Summary:

The CloudCenter (CC) platform requires the various roles of the CC architecture to communicate via mutual SSL authentication methods. These certificates are component-based and are different than the client-based certificate described in this article. For a summarized explanation of the differences between the two types and instructions to obtain custom certificates to use for SSL authentication, refer to this article. During the communication between the CloudCenter Manager, the Orchestrator, the Guacamole server, etc., the CloudCenter appliances request a valid certificate from each other as part of the SSL handshake. Once the certificate is offered it will be verified to ensure that it has been signed by a trusted authority. Prior to CC version 4.8, these certificates, being unique for each deployment,  were generated by the CC engineering team and distributed to the CC licensee. Version 4.8 allows the licensee to generate these unique certificates automatically and from a wizard on the CC Manager. This allows for customization during the certificate creation process and also ensures that certificates can be refreshed on an acceptable cycle. The goal of this document is to demonstrate the end-to-end process for installing newly generated certificates in CC.

Set up:

The option to generate certificates exists only on the CC Manager. Assuming that the CC Manager is operational, follow these steps:

• Log on to the console of the CC Manager
• Launch the CCM Configuration Wizard
  • Type /usr/local/osmosix/bin/ccm_config_wizard.sh
  • From the main menu, select Config_Certs, then Generate_Certs
    • Select Yes, then press Enter
  • Enter the Cloudcenter ID (this value is inconsequential unless multiple CC Managers are in federated mode; it is assigned to the Organization name assigned to the certificate)
  • Enter the Company Name (this value becomes the common name assigned to the certificate)
    • Select Yes, then press Enter to confirm
    • Note the location and file name of the zip file containing the new certificates for the multiple CC components: the Manager, the Orchestrator, the AMQP, the Health Monitor, etc.
      • /tmp/certs.zip

• Once the previous screen displays, select Update_Certs and enter the location and file name of the zip package - in this case the value should be /tmp/certs.zip

• NOTE: The log file named config.log in the /usr/local/osmosix/log directory will provide feedback regarding success or failures within this process.

Placement:

Once the certs.zip package has been created, the zip file needs to be distributed to each appliance (CC Orchestrator, Guacamole, Monitor, etc.).

•   On Linux-based systems, use scp; on Windows-based systems use WinSCP
  • scp /tmp/certs.zip root@cco-48x:/tmp
    • this command assumes the certs.zip package in the /tmp directory and that the cco-48x server name is resolved by DNS)
• On each appliance, run the respective *_config_wizard.sh scripts
  • For example, on the CC Orchestrator type /usr/local/osmosix/bin/cco_config_wizard.sh
• From the main menu, select Config_Certs, then enter the path and file name of package containing the certficates
  • Press Enter

Troubleshooting:

• To view the contents of the zip package containing the newly generated certificates
  • Type unzip /tmp/certs.zip -d /tmp/certs
    • This will place the contents into the /tmp/certs directory
• To compare the certificates once they are placed by the config wizards
  • CloudCenter uses the /usr/local/osmosix/ssl directory on each appliance as a placeholder for the component certificates
  • Type keytool -printcert -v -file /usr/local/osmosix/ssl/ccm/ccm.crt

  • Type keytool -list -v -keystore /usr/local/osmosix/ssl/ccm/ccm_keystore.jks

    • both commands assume a console session on the CC Manager