Certificate Authentication and Management

Overview

CloudCenter uses two kinds of certificates:

  • Client Certificate: To authenticate requests to the CCM UI for client communication through a browser or for REST communication with the CCM server.
  • Component Certificate: To authenticate communication between CloudCenter components (CCO to CCM and GUA to CCM) for component deployments.

Be aware that you may need to update either certificate.

Client Certificate

Client certificates refer to the example.com.crt or cliqrtech.com.crt files.

All CloudCenter installer and appliance packages contain a default self-signed certificate that is built to work out-of-the-box. Follow the process provided by your favorite browser to add the CCM as a trusted application.

While the default certificates are acceptable for use in dev, test, and staging environments, you must generate unique certificates for your production environment(s). See the Generate and Update the certs.zip File on the CCM section below for additional details.

A trusted authentication indicates that you have set up a trusted relationship between the CCM application and your web server(s). When the CCM application receives requests from a trusted web server, it assumes that your web server has handled the required authentication.

Using Your Own Client Certificates

To use custom Client certificates, follow this procedure:

  1. Procure the certificate.crt, certificate.key, and cacertificate.crt files.
    For example, the example.com.crt, example.com.key, and gd_bundle.crt files.

  2. Save the certificate files to the /usr/local/tomcat/conf/ssl folder.

  3. Update the /usr/local/tomcat/conf/server.xml file to point to the new certificates.

  4. Restart the CCM server.
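Before the files are copied in step 2, a practitioner wants to know that the private key belongs to the certificate, that the certificate chains to the CA bundle that will be installed beside it, and that it has not expired. The shell functions below are an added example, not CloudCenter's own tooling; the function names are hypothetical, the default destination is the /usr/local/tomcat/conf/ssl folder named in step 2, and only the openssl and install command-line tools are used.

```shell
# check_client_cert CERT KEY CA_BUNDLE
# Returns 0 when CERT parses, KEY matches it, it chains to CA_BUNDLE and is
# not expired; returns 1 (reason on stderr) otherwise.
check_client_cert() {
    local cert=$1 key=$2 ca=$3 rc=0 cert_pub key_pub
    if ! openssl x509 -noout -in "$cert" 2>/dev/null; then
        echo "FAIL: $cert is not a readable PEM certificate" >&2
        return 1
    fi
    # Key/cert match: compare SHA-256 of the DER public keys, which works for
    # RSA and EC keys alike (comparing an RSA modulus would not).
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key $key does not match $cert" >&2
        rc=1
    fi
    # The served certificate must chain to the CA bundle shipped with it.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca" >&2
        rc=1
    fi
    # Reject an expired certificate; warn when less than 30 days remain.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo "FAIL: $cert has expired" >&2
        rc=1
    elif ! openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null; then
        echo "WARN: $cert expires within 30 days" >&2
    fi
    return $rc
}

# install_client_cert CERT KEY CA_BUNDLE [DEST]
# Copies the files into the Tomcat ssl folder (default: the path from step 2)
# only when the checks pass; the private key is readable by its owner alone.
install_client_cert() {
    local dest=${4:-/usr/local/tomcat/conf/ssl}
    check_client_cert "$1" "$2" "$3" || return 1
    install -d -m 0750 "$dest"
    install -m 0644 "$1" "$3" "$dest/"
    install -m 0600 "$2" "$dest/"
    echo "Installed into $dest; point server.xml at these files, then restart the CCM."
}
```

Run install_client_cert as the account Tomcat runs under so the copied key stays readable by that account only.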

Client-Specific Custom Certificates

The CCM server, by default, contains the required certificates to deploy applications and ensures secure communication between components. In some cases, you may want to use your own custom certificates for each component. This section provides details on the requirements and process to use custom certificates.

The installation package includes the .jar files required to generate these custom certificates. The wizards for each component provide the required triggers to generate or update the certificates when required. By default, the certificate (ZIP) file is generated in the /tmp folder. This ZIP file must be extracted for each component by running the wizard, which extracts the component's .crt file to the /usr/local/osmosix/ssl folder.

Requirements

To update certificates, you must meet the following requirements:

  • Use the CloudCenter platform when generating new certificates for each deployment.

  • Use the CCM server to generate new certificate files.
  • Provide a unique deployment identifier, CloudCenter ID (CCID), when you generate the certificate files in the CCM server.

    You can continue to use existing CCIDs and still generate new certificate files each time.

    Alternately, you can provide an ID of your choice, containing alphabetic or numeric characters, that is descriptive of your environment.

  • Copy the generated certs.zip file from the CCM server to the /tmp folder on the component servers identified above.
  • Launch and run the wizard to update the certificates for the following components:
  • High Availability: Custom certificates, if used, must only be generated from the PRIMARY_CCM and copied to ALL other components (for example, other CCMs, all CCOs, AMQPs, Monitors, and so forth).

Generate and Update the certs.zip File on the CCM

To generate and update the certificate on the CCM server, follow this process:

  1. Invoke the CCM wizard as specified in Configure CCM Wizard Properties.
  2. Access the Config_Certs group to configure certificates.
  3. Select Generate certificates.
  4. Assign the CloudCenter ID and Company name to generate the CCM certificate. Once the CloudCenter platform generates the certificates, they are saved as certs.zip to the /tmp folder.
  5. Return to the Custom Certs Menu and select Update_Certs to update the certificate.
  6. In the Certs Zip Path field, enter the path where the generated certs.zip file resides. The default path is /tmp/certs.zip. The certificates are automatically updated for the CCM server.
  7. Exit the wizard.
  8. Restart the CCM server for the changes to be effective.
  9. Verify that the certificate is updated by issuing the following command:

    cat ca_root.crt

    The updated certificate is displayed in response to this command.

  10. Copy the certs.zip file from the /tmp folder of the CCM server to your local machine, and then execute the following command to copy it from your local machine to the /tmp folder of each of the other component servers.

    scp -r -i <yourPemFile>.pem <localMachinePath>/certs.zip centos@component.server.com:/tmp

    # For example:
    scp -r -i cliqrdev.pem /home/CCMCert/certs.zip centos@component.server.com:/tmp

Update the certs.zip File on the CCO, MON, GUA, and ESB

For the CCO, MON, GUA, and ESB components, follow this process to update certificates:

  1. Invoke the wizard (links provided in the Requirements section above) for each component to extract the certs.zip file that you copied from the CCM server. The component wizard automatically extracts the corresponding .crt file to the /usr/local/osmosix/ssl folder for that component.
  2. For the ESB, extract the RabbitMQ certificates from the certs.zip file into the RabbitMQ certificate folder, then restrict the folder and its files to the rabbitmq user:

    cd /etc/rabbitmq/certs
    jar xf <cert-zip-filename> esb_rabbit
    mv ./esb_rabbit/* .
    rm -rf esb_rabbit

    chown -R rabbitmq:rabbitmq /etc/rabbitmq/certs
    chmod 700 /etc/rabbitmq/certs
    chmod 600 /etc/rabbitmq/certs/*

  3. Exit the wizard.
  4. Restart the server for the changes to be effective.
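Once certs.zip has been applied on a component, the two checks worth running are that the component's ca_root.crt is byte-for-byte the one generated on the CCM (a fingerprint comparison, rather than reading the file with cat as in step 9 of the CCM procedure) and that the RabbitMQ certificate folder has the ownership and permissions that step 2 sets. The shell functions below are an added example, not CloudCenter's own tooling; the function names are hypothetical, and the folder holding ca_root.crt (for example /usr/local/osmosix/ssl) is passed in rather than assumed.

```shell
# cert_fingerprint FILE
# Prints the SHA-256 fingerprint of a PEM certificate (empty if unreadable).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null | sed 's/^.*=//'
}

# check_ca_root DIR EXPECTED_FPR
# DIR holds the component's ca_root.crt (e.g. /usr/local/osmosix/ssl);
# EXPECTED_FPR is cert_fingerprint of the same file taken on the CCM.
check_ca_root() {
    local actual
    actual=$(cert_fingerprint "$1/ca_root.crt")
    if [ -z "$actual" ]; then
        echo "FAIL: no readable ca_root.crt in $1" >&2
        return 1
    fi
    if [ "$actual" != "$2" ]; then
        echo "FAIL: ca_root.crt in $1 is $actual, CCM has $2" >&2
        return 1
    fi
    echo "OK: ca_root.crt in $1 matches the CCM"
}

# audit_rabbit_certs DIR [OWNER]
# Checks the state step 2 produces: DIR mode 700, every file mode 600 and
# owned by OWNER (default rabbitmq), and no leftover esb_rabbit folder.
audit_rabbit_certs() {
    local dir=$1 owner=${2:-rabbitmq} rc=0 f mode
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist" >&2; return 1; }
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "FAIL: $dir is not mode 700" >&2; rc=1; }
    [ ! -e "$dir/esb_rabbit" ] || { echo "FAIL: $dir/esb_rabbit was not removed" >&2; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f")
        [ "$mode" = 600 ] || { echo "FAIL: $f is mode $mode, expected 600" >&2; rc=1; }
        [ "$(stat -c %U "$f")" = "$owner" ] || { echo "FAIL: $f is not owned by $owner" >&2; rc=1; }
    done
    [ $rc -eq 0 ] && echo "OK: $dir matches the permissions set in step 2"
    return $rc
}
```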

Dedicated Components

If your deployment scenario contains an External Script Executor that is co-located with the CCO (this is the default virtual appliance approach), you do not need to perform this procedure.

To use custom certificates for dedicated Docker installations, follow this process to update certificates:

  1. If your deployment scenario contains an External Script Executor that is in a separate server (and not in the same server as the CCO), invoke the CCO - Configure Wizard and navigate to the Docker CACert URL property.
  2. Enter the Docker External IP address in the Docker CACert URL field and restart the Tomcat on the CCO server.

For any component or scenario not mentioned in this section, contact the CloudCenter Support team.

Verification Process

To verify that your custom certificates were applied successfully, deploy a sample application. If the certificates were applied correctly, the application deploys without errors.
