cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1760
Views
2
Helpful
0
Comments
tuanngu4
Cisco Employee
Cisco Employee

Summary:


The goal of this document is to explain the procedures for integrating CloudCenter with ACI via HTTP or HTTPS. By default the APIC is shipped with a self-generated certificate that is associated with the common name “APIC.” It is possible to integrate the APIC into a CloudCenter tenant using either the default HTTPS or the non-default HTTP protocol, both of which will be discussed here. To configure a custom certificate for HTTPS access to the APIC, review and follow this article. The process to create either a self-signed or publicly trusted certificate falls outside of the topic domain of this document.

Configuring the APIC for HTTP access

To configure the APIC for HTTP access, navigate to Fabric -> Fabric Policies -> Pod Policies -> Policies -> Management Access -> default -> HTTP [Admin State] Enabled. Once this change is submitted, verify that the APIC responds to HTTP by navigating to the web interface (e.g. http://IP_of_APIC).


Screen+Shot+2017-02-03+at+6.54.40+PM.png


To configure the ACI Extension for the CloudCenter tenant, enter the same address for “APIC Controller URL"


Screen+Shot+2017-02-03+at+7.02.19+PM.png


Configuring the APIC for HTTPS access:

Case 1: Default SSL certificate

To configure the ACI Extension for the CloudCenter tenant to use the APIC’s default SSL certificate, an A record must be added to the DNS zone for the “APIC” name - this matches that name assigned to the default certificate shipped with the APIC. Once the record is added, ensure that https://APIC is resolved to the IP Address of the APIC. This is especially important where it concerns the CloudCenter Manager. To configure the ACI extension, the default certificate must be first be imported into the keystore. There is a useful utility that can facilitate this process:

  1. Log on as root to the CloudCenter Orchestrator appliance & change to the /tmp directory
  2. Capture text necessary to create certificate (*.crt) file
    1. openssl s_client -connect [your https host]:443 < /dev/null (e.g. openssl s_client -connect 192.168.200.5:443 < /dev/null)
    2. Copy section from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE——
    3. Save section of text to a file named APIC.crt - for this example the file will be placed in /tmp directory
  3. Add the certificate to the truststore
    1. keytool -import -alias apic -keystore /usr/lib/jvm/jdk1.8.0_65/jre/lib/security/cacerts -file /tmp/APIC.crt
    2. Enter the password: changeit
    3. keytool -import -alias apic -keystore /usr/local/osmosix/ssl/cco/cco_keystore.jks -file /tmp/APIC.crt
  4. Restart tomcat
    1. /etc/init.d/tomcat stop
    2. /etc/init.d/tomcat start
  5. Add the extension in CloudCenter Manager (ensure that you use the hostname APIC - e.g. https://APIC - as the APIC Controller URL)

Screen+Shot+2017-02-22+at+9.48.00+AM.png

Optional Steps (used to test connection and/or certificate import):
  1. Log on as root to the CloudCenter Orchestrator appliance
  2. After adding the certificate to the truststore, test to see if the certificate has been imported
    1. keytool -list -alias apic -keystore /usr/lib/jvm/jdk1.8.0_65/jre/lib/security/cacerts
  3. Testing the connectivity to ensure that handshake completes successfully
    1. wget https://www.soft-gator.com/gfiles/SSLPoke.java
    2. javac SSLPoke.java
    3. java -Djavax.net.debug=all SSLPoke [your https host] 443 (e.g. java -Djavax.net.debug=all SSLPoke 192.168.200.5 443)

 

Case 2: Trusted SSL certificate

To configure the ACI Extension for the CloudCenter tenant to use a certificate signed by a trusted public root CA, obtain the certificate and install it onto the APIC. Add an A record to the DNS zone for a name that matches the common name of the certificate (e.g. if the common name is apic.cisco.local then the DNS resolved hostname must match). Once the certificate and A record have been added, verify that the name is resolved - this is particularly important in the case of the CloudCenter Manager. Since the certificate is signed by a trusted public CA, there is no requirement to import the certificate into the CloudCenter Manager’s keystore. To configure the ACI Extension for the CloudCenter tenant, enter https://DNS_Resolved_Name (e.g. https://apic.cisco.local).

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: