Hi Mike, in production, you might want to do the SSL offloading on the load balancer, but yes, you can also set up SSL on Jetty as well - please see the article https://www.shapeblue.com/securing-cloudstack-4-11-with-https-tls/ (skip the first part which describes securing system VMs with SSL).

Best,
Andrija

On Tue, 4 Aug 2020 at 20:47, Corey, Mike <mike.co...@sap.com> wrote:

> Hi,
>
> I’m trying to figure out how to use https or 8443 with an internally
> signed certificate and chain for the UI. The latest documentation only has
> the below snippet. I’ve created my internally signed certificate, root,
> and intermediary cert and I believe I’ve done all the imports into my
> keystore using keytool correctly. I’ve also modified the server.properties
> with the correct jks location and password as directed by the documentation.
>
> Older versions of CloudStack documentation reference doing something with
> Jetty, but the link to the reference is for out of life versions. I don’t
> see any messages in the logs pertaining to TLS, SSL, 8443, etc. Is there
> more to this process than documented?
>
> *SSL (Optional)*
>
> CloudStack provides HTTP access in its default installation. There are a
> number of technologies and sites which choose to implement SSL/TLS. As a
> result, we have left CloudStack to expose HTTP under the assumption that a
> site will implement its typical practice.
>
> CloudStack 4.9 and above uses embedded Jetty as its servlet container. For
> sites that would like CloudStack to terminate the SSL session, HTTPS can be
> enabled by configuring the https-related settings in CloudStack management
> server’s server.properties file at /etc/cloudstack/management/ location:
>
> *# For management server to pickup these configuration settings, the configured*
> *# keystore file should exists and be readable by the management server.*
>
> https.enable=true
> https.port=8443
> https.keystore=/etc/cloudstack/management/cloud.jks
> https.keystore.password=vmops.com
>
> For storing certificates, admins can create and configure a java keystore
> file and configure the same in the server.properties file as illustrated
> above.
>
> *Mike Corey*
> Technology Senior Consultant, IT CS CTW Operation & Virtualization Service US
> *SAP AMERICA, INC.* 3999 West Chester Pike, Newtown Square, 19073 United States
> T +1 610 661 0905, M +1 484 274 2658, E mike.co...@sap.com

--
Andrija Panić
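
A pre-flight check for the `https.*` settings in the documentation snippet quoted above, as an added example that is not part of the original thread and not CloudStack's own tooling. The names `get_prop`, `check_https_props` and `VERIFY_KEYSTORE` are assumptions made for this example; run it as the account the management server runs under so the readability test is meaningful.

```shell
#!/bin/sh
# Added example (not CloudStack tooling): pre-flight check of the https.* keys
# in server.properties. Function names and VERIFY_KEYSTORE are hypothetical.

# Print the value of the last uncommented "key=value" line for key $1 in file $2.
get_prop() {
    k=$(printf '%s' "$1" | sed 's/\./\\./g')   # match dots in the key literally
    sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$2" | tr -d '\r' | tail -n 1
}

check_https_props() {
    props=$1; rc=0
    [ -r "$props" ] || { echo "FAIL: cannot read $props"; return 2; }
    enable=$(get_prop https.enable "$props")
    port=$(get_prop https.port "$props")
    ks=$(get_prop https.keystore "$props")
    pw=$(get_prop https.keystore.password "$props")

    [ "$enable" = "true" ] || { echo "FAIL: https.enable is '$enable', expected 'true'"; rc=1; }
    case $port in
        ''|*[!0-9]*) echo "FAIL: https.port is missing or not numeric"; rc=1 ;;
    esac
    # The documentation requires the keystore to exist and be readable by the
    # management server, so run this as that service account.
    if [ -z "$ks" ]; then echo "FAIL: https.keystore is not set"; rc=1
    elif [ ! -f "$ks" ]; then echo "FAIL: keystore $ks does not exist"; rc=1
    elif [ ! -r "$ks" ]; then echo "FAIL: keystore $ks is not readable by $(id -un)"; rc=1
    fi
    [ -n "$pw" ] || { echo "FAIL: https.keystore.password is empty"; rc=1; }
    [ "$pw" != "vmops.com" ] || echo "WARN: password is still the documentation's sample value"

    # Opt-in: a TLS listener needs a private key, not only imported certificates.
    # Note that -storepass is visible in the process list while keytool runs.
    if [ "$rc" -eq 0 ] && [ "${VERIFY_KEYSTORE:-0}" = 1 ]; then
        keytool -list -keystore "$ks" -storepass "$pw" 2>/dev/null | grep -q PrivateKeyEntry \
            || { echo "FAIL: $ks did not open or has no PrivateKeyEntry"; rc=1; }
    fi
    [ "$rc" -ne 0 ] || echo "OK: https.* settings are consistent"
    return "$rc"
}

# Usage: sh check.sh /etc/cloudstack/management/server.properties
if [ "$#" -gt 0 ]; then check_https_props "$1"; fi
```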