudCenter (CC) platform requires the various roles of the CC architecture to communicate via mutual SSL authentication. These certificates are component-based and are different from the client-based certificate described in this article. For a summarized explanation of the differences between the two types and instructions to obtain custom certificates to use for SSL authentication, refer to this article. During the communication between the CloudCenter Manager, the Orchestrator, the Guacamole server, etc., the CloudCenter appliances request a valid certificate from each other as part of the SSL handshake. Once the certificate is offered, it is verified to ensure that it has been signed by a trusted authority. Prior to CC version 4.8, these certificates, being unique for each deployment, were generated by the CC engineering team and distributed to the CC licensee. Version 4.8 allows the licensee to generate these unique certificates automatically from a wizard on the CC Manager. This allows for customization during the certificate creation process and also ensures that certificates can be refreshed on an acceptable cycle. The goal of this document is to demonstrate the end-to-end process for installing newly generated certificates in CC.
The option to generate certificates exists only on the CC Manager. Assuming that the CC Manager is operational, follow these steps:
1. Log on to the console of the CC Manager.
2. Launch the CCM Configuration Wizard.
3. From the main menu, select Config_Certs, then Generate_Certs.
4. Select Yes, then press Enter.
5. Enter the CloudCenter ID (this value is inconsequential unless multiple CC Managers are in federated mode; it becomes the Organization name assigned to the certificate).
6. Enter the Company Name (this value becomes the common name assigned to the certificate).
7. Select Yes, then press Enter to confirm.
8. Note the location and file name of the zip file containing the new certificates for the multiple CC components: the Manager, the Orchestrator, the AMQP, the Health Monitor, etc.
9. Once the previous screen displays, select Update_Certs and enter the location and file name of the zip package; in this case the value should be /tmp/certs.zip.

NOTE: The log file named config.log in the /usr/local/osmosix/log directory provides feedback regarding success or failure within this process.
Once the certs.zip package has been created, the zip file needs to be distributed to each appliance (CC Orchestrator, Guacamole, Monitor, etc.).

1. On Linux-based systems, use scp; on Windows-based systems, use WinSCP:
   scp /tmp/certs.zip root@cco-48x:/tmp
   (This command assumes the certs.zip package is in the /tmp directory and that the cco-48x server name is resolved by DNS.)
2. On each appliance, run the respective *_config_wizard.sh script. For example, on the CC Orchestrator type /usr/local/osmosix/bin/cco_config_wizard.sh
3. From the main menu, select Config_Certs, then enter the path and file name of the package containing the certificates.
To view the contents of the zip package containing the newly generated certificates, type unzip /tmp/certs.zip -d /tmp/certs. This places the contents into the /tmp/certs directory.

To compare the certificates once they are placed by the config wizards: CloudCenter uses the /usr/local/osmosix/ssl directory on each appliance as the location for the component certificates. Type
keytool -printcert -v -file /usr/local/osmosix/ssl/ccm/ccm.crt
keytool -list -v -keystore /usr/local/osmosix/ssl/ccm/ccm_keystore.jks
(Both commands assume a console session on the CC Manager.)
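As an added example that is not part of the CloudCenter documentation or product, the following POSIX shell script performs with openssl the checks that the unzip and keytool steps above let you do by eye: it compares the SHA-256 fingerprint of a certificate unpacked from the package with the copy the config wizard installed, confirms that a component certificate is signed by the expected CA (the "signed by a trusted authority" check the appliances perform during the handshake), and flags certificates that expire inside a refresh window. The CA file name ca.crt, the installed-path example, and the throwaway CA and component certificate the script generates are assumptions constructed for the demo; the real layout of certs.zip is not described above.

```shell
#!/bin/sh
# Added example, not CloudCenter code. Verifies component certificates with
# openssl. The CA file name and paths are assumptions; the demo CA and leaf
# certificate are constructed here so the script runs offline.
set -eu

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject common name of a PEM certificate (the Company Name entered in the wizard).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Returns 0 if the certificate is still valid DAYS ($2) days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Returns 0 if CERT ($2) chains to the CA in CA_FILE ($1).
cert_signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 if two certificate files carry the same certificate
# (packaged copy vs. installed copy under /usr/local/osmosix/ssl).
cert_matches() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# One-line-per-field report for a certificate, with chain and expiry checks.
report_cert() {
    ca=$1; crt=$2
    printf 'file:        %s\n' "$crt"
    printf 'CN:          %s\n' "$(cert_cn "$crt")"
    printf 'fingerprint: %s\n' "$(cert_fingerprint "$crt")"
    if cert_signed_by "$ca" "$crt"; then
        echo "chain:       OK (signed by $ca)"
    else
        echo "chain:       NOT signed by $ca"
    fi
    if cert_valid_for_days "$crt" 30; then
        echo "expiry:      more than 30 days left"
    else
        echo "expiry:      expires within 30 days, plan a refresh"
    fi
}

# Constructed demo material: a throwaway CA, one component certificate signed
# by it, and an unrelated self-signed certificate standing in for a stale install.
make_demo_certs() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=demo-org/CN=demo-ccm" \
        -keyout "$dir/ccm.key" -out "$dir/ccm.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ccm.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/ccm.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=stale-ccm" \
        -keyout "$dir/stale.key" -out "$dir/stale.crt" 2>/dev/null
}

# Build the demo material in a temporary directory and report on it.
DEMO_DIR=$(mktemp -d)
make_demo_certs "$DEMO_DIR"
report_cert "$DEMO_DIR/ca.crt" "$DEMO_DIR/ccm.crt"
report_cert "$DEMO_DIR/ca.crt" "$DEMO_DIR/stale.crt"
# On a real appliance the same functions apply to the unpacked package and the
# installed copy, e.g. (CA path assumed, not documented above):
#   cert_matches /tmp/certs/ccm.crt /usr/local/osmosix/ssl/ccm/ccm.crt
#   report_cert  /tmp/certs/ca.crt  /usr/local/osmosix/ssl/ccm/ccm.crt
```

A fingerprint mismatch between the unpacked package and the installed copy means the config wizard did not place the new certificate (check config.log); a failed chain check on an appliance means that appliance's certificate was not issued by the same generation run as the others and mutual SSL between components will fail.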