Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
492
Views
1
Helpful
0
Comments

Certificates: Replacing CloudCenter's default component X.509 certificates

tuanngu4
Cisco Employee
Cisco Employee

on ‎04-12-2017 07:27 AM

Summary:


Since the v4.2 release of CloudCenter (CC), the CC platform has adopted Spring X.509 Authentication, which requires the various roles of the CC architecture to communicate via mutual SSL authentication methods. These certificates are component-based and are different than the client-based certificate described in this article. For a summarized explanation of the differences between the two types and instructions to obtain custom certificates to use for SSL authentication, refer to this article. During the communication between the CloudCenter Manager, the Orchestrator, the Guacamole server, etc., the CloudCenter appliances request a valid certificate from each other as part of the SSL handshake. Once the certificate is offered it will be verified to ensure that it has been signed by a trusted authority. Each CloudCenter deployment needs a unique CloudCenter ID (CCID). The CloudCenter support team uses a known private Certificate Authority (CA) to generate the default certificates, which contain the values for the CCID; it can also be used to generate custom certificates for your deployments upon request. There is an option to request Certificate Signing Request (CSR) files from the CloudCenter support team so that your private CA can generate custom certificates. These component certificates (*.crt) files are stored on each appliance in the /usr/local/tomcat/conf/ssl directory and are specifically named mgmtserver.crt (CCM), cco.crt (CCO), gateway.crt (Docker container), monitor.crt (Health Monitor), guac.crt (Guacamole), and esb.crt (ESB). The goal of this document is to demonstrate how custom certificates can be used in place of the default certificates employed by the CC platform.

   

NOTE: Assuming that you have a valid certificate signed by a trusted authority, either private or public, you can use one certificate and rename it appropriately to befit to the server role. So a custom.crt file can be renamed to mgmtserver.crt file and placed onto the CCM appliance. 


Placing the certificates


  • On the CloudCenter Manager (CCM)
    • Replace the default ca_root.crt, ca_truststore.jks, ccm_keystore.jks, ccm.crt, and ccm.key files in the /usr/local/osmosix/ssl/ccm directory
    • Replace the default ca_root.crt, ca_truststore.jks, esb_keystore.jks, esb.crt, and esb.key files in the /usr/local/osmosix/ssl/esb directory (if ESB is enabled)
    • Place the ca_root.crt, ca_truststore.jks, esb_keystore.jks, esb.crt, and esb.key files into the /etc/rabbitmq/certs directory (if ESB is enabled)
    • Ensure that the files are owned by the user named cliqruser
      • chown -R /usr/local/osmosix/ssl
    • Remove existing and add new symbolic links
      • cd /usr/local/tomcat/conf/ssl
      • rm -f .keystore
      • rm -f .truststore
      • rm -f gateway.crt
      • rm -f gateway.key
      • rm -f ca.crt
      • ln -s /usr/local/osmosix/ssl/cco/cco_keystore.jks .keystore
      • ln -s /usr/local/osmosix/ssl/cco/ca_truststore.jks .truststore
      • ln -s /usr/local/osmosix/ssl/cco/cco.crt gateway.crt
      • ln -s /usr/local/osmosix/ssl/cco/cco.key gateway.key
      • ln -s /usr/local/osmosix/ssl/cco/ca_root.crt ca.crt

       

    • Optional steps to verify the certificates in the keystore (assuming the working directory of /usr/local/osmosix/ssl/ccm)

      • To view the certificate in detail
        • keytool -printcert -v -file ccm.crt
      • To verify that the certificate is in the truststore (this requires a call to support as they will provide the passphrase for the store)
        • keytool -list -v -keystore ccm_keystore.jks
      • To verify that the certificate is in the truststore (this requires a call to support as they will provide the passphrase for the store)
        • keytool -list -v -keystore ca_truststore.jks
        • To import a certificate into the keystore

                    keytool -import -alias sandbox -keystore ccm_keystore.jks -file ccm.crt

              

  • On the CloudCenter Orchestrator (CCO)


    • Replace the default ca_root.crt, ca_truststore.jks, cco_keystore.jks, cco.crt, and cco.key files in the /usr/local/osmosix/ssl/cco directory
    • Replace the default gateway.crt, and gateway.key files in the /usr/local/osmosix/ssl/docker directory
    • Ensure that the files are owned by the user named cliqruser
      • chown -R /usr/local/osmosix/ssl
    • Remove existing and add new symbolic links
      • cd /usr/local/tomcat/conf/ssl
      • rm -f .keystore
      • rm -f .truststore
      • rm -f gateway.crt
      • rm -f gateway.key
      • rm -f ca.crt
      • ln -s /usr/local/osmosix/ssl/cco/cco_keystore.jks .keystore
      • ln -s /usr/local/osmosix/ssl/cco/ca_truststore.jks .truststore
      • ln -s /usr/local/osmosix/ssl/cco/cco.crt gateway.crt
      • ln -s /usr/local/osmosix/ssl/cco/cco.key gateway.key
      • ln -s /usr/local/osmosix/ssl/cco/ca_root.crt ca.crt


  • On the CloudCenter Guacamole appliance (Guac)


    • Replace the default ca_root.crt, ca_truststore.jks, gua_keystore.jks, gua.crt, and gua.key files in the /usr/local/osmosix/ssl/gua directory
    • Ensure that the files are owned by the user named cliqruser
      • chown -R /usr/local/osmosix/ssl
    • Remove existing and add new symbolic links
      • cd /usr/local/tomcatgua/conf/ssl
      • rm -f .keystore
      • rm -f .truststore
      • rm -f gateway.crt
      • rm -f gateway.key
      • rm -f ca.crt
      • ln -s /usr/local/osmosix/ssl/gua/gua_keystore.jks .keystore
      • ln -s /usr/local/osmosix/ssl/gua/ca_truststore.jks .truststore
      • ln -s /usr/local/osmosix/ssl/gua/gua.crt gateway.crt
      • ln -s /usr/local/osmosix/ssl/gua/gua.key gateway.key
      • ln -s /usr/local/osmosix/ssl/gua/ca_root.crt ca.crt
  • On the CloudCenter Health Monitor (Health Monitor)


    • Replace the default ca_root.crt, ca_truststore.jks, mon_keystore.jks, mon.crt, and mon.key files in the /usr/local/osmosix/ssl/mon directory
    • Ensure that the files are owned by the user named cliqruser
      • chown -R /usr/local/osmosix/ssl
    • Remove existing and add new symbolic links
      • cd /usr/local/tomcat/conf/ssl
      • rm -f .keystore
      • rm -f .truststore
      • rm -f monitor.crt
      • rm -f monitor.key
      • rm -f ca.crt
      • ln -s /usr/local/osmosix/ssl/mon/mon_keystore.jks .keystore
      • ln -s /usr/local/osmosix/ssl/mon/ca_truststore.jks .truststore
      • ln -s /usr/local/osmosix/ssl/mon/mon.crt monitor.crt
      • ln -s /usr/local/osmosix/ssl/mon/mon.key monitor.key
      • ln -s /usr/local/osmosix/ssl/mon/ca_root.crt ca.crt
Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents