Configuring TLS/SSL communication and Connecting with SSH
IBM® Cloud Manager - Self Service includes a self-signed certificate for Transport Layer Security (TLS), Secure Sockets Layer (SSL) communication between a client machine, such as a web browser, and the IBM Cloud Manager - Self Service node. This certificate is stored in the /var/opt/ibm/.SCE43/.keystore file.
This self-signed certificate is included for testing purposes only. It is not associated with a qualified host and domain name, and because it is self-signed, a security warning is displayed when you access the host by using https. To use SSL in production, create a different self-signed or CA-issued certificate that is issued specifically for the qualified host name, and keep it in a new keystore that is protected by a strong password. That password is then used in the server.properties configuration example that follows.
To replace the default certificate, remove the original .keystore file and create a new one by following the steps below. First, enable SSL by modifying the configuration file.
Enabling SSL
SSL is enabled on the server by configuring the server.properties file in the IBM Cloud Manager - Self Service home directory as follows:
# HTTP server port
org.osgi.service.http.port=18080
# Flag to enable/disable plain HTTP. To make the server SSL-only,
# set this flag to false.
org.eclipse.equinox.http.jetty.http.enabled=true
# Flag to enable/disable HTTPS
org.eclipse.equinox.http.jetty.https.enabled=true
# HTTPS port
org.eclipse.equinox.http.jetty.https.port=18443
# Keystore password (replace "password" with the password of your new keystore)
org.eclipse.equinox.http.jetty.ssl.password=password
# Private key password (replace "password" with the password of the key in that keystore)
org.eclipse.equinox.http.jetty.ssl.keypassword=password
# The full path of the keystore, for example /var/opt/ibm/.SCE43/.keystore
org.eclipse.equinox.http.jetty.ssl.keystore=home directory/.keystore
# The SSL protocol. SSL_TLS also accepts SSLv3; if your JRE offers a TLS-only
# protocol name, prefer it.
org.eclipse.equinox.http.jetty.ssl.protocol=SSL_TLS
Restart the IBM Cloud Manager - Self Service server (the sce service) after you change the server.properties file:
service sce restart
With the server running, point your client at https://system:18443/cloud/api/users, replacing system with the host name, to test it. Unless the certificate has already been imported into the client as described below, you might be prompted to accept it. Because server.properties holds the keystore and key passwords in clear text, restrict its file permissions to the user the server runs as.
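The following shell script is an added example (not IBM's own tooling) that checks a server.properties file for the settings this section warns about: plain HTTP left on, the placeholder or shipped default passwords, the shipped test-only keystore, and an SSL-era protocol value. The two sample files it writes are constructed for illustration; the hardened file's password values, keystore name and the TLS protocol value are assumptions, not values from the page.

```sh
#!/bin/sh
# Added example, not from the IBM documentation: audit a server.properties file
# for the weak settings described on this page. The property names are the ones
# the page shows; the two sample files are constructed here for illustration.
set -u

prop_value() {   # prop_value FILE KEY -> last uncommented value of KEY, or empty
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

audit_server_properties() {   # prints one finding per line; returns 1 if any
  f=$1; p=org.eclipse.equinox.http.jetty; rc=0
  [ "$(prop_value "$f" $p.https.enabled)" = true ] \
    || { echo "https.enabled is not true"; rc=1; }
  [ "$(prop_value "$f" $p.http.enabled)" = false ] \
    || { echo "http.enabled is not false: plain HTTP on port $(prop_value "$f" org.osgi.service.http.port) stays open"; rc=1; }
  for k in ssl.password ssl.keypassword; do
    case "$(prop_value "$f" $p.$k)" in
      ""|password|cfs4ibm) echo "$k is empty or a documented default"; rc=1 ;;
    esac
  done
  case "$(prop_value "$f" $p.ssl.keystore)" in
    ""|/var/opt/ibm/.SCE43/.keystore|*"home directory/.keystore")
      echo "ssl.keystore is unset or the shipped test-only keystore"; rc=1 ;;
  esac
  case "$(prop_value "$f" $p.ssl.protocol)" in
    SSL*) echo "ssl.protocol=$(prop_value "$f" $p.ssl.protocol) still allows SSLv3; use a TLS-only value"; rc=1 ;;
  esac
  return $rc
}

write_samples() {   # write_samples DIR: constructed page-style and hardened files
  cat >"$1/weak.properties" <<'EOF'
# HTTP server port
org.osgi.service.http.port=18080
org.eclipse.equinox.http.jetty.http.enabled=true
org.eclipse.equinox.http.jetty.https.enabled=true
org.eclipse.equinox.http.jetty.https.port=18443
org.eclipse.equinox.http.jetty.ssl.password=password
org.eclipse.equinox.http.jetty.ssl.keypassword=password
org.eclipse.equinox.http.jetty.ssl.keystore=/var/opt/ibm/.SCE43/.keystore
org.eclipse.equinox.http.jetty.ssl.protocol=SSL_TLS
EOF
  # Hardened variant; passwords, keystore name and protocol value are assumed.
  cat >"$1/hardened.properties" <<'EOF'
org.osgi.service.http.port=18080
org.eclipse.equinox.http.jetty.http.enabled=false
org.eclipse.equinox.http.jetty.https.enabled=true
org.eclipse.equinox.http.jetty.https.port=18443
org.eclipse.equinox.http.jetty.ssl.password=K3yst0re-Secret!
org.eclipse.equinox.http.jetty.ssl.keypassword=Priv4teKey-Secret!
org.eclipse.equinox.http.jetty.ssl.keystore=/var/opt/ibm/.SCE43/cloud.example.com.jks
org.eclipse.equinox.http.jetty.ssl.protocol=TLS
EOF
}
```

Run it as `audit_server_properties /var/opt/ibm/.SCE43/server.properties` before restarting the service; a non-zero exit with the printed findings means the file still carries test-only settings.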
Creating a new certificate for your host
You can use the keytool tool to create a self-signed certificate for the host you are deploying IBM Cloud Manager - Self Service on. Or, you can use it to create a certificate signing request (CSR) to send to a certificate authority (CA) to get a CA-issued certificate that is trusted by clients automatically.
For example, to generate a new keystore that contains a key pair and a self-signed certificate with your own organization details, use the following command. Use a key size of at least 2048 bits; 1024-bit RSA keys are no longer accepted by current browsers and certificate authorities.
keytool -genkey -dname "CN=cloud.ibm.com, OU=Cloud Services, O=IBM, L=RTP, S=NC, C=US" -alias SKC -keystore .keystore -keyalg RSA -keysize 2048
- keytool is a key and certificate management utility that is included with Java™ SE 6.0.
- For this command to run, the jre/bin directory must be on the PATH. Use the following command to add it:
export PATH=/opt/ibm/SCE43/jre/bin:$PATH
- CN
- Specifies the fully qualified host name of the server, exactly as clients use it in the URL.
- OU
- Specifies the organizational unit within the customer's company.
- O
- Specifies the company.
- L
- Specifies the city of the company location.
- S
- Specifies the state where that city resides.
- C
- Specifies the two-letter country code.
To generate a certificate signing request from the keystore, run the following command:
keytool -certreq -alias SKC -keystore .keystore -file NewCertSignRequest.csr
Exporting a certificate
To export the certificate so that clients can import and trust it, run the following command from the /var/opt/ibm/.SCE43 directory:
keytool -exportcert -v -alias SKC -file SKC.cer -keystore .keystore -storepass password
where password is the keystore password that you specified. The default value for the shipped keystore is cfs4ibm. After this certificate is imported into a client, the client can communicate with IBM Cloud Manager - Self Service over the trusted certificate with no further user intervention. If it is not imported, the client, such as a browser, might prompt the user to verify the certificate and confirm that it is trusted. After you accept the risk of the certificate, you can use SSL.
If clients reach the server by IP address rather than by a qualified host name, generate the certificate with that address as the CN so that the name the client connects to matches the certificate:
keytool -genkey -dname "CN=ip_address, OU=Cloud, O=IBM, L=RTP, S=NC, C=US" -alias SKC -keystore .keystore -keyalg RSA -keysize 2048
If you still cannot install the certificate by using Internet Explorer, it might be necessary to synchronize the client's date and time with the IBM Cloud Manager - Self Service server; a certificate whose validity period has not yet begun on the client's clock is rejected. Also, ensure that you shut down and restart all instances of Internet Explorer after you install the certificate.
Importing a certificate
To import the CA-issued certificate (the reply to your CSR) into the keystore under the same alias, run:
keytool -import -trustcacerts -alias SKC -file ./TrustedCertificate.cer -keystore .keystore
If the CA's root or intermediate certificates are not already in the JRE's cacerts file, import them into the keystore under their own aliases first; otherwise keytool cannot build the certificate chain and rejects the reply.
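The following script is an added example, not IBM's own, that carries out the keystore steps above as checked shell functions: it refuses the shipped and placeholder passwords, creates a fresh keystore with a 2048-bit key, writes the CSR, exports the self-signed certificate for clients, and imports a CA reply with any CA certificates it depends on. It assumes keytool on the PATH (for example from /opt/ibm/SCE43/jre/bin); the directory, host name, organization values and passwords are parameters, and the example values in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not from the IBM documentation: keystore creation, CSR,
# export and CA-reply import as checked functions. Assumptions: keytool on
# PATH; $1 is the keystore directory (/var/opt/ibm/.SCE43 in production);
# passwords are passed as arguments purely to illustrate the commands.
set -eu

make_host_keystore() {   # make_host_keystore DIR HOST STOREPASS
  dir=$1 host=$2 storepass=$3
  ks="$dir/.keystore"
  # Refuse the shipped test password and the placeholder from server.properties.
  case "$storepass" in
    cfs4ibm|password|"") echo "refusing default or empty keystore password" >&2; return 1 ;;
  esac
  # The original .keystore must be removed before the new one is created.
  rm -f "$ks"
  # 2048-bit RSA with a SHA-256 signature; 1024-bit keys are rejected by
  # current browsers and CAs. Organization values here are example values.
  keytool -genkey -alias SKC -keystore "$ks" -storepass "$storepass" -keypass "$storepass" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 825 \
    -dname "CN=$host, OU=Cloud Services, O=Example, L=RTP, ST=NC, C=US"
  # The keystore holds the private key: owner-only access.
  chmod 600 "$ks"
  # CSR for the CA, plus the self-signed certificate clients can import meanwhile.
  keytool -certreq -alias SKC -keystore "$ks" -storepass "$storepass" \
    -file "$dir/NewCertSignRequest.csr"
  keytool -exportcert -alias SKC -keystore "$ks" -storepass "$storepass" \
    -file "$dir/SKC.cer" -rfc
}

import_ca_reply() {   # import_ca_reply DIR STOREPASS REPLY.cer [CA.cer ...]
  dir=$1 storepass=$2 reply=$3; shift 3
  ks="$dir/.keystore"
  # Roots/intermediates that are not in the JRE cacerts file must be present
  # first, otherwise keytool cannot build the chain and rejects the reply.
  n=0
  for ca in "$@"; do
    n=$((n + 1))
    keytool -importcert -noprompt -trustcacerts -alias "ca$n" -file "$ca" \
      -keystore "$ks" -storepass "$storepass"
  done
  keytool -importcert -noprompt -trustcacerts -alias SKC -file "$reply" \
    -keystore "$ks" -storepass "$storepass"
}

keystore_cn() {   # keystore_cn DIR STOREPASS: the CN clients will see for alias SKC
  keytool -list -v -alias SKC -keystore "$1/.keystore" -storepass "$2" \
    | sed -n 's/^Owner: *CN=\([^,]*\).*/\1/p' | head -n 1
}
```

Typical use on the node is `make_host_keystore /var/opt/ibm/.SCE43 cloud.example.com "$STOREPASS"` followed, once the CA answers, by `import_ca_reply /var/opt/ibm/.SCE43 "$STOREPASS" reply.cer intermediate.cer`; then set ssl.password and ssl.keypassword in server.properties to the same value and restart the sce service.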
Connecting using SSH
To further reduce risk when connecting with OpenSSH, edit the OpenSSH daemon configuration file (sshd_config) so that the line containing Protocol reads Protocol 2; protocol 1 is susceptible to known attacks. OpenSSH releases from 7.4 onward no longer support protocol 1 at all, so on current daemons this setting is already the only option. The OpenSSH daemon on the IBM Cloud Manager - Self Service node uses port 22 by default.
Replace the certificate of SSP
In 4.3, the IBM SmartCloud Entry user interface (UI) is replaced by the IBM Cloud Manager - Self Service user interface. To replace the original certificate of the self-service portal, use the OpenSSL command to create a new certificate file named skc.cer and a private key file named skc.key, replace the two files of the same names under /opt/ibm/ssp_certification with them, and then restart the httpd service.
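The following script is an added example, not IBM's own, of creating the skc.key and skc.cer pair with OpenSSL and checking that the two files belong together before they replace the portal's files. It assumes openssl on the PATH; the output directory and host name are parameters (in production the directory is the page's /opt/ibm/ssp_certification), and the organization values and validity period are assumptions.

```sh
#!/bin/sh
# Added example, not from the IBM documentation: create the self-service
# portal's skc.key/skc.cer pair with OpenSSL and verify they match.
# Assumptions: openssl on PATH; $1 is the output directory
# (/opt/ibm/ssp_certification in production); $2 is the host name for the CN.
set -eu

make_ssp_cert() {   # make_ssp_cert DIR HOST
  dir=$1 host=$2
  # Subshell so the restrictive umask applies only while the key is written:
  # the private key is created owner-readable before any data lands in it.
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
      -keyout "$dir/skc.key" -out "$dir/skc.cer" \
      -subj "/C=US/ST=NC/L=RTP/O=Example/OU=Cloud Services/CN=$host" )
  # The certificate is public and httpd must be able to read it.
  chmod 644 "$dir/skc.cer"
}

key_matches_cert() {   # key_matches_cert DIR: 0 if skc.cer carries skc.key's public key
  dir=$1
  k=$(openssl pkey -in "$dir/skc.key" -pubout -outform PEM 2>/dev/null)
  c=$(openssl x509 -in "$dir/skc.cer" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

cert_cn() {   # cert_cn DIR: the CN in skc.cer, which must equal the portal's host name
  openssl x509 -in "$1/skc.cer" -noout -subject | sed 's/.*CN *= *//'
}
```

Run `make_ssp_cert /opt/ibm/ssp_certification portal.example.com` and confirm `key_matches_cert` succeeds and `cert_cn` prints the host name before restarting httpd; a mismatched pair makes httpd fail to start and a wrong CN makes every browser warn.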