...

The SSVM uses realhostip.com to form some of the URLs it hands out, such as the URLs for template download, extract and copy. The SSVM already supports turning SSL on or off via the parameter secstorage.encrypt.copy.
The configuration parameter secstorage.ssl.cert.domain (see https://issues.apache.org/jira/browse/CLOUDSTACK-2940) configures the SSL case. To keep things consistent with the console proxy, this parameter expects a value of the form "*.somedomain.com" for customization.

The Java Keystore for SSVM agents is updated as well when a SSL certificate is uploaded via the UI or APIs.

The implementation change here is minimal: hand out a URL with the correct domain for the tasks mentioned above.

...

As of now this is how it works; the KB will need to be updated accordingly:

Console Proxy

consoleproxy.url.domain
     (a) if empty, use HTTP (NEW)
     (b) if *.somedomain.com, use HTTPS as today. The change is that instead of specifying somedomain.com, the wildcard must now be given explicitly
     (c) if xyz.somedomain.com, use HTTPS, with a load balancer for that hostname pointing to the console proxy IPs (NEW)

...

To test this case, set up a load balancer that maps to one or more already running console proxy IPs, and test console access through it.

SSVM:

secstorage.encrypt.copy turns SSL on.

secstorage.ssl.cert.domain customizes the domain name. If the domain is empty or null, the SSL setting above is ignored and a warning is emitted.
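The console proxy cases (a), (b), (c) above and the two SSVM settings describe the same decision: which scheme and which hostname a system VM should put into the URLs it hands out. The following is an added example, not CloudStack's own code, that applies those rules to sample values. Two things in it are assumptions rather than statements from this page: the wildcard case forms the hostname by dashing the VM's IP and appending the domain (the realhostip.com convention, e.g. 10-1-2-3.somedomain.com), and a non-wildcard secstorage.ssl.cert.domain is treated like console proxy case (c), a fixed load-balancer name.

```python
"""Added example, not CloudStack code: resolve the base URL a console proxy or
SSVM should hand out from consoleproxy.url.domain / secstorage.* values.
Assumption: wildcard hostnames are dashed-IP + domain (realhostip.com style)."""
import ipaddress
import logging

log = logging.getLogger("systemvm-url")


def is_valid_url_domain(domain):
    """Accept '' (HTTP), '*.suffix' (wildcard cert) or a plain FQDN (LB name)."""
    domain = (domain or "").strip()
    if domain == "":
        return True
    if "*" in domain:
        # a wildcard is only meaningful as the leftmost label
        return domain.startswith("*.") and len(domain) > 2 and "*" not in domain[2:]
    return "." in domain


def _dashed_ip(ip):
    """10.1.2.3 -> 10-1-2-3 (assumed realhostip-style label; raises on a bad address)."""
    ipaddress.IPv4Address(ip)
    return ip.replace(".", "-")


def https_host(domain, ip):
    """Wildcard -> per-VM name under the suffix; otherwise the LB name exactly as configured."""
    if domain.startswith("*."):
        return _dashed_ip(ip) + domain[1:]   # '*.somedomain.com' -> '10-1-2-3.somedomain.com'
    return domain                             # 'xyz.somedomain.com' -> LB in front of the VMs


def console_proxy_base_url(url_domain, proxy_ip):
    """Cases (a), (b), (c) for consoleproxy.url.domain."""
    if not is_valid_url_domain(url_domain):
        raise ValueError("bad consoleproxy.url.domain: %r" % (url_domain,))
    domain = (url_domain or "").strip()
    if domain == "":
        return "http://%s/" % proxy_ip                        # (a) empty: plain HTTP
    return "https://%s/" % https_host(domain, proxy_ip)       # (b) wildcard or (c) LB hostname


def ssvm_copy_base_url(encrypt_copy, cert_domain, ssvm_ip):
    """secstorage.encrypt.copy switches SSL on; secstorage.ssl.cert.domain supplies the name."""
    if not encrypt_copy:
        return "http://%s/" % ssvm_ip
    domain = (cert_domain or "").strip()
    if domain == "":
        # documented behaviour: SSL setting ignored, warning emitted
        log.warning("secstorage.encrypt.copy is true but secstorage.ssl.cert.domain is empty; using HTTP")
        return "http://%s/" % ssvm_ip
    if not is_valid_url_domain(domain):
        raise ValueError("bad secstorage.ssl.cert.domain: %r" % (domain,))
    return "https://%s/" % https_host(domain, ssvm_ip)


if __name__ == "__main__":
    for d in ("", "*.somedomain.com", "xyz.somedomain.com"):
        print("consoleproxy.url.domain=%-20r -> %s" % (d, console_proxy_base_url(d, "10.1.2.3")))
    print("ssvm, encrypt.copy on, empty domain   ->", ssvm_copy_base_url(True, "", "10.1.2.4"))
    print("ssvm, encrypt.copy on, wildcard domain ->", ssvm_copy_base_url(True, "*.somedomain.com", "10.1.2.4"))
```

Note the consequence of rule (b): a bare "somedomain.com" without the wildcard is no longer the wildcard case; it now falls into case (c) and is used verbatim as a load-balancer hostname, so an upgrade that keeps the old value will hand out a URL that nothing answers unless such an LB exists.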


Notes

Provide the full certificate path for the System VMs if you are using a certificate from
an intermediate CA. The certificate path starts at that certifying entity's certificate; each certificate in the chain is signed by the entity identified by the next certificate in the chain, and the chain terminates with a root CA certificate. For browsers to trust the site's certificate, you must upload the full chain: site certificate, intermediate CA(s) and root CA. Use one uploadCustomCertificate API call for each level of the
chain. The certificate and privatekey parameters must contain the full text in PEM encoded format. For example:
'certificate':'-----BEGIN CERTIFICATE----- \nMIIDYTCCAkmgAwIBAgIQCgEBAQAAAnwasdfKasd
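The one-call-per-level procedure above is easy to get subtly wrong (wrong chain order, private key attached to the wrong level, PEM text pasted unencoded into a query string). The following is an added example, not CloudStack's own code, that splits a PEM bundle into the per-level uploadCustomCertificate parameter sets and signs them with the standard CloudStack API signature (parameters sorted by name, values URL-encoded, whole string lowercased, HMAC-SHA1, base64). The PEM bodies, the API key and the secret are constructed placeholders, not real key material; the endpoint URL and the name prefix are illustrative.

```python
"""Added example, not CloudStack code: one uploadCustomCertificate request per
chain level from a PEM bundle, plus standard CloudStack request signing.
All key material below is a constructed placeholder."""
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, urlencode

# Constructed placeholder bundle, leaf first as bundles are usually laid out.
# The base64 payloads just spell SITE / INTERMEDIATE / ROOT; they are not certificates.
SAMPLE_CHAIN = """-----BEGIN CERTIFICATE-----
U0lURQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----
"""
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----"

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_chain(text):
    """Return each certificate block, headers included, in file order."""
    blocks = [b.strip() for b in PEM_CERT.findall(text)]
    if not blocks:
        raise ValueError("no PEM certificates found")
    return blocks


def build_upload_requests(chain_pem, private_key_pem, domain_suffix, name_prefix="sysvm"):
    """One parameter set per chain level.  The API's id counts from the top of
    the chain (root = 1, then each intermediate, site certificate last), so a
    leaf-first bundle is reversed.  Only the site certificate carries the key."""
    levels = list(reversed(split_pem_chain(chain_pem)))   # root ... site
    requests = []
    for position, cert in enumerate(levels, start=1):
        params = {
            "command": "uploadCustomCertificate",
            "certificate": cert,                           # full PEM text, headers included
            "domainsuffix": domain_suffix,
            "id": str(position),
            "name": "%s-%d" % (name_prefix, position),     # illustrative alias
        }
        if position == len(levels):
            params["privatekey"] = private_key_pem         # leaf only
        requests.append(params)
    return requests


def sign_request(params, api_key, secret_key):
    """Add apikey/response and the HMAC-SHA1 signature CloudStack expects."""
    signed = dict(params, apikey=api_key, response="json")
    # signature input: params sorted by name, values URL-encoded, whole string lowercased
    query = "&".join("%s=%s" % (k, quote(str(v), safe="*")) for k, v in sorted(signed.items()))
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signed["signature"] = base64.b64encode(digest).decode()
    return signed


def request_url(base_url, signed_params):
    """Full GET URL; the PEM text is URL-encoded here, never pasted raw."""
    return base_url + "?" + urlencode(signed_params)


if __name__ == "__main__":
    for req in build_upload_requests(SAMPLE_CHAIN, SAMPLE_KEY, "somedomain.com"):
        url = request_url("http://localhost:8080/client/api", sign_request(req, "API-KEY", "SECRET"))
        print(req["id"], req["name"], "has privatekey:", "privatekey" in req, "url length:", len(url))
```

Upload the levels in id order and check afterwards that the leaf was the one that received the private key; a chain where an intermediate carries the key, or where the site certificate is uploaded as id 1, will not be presented in the order browsers expect.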

TIP: The following blog post is a useful reference for real-life SSL scenarios: http://www.chipchilders.com/blog/2013/1/2/undocumented-feature-using-certificate-chains-in-cloudstack.html