(Based on Citrix support knowledgebase document)

Modify server.xml

Back up and edit /etc/cloud/management/server.xml. By default the HTTPS configuration is commented out, so uncomment it and update it as necessary. Note that Tomcat runs as the "cloud" user and not root, so an unprivileged port (1025/tcp or above) must be used and the keystore file will need appropriate permissions (readable by the "cloud" user, and not world-readable, since it holds the private key). Set keystorePass to the password you will use when exporting the keystore (see Generate Keystore below). This is a sample of the relevant section:

<!-- Define a SSL HTTP/1.1 Connector on port 10285
     This connector uses the JSSE configuration, when using APR, the
     connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="10285" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="conf/cloud-localhost.pk12"
           keystorePass="password"            />

Create SSL key

Obtain Certificate

  1. Follow your organization's standard procedures to generate and obtain a certificate suitable for securing a website. For example, generate a private key: openssl genrsa 1024 > cloud.key
  2. Generate a certificate signing request (CSR) with appropriate values: openssl req -new -key cloud.key > cloud.csr
  3. Submit the CSR to a certificate authority (for example, DigiNotar...) and get the certificate, or generate a self-signed certificate as follows: openssl x509 -req -in cloud.csr -signkey cloud.key > cloud.crt

Alternatively, you can generate a CSR to have signed by a valid CA; the implementation is (for now) left as an exercise for the reader. Either way, the certificate must be stored in a keystore, as described below.

Generate Keystore

Create a PKCS12 format keystore using the private key and signed certificate:

openssl pkcs12 -export -in cloud.crt -inkey cloud.key -name cloud -passout pass:password > /usr/share/cloud/management/conf/cloud-localhost.pk12

Restart CloudStack

  1. Once the Tomcat configuration is updated and the keystore is in place, restart CloudStack. For example: service cloud-management restart
  2. Tomcat should now be listening on the configured port (10285/tcp in this example). Verify with: netstat -plnt | grep 10285
  3. If it is not working, check /var/log/cloud/management/catalina.out for error messages.
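The following script is an added example, not part of the Citrix document or of CloudStack itself. It ties together the server.xml requirements above (unprivileged port, keystore present and readable only by the "cloud" user, sample password replaced) and the listening-port verification step: it parses a server.xml, checks every SSLEnabled Connector, and does a TCP connect to the port as a scripted stand-in for the netstat check. The embedded server.xml is a constructed sample modelled on the snippet in this guide, the keystore it creates is a dummy file (not a real PKCS12), and the expected_uid parameter is this example's own idea for asserting ownership by the "cloud" user (pass pwd.getpwnam("cloud").pw_uid on a real host). Standard library only.

```python
"""Pre-flight checks for the Tomcat HTTPS Connector described in this guide (added example)."""
import os
import socket
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml excerpt above; not a real deployment file.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a SSL HTTP/1.1 Connector on port 10285 -->
    <Connector port="10285" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="PKCS12"
               keystoreFile="conf/cloud-localhost.pk12"
               keystorePass="password" />
  </Service>
</Server>
"""


def find_ssl_connectors(xml_text):
    """Return the attribute dict of every Connector with SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return [c.attrib for c in root.iter("Connector")
            if c.attrib.get("SSLEnabled", "").lower() == "true"]


def check_connector(attrs, catalina_base, expected_uid=None):
    """Return a list of problems for one connector; an empty list means it passes."""
    problems = []
    try:
        port = int(attrs.get("port", ""))
    except ValueError:
        problems.append("port attribute missing or not numeric")
        port = None
    # Tomcat runs as the unprivileged "cloud" user, so ports below 1025 cannot be bound.
    if port is not None and port < 1025:
        problems.append(f"port {port} is privileged; Tomcat runs as the cloud user, use 1025/tcp or above")
    if attrs.get("scheme") != "https" or attrs.get("secure", "").lower() != "true":
        problems.append('scheme="https" and secure="true" should both be set')
    if attrs.get("keystorePass", "") in ("", "password"):
        problems.append("keystorePass is empty or still the sample value")
    # keystoreFile is relative to CATALINA_BASE (/usr/share/cloud/management in this guide).
    ks = attrs.get("keystoreFile", "")
    ks_path = ks if os.path.isabs(ks) else os.path.join(catalina_base, ks)
    if not os.path.isfile(ks_path):
        problems.append(f"keystore not found at {ks_path}")
    else:
        st = os.stat(ks_path)
        if st.st_mode & stat.S_IROTH:
            problems.append(f"keystore {ks_path} is world-readable; it holds the private key")
        if expected_uid is not None and st.st_uid != expected_uid:
            problems.append(f"keystore {ks_path} is not owned by uid {expected_uid}")
    return problems


def port_is_listening(port, host="127.0.0.1", timeout=1.0):
    """TCP connect check; scripted equivalent of 'netstat -plnt | grep <port>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def make_demo_base(mode=0o640):
    """Create a throwaway CATALINA_BASE holding a dummy keystore file with the given mode."""
    base = tempfile.mkdtemp(prefix="cloud-mgmt-")
    os.mkdir(os.path.join(base, "conf"))
    ks = os.path.join(base, "conf", "cloud-localhost.pk12")
    with open(ks, "wb") as fh:
        fh.write(b"constructed placeholder, not a real PKCS12 keystore")
    os.chmod(ks, mode)
    return base


def open_demo_listener():
    """Open a loopback listener on an ephemeral port so port_is_listening can be exercised."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    base = make_demo_base()
    for conn in find_ssl_connectors(SAMPLE_SERVER_XML):
        print("Connector on port", conn["port"])
        for problem in check_connector(conn, base) or ["OK"]:
            print("  -", problem)
        print("  listening:", port_is_listening(int(conn["port"])))
```

Run against a real host with catalina_base set to /usr/share/cloud/management and the parsed contents of /etc/cloud/management/server.xml; the sample above deliberately keeps keystorePass="password" so that the "sample value" finding is visible in the output.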

Configure iptables

  1. If iptables is in use, update the rules to allow access to the configured port. For example, run: iptables -I INPUT 1 -p tcp -m tcp --dport 10285 -j ACCEPT
  2. Verify connectivity to <https://yourserver:10285/client>.
  3. Optionally, enable redirection from 443/tcp in iptables. Run: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 10285
  4. Verify connectivity to <https://yourserver/client>.
  5. Once iptables is configured correctly, save the changes: service iptables save