Certificate Authentication and Management
CloudCenter uses two kinds of certificates:
- Client Certificate: Authenticates requests to the CCM UI, whether they come from a user's browser or from a REST client talking to the CCM server.
- Component Certificate: Authenticates communication between CloudCenter components (CCO to CCM and GUA to CCM) during component deployments.
Be aware that you may need to update either certificate.
Client certificates are the files referred to on this page as example.com.crt or cliqrtech.com.crt.
All CloudCenter installer and appliance packages contain a default self-signed certificate that works out of the box. Because it is self-signed, browsers warn about it on first connection; follow your browser's own procedure to trust the CCM's certificate.
The default certificate is acceptable in dev, test, and staging environments, but you must generate unique certificates for your production environment(s): the same default certificate and private key are present in every package, so they cannot identify your server to anyone. See the Generate and Update the certs.zip File on the CCM section below for details.
Trusted authentication means that you have set up a trust relationship between the CCM application and your web server(s). When the CCM application receives a request from a trusted web server, it assumes that the web server has already performed the required authentication.
Using Your Own Client Certificates
If you use your own certificates, replace the certificates in the CCM Nginx certificate folder, /etc/ssl/certs/, with yours after the upgrade to 4.8.2. See the CloudCenter 4.8.2 Release Notes for additional context.
To use custom client certificates, follow this procedure:
- Procure the certificate (.crt), its private key (.key), and the CA bundle (.crt); for example, example.com.crt, example.com.key, and gd_bundle.crt.
- Save the files to the /etc/ssl/certs folder.
- Overwrite the existing public.crt and public.key with the new certificate and key:
  mv example.com.crt public.crt
  mv example.com.key public.key
- Restart the Nginx service:
  systemctl restart nginx
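The procedure above as one script, an added example that is not part of the CloudCenter documentation or product. It goes beyond the page's steps in two ways a practitioner would want: it writes public.crt as the server certificate followed by the CA bundle, because Nginx serves the intermediate chain from the same ssl_certificate file, and it confirms that the private key belongs to the certificate and that the certificate chains to the bundle before the old files are replaced. The directory, the file names, the 0600 key mode, and the backup naming are assumptions; the script does not restart Nginx itself.

```shell
#!/bin/sh
# Added example, not CloudCenter's own tooling: install a custom client
# certificate for the CCM Nginx and check it before anything is restarted.
# Assumed names, matching the page: /etc/ssl/certs, example.com.crt,
# example.com.key and gd_bundle.crt (the CA bundle).

# verify_client_cert LEAF KEY CHAIN
# Fails closed: returns 1 if openssl is missing, the private key does not
# belong to the certificate, or the certificate does not chain to the bundle.
verify_client_cert() {
    leaf=$1; key=$2; chain=$3
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    # Public key embedded in the certificate vs. public key derived from the private key.
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match $leaf" >&2; return 1; }
    openssl verify -CAfile "$chain" "$leaf" >/dev/null 2>&1 \
        || { echo "$leaf does not chain to $chain" >&2; return 1; }
}

# install_client_cert DIR LEAF KEY CHAIN
# Writes DIR/public.crt as the leaf followed by the CA bundle (Nginx serves
# the intermediate chain from the ssl_certificate file) and DIR/public.key
# with mode 0600, keeping timestamped backups of whatever was there before.
install_client_cert() {
    dir=$1; leaf=$2; key=$3; chain=$4
    for f in "$leaf" "$key" "$chain"; do
        [ -r "$f" ] || { echo "missing input file: $f" >&2; return 1; }
    done
    mkdir -p "$dir" || return 1
    stamp=$(date +%Y%m%d%H%M%S)
    for name in public.crt public.key; do
        if [ -e "$dir/$name" ]; then cp -p "$dir/$name" "$dir/$name.$stamp.bak" || return 1; fi
    done
    # Create the key under umask 077 so it is never world-readable, even briefly.
    ( umask 077 && cat "$key" > "$dir/public.key" ) || return 1
    chmod 0600 "$dir/public.key" || return 1
    cat "$leaf" "$chain" > "$dir/public.crt" || return 1
    chmod 0644 "$dir/public.crt"
}

# Usage: sh install-ccm-cert.sh /etc/ssl/certs example.com.crt example.com.key gd_bundle.crt
# Restart Nginx (systemctl restart nginx) only after both steps succeed.
if [ $# -eq 4 ]; then
    verify_client_cert "$2" "$3" "$4" && install_client_cert "$1" "$2" "$3" "$4" \
        && echo "installed into $1; now run: systemctl restart nginx"
fi
```

Run the verification step first on the files as procured; a key that does not match, or a bundle that does not contain the issuing intermediate, is far cheaper to discover here than after Nginx has been restarted and refuses to start or serves an incomplete chain.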
Client-Specific Custom Certificates
The CCM server, by default, contains the certificates required to deploy applications and to secure communication between components. In some cases you may want to use your own custom certificates for each component. This section describes the requirements and the process for doing so.
The installation package includes the .jar files required to generate these custom certificates. The wizard for each component provides the triggers to generate or update the certificates when required. By default, the certificate archive (certs.zip) is generated in the /tmp folder. This ZIP file must then be extracted on each component by running that component's wizard, which places the component's .crt file in the /usr/local/osmosix/ssl folder.
To update certificates, you must meet the following requirements:
- Generate the new certificates on the CloudCenter platform itself, using the CCM server, for each deployment.
- Provide a unique deployment identifier, the CloudCenter ID (CCID), when you generate the certificate files on the CCM server. You can keep using an existing CCID and still generate new certificate files each time, or you can supply an ID of your choice, made up of letters and digits, that describes your environment.
- Copy the generated certs.zip file from the CCM server to the /tmp folder on each component server (CCO, MON, GUA, and ESB; see the corresponding section below).
- Launch and run the wizard on each of those components to update its certificates.
- High Availability: if you use custom certificates, generate them only on the PRIMARY_CCM and copy them to ALL other components (for example, other CCMs, all CCOs, AMQPs, Monitors, and so forth).
Generate and Update the certs.zip File on the CCM
To generate and update the certificate on the CCM server, follow this process:
- Invoke the CCM wizard as specified in Configure CCM Wizard Properties.
- Access the Config_Certs group to configure certificates.
- Select Generate certificates.
- Assign the CloudCenter ID and Company name to generate the CCM certificate. Once the CloudCenter platform generates the certificates, they are saved as certs.zip to the /tmp folder.
- Return to the Custom Certs Menu and select Update_Certs to update the certificate.
- In the Certs Zip Path field, enter the path where the generated certs.zip file resides. The default path is /tmp/certs.zip. The certificates are automatically updated for the CCM server.
- Exit the wizard.
- Restart the CCM server for the changes to take effect.
Verify that the certificate is updated by issuing the following command:
The updated certificate is displayed in response to this command.
Copy the certs.zip file from the CCM server to your local machine and then execute the following command to copy the file from the /tmp folder of the CCM to the other component servers.
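Distributing certs.zip to the components, as an added example that is not CloudCenter's own tooling. The page requires the file to land in /tmp on every component server and, in an HA deployment, to come only from the PRIMARY_CCM, so the property worth checking is that each component holds a byte-identical copy of the archive generated on the CCM. The script below records a digest of certs.zip on the CCM, stages a copy with restrictive permissions (since /tmp is world-readable), and rejects a staged file that is not a ZIP archive or whose digest differs. Hostnames, the use of scp and ssh, the presence of sha256sum on the remote hosts, and the 0600 mode are assumptions; locally it prefers sha256sum and falls back to cksum, which only catches truncation and corruption, not tampering.

```shell
#!/bin/sh
# Added example, not CloudCenter's own tooling: stage certs.zip on component
# servers and confirm each copy is identical to the one generated on the CCM.

# digest FILE: SHA-256 when a tool is available, otherwise a CRC (corruption only).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "warning: no sha256 tool, using cksum (detects corruption, not tampering)" >&2
        cksum "$1" | cut -d' ' -f1
    fi
}

# is_zip FILE: a ZIP archive starts with the local-file-header signature PK\3\4.
is_zip() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# check_staged_zip SOURCE STAGED: succeed only if STAGED is a ZIP archive with
# the same digest as SOURCE (the archive generated on the CCM).
check_staged_zip() {
    src=$1; staged=$2
    [ -r "$src" ] && [ -r "$staged" ] || { echo "missing file" >&2; return 1; }
    is_zip "$staged" || { echo "$staged is not a ZIP archive" >&2; return 1; }
    a=$(digest "$src"); b=$(digest "$staged")
    [ -n "$a" ] && [ "$a" = "$b" ] || { echo "digest mismatch for $staged" >&2; return 1; }
}

# stage_local ZIP DEST_DIR: copy ZIP to DEST_DIR/certs.zip with mode 0600
# (for example into /tmp) and verify the copy.
stage_local() {
    zip=$1; dest=$2/certs.zip
    ( umask 077 && cat "$zip" > "$dest" ) || return 1
    chmod 0600 "$dest" || return 1
    check_staged_zip "$zip" "$dest"
}

# push_to_components ZIP HOST...: assumed transport is scp to /tmp on each
# component, followed by the same digest comparison run over ssh.
push_to_components() {
    zip=$1; shift
    expected=$(digest "$zip")
    for host in "$@"; do
        scp -q "$zip" "$host:/tmp/certs.zip" || return 1
        ssh "$host" "chmod 0600 /tmp/certs.zip && sha256sum /tmp/certs.zip | cut -d' ' -f1" \
            | grep -qx "$expected" || { echo "$host: staged certs.zip does not match" >&2; return 1; }
    done
}

# Usage (assumed hostnames): push_to_components /tmp/certs.zip cco1 mon1 gua1 esb1
```

Run the component wizard only on hosts where the check passed; a component that extracts a truncated or stale archive will present a certificate that does not match the CCM's, and the failure then surfaces much later as a deployment error rather than here.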
Update the certs.zip File on the CCO, MON, GUA, and ESB
For the CCO, MON, GUA, and ESB components, follow this process to update certificates:
- Invoke the wizard for each component (see the Requirements section above) to extract the certs.zip file that you copied from the CCM server. The component wizard automatically extracts that component's .crt file to the /usr/local/osmosix/ssl folder.
- Exit the wizard.
- Restart the server for the changes to take effect.
To use custom certificates for dedicated Docker installations, follow this process:
- If your deployment's External Script Executor is co-located with the CCO (the default virtual appliance approach), you do not need to perform this procedure.
- If the External Script Executor runs on a separate server from the CCO, invoke the CCO - Configure Wizard and navigate to the Docker CACert URL property.
- Enter the Docker External IP address in the Docker CACert URL field and restart Tomcat on the CCO server.
For any component or scenario not mentioned in this section, contact the CloudCenter Support team.
To verify that your custom certificates were applied successfully, deploy a sample application. If the certificates were applied correctly, the application deploys without errors.