Adding SSL certificates to endpoints
By default, Triton uses self-signed certificates for AdminUI, SDC Docker, and CloudAPI. These can be replaced with certificates signed by a public certificate authority (CA) if desired. This guide walks through adding signed certificates to your Triton installation.
CloudAPI, AdminUI, and SDC Docker use SSL certificates. If you have a wildcard certificate, you will be able to use it for all three, provided the three hostnames sit directly under the same domain: a wildcard such as *.example.com matches exactly one label, so it covers cloudapi.example.com but not cloudapi.region.example.com. Otherwise you will need a certificate for each zone being secured, or a single certificate that lists every hostname as a subject alternative name (SAN).
Note: You will need to acquire your certificate from a certificate authority (CA) such as Let's Encrypt. Using triton-dehydrated, certificates can be issued and renewed automatically; for setup instructions, follow the README in that repository.
The file layout differs by service: CloudAPI and AdminUI take a single PEM file containing both the private key and the certificate chain, while SDC Docker and the end-user portal for single sign-on (SSO) require the key and the certificate chain as separate files. The PEM layout described in the next section applies to the combined file; the split files contain the same blocks, divided between two files.
Verify your PEM file
Your PEM file should contain the private key followed by the certificate chain, starting with your leaf certificate. It should be in this format:
-----BEGIN RSA PRIVATE KEY-----
[Base64 Encoded Private Key]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[Base64 Encoded Certificate]
-----END CERTIFICATE-----
Note: You may need to include the certificate chain in the PEM file. The chain is a series of CERTIFICATE sections, each one signed by the CERTIFICATE that follows it. In other words, the PEM file is ordered: the PRIVATE KEY, then the leaf certificate, then zero or more intermediate certificates, and finally the root certificate. The root is optional, since clients already hold it in their trust store; including it only adds bytes to every handshake. Depending on how the key was generated, its block may be labelled BEGIN PRIVATE KEY (PKCS#8) or BEGIN EC PRIVATE KEY rather than BEGIN RSA PRIVATE KEY; all three are standard PEM encodings that OpenSSL-based servers read, as long as exactly one key block is present and it comes first.
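The checks above can be scripted before the file goes anywhere near a zone. The following shell function is an added example, not part of the Triton documentation or tooling; it assumes openssl(1) is on the PATH of the head node and accepts either a combined PEM file or a certificate file plus a separate key file (the layout the SDC Docker and SSO sections below use). It verifies that exactly one key block is present and comes first, that the key belongs to the leaf certificate, and that every certificate after the leaf actually signed the one before it, which is the ordering mistake a visual inspection most often misses.

```shell
#!/bin/sh
# check_pem: sanity-check a PEM bundle before installing it into a Triton zone.
# Added example, not Triton code. Assumes openssl(1) on PATH.
#
#   check_pem bundle.pem            # key + leaf + intermediates in one file
#   check_pem chain.crt key.pem     # certificate chain and key in separate files
#
# Returns 0 when the layout is sound, 1 otherwise (reason on stderr).

check_pem() {
    _certs=$1
    _key=${2:-$1}
    _tmp=$(mktemp -d) || return 1
    mkdir "$_tmp/nocerts"            # empty CApath: keeps the system trust store out of the checks
    _check_pem_in "$_certs" "$_key" "$_tmp"
    _rc=$?
    rm -rf "$_tmp"
    return $_rc
}

_check_pem_in() {
    certs=$1 key=$2 tmp=$3

    # Exactly one private key block. Depending on how the key was generated it is
    # labelled RSA PRIVATE KEY (PKCS#1), PRIVATE KEY (PKCS#8) or EC PRIVATE KEY.
    nkeys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$key")
    [ "$nkeys" -eq 1 ] || { echo "expected one private key block in $key, found $nkeys" >&2; return 1; }

    ncerts=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$certs")
    [ "$ncerts" -ge 1 ] || { echo "no CERTIFICATE block in $certs" >&2; return 1; }

    # In a combined file the key must precede the leaf certificate.
    if [ "$key" = "$certs" ]; then
        keyline=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$key" | cut -d: -f1)
        certline=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$certs" | head -n 1 | cut -d: -f1)
        [ "$keyline" -lt "$certline" ] || { echo "private key must come before the certificates" >&2; return 1; }
    fi

    # The key must belong to the first (leaf) certificate: compare public keys.
    # openssl pkey and openssl x509 each read the first block of their own type and skip the rest.
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    certpub=$(openssl x509 -in "$certs" -noout -pubkey 2>/dev/null)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] \
        || { echo "private key does not match the first (leaf) certificate" >&2; return 1; }

    # Split the certificates into one file each, in the order they appear.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$certs"

    # Chain order: certificate i must have been signed by certificate i+1.
    # -partial_chain lets verify stop at that next certificate instead of demanding a
    # self-signed root, so the check works whether or not the root is included.
    i=1
    while [ "$i" -lt "$ncerts" ]; do
        j=$((i + 1))
        openssl verify -partial_chain -CAfile "$tmp/cert$j.pem" -CApath "$tmp/nocerts" \
            "$tmp/cert$i.pem" >/dev/null 2>&1 \
            || { echo "certificate $i is not signed by certificate $j: chain out of order or incomplete" >&2; return 1; }
        i=$j
    done

    # A self-signed root at the end is allowed but unnecessary; say so.
    last="$tmp/cert$ncerts.pem"
    if [ "$ncerts" -gt 1 ] && [ "$(openssl x509 -in "$last" -noout -subject)" = "$(openssl x509 -in "$last" -noout -issuer | sed 's/^issuer/subject/')" ]; then
        echo "note: last certificate is a self-signed root; clients already trust it, so it can be omitted" >&2
    fi
    echo "$certs: key matches leaf, $ncerts certificate(s) in a valid order"
}

if [ $# -ge 1 ]; then
    check_pem "$@"
fi
```

Run it as `check_pem YourPemFile` on the head node before the copy steps below; a non-zero exit means the file should not be installed.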
Adding certificates to CloudAPI and AdminUI
Copy your PEM file to the head node of your installation (it contains a private key, so keep it mode 0600 and remove it when you are finished), and set the following variable to its path:
headnode# PEM=YourPemFile
Determine the UUIDs of your CloudAPI and AdminUI zones and set the following variables (the first column of vmadm list is the zone UUID):
headnode# CLOUDAPI=$(vmadm list | grep cloudapi0 | awk '{ print $1 }')
headnode# ADMINUI=$(vmadm list | grep adminui0 | awk '{ print $1 }')
Back up the current certificates (these copies also contain the private key; keep them mode 0600 and delete them once the new certificates are confirmed working):
headnode# cp /zones/${CLOUDAPI}/root/opt/smartdc/cloudapi/ssl/stud.pem /root
headnode# cp /zones/${ADMINUI}/root/opt/smartdc/adminui/etc/ssl/default.pem /root
Replace the current certificates with the new one (copying over the existing file keeps its owner and permissions):
headnode# cp ${PEM} /zones/${CLOUDAPI}/root/opt/smartdc/cloudapi/ssl/stud.pem
headnode# cp ${PEM} /zones/${ADMINUI}/root/opt/smartdc/adminui/etc/ssl/default.pem
Restart the CloudAPI services, including stud, which holds stud.pem and terminates TLS in front of the cloudapi instances:
headnode# sdc-login cloudapi
(cloudapi)# svcadm restart cloudapi:cloudapi-8081
(cloudapi)# svcadm restart cloudapi:cloudapi-8082
(cloudapi)# svcadm restart cloudapi:cloudapi-8083
(cloudapi)# svcadm restart cloudapi:cloudapi-8084
(cloudapi)# svcadm restart stud
Check that CloudAPI now serves the new certificate; the subject should be your hostname and the chain printed by -showcerts should include your intermediates:
(cloudapi)# echo QUIT | openssl s_client -host 127.0.0.1 -port 1443 -showcerts
Restart the AdminUI service:
headnode# sdc-login adminui
(adminui)# svcadm restart adminui
Check that AdminUI now serves the new certificate:
(adminui)# echo QUIT | openssl s_client -host 127.0.0.1 -port 443 -showcerts
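Connecting to 127.0.0.1 with s_client shows that the port answers, not that it is presenting the file you just copied in. The following shell functions are an added example, not Triton code; they assume openssl(1) on the head node, the zone paths used above, and a placeholder hostname of cloudapi.example.com. install_pem adds a timestamped backup created under a restrictive umask (the backup holds the private key) and writes through the existing file so it keeps its owner and mode; served_matches_file connects with SNI, as real clients do, and compares the SHA-256 fingerprint of the certificate the service presents with the leaf in the installed file, so a forgotten restart or a wrong zone UUID shows up as a mismatch rather than a green handshake.

```shell
#!/bin/sh
# Added example for installing a PEM into a Triton zone and confirming that the
# service now presents it. Not Triton tooling; assumes openssl(1) on PATH.

# install_pem SRC DST
# Back DST up as DST.YYYYmmddHHMMSS (mode 0600, since it holds the key) and then
# overwrite DST in place so its existing owner and permissions are retained.
install_pem() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ -f "$dst" ] || { echo "$dst does not exist; is the zone UUID right?" >&2; return 1; }
    bak="$dst.$(date +%Y%m%d%H%M%S)"
    (umask 077; cp "$dst" "$bak") || return 1
    cat "$src" > "$dst" || return 1
    echo "installed $src -> $dst (backup: $bak)"
}

# file_fingerprint PEM -> SHA-256 fingerprint of the first certificate in PEM
# (openssl x509 skips the PRIVATE KEY block, so a combined file works).
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# served_fingerprint HOST PORT SNI -> SHA-256 fingerprint of the certificate the
# server presents. -servername sends SNI, which is what browsers and CLIs send.
served_fingerprint() {
    echo QUIT | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# served_matches_file PEM HOST PORT SNI -> 0 only if the live endpoint serves PEM's leaf
served_matches_file() {
    want=$(file_fingerprint "$1")
    got=$(served_fingerprint "$2" "$3" "$4")
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo "$4:$3 serves $want (matches $1)"
        return 0
    fi
    echo "$4:$3 serves '$got', expected '$want': restart the service or check the path" >&2
    return 1
}

# Example run on the head node, with PEM and CLOUDAPI set as above and
# cloudapi.example.com standing in for the name on your certificate:
#   install_pem "$PEM" /zones/$CLOUDAPI/root/opt/smartdc/cloudapi/ssl/stud.pem
#   (restart stud and the cloudapi instances as shown above)
#   served_matches_file "$PEM" 127.0.0.1 1443 cloudapi.example.com
```

The same pair of calls applies to AdminUI with its default.pem path and port 443. Keep the backups until served_matches_file succeeds, then delete them along with the uploaded PEM.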
Adding a certificate to SDC Docker
The ability to add a certificate for SDC Docker is built into the sdcadm tool.
Copy the certificate chain and the key file to the head node; any directory with adequate space will do (the example below uses /var/tmp). Both files contain sensitive material if they are your only copy, so keep them mode 0600.
Run the sdcadm experimental install-docker-cert command to load the certificate; it takes the key and the certificate chain as separate files:
headnode# sdcadm experimental install-docker-cert -k /var/tmp/wildcard.key -c /var/tmp/wildcardchain.crt
Installing certificate
Restarting sdc-docker service
Update the docker endpoint in CloudAPI to use the same FQDN that appears on the certificate. Docker clients verify the server name against the certificate, so an IP address or a name the certificate does not cover will fail TLS verification:
headnode# docker_endpoint="tcp://YOURFQDN:2376"
headnode# cloudapi_svc=$(sdc-sapi /services?name=cloudapi | json -H 0.uuid)
headnode# sapiadm get $cloudapi_svc \
| json -e "
svcs = JSON.parse(this.metadata.CLOUDAPI_SERVICES || '{}');
svcs.docker = '$docker_endpoint';
this.update = {metadata: {CLOUDAPI_SERVICES: JSON.stringify(svcs)}};
" update \
| sapiadm update $cloudapi_svc
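Before writing YOURFQDN into CLOUDAPI_SERVICES it is worth confirming that the certificate you installed covers that name: the docker client checks the server name against the certificate's subject alternative names, and a wildcard matches exactly one label, so *.example.com covers docker.example.com but not docker.region.example.com. The functions below are an added example, not Triton code; they assume openssl(1) with the -checkhost option (OpenSSL 1.0.2 or later) and use placeholder names under example.com. check_all runs the same test over the CloudAPI, AdminUI and Docker names, which is exactly the condition under which one wildcard serves all three as the note at the top of this page says, and docker_endpoint_for only emits the tcp:// string when the Docker name passes.

```shell
#!/bin/sh
# Added example: confirm a certificate covers the hostnames it will be served on.
# Not Triton code. Assumes openssl(1) >= 1.0.2 (for x509 -checkhost).

# cert_covers CERTFILE HOSTNAME -> 0 if HOSTNAME matches the certificate's subject
# alternative names (with CN as fallback), honouring single-label wildcards.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# docker_endpoint_for CERTFILE FQDN -> prints tcp://FQDN:2376 (the SDC Docker port
# used above) when the certificate covers FQDN; otherwise prints nothing, returns 1.
docker_endpoint_for() {
    if cert_covers "$1" "$2"; then
        echo "tcp://$2:2376"
    else
        echo "$2 is not covered by $1; fix the certificate before updating CLOUDAPI_SERVICES" >&2
        return 1
    fi
}

# check_all CERTFILE NAME... -> reports each name; returns 1 if any is not covered.
check_all() {
    cert=$1; shift
    rc=0
    for name in "$@"; do
        if cert_covers "$cert" "$name"; then
            echo "ok      $name"
        else
            echo "MISSING $name"
            rc=1
        fi
    done
    return $rc
}

# Example with placeholder names: a *.example.com wildcard should cover all three
# endpoints, but not a name one label deeper.
#   check_all /var/tmp/wildcardchain.crt cloudapi.example.com adminui.example.com docker.example.com
#   docker_endpoint=$(docker_endpoint_for /var/tmp/wildcardchain.crt docker.example.com) || exit 1
```

The final line produces the docker_endpoint value used in the sapiadm update above, so a certificate that does not cover the name stops the procedure before CloudAPI starts advertising an endpoint clients cannot verify.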
Test using the standard Docker tools, with DOCKER_HOST pointing at the new endpoint and DOCKER_TLS_VERIFY set. If your environment is set correctly and TLS verification passes, docker info should look similar to this:
$ docker info
Containers: 0
Images: 7
Storage Driver: sdc
SDCAccount: jay.schmidt
Execution Driver: sdc-0.3.0
Kernel Version: 3.12.0-1-amd64
Operating System: SmartDataCenter
Name: cak-1
ID: 29e15ccd-e90b-4ceb-8680-d30421f420b5
Adding certificates to the SSO service
Unlike CloudAPI and AdminUI, which take a combined PEM file, SSO requires the certificate and the key as separate files, at the paths named by sslcert and sslkey in its config.json.
The configuration file will look similar to this:
[root@c586f49b-18ba-c5c2-d96f-86870d76798d /opt/smartdc/sdcsso/cfg]# more config.json
{
"portalName" : "swdemo04 Cloud Portal",
"port" : 3443,
"ufds" : {
"url" : "ldaps://192.168.222.11",
"bindDN" : "cn=root",
"bindPassword" : <password>
},
"sslkey" : "/opt/smartdc/sdcsso/ssl/key.pem",
"sslcert" : "/opt/smartdc/sdcsso/ssl/cert.pem",
"nodemailerOpts" : {
"smtpTransport" : {
"host": "smtp.gmail.com",
"secureConnection": true,
"port": 465,
"auth": {
"user": "",
"pass": ""
}
}
},
"features": {
"signupDisabled": true
}
}
The following process assumes your SSO instance is provisioned on the headnode.
Determine the UUID of your sdc-sso zone and set the following variable:
headnode# SSO=$(vmadm list |grep sdcsso| awk '{ print $1}' )
Set the following variables to the paths of your new certificate chain and key, then back up the current files. The paths below are those named by sslcert and sslkey in the config.json shown above; confirm them against your own config.json before copying:
headnode# CERT=YourCertFile
headnode# KEY=YourKeyFile
headnode# cp /zones/${SSO}/root/opt/smartdc/sdcsso/ssl/cert.pem /root
headnode# cp /zones/${SSO}/root/opt/smartdc/sdcsso/ssl/key.pem /root
Replace the current certificate and key with the new ones:
headnode# cp ${CERT} /zones/${SSO}/root/opt/smartdc/sdcsso/ssl/cert.pem
headnode# cp ${KEY} /zones/${SSO}/root/opt/smartdc/sdcsso/ssl/key.pem
Restart the SSO service:
headnode# zlogin $SSO
(sdcsso)# svcadm restart sdcsso
Check the SSO certificate (use the "port" value from config.json, 3443 in the example above):
(sdcsso)# echo QUIT | openssl s_client -host 127.0.0.1 -port 3443 -showcerts