Re: Console Proxy & SSL

2021-07-01 Thread Hean Seng
I suggest you just do SSL for the console proxy, and set up another server
with an SSL cert and reverse proxy to your Management server.

On Fri, Jul 2, 2021 at 4:22 AM Andrija Panic 
wrote:

> Hi Mike,
>
> certificate for securing UI and the certificate for securing access to
> Console of the VM (i.e. securing HTTPS access from browser to the public IP
> of the CPVM/SSVM) are 2 completely different things - and you can/should
> use 2 different certificates.
>
> Please read this article - it's very comprehensive and up to date in
> regards to the steps - afterwards, I'm happy to answer any additional
> questions you might have:
> https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/
>
>
> Your second email - is referring to a cloudstack agent certificate that is
> generated by default to secure agent-to-mgmt communication - nothing to do
> with the other 2 you are configuring.
>
> Cheers,
>
>
> On Thu, 1 Jul 2021 at 19:39, Corey, Mike 
> wrote:
>
> > To help me with troubleshooting, could one of the developers let me know
> > where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> > there a way to verify the custom wildcard cert I’ve uploaded is where it
> > should be? I’m seeing this error in the ACS logs.
> >
> > Should the CA wildcard certificate issuer & CN be in the “presented these
> > certificates” section of log?
> >
> >
> > 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> > (pool-13-thread-1:null) (logid:) A client/agent attempting connection from
> > address=10.#.#.# has presented these certificate(s):
> > Certificate [1] :
> > Serial: 85b01fc4f045cf08
> >   Not Before:Thu Jul 01 01:03:33 EDT 2021
> >   Not After:Fri Jul 01 13:03:33 EDT 2022
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> > Certificate [2] :
> > Serial: 3b2fcee96e685c62
> >   Not Before:Mon May 03 00:43:22 EDT 2021
> >   Not After:Wed Apr 26 12:43:22 EDT 2051
> >   Signature Algorithm:SHA256withRSA
> >   Version:3
> >   Subject DN:CN=ca.cloudstack.apache.org
> >   Issuer DN:CN=ca.cloudstack.apache.org
> >   Alternative Names:null
> >
> > 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> > (pool-13-thread-1:null) (logid:) Certificate ownership verification failed
> > for client: 10.#.#.#
> > 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> > (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> > wrap data: Certificate ownership verification failed for client: 10.#.#.#,
> > for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> > 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> > (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> > wrap data: Empty server certificate chain, for local
> > address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
> >
> >
> >
> >
> > From: Corey, Mike 
> > Sent: Thursday, July 1, 2021 10:33 AM
> > To: users 
> > Subject: [CAUTION] Console Proxy & SSL
> >
> > Hi,
> >
> > I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS
> > UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> > server as the CN.  The certificate is valid and the Management UI
> > connection is secured in the web browser.
> >
> > I’m now trying to modify the Console Proxy SSL Certificate based on this
> > page:
> > http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
> >
> > I have created the wildcard CA issued certificate as *. along with
> > the unencrypted key per the steps on above wiki page.
> >
> > After the changes are made in the UI under Infrastructure – SSL
> > Certificates, the consolevm reboots; however it doesn’t appear it is
> > loading my CA certificate with the wildcard.
> >
> > Answer this please --- I should be able to have two separate certificates:
> > one for the UI management (FQDN of ACS) and one for console proxy session
> > (wildcard).
> >
> > I had this on the 4.14 lab implementation but unfortunately my build notes
> > on this step were poor ☹.
> >
> >
> > Mike Corey
> >
> > Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> > US
> >
> > SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> > States
> >
> > T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
> >
> >
> >
> >
> >
>
> --
>
> Andrija Panić
>


-- 
Regards,
Hean Seng


Re: Console Proxy & SSL

2021-07-01 Thread Andrija Panic
Hi Mike,

certificate for securing UI and the certificate for securing access to
Console of the VM (i.e. securing HTTPS access from browser to the public IP
of the CPVM/SSVM) are 2 completely different things - and you can/should
use 2 different certificates.

Please read this article - it's very comprehensive and up to date in
regards to the steps - afterwards, I'm happy to answer any additional
questions you might have:
https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/


Your second email - is referring to a cloudstack agent certificate that is
generated by default to secure agent-to-mgmt communication - nothing to do
with the other 2 you are configuring.

Cheers,


On Thu, 1 Jul 2021 at 19:39, Corey, Mike  wrote:

> To help me with troubleshooting, could one of the developers let me know
> where the wildcard certificate is loaded into the ssvm and consolevm?  Is
> there a way to verify the custom wildcard cert I’ve uploaded is where it
> should be? I’m seeing this error in the ACS logs.
>
> Should the CA wildcard certificate issuer & CN be in the “presented these
> certificates” section of log?
>
>
> 2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) A client/agent attempting connection from
> address=10.#.#.# has presented these certificate(s):
> Certificate [1] :
> Serial: 85b01fc4f045cf08
>   Not Before:Thu Jul 01 01:03:33 EDT 2021
>   Not After:Fri Jul 01 13:03:33 EDT 2022
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
> Certificate [2] :
> Serial: 3b2fcee96e685c62
>   Not Before:Mon May 03 00:43:22 EDT 2021
>   Not After:Wed Apr 26 12:43:22 EDT 2051
>   Signature Algorithm:SHA256withRSA
>   Version:3
>   Subject DN:CN=ca.cloudstack.apache.org
>   Issuer DN:CN=ca.cloudstack.apache.org
>   Alternative Names:null
>
> 2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager]
> (pool-13-thread-1:null) (logid:) Certificate ownership verification failed
> for client: 10.#.#.#
> 2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Certificate ownership verification failed for client: 10.#.#.#,
> for local address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
> 2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link]
> (AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during
> wrap data: Empty server certificate chain, for local
> address=/10.#.#.#:8250, remote address=/10.#.#.##:36084.
>
>
>
>
> From: Corey, Mike 
> Sent: Thursday, July 1, 2021 10:33 AM
> To: users 
> Subject: [CAUTION] Console Proxy & SSL
>
> Hi,
>
> I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS
> UI with a CA issued certificate.  This certificate has the FQDN of my ACS
> server as the CN.  The certificate is valid and the Management UI
> connection is secured in the web browser.
>
> I’m now trying to modify the Console Proxy SSL Certificate based on this
> page:
> http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy
>
> I have created the wildcard CA issued certificate as *. along
> with the unencrypted key per the steps on above wiki page.
>
> After the changes are made in the UI under Infrastructure – SSL
> Certificates, the consolevm reboots; however it doesn’t appear it is
> loading my CA certificate with the wildcard.
>
> Answer this please --- I should be able to have two separate certificates:
> one for the UI management (FQDN of ACS) and one for console proxy session
> (wildcard).
>
> I had this on the 4.14 lab implementation but unfortunately my build notes
> on this step were poor ☹.
>
>
> Mike Corey
>
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service
> US
>
> SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United
> States
>
> T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com
>
>
>
>
>

-- 

Andrija Panić
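
Added example, not part of the thread and not CloudStack code: a small parser for the RootCACustomTrustManager dump quoted above that shows, per presented certificate, whether it was issued by the built-in CA named in the log (the agent-to-mgmt certificate the reply refers to) or looks like an uploaded wildcard certificate. The function names, the sample addresses and the comparison of the client address against the IP SANs are assumptions of this example, a first triage check rather than a statement of what the trust manager tests.

```python
import re

# Constructed sample in the thread's log format; addresses are placeholders.
SAMPLE_LOG = """\
2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-13-thread-1:null) (logid:) A client/agent attempting connection from address=192.0.2.99 has presented these certificate(s):
Certificate [1] :
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 192.0.2.17], [7, 198.51.100.17], [2, v-17-VM]]
Certificate [2] :
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null
"""

INTERNAL_CA_DN = "CN=ca.cloudstack.apache.org"  # issuer DN seen in the thread's log
CLIENT = re.compile(r"address=(\S+) has presented these certificate")
FIELD = re.compile(r"^\s*(Subject DN|Issuer DN|Alternative Names)\s*:\s*(.*)$")
SAN = re.compile(r"\[(\d+),\s*([^\]]+)\]")  # Java prints each SAN as [type, value]

def parse_presented(log):
    """Return (client_address, [field dict per certificate]) for one dump."""
    client, certs = None, []
    for line in log.splitlines():
        if (m := CLIENT.search(line)):
            client = m.group(1)
        elif line.startswith("Certificate ["):
            certs.append({})
        elif certs and (m := FIELD.match(line)):
            certs[-1][m.group(1)] = m.group(2).strip()
    return client, certs

def report(log):
    """Summarise each presented certificate for triage."""
    client, certs = parse_presented(log)
    rows = []
    for cert in certs:
        sans = SAN.findall(cert.get("Alternative Names", ""))
        dns = [v for t, v in sans if t == "2"]  # GeneralName 2 = dNSName
        ips = [v for t, v in sans if t == "7"]  # GeneralName 7 = iPAddress
        subject, issuer = cert.get("Subject DN", ""), cert.get("Issuer DN", "")
        rows.append({
            "subject": subject,
            "self_signed": subject == issuer,
            "internal_ca": issuer == INTERNAL_CA_DN,
            "wildcard": "CN=*." in subject or any(d.startswith("*.") for d in dns),
            "client_in_ip_sans": client in ips,
        })
    return rows
```

A dump where every row has `internal_ca` true and `wildcard` false concerns the agent channel on port 8250, so it says nothing about whether the uploaded console proxy certificate was loaded.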


RE: Console Proxy & SSL

2021-07-01 Thread Corey, Mike
To help me with troubleshooting, could one of the developers let me know where 
the wildcard certificate is loaded into the ssvm and consolevm?  Is there a way 
to verify the custom wildcard cert I’ve uploaded is where it should be? I’m 
seeing this error in the ACS logs.

Should the CA wildcard certificate issuer & CN be in the “presented these 
certificates” section of log?


2021-07-01 13:23:12,070 DEBUG [o.a.c.c.p.RootCACustomTrustManager] 
(pool-13-thread-1:null) (logid:) A client/agent attempting connection from 
address=10.#.#.# has presented these certificate(s):
Certificate [1] :
Serial: 85b01fc4f045cf08
  Not Before:Thu Jul 01 01:03:33 EDT 2021
  Not After:Fri Jul 01 13:03:33 EDT 2022
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:C=cloudstack, O=cloudstack, OU=cloudstack, CN=v-17-VM
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:[[7, 10.#.#.#], [7, 10.#.#.#], [2, v-17-VM]]
Certificate [2] :
Serial: 3b2fcee96e685c62
  Not Before:Mon May 03 00:43:22 EDT 2021
  Not After:Wed Apr 26 12:43:22 EDT 2051
  Signature Algorithm:SHA256withRSA
  Version:3
  Subject DN:CN=ca.cloudstack.apache.org
  Issuer DN:CN=ca.cloudstack.apache.org
  Alternative Names:null

2021-07-01 13:23:12,071 ERROR [o.a.c.c.p.RootCACustomTrustManager] 
(pool-13-thread-1:null) (logid:) Certificate ownership verification failed for 
client: 10.#.#.#
2021-07-01 13:23:12,073 ERROR [c.c.u.n.Link] 
(AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap 
data: Certificate ownership verification failed for client: 10.#.#.#, for local 
address=/10.#.#.#:8250, remote address=/10.#.#.#:36082.
2021-07-01 13:23:17,464 ERROR [c.c.u.n.Link] 
(AgentManager-SSLHandshakeHandler-4:null) (logid:) SSL error caught during wrap 
data: Empty server certificate chain, for local address=/10.#.#.#:8250, remote 
address=/10.#.#.##:36084.




From: Corey, Mike 
Sent: Thursday, July 1, 2021 10:33 AM
To: users 
Subject: [CAUTION] Console Proxy & SSL

Hi,

I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS UI 
with a CA issued certificate.  This certificate has the FQDN of my ACS server 
as the CN.  The certificate is valid and the Management UI connection is 
secured in the web browser.

I’m now trying to modify the Console Proxy SSL Certificate based on this page:
http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

I have created the wildcard CA issued certificate as *. along with 
the unencrypted key per the steps on above wiki page.

After the changes are made in the UI under Infrastructure – SSL Certificates, 
the consolevm reboots; however it doesn’t appear it is loading my CA 
certificate with the wildcard.

Answer this please --- I should be able to have two separate certificates: one 
for the UI management (FQDN of ACS) and one for console proxy session 
(wildcard).

I had this on the 4.14 lab implementation but unfortunately my build notes on 
this step were poor ☹.


Mike Corey

Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US

SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United States

T +1 610 661 0905, M +1 484 274 2658, E 
mike.co...@sap.com






Console Proxy & SSL

2021-07-01 Thread Corey, Mike
Hi,

I could use some clarification here on TLS/SSL usage.  I’ve secured my ACS UI 
with a CA issued certificate.  This certificate has the FQDN of my ACS server 
as the CN.  The certificate is valid and the Management UI connection is 
secured in the web browser.

I’m now trying to modify the Console Proxy SSL Certificate based on this page:
http://docs.cloudstack.apache.org/en/latest/adminguide/systemvm.html#using-a-ssl-certificate-for-the-console-proxy

I have created the wildcard CA issued certificate as *. along with 
the unencrypted key per the steps on above wiki page.

After the changes are made in the UI under Infrastructure – SSL Certificates, 
the consolevm reboots; however it doesn’t appear it is loading my CA 
certificate with the wildcard.

Answer this please --- I should be able to have two separate certificates: one 
for the UI management (FQDN of ACS) and one for console proxy session 
(wildcard).

I had this on the 4.14 lab implementation but unfortunately my build notes on 
this step were poor ☹.


Mike Corey

Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US

SAP AMERICA, INC. 3999 West Chester Pike, Newtown Square, 19073 United States

T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com







Re: Option to stay on page after deploying a VM

2021-07-01 Thread Andrija Panic
I like the idea, as long as the default behaviour is the same as the
current one (exit the form)

For advanced users, like not yourself :P , you can capture the API call via
Developer Tools in the browser, copy the request URL, then hit that URL in
the new browser tab, and just ctrl + R multiple times, in order to spin 10s
and 10s of (randomly named VMs) in literally a second (i.e. no need to go
to CMK)

+1 from my side

On Thu, 1 Jul 2021 at 10:29, David Jumani 
wrote:

> Hi,
>
> While creating multiple VMs, I've faced the issue of having to go back to
> the deploy VM form after each deployment
> Although a mild inconvenience, it does get tiring to refill the form, so
> I've added the option to stay on the deploy VM form after creating a VM
> This way all the form data remains intact and can be changed as per the VM
> requirements
> Please have a look and let me know your feedback
> https://github.com/apache/cloudstack/pull/4843
>
> Thanks,
> David
>
>
>
>
>

-- 

Andrija Panić


Option to stay on page after deploying a VM

2021-07-01 Thread David Jumani
Hi,

While creating multiple VMs, I've faced the issue of having to go back to the 
deploy VM form after each deployment
Although a mild inconvenience, it does get tiring to refill the form, so I've 
added the option to stay on the deploy VM form after creating a VM
This way all the form data remains intact and can be changed as per the VM 
requirements
Please have a look and let me know your feedback
https://github.com/apache/cloudstack/pull/4843

Thanks,
David