how to replace realhostip with your custom domain by nitin mehta

Replacing realhostip.com with your custom domain - Nitin Mehta

Upload: karen-vuong

Post on 26-Dec-2014


Category: Software



DESCRIPTION

This talk is about replacing realhostip.com with your custom domain. Citrix is shutting down realhostip.com soon, and this talk will help you understand the prerequisites, procedure and troubleshooting steps for customizing your cloud with your own domain. Currently the Secondary Storage virtual machine (SSVM) and Console Proxy virtual machine (CPVM) use realhostip.com as the default SSL domain for functionality such as viewing the virtual machine console, copying templates across zones, and downloading templates/ISOs/volumes, so this functionality will be impacted by the shutdown of realhostip.com. A demo will be included.

Who should attend: Folks from the development side who are enthusiastic about understanding CloudStack architecture, or CloudStack system admins impacted by the realhostip shutdown. Anyone is welcome!

TRANSCRIPT

Page 1: How to Replace RealHostIP With Your Custom Domain by Nitin Mehta

Replacing realhostip.com with your custom domain - Nitin Mehta

Page 2

Agenda
• What is realhostip.com?
• Why is it retiring?
• Does it affect my cloud?
• If impacted, what are the possible solutions?
• How to apply these solutions and possibly troubleshoot.

Page 3

What is realhostip.com (RHIP)?
• Default domain used by CloudStack system VMs to host HTTPS connections.
• Console proxy VM (CPVM) and Secondary storage VM (SSVM) both use it in their HTTP servers.

Page 4

Where exactly is RHIP utilized?
• Console view access - CPVM acts as server using Java HTTP server.
• Download template/iso/volume - SSVM acts as server for download template/volume/iso operations.
• CopyTemplate across zones -
  • At source zone acts as server using Apache webserver.
  • At destination zone acts as Java client.

Page 5

Single certificate works for all CS instances
• Citrix hosts a DDNS service.
• This service translates DNS names of the form xxx-xxx-xxx-xxx.realhostip.com to the IP address xxx.xxx.xxx.xxx.
• This trick lets ONE SSL certificate for realhostip.com apply universally across all CloudStack installations.

Page 6

RHIP is retiring
• Original intention of RHIP -
  • Provide a small-scale service to allow users to quickly evaluate the ability to remotely access their virtual machines behind a firewall via HTTPS.
• Never designed with the distributed or redundant architecture that would have been necessary for a highly available service.
• Unfortunately, it is a single point of failure should the service ever experience outages.
• Success of Citrix CloudPlatform and Apache CloudStack - the service is quickly reaching its maximum threshold for handling DNS requests.
• After careful review, Citrix has decided to END this service on September 30th, 2014.

Page 7

What options do I have if RHIP is retiring?
• Two options
  • Don't care for SSL (say it's a private cloud) - Version >= 4.3 – disable SSL allowed.
  • Want SSL – pay attention to what follows.

Page 8

Disable SSL (4.3 onwards)
• Change global configs and restart management server
  • secstorage.encrypt.copy to "false"
  • consoleproxy.url.domain to empty.
• Verification steps -
  • Check cpvm console url is http
  • Check Download template/volume/iso url is http
  • Check copy template works.

Page 9

Enable SSL communication (read on)
Follow the steps below sequentially to enable SSL communication
• Prerequisites
• Installation Procedure
• Uploading Custom Certificates
• Verification Procedure

Page 10

Prerequisites #1
• A publicly resolvable DNS server for your domain –
  • Set up dynamic name resolution. Basically mimic the steps as is done for RHIP. OR
  • Populate all possible DNS names in your public IP range into your existing DNS server with the format aaa-bbb-ccc-ddd.company.com -> aaa.bbb.ccc.ddd.
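
Both options on this slide come down to the same name-to-address mapping. The following Python sketch is an added example, not part of the original slides or of CloudStack: it generates the static A records for a public IP range and shows the lookup a dynamic resolver would perform, answering only inside that range. The range 203.0.113.10 to 203.0.113.12, the TTL and the function names are assumptions chosen for illustration.

```python
import ipaddress

DOMAIN = "company.com"  # placeholder domain used on the slide
FIRST, LAST = "203.0.113.10", "203.0.113.12"  # constructed public IP range


def rhip_name(ip, domain=DOMAIN):
    """aaa.bbb.ccc.ddd -> aaa-bbb-ccc-ddd.<domain> (octets are not zero-padded)."""
    return str(ipaddress.IPv4Address(ip)).replace(".", "-") + "." + domain


def static_records(first=FIRST, last=LAST, domain=DOMAIN, ttl=3600):
    """Static option: one zone-file A record per address in the range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    ips = [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]
    return [f"{rhip_name(ip, domain)}. {ttl} IN A {ip}" for ip in ips]


def dynamic_answer(qname, first=FIRST, last=LAST, domain=DOMAIN):
    """Dynamic option: derive the address from the queried name.

    Returns the IP as a string, or None for malformed names and for
    addresses outside the range, so the zone never hands out names for
    loopback, private or third-party addresses.
    """
    suffix = "." + domain
    qname = qname.rstrip(".").lower()
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split("-")
    # Digits only, at most three, no leading zeros: one spelling per address.
    strict = all(o.isascii() and o.isdigit() and len(o) <= 3
                 and str(int(o)) == o for o in octets)
    if len(octets) != 4 or not strict:
        return None
    try:
        ip = ipaddress.IPv4Address(".".join(octets))
    except ValueError:  # an octet above 255
        return None
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return str(ip) if lo <= ip <= hi else None
```

Restricting the dynamic answer to the configured range keeps the wildcard-certificate domain from resolving to addresses the cloud does not own.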

Page 11

Prerequisites #2
A signed wildcard certificate for your domain – can be obtained from any well-known CA like VeriSign etc. You will need the following handy:
1. Public certificate of root CA in PEM format
2. Public certificate(s) of intermediate CA(s) (if any) in PEM format
3. Wildcard domain certificate in PEM format
4. Private key in PKCS8 format
(Note - steps are documented in Admin Guide section "Changing the Console Proxy SSL Certificate and Domain")

Page 12

Installation Procedure
• Upgrade/Install MS and Agents to version >= 4.4. Follow installation guide instructions.
• Post upgrade, change the following global configuration parameters and restart the Management Server
  • secstorage.encrypt.copy = true (By default, set to false.)
  • secstorage.ssl.cert.domain = *.yourdomain.com. Eg - *.xyz.com
  • consoleproxy.url.domain = *.yourdomain.com. Eg - *.xyz.com (By default, this is empty)

Page 13

Uploading Custom Certificates
CS provides the uploadCustomCertificate API for uploading your custom certificate.
Understanding parameters:
• Uploading through API - Make sure certificates are URL encoded.
• API invocation should be in order, i.e. first the root certificate with id=1, then zero or more intermediate certificates with id=2, 3, 4 etc.
• No convention for the name parameter, but it would help to name the root certificate as "root", intermediate certificates as "intermediate1", "intermediate2" etc. NOTE - Keep the names always unique.
• Domainsuffix - same as the global config (secstorage.ssl.cert.domain/consoleproxy.url.domain) without the '*', i.e. yourdomain.com, and the same for all the API invocations. Eg. Global configs = *.xyz.com, domain suffix = xyz.com

Page 14

Uploading Custom Certificates
• API calls – with no UI support.
  • Uploading root certificate - mandatory step.
  • Uploading intermediate certificate(s) - optional step
• UI
  • Go to UI --> Infrastructure --> Upload SSL certificate to upload the server certificate, private key and the same domain name and press OK.
  • You will get "Update SSL certificate succeeded" as a response once it's successfully uploaded. (Note - this should not be URL encoded certificate and key) SSVM and CPVM get rebooted to get programmed with the certificates.
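
The call ordering and encoding rules from the two slides above, as an added Python example that is not part of the original slides or CloudStack's own code: it builds the uploadCustomCertificate query strings for the root and intermediate certificates in the required order. Request authentication is left out, the PEM bodies are constructed placeholders, and the helper names are assumptions.

```python
from urllib.parse import quote

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

# Constructed placeholders, not real certificates; '+', '/' and '=' are
# included because they are the base64 characters that URL encoding changes.
SAMPLE_ROOT = f"{BEGIN}\nMIIBroot+constructed/placeholder==\n{END}\n"
SAMPLE_INTERMEDIATE = f"{BEGIN}\nMIIBint+constructed/placeholder==\n{END}\n"


def domain_suffix(global_value):
    """'*.xyz.com' (the global config value) -> 'xyz.com'."""
    if not global_value.startswith("*.") or "*" in global_value[2:]:
        raise ValueError("expected a wildcard value such as *.xyz.com")
    return global_value[2:]


def checked_cert(pem):
    """Accept exactly one PEM certificate; refuse anything carrying a key."""
    text = pem.strip()
    if "PRIVATE KEY" in text:
        raise ValueError("private key material does not belong in a chain upload")
    if text.count(BEGIN) != 1 or not (text.startswith(BEGIN) and text.endswith(END)):
        raise ValueError("expected a single PEM-encoded certificate")
    return text


def chain_upload_queries(root_pem, intermediate_pems, global_value):
    """Ordered query strings: root first (id=1), then intermediates (id=2, 3, ...)."""
    suffix = domain_suffix(global_value)
    named = [("root", root_pem)]
    named += [(f"intermediate{i}", pem) for i, pem in enumerate(intermediate_pems, 1)]
    queries = []
    for cert_id, (name, pem) in enumerate(named, start=1):
        params = {
            "command": "uploadCustomCertificate",
            "id": str(cert_id),
            "name": name,  # unique by construction
            "domainsuffix": suffix,  # identical in every call
            "certificate": checked_cert(pem),
        }
        # safe="" also encodes '/', and '+' becomes %2B; a raw '+' is commonly
        # decoded as a space by the server, which corrupts the base64 body.
        queries.append("&".join(f"{k}={quote(v, safe='')}" for k, v in params.items()))
    return queries
```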

Page 15

Verification
• CPVM - Check console view of user VMs and it should work. They should show the embedded iframe's source URL with HTTP / HTTPS protocol as configured.
• SSVM
  • CopyTemplate - Try copying a template from one zone to the other and see whether it works.
  • Download template/volume/iso - The download URL should show the URL with HTTP / HTTPS protocol as configured, and you should be able to download the entity.

Page 16

Demo

Page 18

Getting a certificate from a known authority
In essence the steps are as follows. Use the openssl tool.
• Generate the private key for your certificate in PKCS#8 format.
• Generate a certificate signing request (CSR)
• Head to your favorite trusted Certificate Authority, purchase an SSL certificate, and submit the CSR. You should receive a valid certificate in return.
• NOTE – exact steps found in the cwiki – "Procedure to Replace realhostip.com with Your Own Domain Name"

Page 19

Generating your own certificate
In essence, the process is to:
• Create your own root CA
• Create your own intermediate CA, which is signed by the root CA
• Create your domain specific certificate request, and sign it using the intermediate CA
• Optionally, you will need to add the root CA and intermediate CA in your browser.
• NOTE – exact steps found in the cwiki – "Procedure to Replace realhostip.com with Your Own Domain Name"

Page 21

Q & A