Configuring TLS/SSL communication and Connecting with SSH

IBM® Cloud Manager - Self Service includes a self-signed certificate for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) communication between a client machine, such as a web browser, and the IBM Cloud Manager - Self Service node. This certificate is stored in the /var/opt/ibm/.SCE43/.keystore file.

This self-signed certificate is included for testing purposes only. It is not associated with a qualified host and domain name, and because it is self-signed, a security warning is displayed when you access the host by using https. To use SSL in production, create a different self-signed or CA-issued certificate that is designated specifically for the qualified host, and store it in a separate keystore that is protected by a secure password. The new passwords are then set in the server.properties configuration shown in the following example.

To replace the default certificate, remove the original .keystore file and create a new one by following the guide below. First, enable SSL by modifying the configuration file.

Enabling SSL

SSL is enabled on the server by configuring the server.properties file in the IBM Cloud Manager - Self Service home directory as follows:

# HTTP server port
org.osgi.service.http.port=18080

# Flag to enable/disable HTTP. If it is necessary for the protocol to be only SSL,
# set this flag to false.
org.eclipse.equinox.http.jetty.http.enabled=true

# Flag to enable/disable HTTPS
org.eclipse.equinox.http.jetty.https.enabled=true

# HTTPS port
org.eclipse.equinox.http.jetty.https.port=18443

# SSL password
org.eclipse.equinox.http.jetty.ssl.password=password

# Keystore password
org.eclipse.equinox.http.jetty.ssl.keypassword=password

# The full path location of the keystore
org.eclipse.equinox.http.jetty.ssl.keystore=home directory/.keystore

# The SSL protocol
org.eclipse.equinox.http.jetty.ssl.protocol=SSL_TLS

Note: Set the org.eclipse.equinox.http.jetty.ssl.protocol property to SSL_TLS when running on an IBM JRE, and to TLS when running on a Sun or Oracle JRE.
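The following script is an added example and is not part of the product or its documentation. It parses the server.properties keys shown above and reports the settings a reviewer would flag before the server goes into production: passwords left at the values that appear in this documentation, a keystore path that still points at the shipped test-only keystore, plain HTTP left enabled alongside HTTPS, and a protocol value that does not match the JRE vendor. The sample file content embedded in the script is constructed for the example; the property names and default values are the ones documented above.

```python
"""Audit the TLS settings in a server.properties file.

Added example; not part of the product documentation. It parses the
Java-properties keys shown in the "Enabling SSL" section and reports the
settings a reviewer would flag before the server goes into production.
The sample file content below is constructed for this example.
"""
import re

# Constructed sample: the documented defaults as shipped.
SAMPLE_PROPERTIES = """\
# HTTP server port
org.osgi.service.http.port=18080
org.eclipse.equinox.http.jetty.http.enabled=true
org.eclipse.equinox.http.jetty.https.enabled=true
org.eclipse.equinox.http.jetty.https.port=18443
org.eclipse.equinox.http.jetty.ssl.password=password
org.eclipse.equinox.http.jetty.ssl.keypassword=password
org.eclipse.equinox.http.jetty.ssl.keystore=/var/opt/ibm/.SCE43/.keystore
org.eclipse.equinox.http.jetty.ssl.protocol=SSL_TLS
"""

PREFIX = "org.eclipse.equinox.http.jetty."
# Passwords named in the documentation; a value still set to one is a finding.
DOCUMENTED_PASSWORDS = {"password", "cfs4ibm"}
# The keystore that ships with the product and holds the test-only certificate.
SHIPPED_KEYSTORE = "/var/opt/ibm/.SCE43/.keystore"
# Protocol value the documentation gives for each JRE vendor.
PROTOCOL_FOR_JRE = {"ibm": "SSL_TLS", "oracle": "TLS", "sun": "TLS"}

_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")


def parse_properties(text):
    """Parse the subset of Java .properties syntax used here: '#'/'!' comments,
    blank lines, key=value or key:value pairs, and backslash continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines() + [""]:  # sentinel flushes a trailing continuation
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_ssl_config(props, jre_vendor="ibm", https_only=True):
    """Return human-readable findings; an empty list means the checks passed."""
    def get(key):
        return props.get(PREFIX + key, "")

    findings = []
    if get("https.enabled").lower() != "true":
        findings.append("HTTPS is not enabled; set https.enabled=true")
    if https_only and get("http.enabled").lower() != "false":
        findings.append("plain HTTP is still enabled on port %s; set http.enabled=false for SSL only"
                        % props.get("org.osgi.service.http.port", "?"))
    for key in ("ssl.password", "ssl.keypassword"):
        value = get(key)
        if not value:
            findings.append("%s is not set" % key)
        elif value.lower() in DOCUMENTED_PASSWORDS:
            findings.append("%s still uses a password that appears in the documentation" % key)
    keystore = get("ssl.keystore")
    if not keystore.startswith("/"):
        findings.append("ssl.keystore must be a full path, got %r" % keystore)
    elif keystore == SHIPPED_KEYSTORE:
        findings.append("ssl.keystore still points at the shipped test-only keystore")
    expected = PROTOCOL_FOR_JRE.get(jre_vendor.lower())
    if expected and get("ssl.protocol") != expected:
        findings.append("ssl.protocol is %r but a %s JRE expects %r"
                        % (get("ssl.protocol"), jre_vendor, expected))
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_config(parse_properties(SAMPLE_PROPERTIES)):
        print("FINDING:", finding)
```

Run against the shipped defaults the script reports four findings (HTTP still enabled, both passwords at a documented value, and the shipped keystore); a production file with http.enabled=false, its own keystore path, its own passwords and the protocol value that matches the JRE passes cleanly.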

Restart the IBM SmartCloud® Entry server after you change the server.properties file.

service sce restart

With the server running, point your client to https://system:18443/cloud/api/users to test it. Unless the client already trusts the certificate, you might be prompted to accept it.

Creating a new certificate for your host

You can use the keytool tool to create a self-signed certificate for the host you are deploying IBM Cloud Manager - Self Service on. Or, you can use it to create a certificate signing request (CSR) to send to a certificate authority (CA) to get a CA-issued certificate that is trusted by clients automatically.

For example, to generate a new keystore with specific customer information, use the following command:

keytool -genkey -dname "CN=cloud.ibm.com, OU=Cloud Services, O=IBM, L=RTP, S=NC, C=US" -alias SKC -keystore .keystore -keyalg RSA -keysize 1024

Notes:
  • keytool is a key and certificate management utility that is included with Java™ SE 6.0.
  • For this command to run, the jre/bin directory must be in the PATH environment variable. Use the following command to add the directory:
    export PATH=/opt/ibm/SCE43/jre/bin:$PATH

The fields of the -dname value are as follows:

CN
Specifies the customer's domain.
OU
Specifies the organization within the customer's company.
O
Specifies the company.
L
Specifies the city of the company location.
S
Specifies the state where that city resides.
C
Specifies the country.

To generate a certificate signing request from the keystore, run the following command:

keytool -certreq -alias SKC -keystore .keystore -file NewCertSignRequest.csr

Exporting a certificate

To export a certificate to be used by clients, run the following command from the /var/opt/ibm/.SCE43 directory:

keytool -exportcert -v -alias SKC -file SKC.cer -keystore .keystore -storepass password

where password is the password you specify. The default value is cfs4ibm.

After this certificate is imported into a client, the client communicates with IBM Cloud Manager - Self Service by using the trusted certificate, with no additional user intervention required. If the certificate is not imported, the client, such as a browser, might prompt the user to verify it and confirm that it is trusted. After you accept the risk of the certificate, you can use SSL.

Note: When you use Internet Explorer to install a self-signed certificate, ensure that the certificate issuer name exactly matches the domain name of the URL that you are using it for. For example, if the URL is https://ip_address/cloud/web/login.html, where ip_address is your IP address, the CN setting must be CN=ip_address and the command is as follows:

keytool -genkey -dname "CN=ip_address, OU=Cloud, O=IBM, L=RTP, S=NC, C=US" -alias SKC -keystore .keystore -keyalg RSA -keysize 1024

If you still cannot install the certificate by using Internet Explorer, it might be necessary to set the client's system date and time to match the IBM Cloud Manager - Self Service server time. Also, ensure that you shut down and restart all instances of Internet Explorer after you install the certificate.
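The following script is an added example and is not part of the product documentation. It assembles the -dname value from its parts, checks the RDN keys against the six fields documented above (plus ST, which keytool also accepts for the state), verifies that CN matches the host in the URL clients will use (the rule the Internet Explorer note states), and returns the keytool -genkey command as an argument list so the -dname value needs no shell quoting. The host names and DN values are constructed for the example, and the 2048-bit default key size is a choice made here rather than the 1024 shown in the documented command.

```python
"""Assemble and sanity-check the keytool -genkey invocation.

Added example; not part of the product documentation. Host names, DN
values and the 2048-bit default key size are choices made for this example.
"""
from urllib.parse import urlsplit

# RDN keys documented on this page; keytool also accepts ST for the state.
VALID_RDN_KEYS = {"CN", "OU", "O", "L", "S", "ST", "C"}


def build_dname(cn, ou, o, l, st, c):
    """Return a -dname value in the order the documentation uses."""
    return "CN=%s, OU=%s, O=%s, L=%s, S=%s, C=%s" % (cn, ou, o, l, st, c)


def parse_dname(dname):
    """Split 'CN=x, OU=y, ...' into (KEY, value) pairs. Values containing
    escaped commas are not handled; none of the documented fields need them."""
    pairs = []
    for part in dname.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN %r" % part.strip())
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def validate_dname(dname, url):
    """Return a list of problems with dname for a server reached at url;
    an empty list means the DN is usable for that URL."""
    problems = []
    pairs = parse_dname(dname)
    fields = dict(pairs)
    for key, _ in pairs:
        if key not in VALID_RDN_KEYS:
            problems.append("unknown RDN key %r; expected one of %s"
                            % (key, ", ".join(sorted(VALID_RDN_KEYS))))
    if [k for k, _ in pairs].count("CN") != 1:
        problems.append("exactly one CN is required")
    country = fields.get("C")
    if country is not None and not (len(country) == 2 and country.isalpha()):
        problems.append("C must be a two-letter country code, got %r" % country)
    host = urlsplit(url).hostname
    cn = fields.get("CN")
    if cn is not None and host is not None and cn.lower() != host.lower():
        problems.append("CN %r does not match the URL host %r; the browser will "
                        "report a host name mismatch" % (cn, host))
    return problems


def genkey_command(dname, alias="SKC", keystore=".keystore", keysize=2048):
    """Return the argv list for keytool -genkey. Passing a list to
    subprocess.run means the -dname value, which contains spaces and
    commas, needs no shell quoting."""
    return ["keytool", "-genkey", "-dname", dname, "-alias", alias,
            "-keystore", keystore, "-keyalg", "RSA", "-keysize", str(keysize)]


if __name__ == "__main__":
    import subprocess
    # Constructed values; replace with the qualified host the server runs on.
    dname = build_dname("cloud.example.com", "Cloud Services", "Example Corp", "RTP", "NC", "US")
    problems = validate_dname(dname, "https://cloud.example.com:18443/cloud/api/users")
    if problems:
        raise SystemExit("\n".join(problems))
    # keytool prompts for the keystore and key passwords when -storepass is not given.
    subprocess.run(genkey_command(dname), check=True)
```

Validating the DN before generating the key catches the two mistakes the notes above describe: a mistyped field name (such as CB instead of C), and a CN that does not match the host name or IP address in the URL the browser will open.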

Importing a certificate

To import the trusted certificate (.cer) file, run this command:

keytool -import -trustcacerts -alias SKC -file ./TrustedCertificate.cer -keystore .keystore

See the keytool documentation for your JRE for instructions. For the IBM JRE, the instructions are available at http://www.ibm.com/developerworks/java/jdk/security/60/secguides/keytoolDocs/keytool.html.
Note: When the CA is not trusted by clients automatically and you are attempting to access IBM Cloud Manager - Self Service using the https protocol, an exception is encountered that says the connection is untrusted. You must confirm that the risks are understood and must add an exception to continue. Even with a trusted certificate, when using Internet Explorer, you are likely to run into a similar exception.

Connecting using SSH

To further minimize security risks when connecting by using OpenSSH, edit the OpenSSH daemon configuration file (sshd_config) so that the Protocol line reads Protocol 2. Allowing protocol version 1 leaves the daemon more susceptible to attack. The OpenSSH daemon implemented under IBM Cloud Manager - Self Service uses port 22 as the default for communication.
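The following script is an added example and is not part of the product documentation. It parses the global section of an sshd_config file (keyword and argument separated by whitespace, '#' comments, with directives inside Match blocks skipped because they apply per connection) and reports whether protocol version 1 is still offered and which ports the daemon listens on, including the default of 22 when the Port line is commented out. The configuration text is constructed for the example. OpenSSH 7.4 and later no longer include protocol 1 server support at all, so the Protocol check matters for the older daemons this advice targets.

```python
"""Check an OpenSSH daemon configuration for the settings this page calls out.

Added example; not part of the product documentation. The configuration
text below is constructed for this example.
"""
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
#Port 22
Protocol 2,1
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return global directives as {lowercase_keyword: [arguments, ...]},
    keeping every occurrence so callers can apply sshd's own rule
    (first occurrence wins for most keywords, all occurrences for Port)."""
    directives = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        argument = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True        # everything after the first Match is conditional
            continue
        if in_match:
            continue
        directives.setdefault(keyword, []).append(argument)
    return directives


def allowed_protocols(directives):
    """Protocol versions the daemon offers; OpenSSH defaults to 2 when unset."""
    first = directives.get("protocol", ["2"])[0]
    return {v.strip() for v in first.split(",") if v.strip()}


def effective_ports(directives):
    """Ports the daemon listens on; a commented-out Port line leaves the default 22."""
    return directives.get("port") or ["22"]


def audit_sshd(directives):
    """Return findings for the checks this page describes; empty means clean."""
    findings = []
    if "1" in allowed_protocols(directives):
        findings.append("Protocol %r allows SSH-1; set 'Protocol 2'"
                        % directives["protocol"][0])
    for port in effective_ports(directives):
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append("invalid Port value %r" % port)
    return findings


if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("listening on:", ", ".join(effective_ports(conf)))
    for finding in audit_sshd(conf):
        print("FINDING:", finding)
```

On the constructed sample the script reports that Protocol 2,1 still offers SSH-1 and that the daemon listens on the default port 22, because the only Port line is commented out.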

Replace the certificate of SSP

In 4.3, the IBM SmartCloud Entry user interface (UI) is replaced by the IBM Cloud Manager - Self Service user interface. If you need to replace the original certificate of the self-service portal, use the OpenSSL command to create a new certificate file named skc.cer and a private key file named skc.key, and replace the two files under /opt/ibm/ssp_certification with them. Then, restart the httpd service.