Adding SSL certificates to endpoints

Modified: 22 Nov 2017 17:39 UTC

By default, Triton uses self-signed certificates for AdminUI, SDC Docker, and CloudAPI. These can be replaced with signed certificates if desired. This page takes you through the process of adding signed certificates to your Triton installation.

CloudAPI, AdminUI, and SDC Docker use SSL certificates. If you have a wildcard certificate, you will be able to use it for all three. Otherwise, you will need a certificate for each zone being secured.

Note: You will need to acquire your certificate from a certificate signing authority. Joyent does not provide certificate signing.

The end-user portal for single sign-on (SSO) requires the key and certificate to be in separate files. These certificates are valid for all services except the SSO certificate.

Verify your PEM file

Your PEM file should contain the private key and the certificate chain, including your leaf certificate. It should be in the format:

  -----BEGIN RSA PRIVATE KEY-----
  [Base64 Encoded Private Key]
  -----END RSA PRIVATE KEY-----
  -----BEGIN CERTIFICATE-----
  [Base64 Encoded Certificate]
  -----END CERTIFICATE-----

Note: You may need to include the certificate chain in the PEM file. The chain should be a series of CERTIFICATE sections, each section having been signed by the next CERTIFICATE. In other words, the PEM file should be ordered as follows: the PRIVATE KEY, the leaf certificate, zero or more intermediate certificates, and, finally, the root certificate.
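
One way to check the layout described above before copying the file into place, as an added example that is not part of the original page or of Triton's tooling. The function names are illustrative, and the chain check compares issuer and subject names only, not signatures.

```shell
# Added example: pre-flight checks for a combined PEM (key + chain).
# Function names are illustrative; they are not part of Triton.

# First block must be a private key; all later blocks (>= 1) certificates.
check_pem_order() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | awk '
        NR == 1 { if ($0 !~ /PRIVATE KEY$/) bad = 1; next }
        $0 != "CERTIFICATE" { bad = 1 }
        END { exit ((bad || NR < 2) ? 1 : 0) }'
}

# The private key and the first (leaf) certificate must share a public key.
# "-passin pass:" makes an encrypted key fail instead of prompting.
check_key_matches_leaf() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Each certificate's issuer must equal the subject of the next one.
# This checks name chaining only, not signatures.
check_chain_links() {
    dir=$(mktemp -d) || return 1
    awk -v d="$dir" '/^-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".crt") }' "$1"
    i=1; rc=0
    while [ -f "$dir/$((i + 1)).crt" ]; do
        iss=$(openssl x509 -in "$dir/$i.crt" -noout -issuer | sed 's/^issuer= *//')
        sub=$(openssl x509 -in "$dir/$((i + 1)).crt" -noout -subject | sed 's/^subject= *//')
        [ "$iss" = "$sub" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# Run all three checks and report the first failure.
verify_pem() {
    check_pem_order "$1" || { echo "bad block order in $1" >&2; return 1; }
    check_key_matches_leaf "$1" || { echo "key does not match leaf" >&2; return 1; }
    check_chain_links "$1" || { echo "chain is out of order" >&2; return 1; }
    echo "$1: OK"
}
```

Source the file on the head node and run verify_pem "$PEM" before the copy steps that follow.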

Adding certificates to CloudAPI and AdminUI

Copy your PEM file to the head node of your installation, and set the following variable:

PEM=YourPemFile

Determine the location of your CloudAPI and AdminUI zones and set the following variables:

headnode# CLOUDAPI=$(vmadm list |grep cloudapi0| awk '{ print $1}' )
headnode# ADMINUI=$(vmadm list |grep adminui0| awk '{ print $1}' )

Back up the current certificates (the copies contain the private key, so keep them readable only by root):

headnode# cp /zones/${CLOUDAPI}/root/opt/smartdc/cloudapi/ssl/stud.pem /root
headnode# cp /zones/${ADMINUI}/root/opt/smartdc/adminui/etc/ssl/default.pem /root

Replace current certificates with the new certificates:

headnode# cp ${PEM} /zones/${CLOUDAPI}/root/opt/smartdc/cloudapi/ssl/stud.pem
headnode# cp ${PEM} /zones/${ADMINUI}/root/opt/smartdc/adminui/etc/ssl/default.pem

Restart the CloudAPI services:

headnode# sdc-login cloudapi
(cloudapi)# svcadm restart cloudapi:cloudapi-8081
(cloudapi)# svcadm restart cloudapi:cloudapi-8082
(cloudapi)# svcadm restart cloudapi:cloudapi-8083
(cloudapi)# svcadm restart cloudapi:cloudapi-8084
(cloudapi)# svcadm restart stud

Check the CloudAPI certificate:

(cloudapi)# echo QUIT | openssl s_client -host 127.0.0.1 -port 1443 -showcerts

Restart the AdminUI services:

headnode# sdc-login adminui
(adminui)# svcadm restart adminui

Check the AdminUI certificate:

(adminui)# echo QUIT | openssl s_client -host 127.0.0.1 -port 1443 -showcerts

Adding a certificate to SDC Docker

The ability to add a certificate for SDC Docker is included in the sdcadm tool.

Upload your certificate files and key file. This should be done on your head node, and can be done in any directory with adequate space.

Run the sdcadm experimental install-docker-cert command to load the certificate:

headnode# sdcadm experimental install-docker-cert -k /var/tmp/wildcard.key -c /var/tmp/wildcardchain.crt
Installing certificate
Restarting sdc-docker service

Update the docker endpoint in CloudAPI to use the same FQDN that is used on the certificate.

headnode# docker_endpoint="tcp://YOURFQDN:2376"
headnode# cloudapi_svc=$(sdc-sapi /services?name=cloudapi | json -H 0.uuid)
headnode# sapiadm get $cloudapi_svc \
    | json -e "
        svcs = JSON.parse(this.metadata.CLOUDAPI_SERVICES || '{}');
        svcs.docker = '$docker_endpoint';
        this.update = {metadata: {CLOUDAPI_SERVICES: JSON.stringify(svcs)}};
        " update \
    | sapiadm update $cloudapi_svc

Test using the standard Docker tools. If your environment is set properly, and TLS is set, it should look similar to this:

$ docker info
Containers: 0
Images: 7
Storage Driver: sdc
SDCAccount: jay.schmidt
Execution Driver: sdc-0.3.0
Kernel Version: 3.12.0-1-amd64
Operating System: SmartDataCenter
Name: cak-1
ID: 29e15ccd-e90b-4ceb-8680-d30421f420b5

Adding certificates to the SSO service

Unlike AdminUI and SDC Docker, you must copy your certificate and key separately for SSO.

The configuration file will look similar to this:

[root@c586f49b-18ba-c5c2-d96f-86870d76798d /opt/smartdc/sdcsso/cfg]# more config.json
{
    "portalName" : "swdemo04 Cloud Portal",
    "port" : 3443,
    "ufds" : {
        "url" : "ldaps://192.168.222.11",
        "bindDN" : "cn=root",
        "bindPassword" : <password>
    },
    "sslkey" : "/opt/smartdc/sdcsso/ssl/key.pem",
    "sslcert" : "/opt/smartdc/sdcsso/ssl/cert.pem",
    "nodemailerOpts" : {
        "smtpTransport" : {
            "host": "smtp.gmail.com",
            "secureConnection": true,
            "port": 465,
            "auth": {
                "user": "",
                "pass": ""
            }
        }
    },
    "features": {
        "signupDisabled": true
    }
}

The following process assumes your SSO instance is provisioned on the headnode.

Determine the location of your sdc-sso zone and set the following variable:

headnode# SSO=$(vmadm list |grep sdcsso| awk '{ print $1}' )

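Back up the current certificates, which live at the sslcert and sslkey paths shown in config.json:

headnode# cp /zones/${SSO}/root/opt/smartdc/sdcsso/ssl/cert.pem /root
headnode# cp /zones/${SSO}/root/opt/smartdc/sdcsso/ssl/key.pem /root

Set CERT and KEY to your new certificate and key files, then replace the current certificate with the new certificate:

headnode# CERT=YourCertFile
headnode# KEY=YourKeyFile
headnode# cp ${CERT} /zones/${SSO}/root/opt/smartdc/sdcsso/ssl/cert.pem
headnode# cp ${KEY} /zones/${SSO}/root/opt/smartdc/sdcsso/ssl/key.pem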

Restart the SSO service:

headnode# zlogin $SSO
(sdcsso)# svcadm restart sdcsso

Check the SSO certificate:

(sdcsso)# echo QUIT | openssl s_client -host 127.0.0.1 -port 1443 -showcerts