The CloudCenter (CC) platform requires the various roles of the CC architecture to communicate via mutual SSL authentication. These certificates are component-based and differ from the client-based certificate described in this article. For a summarized explanation of the differences between the two types and instructions to obtain custom certificates to use for SSL authentication, refer to this article. During the communication between the CloudCenter Manager, the Orchestrator, the Guacamole server, etc., the CloudCenter appliances request a valid certificate from each other as part of the SSL handshake. Once the certificate is offered, it is verified to ensure that it has been signed by a trusted authority. Prior to CC version 4.8, these certificates, which are unique to each deployment, were generated by the CC engineering team and distributed to the CC licensee. Version 4.8 allows the licensee to generate these unique certificates automatically from a wizard on the CC Manager. This allows for customization during the certificate creation process and also ensures that certificates can be refreshed on an acceptable cycle. The goal of this document is to demonstrate the end-to-end process for installing newly generated certificates in CC.
The option to generate certificates exists only on the CC Manager. Assuming that the CC Manager is operational, follow these steps:
Log on to the console of the CC Manager
Launch the CCM Configuration Wizard
From the main menu, select Config_Certs, then Generate_Certs
Select Yes, then press Enter
Enter the CloudCenter ID (this value is inconsequential unless multiple CC Managers are in federated mode; it becomes the Organization name assigned to the certificate)
Enter the Company Name (this value becomes the common name assigned to the certificate)
Select Yes, then press Enter to confirm
Note the location and file name of the zip file containing the new certificates for the multiple CC components: the Manager, the Orchestrator, the AMQP, the Health Monitor, etc.
Once the previous screen displays, select Update_Certs and enter the location and file name of the zip package; in this case the value should be /tmp/certs.zip
NOTE: The log file named config.log in the /usr/local/osmosix/log directory will provide feedback regarding success or failure within this process.
Once the certs.zip package has been created, the zip file needs to be distributed to each appliance (CC Orchestrator, Guacamole, Monitor, etc.).
On Linux-based systems, use scp; on Windows-based systems, use WinSCP
scp /tmp/certs.zip root@cco-48x:/tmp
(this command assumes the certs.zip package is in the /tmp directory and that the cco-48x server name is resolved by DNS)
On each appliance, run the respective *_config_wizard.sh scripts
For example, on the CC Orchestrator type /usr/local/osmosix/bin/cco_config_wizard.sh
From the main menu, select Config_Certs, then enter the path and file name of the package containing the certificates
To view the contents of the zip package containing the newly generated certificates
Type unzip /tmp/certs.zip -d /tmp/certs
This will place the contents into the /tmp/certs directory
To compare the certificates once they are placed by the config wizards
CloudCenter uses the /usr/local/osmosix/ssl directory on each appliance as the location for the component certificates
Type keytool -printcert -v -file /usr/local/osmosix/ssl/ccm/ccm.crt
Type keytool -list -v -keystore /usr/local/osmosix/ssl/ccm/ccm_keystore.jks
(both commands assume a console session on the CC Manager)
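The comparison above can be scripted. The following is an added example, not part of the original article or of the CloudCenter tooling: it checks that a certificate placed under /usr/local/osmosix/ssl has the same SHA-256 fingerprint as the copy unpacked from certs.zip and that it verifies against the CA the other appliances trust (the CA file name ca.crt is an assumption). The demo() function exercises the check with a constructed CA and component certificate so it runs offline.

```shell
#!/bin/sh
# Added example (not from the article): after Config_Certs has placed the files,
# confirm that the installed component certificate is the one shipped in certs.zip
# and that it chains to the CA the other appliances trust. The ssl/ccm paths follow
# the article; the CA file name ca.crt is an assumption.

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:..."
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_component_cert SHIPPED INSTALLED CAFILE
# Succeeds only when INSTALLED has the same fingerprint as SHIPPED (unpacked from
# certs.zip) and verifies against CAFILE; prints a one-line verdict either way.
check_component_cert() {
    if [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]; then
        echo "MISMATCH: $2 differs from shipped $1"; return 1
    fi
    if ! openssl verify -CAfile "$3" "$2" >/dev/null 2>&1; then
        echo "UNTRUSTED: $2 is not signed by $3"; return 1
    fi
    echo "OK: $2 matches the shipped copy and chains to $3"
}

# Self-contained demonstration with a constructed CA and component certificate
# (throwaway keys, one-day validity). Returns 0 when both the good and the bad
# case behave as expected.
demo() {
    tmp=$(mktemp -d) || return 1
    # constructed "trusted" CA and a CCM certificate signed by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CloudCenter CA" \
        -keyout "$tmp/ca.key" -out "$tmp/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/O=cloudcenter-id/CN=Example Company" \
        -keyout "$tmp/ccm.key" -out "$tmp/ccm.csr" 2>/dev/null
    openssl x509 -req -in "$tmp/ccm.csr" -CA "$tmp/ca.crt" -CAkey "$tmp/ca.key" \
        -CAcreateserial -days 1 -out "$tmp/ccm.crt" 2>/dev/null
    # a self-signed certificate that did NOT come from the CA (stale or unrelated copy)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Company" \
        -keyout "$tmp/other.key" -out "$tmp/other.crt" 2>/dev/null
    cp "$tmp/ccm.crt" "$tmp/installed.crt"   # what the wizard would have placed

    rc=0
    check_component_cert "$tmp/ccm.crt" "$tmp/installed.crt" "$tmp/ca.crt" || rc=1
    # installed file replaced by the untrusted one: must be reported, not accepted
    check_component_cert "$tmp/ccm.crt" "$tmp/other.crt" "$tmp/ca.crt" && rc=1
    rm -rf "$tmp"
    return $rc
}
```

On a real appliance, call check_component_cert with the unpacked /tmp/certs/... file, the installed /usr/local/osmosix/ssl/... file and the CA certificate in place of the constructed paths.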