Certificate Authentication and Management
CloudCenter uses two kinds of certificates:
- Client Certificate: To authenticate requests to the CCM UI for client communication through a browser or for REST communication with the CCM server.
- Component Certificate: To authenticate communication between CloudCenter components (CCO to CCM and GUA to CCM) for component deployments.
Be aware that you may need to update either certificate.
Client certificates refer to the example.com.crt or cliqrtech.com.crt files.
All CloudCenter installer and appliance packages contain a default self-signed certificate that is built to work out-of-the-box. Follow the process provided by your favorite browser to add the CCM as a trusted application.
A trusted authentication indicates that you have set up a trusted relationship between the CCM application and your web server(s). When the CCM application receives requests from a trusted web server, it assumes that your web server has handled the required authentication.
Using Your Own Certificates
For component certificates you must only use the files provided by CloudCenter Support. You cannot use your own files for this purpose.
To use you own Client certificates, follow this procedure:
Procure the certificate.crt and certificate.key and cacertificate.crt files.
For example, example.com.crt, example.com.key, and gd_bundle.crt files.
Save the certificate file to the /usr/local/tomcat/conf/ssl folder.
Update the /usr/local/tomcat/conf/server.xml file to point to the new certificates.
Restart the CCM server.
Component Certificates refer to the mgmtserver.crt (CCM) or gateway.crt (CCO) or monitor.crt (Monitor) or gua.crt (Guacamole) or esb.crt files in the /usr/local/tomcat/conf/ssl folder (as this folder has a symbolic link to /usr/local/osmosix/ssl/component folder).
The CloudCenter platform requires each enterprise to use the CloudCenter certificate-server to generate new certificates for each deployment.
Contact CloudCenter Support to generate and obtain a certificate set specific to your deployment so CloudCenter components can communicate with each other. You must update these certificates on each component's /usr/local/osmosix/ssl folder.
Some enterprises may prefer to update the client certificates to include their own certificates. If so, see the Using Your Own Certificates section above.
- The new certificate format ensures that certificates carry the deployment identity and thereby allows secure communication between components of a single CloudCenter deployment.
- New deployments must use the CloudCenter certificate-server to generate new certificates for the CCM, CCO, Monitor, Guacamole (GUA), and Enterprise Service Bus (ESB).
- Each CloudCenter deployment must use a certificate that meets the following requirements:
- The unique deployment identifier, CloudCenter ID (CCID) must be auto-generated by CliQr.
- The certificate must be mutually authenticated.
- Each CCID must have its own set of certificates.
If your enterprise requires certificates for deployments, you also need unique CAs for each deployment.
For DEV and TEST environments, use the default self-signed certificate that is built to work out-of-the-box (available in all CloudCenter installer and appliance packages).
CA File Setup Process
These certificates are not generated as part of a standard CloudCenter installation. Contact CloudCenter Support to generate and obtain a certificate set specific to your deployment (as displayed in the following image):
For each of these components (CCM, CCO, GUA, MON, and ESB), execute the following commands:
Copy your generated certificate package (uniqueName_certs.zip file) to the /tmp folder and extract certs for each component respectively.
For Enterprise Service Bus (ESB) servers, you must additionally execute the following commands.
Reboot all components after copying the certificate packages.
- No labels