
SSL Certificates Installation

SSL Certificates for secure communication


Last updated 4 years ago

CloudFabrix's dimensions platform is enabled for HTTPS (SSL/443) access by default for secure communication, and it is installed with self-signed certificates during deployment. For production deployments, however, it is highly recommended to install CA-signed certificates; the steps below help you install them correctly.

The cfxDimensions platform uses the HA Proxy service to manage UI access, incoming traffic (for example, alert notifications) securely over HTTPS (SSL/443), and internal application traffic where applicable.

The steps below describe how to install CA-signed SSL certificates for the HA Proxy service.

SSL Certificate Requirements:

CloudFabrix's dimensions platform's HA Proxy service requires the following CA-signed SSL certificate files in PEM format:

  • server-ssl-certificate.crt (format: PEM)

  • server-ssl-private.key

  • trusted-ca-intermediate-root.crt (format: PEM)

  • trusted-ca-root.crt (format: PEM)

OR

  • server-ssl-certificate.crt (format: PEM)

  • server-ssl-private.key

  • trusted-ca-intermediate-root.crt & trusted-ca-root.crt chain in a single file (format: PEM)

The SSL server certificate you obtain must match the DNS name / FQDN that resolves to the cfxDimensions platform VM's IP address (within the certificate this is referred to as the Common Name, or CN). Wildcard domain SSL certificates are also supported. The command below shows how to check the server SSL certificate's CN using openssl (in this example, the cfxDimensions platform's FQDN is cfx-dimensions.cloudfabrix.io and a wildcard domain name (CN) SSL certificate is used).

openssl crl2pkcs7 -nocrl -certfile server-ssl-certificate.crt | openssl pkcs7 -print_certs -noout

Once you have the SSL certificate files listed above, create an SSL certificate chain by concatenating them into a single file in PEM format.

The diagram below shows a valid CA-signed SSL certificate chain for reference.

Run one of the commands below to create a valid SSL certificate chain (the supported format is PEM).

cat server-ssl-private.key server-ssl-certificate.crt trusted-ca-intermediate-root.crt trusted-ca-root.crt > cfx-ssl-haproxy.pem

OR

cat server-ssl-private.key server-ssl-certificate.crt trusted-ca-intermediate-and-root-chain.crt > cfx-ssl-haproxy.pem

The final consolidated SSL certificate chain is saved to the file 'cfx-ssl-haproxy.pem', which is applied to the HA Proxy configuration later in this document. The filename is used here for reference only.

CA-signed SSL certificate verification:

Note: the openssl tool is a prerequisite for performing the SSL certificate validation checks.

Step 1: Run the commands below to verify that the server's SSL certificate and private key belong together. The output of the two commands must be identical.

openssl x509 -noout -modulus -in server-ssl-certificate.crt | openssl md5
openssl rsa -noout -modulus -in server-ssl-private.key | openssl md5

Step 2: Run the commands below to verify that the validity dates of the server's SSL certificate and of the intermediate and root certificates (the chain) are current and that none of them has expired.

openssl x509 -noout -in server-ssl-certificate.crt -dates
openssl x509 -noout -in trusted-ca-root.crt -dates
openssl x509 -noout -in trusted-ca-intermediate-root.crt -dates

Step 3: Run the commands below to verify that the public key contained in the private key file and the public key in the server certificate are the same. The output of the two commands should match.

openssl x509 -in server-ssl-certificate.crt -noout -pubkey
openssl rsa -in server-ssl-private.key -pubout

Step 4: Run the command below to verify the validity of the certificate chain. The response should end with 'OK'. When the root and intermediate certificates are separate files, the intermediate must be supplied with -untrusted; with only the root in -CAfile, openssl cannot build the chain and reports 'unable to get local issuer certificate'.

openssl verify -CAfile trusted-ca-root.crt -untrusted trusted-ca-intermediate-root.crt server-ssl-certificate.crt

OR

openssl verify -CAfile trusted-ca-intermediate-and-root-chain.crt server-ssl-certificate.crt

Step 5: Run the command below to display the certificates contained in the chain file and verify that they appear in the correct order: the server certificate first, then the intermediate CA, then the root CA (the private key is not displayed).

openssl crl2pkcs7 -nocrl -certfile cfx-ssl-haproxy.pem | openssl pkcs7 -print_certs -noout

Please refer to the screenshot below for how a correctly ordered SSL certificate chain looks.

Verify that the SSL certificate and key are in PEM format:

openssl rsa -inform PEM -in server-ssl-private.key
openssl x509 -inform PEM -in server-ssl-certificate.crt
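The chain assembly and the verification steps above, as one runnable script. This is an added example, not code from the cfxDimensions documentation or from CloudFabrix: it generates a throwaway root / intermediate / server hierarchy (the CA names and the host cfx-dimensions.cloudfabrix.example are constructed test data), writes cfx-ssl-haproxy.pem in the guide's key, server, intermediate, root order, and turns steps 1 to 5 into shell functions that return success or failure. Two details differ from the commands above: expiry is checked with openssl's -checkend instead of reading -dates by eye, and the intermediate is passed to openssl verify with -untrusted, which is what lets the check succeed when root and intermediate are separate files. The -verify_hostname option covers the FQDN / wildcard match; browsers match the name against the certificate's subjectAltName entries rather than the CN, so check that the certificate you order carries the FQDN there as well.

```shell
#!/bin/sh
# Added example, not part of the cfxDimensions documentation: generate a
# throwaway root -> intermediate -> server hierarchy (constructed test data),
# assemble the HA Proxy chain file in the order the guide uses, and run the
# guide's verification checks as shell functions. Requires only the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ int_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.cloudfabrix.example
EOF

# Constructed test PKI; the file names mirror the ones the guide uses.
make_test_pki() {
    openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 365 -sha256 -subj "/CN=Test Root CA" \
        -keyout root.key -out trusted-ca-root.crt >/dev/null 2>&1
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Test Intermediate CA" -keyout intermediate.key -out int.csr >/dev/null 2>&1
    openssl x509 -req -in int.csr -CA trusted-ca-root.crt -CAkey root.key -CAcreateserial \
        -days 365 -sha256 -extfile pki.cnf -extensions int_ext \
        -out trusted-ca-intermediate-root.crt >/dev/null 2>&1
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=*.cloudfabrix.example" -keyout server-ssl-private.key -out srv.csr >/dev/null 2>&1
    openssl x509 -req -in srv.csr -CA trusted-ca-intermediate-root.crt -CAkey intermediate.key \
        -CAcreateserial -days 365 -sha256 -extfile pki.cnf -extensions srv_ext \
        -out server-ssl-certificate.crt >/dev/null 2>&1
}

# The guide's order: private key, server cert, intermediate CA, root CA.
# The file carries the private key, so it is created owner-readable only.
build_chain() {
    ( umask 077; cat server-ssl-private.key server-ssl-certificate.crt \
        trusted-ca-intermediate-root.crt trusted-ca-root.crt > cfx-ssl-haproxy.pem )
}

# Steps 1 and 3: the public key in the certificate must equal the one in the key.
key_matches_cert() {
    a=$(openssl x509 -in server-ssl-certificate.crt -noout -pubkey | openssl sha256)
    b=$(openssl rsa -in server-ssl-private.key -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ]
}

# Step 2: none of the three certificates may be expired.
certs_not_expired() {
    for c in server-ssl-certificate.crt trusted-ca-intermediate-root.crt trusted-ca-root.crt; do
        openssl x509 -noout -in "$c" -checkend 0 >/dev/null || return 1
    done
}

# Step 4: build and verify the path for the given FQDN. The intermediate goes in
# as -untrusted; with only -CAfile root, openssl cannot find the server cert's issuer.
chain_verifies() {
    openssl verify -CAfile trusted-ca-root.crt -untrusted trusted-ca-intermediate-root.crt \
        -verify_hostname "$1" server-ssl-certificate.crt >/dev/null 2>&1
}

# Step 5: certificates inside the chain file must appear as server, intermediate, root.
chain_order_ok() {
    got=$(openssl crl2pkcs7 -nocrl -certfile cfx-ssl-haproxy.pem | openssl pkcs7 -print_certs -noout \
        | grep '^subject=' | sed 's/.*CN *= *//')
    want=$(printf '%s\n%s\n%s' '*.cloudfabrix.example' 'Test Intermediate CA' 'Test Root CA')
    [ "$got" = "$want" ]
}

make_test_pki
build_chain
for check in key_matches_cert certs_not_expired \
        "chain_verifies cfx-dimensions.cloudfabrix.example" chain_order_ok; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
```

To run the same checks against real material, drop make_test_pki, place the four files from the requirements list in the working directory, and pass the platform's FQDN to chain_verifies. Keep the 0600 mode on cfx-ssl-haproxy.pem when you copy it: the first block in that file is the private key.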

CA-signed SSL Certificate Installation for HA Proxy service:

Step 1: Go to HA Proxy service's certificates path on the cfxDimensions platform machine.

cd /opt/macaw/macaw-platform-<id>/certificates/<cfx-platform-ip>/haproxy

Step 2: Take a backup of the existing HA Proxy service's SSL certificate.

cp haproxy.pem haproxy.pem.backup

Step 3: Copy the CA-signed SSL certificate chain file (in PEM format) to this location as 'haproxy.pem'.

cp <ssl-cert-path>/cfx-ssl-haproxy.pem haproxy.pem

Step 4: Restart the HA Proxy container.

docker ps -a | grep haproxy
docker restart <haproxy-container-id>

Step 5: Check the HA Proxy service logs to make sure there are no errors after installing the CA-signed SSL server certificate chain file.

docker logs -f <haproxy-container-id> --tail 200

Step 6: Run the 'openssl' command below to verify the newly installed SSL certificate and check that SSL verification is shown as 'OK' without any validation failures.

openssl s_client -connect <cfx-platform-FQDN>:443

Step 7: Open an internet browser (Firefox / Chrome / Safari) and enter the cfxDimensions platform's FQDN to access the UI securely over HTTPS (port 443).

https://<cfx-platform-fqdn>
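The installation steps 2 to 6 above as one helper script. This is an added example, not part of the cfxDimensions documentation or of CloudFabrix's tooling: it assumes the guide's directory layout and that the container can be found by the name "haproxy", and it adds the checks a practitioner wants before a running proxy is touched, namely that the new file really is one private key plus a chain, that the old file is kept with a timestamp, that the key is never world-readable, that the replacement is atomic, and that the post-install openssl check is read by its 'Verify return code' rather than by eye. The demonstration at the end uses placeholder PEM blocks (markers only, no real keys), so only the file handling runs; the docker and s_client functions need the platform VM.

```shell
#!/bin/sh
# Added example, not part of the cfxDimensions documentation: an install helper
# for the HA Proxy certificate directory that follows the guide's steps (backup,
# copy, restart, verify). Assumes the guide's directory layout and container
# name; the docker and openssl commands are the ones the guide uses.
set -eu

# Refuse anything that is not exactly one private key plus at least two
# certificates (server certificate and its issuing chain).
chain_file_ok() {
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$1" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 2 ]
}

# Steps 2 and 3: replace <dir>/haproxy.pem with <chain>, keep a timestamped
# backup, and keep the private key readable by its owner only. The new file is
# written beside the old one and renamed so the proxy never reads a partial file.
install_haproxy_cert() {
    dir=$1; chain=$2
    chain_file_ok "$chain" || { echo "refusing to install: $chain is not key + chain" >&2; return 1; }
    if [ -f "$dir/haproxy.pem" ]; then
        cp -p "$dir/haproxy.pem" "$dir/haproxy.pem.backup-$(date +%Y%m%d%H%M%S)"
    fi
    tmp="$dir/haproxy.pem.tmp.$$"
    cp "$chain" "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$dir/haproxy.pem"
}

# Steps 4 and 5: restart the container the guide identifies by name and scan the
# last 200 log lines for HA Proxy [ALERT] or error entries.
restart_haproxy() {
    id=$(docker ps -a --filter name=haproxy --format '{{.ID}}' | head -n 1)
    [ -n "$id" ] || { echo "no haproxy container found" >&2; return 1; }
    docker restart "$id" >/dev/null
    if docker logs --tail 200 "$id" 2>&1 | grep -iE 'ALERT|error'; then
        echo "HA Proxy reported problems after restart" >&2; return 1
    fi
    echo "HA Proxy restarted cleanly"
}

# Step 6: connect with SNI, validate against the CA chain, and require
# "Verify return code: 0 (ok)" instead of reading the s_client output by eye.
remote_cert_ok() {
    host=$1; ca=$2
    openssl s_client -connect "$host:443" -servername "$host" -CAfile "$ca" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Demonstration on a constructed directory with placeholder PEM blocks (markers
# only, no real keys) so the file handling can be exercised without a proxy.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' old '-----END CERTIFICATE-----' > "$DEMO/haproxy.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' k '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' srv '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' ca '-----END CERTIFICATE-----' > "$DEMO/cfx-ssl-haproxy.pem"
install_haproxy_cert "$DEMO" "$DEMO/cfx-ssl-haproxy.pem"
ls -l "$DEMO"
# On the platform VM the sequence is (placeholders as in the guide):
#   install_haproxy_cert /opt/macaw/macaw-platform-<id>/certificates/<cfx-platform-ip>/haproxy cfx-ssl-haproxy.pem
#   restart_haproxy
#   remote_cert_ok <cfx-platform-FQDN> trusted-ca-intermediate-and-root-chain.crt
```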

Appendix:

SSL Certificate Formats and Conversion:

SSL certificate files come in different formats; the most common ones that CAs (Certificate Authorities) deliver include .pfx, .p7b, .pem, .crt, .cer and .cert. You can get more details about these certificate formats in the following link:

  • Convert PFX to PEM

openssl pkcs12 -in server-ssl-certificate.pfx -out server-ssl-certificate.pem -nodes

  • Convert P7B to PEM

openssl pkcs7 -print_certs -in server-ssl-certificate.p7b -out server-ssl-certificate.pem

  • Convert DER to PEM

openssl x509 -inform der -in server-ssl-certificate.cer -out server-ssl-certificate.pem

You can use the following commands to check whether your certificate files are already in the required format:

  • Check and verify that your key is in PEM format

openssl rsa -inform PEM -in server-ssl-private.key

  • Check and verify that your certificate is in PEM format

openssl x509 -inform PEM -in server-ssl-certificate.pem
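The format checks and conversions above, generalized into a script that works out which encoding a file uses and converts it to PEM. This is an added example and not code from the cfxDimensions documentation or from CloudFabrix; it assumes only the openssl CLI, and the certificate it converts is a constructed self-signed test certificate exported into every format the section lists. PKCS#12 (.pfx) is the one case that cannot be probed, because the bundle is password protected, so the caller names that format and supplies the password through the PFX_PASSWORD environment variable rather than on the command line. Because -nodes writes the private key out unencrypted, the PFX branch creates its output with mode 0600.

```shell
#!/bin/sh
# Added example, not from the cfxDimensions documentation: detect whether a
# certificate file is PEM, DER, PKCS#7 or PKCS#12 and convert it to the PEM form
# the HA Proxy chain needs. Assumes only the openssl CLI; the certificate it
# converts is a constructed self-signed test certificate.
set -eu

# Classify $1 by trying each parser in turn. PKCS#12 is password protected and
# cannot be probed safely, so callers name that format explicitly.
detect_format() {
    if   openssl x509  -inform PEM -in "$1" -noout >/dev/null 2>&1; then echo pem
    elif openssl x509  -inform DER -in "$1" -noout >/dev/null 2>&1; then echo der
    elif openssl pkcs7 -inform PEM -in "$1" -noout >/dev/null 2>&1; then echo p7b-pem
    elif openssl pkcs7 -inform DER -in "$1" -noout >/dev/null 2>&1; then echo p7b-der
    else echo unknown
    fi
}

# Convert $1 to PEM in $2. $3 overrides detection ("pfx" for PKCS#12 bundles,
# whose password is read from PFX_PASSWORD so it never lands in argv or history).
to_pem() {
    in=$1; out=$2; fmt=${3:-$(detect_format "$1")}
    case $fmt in
        pem)     cp "$in" "$out" ;;
        der)     openssl x509  -inform DER -in "$in" -out "$out" ;;
        p7b-pem) openssl pkcs7 -inform PEM -print_certs -in "$in" -out "$out" ;;
        p7b-der) openssl pkcs7 -inform DER -print_certs -in "$in" -out "$out" ;;
        pfx)     # -nodes writes the private key unencrypted: create the output 0600.
                 ( umask 077; openssl pkcs12 -in "$in" -out "$out" -nodes \
                     -passin "pass:${PFX_PASSWORD:?PFX_PASSWORD not set}" ) ;;
        *)       echo "unsupported format: $fmt" >&2; return 1 ;;
    esac
}

# SHA-256 fingerprint of the first certificate in a PEM file, for comparing results.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Constructed test material: one self-signed certificate, exported in every format.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > min.cnf
openssl req -x509 -config min.cnf -newkey rsa:2048 -nodes -days 1 -subj "/CN=test" \
    -keyout t.key -out t.pem >/dev/null 2>&1
openssl x509 -in t.pem -outform DER -out t.cer
openssl crl2pkcs7 -nocrl -certfile t.pem -outform DER -out t.p7b
openssl pkcs12 -export -inkey t.key -in t.pem -out t.pfx -passout pass:constructed-test

export PFX_PASSWORD=constructed-test
for f in t.pem t.cer t.p7b; do
    to_pem "$f" "$f.converted.pem"
    echo "$f: $(detect_format "$f") -> $(fingerprint "$f.converted.pem")"
done
to_pem t.pfx t.pfx.converted.pem pfx
echo "t.pfx: pfx -> $(fingerprint t.pfx.converted.pem)"
```

All four converted files carry the same fingerprint, which is the check to run after any conversion: the certificate you end up with must be the one the CA issued, not a different entry from a multi-certificate .p7b or .pfx bundle.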

Self Signed SSL Certificate with Custom CA Root:

The truststore or root store is a file that contains the root certificates of the Certificate Authorities (CAs) that issue SSL certificates, such as GoDaddy, Verisign, Network Solutions, Comodo and others. Internet browsers, operating systems and applications include a list of authorized SSL certificate authorities in their root store or truststore repository file.

However, many enterprises use custom CA root certificates to validate and certify self-signed SSL certificates for internal use. In such a scenario, an SSL certificate verification error may be observed when the application is accessed through a browser or an SSL client, because neither the browser nor the SSL client has the custom CA root certificate in its root store / truststore repository file; they therefore fail to recognize the authenticity of the application's SSL certificate and its issuer (CA).

To resolve this, update the client's root store / truststore with the custom CA root and intermediate root certificates so that the client recognizes them as a valid and trusted Certificate Authority (CA). Please refer to the client's (internet browser or application) documentation on how to update its root store / truststore with custom CA root certificates.

Note: Please take guidance from your internal security team while using self-signed SSL certificates with Custom CA root certificates.
