Citrix Systems 4.5 Printer User Manual


 
5.3. Security Considerations for Management Server
We recommend that you strictly follow the security instructions given in the following sections.
5.3.1. Enabling HTTPS for CloudPlatform Management Server
CloudPlatform Management Server runs on Tomcat, and by default the web interface is accessed
over HTTP on 8080/TCP. You can enable HTTPS on Tomcat to provide secure communication to the
CloudPlatform Management Server. If you enable HTTPS, the Management Server web interface will
be securely available at <https://yourserver:10285/client>, or optionally at <https://yourserver/client>.
1. Back up /etc/cloudstack/management/server.xml.
2. Edit /etc/cloudstack/management/server.xml.
   Consider the following:
   - By default the HTTPS configuration is commented out, so uncomment it and update it as necessary.
   - Ensure that the keystore file has appropriate permissions.
   - Include the password you will use for the certificate.
   - Use an unprivileged port (1025/TCP or above) because Tomcat runs as the "cloud" user and not root.
   The following is the default code snippet under service catalina, which is commented out. You
   can uncomment it and use port 8443 or change it to an unprivileged port, 1025/TCP or above.
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
              keystoreType="PKCS12"
              keystoreFile="conf/cloud-localhost.pk12"
              keystorePass="password"/>
Note
To enable HTTPS on Tomcat for providing secure communication to the CloudPlatform
Management Server, use TLS protocol versions 1.0, 1.1, or 1.2.
For Tomcat versions prior to 6.0.38, the parameter name is sslProtocols. For
version 6.0.38 and higher, the parameter name is sslEnabledProtocols.
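An added example, not part of the original manual or of CloudPlatform: a Python check that applies the step 2 considerations and the Note above to the Connector in server.xml before Tomcat is restarted. The function name, the base_dir parameter, flagging the snippet's sample password, and treating group/other access to the keystore as inappropriate are assumptions of this example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the manual's default Connector, uncommented but otherwise unchanged.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true"
  clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
  keystoreType="PKCS12"
  keystoreFile="conf/cloud-localhost.pk12"
  keystorePass="password"/>
</Service></Server>"""

def audit_https_connectors(server_xml, tomcat_version, base_dir="."):
    """Return findings for every SSLEnabled Connector in the server.xml text.

    base_dir (hypothetical parameter) is the directory relative keystoreFile
    paths are resolved against.
    """
    findings = []
    # XML comments are dropped by the parser, so a commented-out Connector is not seen.
    connectors = [c for c in ET.fromstring(server_xml).iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"]
    if not connectors:
        return ["no HTTPS connector is active (still commented out?)"]
    # Per the Note: sslProtocols before 6.0.38, sslEnabledProtocols from 6.0.38 on.
    expected = "sslEnabledProtocols" if tuple(tomcat_version) >= (6, 0, 38) else "sslProtocols"
    for c in connectors:
        port = int(c.get("port", "0"))
        if port < 1025:
            findings.append(f"port {port}: privileged; Tomcat runs as 'cloud', use 1025/TCP or above")
        if c.get(expected) is None:
            findings.append(f"port {port}: attribute {expected} missing for this Tomcat version")
        if c.get("keystorePass") in (None, "", "password"):
            findings.append(f"port {port}: keystorePass is unset or still the sample value")
        path = os.path.join(base_dir, c.get("keystoreFile", ""))
        if not os.path.isfile(path):
            findings.append(f"port {port}: keystore {path} not found")
        # Assumption: "appropriate permissions" means no access for group or others.
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"port {port}: keystore {path} is accessible to group/others")
    return findings

if __name__ == "__main__":
    for finding in audit_https_connectors(SAMPLE_SERVER_XML, (6, 0, 43)):
        print(finding)
```

An empty list means the Connector passed every check; run it against the contents of /etc/cloudstack/management/server.xml with the Tomcat version installed on the Management Server.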
3. Obtain the certificate:
a. Follow your organization's standard procedures to generate and obtain a certificate suitable
for securing a website. For example, generate a private key:
# openssl genrsa 1024 > cloud.key