Enabling HTTPS connectivity for nodes
The default certificate presented by the application server uses localhost.localdomain
. This works only for local node installations (server and node on a single host).
This section presents the steps necessary for generating an SSL certificate, for setup Storware Backup & Recovery to use it and how to register a remote node.
Storware Backup & Recovery Server (when using own certificate)
This section describes certificate generation and import on the Storware Backup & Recovery Server side. It uses a self-signed certificate. If you would like to use CSR and your own CA instead - check for additional steps described in the next section.
SSH to Storware Backup & Recovery Server host
Generate the key and certificate (remember to provide a valid Storware Server DNS hostname - in our example it was storware.local):
[[email protected] ~]# openssl req -x509 -newkey rsa:4096 -keyout storware.key -out storware.crt -days 365
Example output (you need to input some information, especially passphrase for certificate):
Generating a 4096 bit RSA private key ...............................................................................++ .............................................................................................................................................................................................................................................................................................................................................++ writing new private key to 'storware.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:PL State or Province Name (full name) []: Locality Name (eg, city) [Default City]:Warsaw Organization Name (eg, company) [Default Company Ltd]: your Company Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:storware.local Email Address []:
Create the PKCS12 bundle from the certificate and the key:
[root@localhost ~]# openssl pkcs12 -export -in storware.crt -inkey storware.key -out storware.p12 -name storware
You need to input passphrase defined before and define export password:
Enter pass phrase for storware.key: Enter Export Password: Verifying - Enter Export Password:
Create a keystore for the Storware Backup & Recovery Server with the PKCS12 bundle (as a
root
):Note: Default password for our keystore is
changeit
.[root@localhost ~]# keytool -importkeystore -destkeystore /opt/vprotect/keystore.jks -srckeystore storware.p12 -srcstoretype PKCS12 -alias storware Enter destination keystore password: Re-enter new password: Enter source keystore password:
Change ownership on the keystore to the
vprotect
user:chown vprotect:vprotect /opt/vprotect/keystore.jks
Edit
/opt/vprotect/payara.properties
, change the path to the keystore and password (use password generated in step 3 of this instruction, default keystore password ischangeit
):eu.storware.vprotect.ssl.certname=[certificate alias] javax.net.ssl.keyStore=/opt/vprotect/keystore.jks javax.net.ssl.keyStorePassword=[keystorepassword]
Restart the Server:
systemctl stop vprotect-server systemctl start vprotect-server
Storware Backup & Recovery Node (any SSL certificate)
SSH to Storware Backup & Recovery Node host
Make sure that your nodes resolve the hostname (FQDN) of the Storware Backup & Recovery Server. You also can add an entry in the
/etc/hosts
like this (example IP: 1.2.3.4):1.2.3.4 storware.local
Check with your browser that
https://STORWARE_HOST:8181
presents the certificate that you have just generated. You also can execute the openssl client from the node to print it (check the hostname that you have provided in the certificate):openssl s_client -connect storware.local:8181 < /dev/null
Import the server certificate using the script under the /opt/vprotect/scripts folder:
cd /opt/vprotect/node/scripts ./node_add_ssl_cert.sh [SERVER_HOST] [PORT] [KEYSTORE_PASS]
[SERVER_HOST] - FQDN name of Storware Backup & Recovery Server
[PORT] - port for SSL communication on Storware Backup & Recovery Server (you need to open it on server
# firewall-cmd --permanent --add-port=[PORT]/tcp && firewall-cmd --reload
)[KEYSTORE_PASS] - password which you defined in step 3 of that instruction
Note:
If you have node on the same host as server, You could use default variables of script (and you can use script without arguments). Default variables are:
SERVER_HOST =
127.0.0.1
PORT =
8181
KEYSTORE_PASS =
changeit
It applies if you would not generated any certificate.
Register the node with the NODE_NAME of your choice, the ADMIN_USER user name which you would like to use and the URL to Storware Backup & Recovery API, and provide the password when prompted:
vprotect node -r NODE_NAME ADMIN_USER http(s)://STORWARE_SERVER:PORT/api
Examples:
Remote server with a generated certificate:
vprotect node -r node1 admin https://storware.local:8181/api
Local installation with default certificate:
vprotect node -r node1 admin https://localhost.localdomain:8181/api
Notes on using your own certificate with CSR and your own CA
When using CSR to get a trusted certificate, you need to replace step 2 in Storware Backup & Recovery Server (when using own certificate) with several steps including CSR generation, and download the CRT signed by your CA. The steps are as follows:
Generate the CSR - answer the same set of questions as above:openssl req -new -newkey rsa:2048 -nodes -keyout storware.key -out storware.csr.
Send your CSR and have it signed by your CA.
Download your CRT file and save it as storware.crt (note that you should have your working directory set to
/opt/vprotect
).Download your CA certificate chain (for example for a singleca.crt) and import it with the CA_ALIAS of your choice as follows:
keytool -import -trustcacerts -keystore /usr/lib/jvm/jre/lib/security/cacerts -storepass changeit -noprompt -alias CA_ALIAS -file ca.crt
Now continue from PKCS12 bundle generation (step 3 in the section above).
Last updated