cloudstack

Commit Graph

Author	SHA1	Message	Date
Rohit Yadav	7ce54bf7a8	CLOUDSTACK-9993: Securing Agents Communications (#2239 ) This introduces a new certificate authority framework that allows pluggable CA provider implementations to handle certificate operations around issuance, revocation and propagation. The framework injects itself to `NioServer` to handle agent connections securely. The framework adds assumptions in `NioClient` that a keystore if available with known name `cloud.jks` will be used for SSL negotiations and handshake. This includes a default 'root' CA provider plugin which creates its own self-signed root certificate authority on first run and uses it for issuance and provisioning of certificate to CloudStack agents such as the KVM, CPVM and SSVM agents and also for the management server for peer clustering. Additional changes and notes: - Comma separate list of management server IPs can be set to the 'host' global setting. Newly provisioned agents (KVM/CPVM/SSVM etc) will get radomized comma separated list to which they will attempt connection or reconnection in provided order. This removes need of a TCP LB on port 8250 (default) of the management server(s). - All fresh deployment will enforce two-way SSL authentication where connecting agents will be required to present certificates issued by the 'root' CA plugin. - Existing environment on upgrade will continue to use one-way SSL authentication and connecting agents will not be required to present certificates. - A script `keystore-setup` is responsible for initial keystore setup and CSR generation on the agent/hosts. - A script `keystore-cert-import` is responsible for import provided certificate payload to the java keystore file. - Agent security (keystore, certificates etc) are setup initially using SSH, and later provisioning is handled via an existing agent connection using command-answers. The supported clients and agents are limited to CPVM, SSVM, and KVM agents, and clustered management server (peering). - Certificate revocation does not revoke an existing agent-mgmt server connection, however rejects a revoked certificate used during SSL handshake. - Older `cloudstackmanagement.keystore` is deprecated and will no longer be used by mgmt server(s) for SSL negotiations and handshake. New keystores will be named `cloud.jks`, any additional SSL certificates should not be imported in it for use with tomcat etc. The `cloud.jks` keystore is stricly used for agent-server communications. - Management server keystore are validated and renewed on start up only, the validity of them are same as the CA certificates. New APIs: - listCaProviders: lists all available CA provider plugins - listCaCertificate: lists the CA certificate(s) - issueCertificate: issues X509 client certificate with/without a CSR - provisionCertificate: provisions certificate to a host - revokeCertificate: revokes a client certificate using its serial Global settings for the CA framework: - ca.framework.provider.plugin: The configured CA provider plugin - ca.framework.cert.keysize: The key size for certificate generation - ca.framework.cert.signature.algorithm: The certificate signature algorithm - ca.framework.cert.validity.period: Certificate validity in days - ca.framework.cert.automatic.renewal: Certificate auto-renewal setting - ca.framework.background.task.delay: CA background task delay/interval - ca.framework.cert.expiry.alert.period: Days to check and alert expiring certificates Global settings for the default 'root' CA provider: - ca.plugin.root.private.key: (hidden/encrypted) CA private key - ca.plugin.root.public.key: (hidden/encrypted) CA public key - ca.plugin.root.ca.certificate: (hidden/encrypted) CA certificate - ca.plugin.root.issuer.dn: The CA issue distinguished name - ca.plugin.root.auth.strictness: Are clients required to present certificates - ca.plugin.root.allow.expired.cert: Are clients with expired certificates allowed UI changes: - Button to download/save the CA certificates. Misc changes: - Upgrades bountycastle version and uses newer classes - Refactors SAMLUtil to use new CertUtils Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>	2017-08-28 12:15:11 +02:00
Wei Zhou	4a77a79949	CLOUDSTACK-9462: Build packages on Ubuntu 14.04/16.04 and support tomcat6/tomcat7 Changes (1) add systemd support in debian/control and debian/rules for 16.04 (2) add python-setuptools in Build-Depends in debian/control (3) seperate cloudstack-management.service and cloudstack-management.default for CentOS7 and Ubuntu 16.04 (4) add server7-ssl.xml and server7-nonssl.xml in management installation (5) link /usr/share/cloudstack-management/lib and /usr/share/cloudstack-management/bin to correct path (tomcat6 or tomcat7) (6) link /etc/cloudstack/management/server.xml to correct file path (server-nonssl.xml or server7-nonssl.xml) (7) remove *.zip from .gitignore to avoid build error caused by missing /vhds/test.vhd.zip Instruction (1) build packages on Ubuntu 16.04: dpkg-buildpackage -uc -us Output on Ubuntu 16.04: -rw-r--r-- 1 root root 4090 Feb 17 10:12 cloudstack_4.10.0.0-SNAPSHOT_amd64.changes -rw-r--r-- 1 root root 1235 Feb 17 09:53 cloudstack_4.10.0.0-SNAPSHOT.dsc -rw-r--r-- 1 root root 8018248 Feb 17 09:53 cloudstack_4.10.0.0-SNAPSHOT.tar.xz -rw-r--r-- 1 root root 91868746 Feb 17 10:11 cloudstack-agent_4.10.0.0-SNAPSHOT_all.deb -rw-r--r-- 1 root root 52882 Feb 17 10:12 cloudstack-cli_4.10.0.0-SNAPSHOT_all.deb -rw-r--r-- 1 root root 98556216 Feb 17 10:08 cloudstack-common_4.10.0.0-SNAPSHOT_all.deb -rw-r--r-- 1 root root 52864 Feb 17 10:12 cloudstack-docs_4.10.0.0-SNAPSHOT_all.deb -rw-r--r-- 1 root root 585434 Feb 17 10:12 cloudstack-integration-tests_4.10.0.0-SNAPSHOT_all.deb -rw-r--r-- 1 root root 323459934 Feb 17 10:10 cloudstack-management_4.10.0.0-SNAPSHOT_all.deb -rw-r--r-- 1 root root 442656 Feb 17 10:12 cloudstack-marvin_4.10.0.0-SNAPSHOT_all.deb -rw-r--r-- 1 root root 87037576 Feb 17 10:12 cloudstack-usage_4.10.0.0-SNAPSHOT_all.deb (2) setup tomcat6/tomcat7 on management server: tomcat6: cloudstack-setup-management --tomcat6 tomcat7: cloudstack-setup-management --tomcat7 Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>	2017-04-07 18:41:24 +05:30

Author

SHA1

Message

Date

Rohit Yadav

7ce54bf7a8

CLOUDSTACK-9993: Securing Agents Communications (#2239 )

This introduces a new certificate authority framework that allows
pluggable CA provider implementations to handle certificate operations
around issuance, revocation and propagation. The framework injects
itself to `NioServer` to handle agent connections securely. The
framework adds assumptions in `NioClient` that a keystore if available
with known name `cloud.jks` will be used for SSL negotiations and
handshake.

This includes a default 'root' CA provider plugin which creates its own
self-signed root certificate authority on first run and uses it for
issuance and provisioning of certificate to CloudStack agents such as
the KVM, CPVM and SSVM agents and also for the management server for
peer clustering.

Additional changes and notes:
- Comma separate list of management server IPs can be set to the 'host'
  global setting. Newly provisioned agents (KVM/CPVM/SSVM etc) will get
  radomized comma separated list to which they will attempt connection
  or reconnection in provided order. This removes need of a TCP LB on
  port 8250 (default) of the management server(s).
- All fresh deployment will enforce two-way SSL authentication where
  connecting agents will be required to present certificates issued
  by the 'root' CA plugin.
- Existing environment on upgrade will continue to use one-way SSL
  authentication and connecting agents will not be required to present
  certificates.
- A script `keystore-setup` is responsible for initial keystore setup
  and CSR generation on the agent/hosts.
- A script `keystore-cert-import` is responsible for import provided
  certificate payload to the java keystore file.
- Agent security (keystore, certificates etc) are setup initially using
  SSH, and later provisioning is handled via an existing agent connection
  using command-answers. The supported clients and agents are limited to
  CPVM, SSVM, and KVM agents, and clustered management server (peering).
- Certificate revocation does not revoke an existing agent-mgmt server
  connection, however rejects a revoked certificate used during SSL
  handshake.
- Older `cloudstackmanagement.keystore` is deprecated and will no longer
  be used by mgmt server(s) for SSL negotiations and handshake. New
  keystores will be named `cloud.jks`, any additional SSL certificates
  should not be imported in it for use with tomcat etc. The `cloud.jks`
  keystore is stricly used for agent-server communications.
- Management server keystore are validated and renewed on start up only,
  the validity of them are same as the CA certificates.

New APIs:
- listCaProviders: lists all available CA provider plugins
- listCaCertificate: lists the CA certificate(s)
- issueCertificate: issues X509 client certificate with/without a CSR
- provisionCertificate: provisions certificate to a host
- revokeCertificate: revokes a client certificate using its serial

Global settings for the CA framework:
- ca.framework.provider.plugin: The configured CA provider plugin
- ca.framework.cert.keysize: The key size for certificate generation
- ca.framework.cert.signature.algorithm: The certificate signature algorithm
- ca.framework.cert.validity.period: Certificate validity in days
- ca.framework.cert.automatic.renewal: Certificate auto-renewal setting
- ca.framework.background.task.delay: CA background task delay/interval
- ca.framework.cert.expiry.alert.period: Days to check and alert expiring certificates

Global settings for the default 'root' CA provider:
- ca.plugin.root.private.key: (hidden/encrypted) CA private key
- ca.plugin.root.public.key: (hidden/encrypted) CA public key
- ca.plugin.root.ca.certificate: (hidden/encrypted) CA certificate
- ca.plugin.root.issuer.dn: The CA issue distinguished name
- ca.plugin.root.auth.strictness: Are clients required to present certificates
- ca.plugin.root.allow.expired.cert: Are clients with expired certificates allowed

UI changes:
- Button to download/save the CA certificates.

Misc changes:
- Upgrades bountycastle version and uses newer classes
- Refactors SAMLUtil to use new CertUtils

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

2017-08-28 12:15:11 +02:00

Wei Zhou

4a77a79949

CLOUDSTACK-9462: Build packages on Ubuntu 14.04/16.04 and support tomcat6/tomcat7

Changes
(1) add systemd support in debian/control and debian/rules for 16.04
(2) add python-setuptools in Build-Depends in debian/control
(3) seperate cloudstack-management.service and cloudstack-management.default for CentOS7 and Ubuntu 16.04
(4) add server7-ssl.xml and server7-nonssl.xml in management installation
(5) link /usr/share/cloudstack-management/lib and /usr/share/cloudstack-management/bin to correct path (tomcat6 or tomcat7)
(6) link /etc/cloudstack/management/server.xml to correct file path (server-nonssl.xml or server7-nonssl.xml)
(7) remove *.zip from .gitignore to avoid build error caused by missing /vhds/test.vhd.zip

Instruction
(1) build packages on Ubuntu 16.04: dpkg-buildpackage -uc -us
    Output on Ubuntu 16.04:
-rw-r--r-- 1 root root      4090 Feb 17 10:12 cloudstack_4.10.0.0-SNAPSHOT_amd64.changes
-rw-r--r-- 1 root root      1235 Feb 17 09:53 cloudstack_4.10.0.0-SNAPSHOT.dsc
-rw-r--r-- 1 root root   8018248 Feb 17 09:53 cloudstack_4.10.0.0-SNAPSHOT.tar.xz
-rw-r--r-- 1 root root  91868746 Feb 17 10:11 cloudstack-agent_4.10.0.0-SNAPSHOT_all.deb
-rw-r--r-- 1 root root     52882 Feb 17 10:12 cloudstack-cli_4.10.0.0-SNAPSHOT_all.deb
-rw-r--r-- 1 root root  98556216 Feb 17 10:08 cloudstack-common_4.10.0.0-SNAPSHOT_all.deb
-rw-r--r-- 1 root root     52864 Feb 17 10:12 cloudstack-docs_4.10.0.0-SNAPSHOT_all.deb
-rw-r--r-- 1 root root    585434 Feb 17 10:12 cloudstack-integration-tests_4.10.0.0-SNAPSHOT_all.deb
-rw-r--r-- 1 root root 323459934 Feb 17 10:10 cloudstack-management_4.10.0.0-SNAPSHOT_all.deb
-rw-r--r-- 1 root root    442656 Feb 17 10:12 cloudstack-marvin_4.10.0.0-SNAPSHOT_all.deb
-rw-r--r-- 1 root root  87037576 Feb 17 10:12 cloudstack-usage_4.10.0.0-SNAPSHOT_all.deb

(2) setup tomcat6/tomcat7 on management server:
    tomcat6: cloudstack-setup-management --tomcat6
    tomcat7: cloudstack-setup-management --tomcat7

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

2017-04-07 18:41:24 +05:30

2 Commits