
Configure SSL

In order to connect to Eucalyptus using SSL, you must have a valid certificate for the User-Facing Services (UFS).

1 - Configure and Enable SSL for the Management Console

You can use secure HTTP for your console. To run your console over secure HTTP:

  • Install nginx on your console server with the following command:

    yum install nginx

  • Overwrite the default nginx.conf file with the template provided in /usr/share/doc/eucaconsole-/nginx.conf:

    cp /usr/share/doc/eucaconsole-/nginx.conf /etc/nginx/nginx.conf

  • Uncomment the ’listen’ directive and uncomment/modify the SSL certificate paths in /etc/nginx/nginx.conf (search for “SSL configuration”). For example:

# SSL configuration
listen 443 ssl;
# ssl_certificate /path/to/ssl/pem_file;
# EXAMPLE:
ssl_certificate /etc/eucaconsole/console.crt;
# ssl_certificate_key /path/to/ssl/certificate_key;
# EXAMPLE: 
ssl_certificate_key /etc/eucaconsole/console.key;
# end of SSL configuration

  • Restart nginx using the following command:

    systemctl restart nginx.service

  • Edit the /etc/eucaconsole/console.ini file, locate the session.secure = false parameter, change false to true, then add the sslcert and sslkey lines immediately following, per this example:

session.secure = true
sslcert=/etc/eucaconsole/eucalyptus.com.chained.crt
sslkey=/etc/eucaconsole/eucalyptus.com.key

2 - Configure and Enable SSL for the UFS

This topic details the tasks needed to configure SSL/TLS for the User-Facing Services (UFS).

If you have more than one host (other than node controllers), note the following:

  • The keystore must be updated on each host running the eucalyptus-cloud service
  • The [key_alias] must be the same on each host
  • Use a wildcard certificate (i.e. *.<system.dns.dnsdomain>), since UFS is responsible for all service API endpoints

Create a Keystore

Eucalyptus uses a PKCS12-format keystore. If you are using a certificate signed by a trusted root CA, perform the following steps.

Enter the following command to convert your trusted certificate and key into an appropriate format:

openssl pkcs12 -export -in [YOURCERT.crt] -inkey [YOURKEY.key] \
  -out tmp.p12 -name [key_alias]

Save a backup of the Eucalyptus keystore at /var/lib/eucalyptus/keys/euca.p12, then import your keystore into the Eucalyptus keystore on the UFS:

keytool -importkeystore -srckeystore tmp.p12 -srcstoretype pkcs12 \
  -srcstorepass [export_password] -destkeystore /var/lib/eucalyptus/keys/euca.p12 \
  -deststoretype pkcs12 -deststorepass eucalyptus -alias [key_alias] -destkeypass eucalyptus
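Before the export step, a few checks catch the usual mistakes: a key that does not match the certificate, a certificate without the *.<system.dns.dnsdomain> wildcard that UFS needs, and an alias that did not make it into tmp.p12. The following script is an added example, not part of the Eucalyptus documentation; the domain cloud.example.com, the file paths, the alias ufs and the password export_password are constructed placeholders, and the self-signed certificate it generates is for demonstration only.

```shell
#!/bin/sh
# Added example (not from the Eucalyptus docs): pre-flight checks around the
# "openssl pkcs12 -export" step. Domain, paths, alias and password are constructed.
set -eu

# 0 if the private key's public half equals the certificate's public key.
cert_key_match() {                      # $1=cert  $2=key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the cert's subjectAltName lists DNS:*.<domain>. UFS answers for every
# service endpoint under that domain, so a single-host certificate is not enough.
cert_covers_wildcard() {                # $1=cert  $2=system.dns.dnsdomain
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text | grep -Eq "DNS:\*\.$esc(,|$)"
}

# Run the documented export and confirm the alias (friendlyName) landed in the .p12.
export_p12() {                          # $1=cert $2=key $3=alias $4=out.p12 $5=password
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$4" -name "$3" -passout "pass:$5"
  openssl pkcs12 -in "$4" -nokeys -passin "pass:$5" | grep -q "friendlyName: $3\$"
}

# Constructed self-signed wildcard certificate for the demo only (never deploy this).
make_demo_cert() {                      # $1=dir $2=domain
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/ufs.key" -out "$1/ufs.crt" \
    -subj "/CN=*.$2" -addext "subjectAltName=DNS:*.$2,DNS:$2" 2>/dev/null
}

demo() {
  dir=$(mktemp -d); domain=cloud.example.com
  make_demo_cert "$dir" "$domain"
  cert_key_match "$dir/ufs.crt" "$dir/ufs.key"        && echo "key matches cert"
  cert_covers_wildcard "$dir/ufs.crt" "$domain"       && echo "cert covers *.$domain"
  cert_covers_wildcard "$dir/ufs.crt" other.example   || echo "cert does not cover *.other.example"
  export_p12 "$dir/ufs.crt" "$dir/ufs.key" ufs "$dir/tmp.p12" export_password \
    && echo "tmp.p12 carries alias ufs"
  rm -rf "$dir"
}
demo
```

Point the three check functions at your real certificate, key and dnsdomain before running the documented export and keytool import.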

Enable the UFS to Use the Keystore

Because the UFS gets all its configuration information from the CLC, this step is performed on the CLC. Run the following command on the CLC:

euctl bootstrap.webservices.ssl.server_alias=[key_alias]

Optional: Redirect Requests to use Port 443

To accept user-facing services requests on port 443 instead of the default 8773, run the following command on the CLC:

euctl bootstrap.webservices.port=443