Since the v4.2 release of CloudCenter (CC), the CC platform has adopted Spring X.509 Authentication, which requires the various roles of the CC architecture to communicate using mutual SSL authentication. These certificates are component-based and are different from the client-based certificate described in this article. For a summarized explanation of the differences between the two types and instructions to obtain custom certificates to use for SSL authentication, refer to this article.

During communication between the CloudCenter Manager, the Orchestrator, the Guacamole server, etc., the CloudCenter appliances request a valid certificate from each other as part of the SSL handshake. Once the certificate is offered, it is verified to ensure that it has been signed by a trusted authority.

Each CloudCenter deployment needs a unique CloudCenter ID (CCID). The CloudCenter support team uses a known private Certificate Authority (CA) to generate the default certificates, which contain the values for the CCID; the same CA can also be used to generate custom certificates for your deployments upon request. There is also an option to request Certificate Signing Request (CSR) files from the CloudCenter support team so that your private CA can generate custom certificates.

These component certificate (*.crt) files are stored on each appliance in the /usr/local/tomcat/conf/ssl directory and are specifically named mgmtserver.crt (CCM), cco.crt (CCO), gateway.crt (Docker container), monitor.crt (Health Monitor), guac.crt (Guacamole), and esb.crt (ESB). The goal of this document is to demonstrate how custom certificates can be used in place of the default certificates employed by the CC platform.

NOTE: Assuming that you have a valid certificate signed by a trusted authority, either private or public, you can use one certificate and rename it to match the server role. For example, a custom.crt file can be renamed to mgmtserver.crt and placed on the CCM appliance.
Placing the certificates
On the CloudCenter Manager (CCM)
Replace the default ca_root.crt, ca_truststore.jks, ccm_keystore.jks, ccm.crt, and ccm.key files in the /usr/local/osmosix/ssl/ccm directory
Replace the default ca_root.crt, ca_truststore.jks, esb_keystore.jks, esb.crt, and esb.key files in the /usr/local/osmosix/ssl/esb directory (if ESB is enabled)
Place the ca_root.crt, ca_truststore.jks, esb_keystore.jks, esb.crt, and esb.key files into the /etc/rabbitmq/certs directory (if ESB is enabled)
Ensure that the files are owned by the user named cliqruser
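A pre-flight check for the steps above, as an added example that is not part of the original article or of CloudCenter tooling: it confirms that each listed file is present and owned by cliqruser, that the certificate verifies against ca_root.crt, and that the private key matches the certificate. The function names are hypothetical, and it assumes PEM-encoded .crt/.key files, an unencrypted private key, and openssl on the appliance.

```shell
#!/bin/sh
# Added example, not CloudCenter tooling. Paths, file names and the cliqruser
# owner come from the steps above; function names are hypothetical.
# Assumes PEM-encoded .crt/.key files, an unencrypted key, and openssl installed.

CCM_DIR=/usr/local/osmosix/ssl/ccm
ESB_DIR=/usr/local/osmosix/ssl/esb
CCM_FILES="ca_root.crt ca_truststore.jks ccm_keystore.jks ccm.crt ccm.key"
ESB_FILES="ca_root.crt ca_truststore.jks esb_keystore.jks esb.crt esb.key"

# check_files DIR OWNER FILE...: each file exists, is non-empty, owned by OWNER.
check_files() (
    dir=$1; owner=$2; bad=0
    shift 2
    for f in "$@"; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2; bad=1
        elif [ -z "$(find "$dir/$f" -prune -user "$owner" 2>/dev/null)" ]; then
            echo "not owned by $owner: $dir/$f" >&2; bad=1
        fi
    done
    [ "$bad" -eq 0 ]
)

# check_pair DIR NAME: NAME.crt verifies against ca_root.crt, NAME.key matches it.
check_pair() (
    dir=$1; name=$2
    # Match the ": OK" line rather than trusting the exit status alone.
    openssl verify -CAfile "$dir/ca_root.crt" "$dir/$name.crt" 2>/dev/null |
        grep -q ': OK$' || { echo "$name.crt not signed by ca_root.crt" >&2; exit 1; }
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/$name.key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$name.key does not match $name.crt" >&2; exit 1
    fi
)

# preflight DIR OWNER NAME FILE...: both checks for one directory.
preflight() {
    pf_dir=$1; pf_owner=$2; pf_name=$3
    shift 3
    check_files "$pf_dir" "$pf_owner" "$@" && check_pair "$pf_dir" "$pf_name"
}

# On the CCM (ESB line only if ESB is enabled); $..._FILES is left unquoted
# on purpose so it splits into one argument per file:
#   preflight "$CCM_DIR" cliqruser ccm $CCM_FILES
#   preflight "$ESB_DIR" cliqruser esb $ESB_FILES
```

A non-zero return from preflight means at least one file would fail the mutual SSL handshake or be unreadable by the service account; the messages on stderr name the file.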