<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html><body>
<p>New Hawkular blog post from noreply@hawkular.org (Josejulio Martínez): http://ift.tt/2fiy8ZH<br><br></p>
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>SSL provides identification of the communicating parties, confidentiality and integrity of the information being shared.</p>
</div>
<div class="paragraph">
<p>In production environments, network eavesdropping could be a concern. You can use SSL to provide a secure communication channel between servers.</p>
</div>
<div class="paragraph">
<p>Hawkular Services expects Hawkular Agents to connect, push information and listen for commands. These commands also include server credentials that could be vulnerable to a man-in-the-middle attack.</p>
</div>
<div class="paragraph">
<p>A previous <a href="http://ift.tt/2wwOs0g">article</a> shows how to configure your Hawkular Services with SSL and have Hawkular Agents connect to it trough SSL. This guide will show how is done for Dockerized Hawkular Services Agents.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_preparing_your_certificates">Preparing your certificates</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Before starting we need to prepare the certificates that we are going to use. Your public and private key for Hawkular Services need to be on PEM or PKC12 format. For this guide we will use PEM.</p>
</div>
<div class="paragraph">
<p>We can create self-signed certificates (in PEM format) using:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="prettyprint highlight">
<code>keytool -genkey -keystore hawkular.keystore -alias hawkular -dname "CN=hawkular-services" -keyalg RSA -storepass hawkular -keypass hawkular -validity 36500 -ext san=ip:127.0.0.1,dns:hawkular-services
keytool -importkeystore -srckeystore hawkular.keystore -destkeystore hawkular.p12 -deststoretype PKCS12 -srcalias hawkular -deststorepass hawkular -destkeypass hawkular -srcstorepass hawkular
openssl pkcs12 -in hawkular.p12 -password pass:hawkular -nokeys -out hawkular-services-public.pem
openssl pkcs12 -in hawkular.p12 -password pass:hawkular -nodes -nocerts -out hawkular-services-private.key</code>
</pre>
</div>
</div>
<div class="admonitionblock important">
<table><tr>
<td class="icon">
<div class="title">Important</div>
</td>
<td class="content">When creating the certificates, remember to include the host that Hawkular will use (as Common Name(CN) and Subject Alternative Name(SAN)), else the certificate validation will fail. Through this guide, host will be set to hawkular-services.</td>
</tr></table>
</div>
<div class="admonitionblock warning">
<table><tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">Always include san=ip:127.0.0.1 in your certificate, as this will be used internally by Hawkular Services.</td>
</tr></table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_starting_cassandra">Starting Cassandra</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Hawkular Services requires a cassandra instance, you can start one by doing:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="prettyprint highlight">
<code>docker run --name hawkular-cassandra -e CASSANDRA_START_RPC=true -d cassandra:3.0.12</code>
</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_starting_hawkular_services_on_ssl">Starting Hawkular Services on SSL</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Now that there is a cassandra ready, Hawkular Services can be started, it will be linked to the cassandra instance (hawkular-cassandra)</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="prettyprint highlight">
<code>docker pull hawkular/hawkular-services
docker run --name hawkular-services --link=hawkular-cassandra -e CASSANDRA_NODES=hawkular-cassandra -e HAWKULAR_HOSTNAME=hawkular-services -e HAWKULAR_USE_SSL=true -p 8443:8443 -v `pwd`/hawkular-services-private.key:/client-secrets/hawkular-services-private.key:z -v `pwd`/hawkular-services-public.pem:/client-secrets/hawkular-services-public.pem:z hawkular/hawkular-services</code>
</pre>
</div>
</div>
<div class="admonitionblock note">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">To avoid guessing the host, we explicitly set it to hawkular-services using HAWKULAR_HOSTNAME environmental variable.</td>
</tr></table>
</div>
<div class="admonitionblock warning">
<table><tr>
<td class="icon">
<div class="title">Warning</div>
</td>
<td class="content">If you don’t specify any certificate, Hawkular services will create one, but we won’t be able to connect agents unless we export the certificate.</td>
</tr></table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_starting_a_hawkular_agent">Starting a Hawkular Agent</h2>
<div class="sectionbody">
<div class="paragraph">
<p>By now there should be a Hawkular Services listening on default secure port 8443, if any agent wants to connect, it will need to know and trust its certificate. If you are self-signing your certificate, you will need to pass Hawkular Service’s certificate when starting the agent.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="prettyprint highlight">
<code>docker pull hawkular/wildfly-hawkular-javaagent
docker run --name hawkular-agent-01 --link=hawkular-services -e HAWKULAR_SERVER_PROTOCOL=https -e HAWKULAR_SERVER_ADDR=hawkular-services -e HAWKULAR_SERVER_PORT=8443 -v `pwd`/hawkular-services-public.pem:/client-secrets/hawkular-services-public.pem:z hawkular/wildfly-hawkular-javaagent</code>
</pre>
</div>
</div>
<div class="admonitionblock note">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">Host must match with the one specified in the certificate, thus setting HAWKULAR_SERVER_ADDR to hawkular-services is required. Update as needed if using other value.</td>
</tr></table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_testing_the_setup">Testing the setup</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Any Hawkular client that supports connecting using SSL can be used. Curl, ManageIQ and HawkFX will be show below.</p>
</div>
<div class="admonitionblock note">
<table><tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">If using self-signed certificates, the client machine needs to trust Hawkular Services certificate or the client should support to specify which certificate to trust. See <a href="http://ift.tt/2cn3DjH">here</a> for more info.</td>
</tr></table>
</div>
<div class="sect2">
<h3 id="_curl">Curl</h3>
<div class="paragraph">
<p>Simplest way to test, we only need to tell curl how to resolve <code>hawkular-services</code> and pass the public certificate.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="prettyprint highlight">
<code>curl -H "Hawkular-Tenant: hawkular" --resolve "hawkular-services:8443:127.0.0.1" --cacert hawkular-services-prd -X GET https://hawkular-services:8443/hawkular/metrics/metrics</code>
</pre>
</div>
</div>
<div class="paragraph">
<p>It will output metrics stored on Hawkular Services.</p>
</div>
</div>
<div class="sect2">
<h3 id="_manageiq">ManageIQ</h3>
<div class="paragraph">
<p>It can be quickly tested using the dockerized ManageIQ as follow:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="prettyprint highlight">
<code>docker run --link=hawkular-services --privileged -d -p 8444:443 manageiq/manageiq:fine-3</code>
</pre>
</div>
</div>
<div class="paragraph">
<p>Once ManageIQ has started, add a Middleware Provider, there is three secured ways to do that:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>SSL — Requires that the client box trusts Hawkular Services certificate.</p>
</li>
<li>
<p>SSL trusting custom CA — Requires to provide the certificate to trust.</p>
</li>
<li>
<p>SSL without validation — No validation is performed.</p>
</li>
</ol>
</div>
<div class="paragraph">
<p>We will focus on (2) and (3) as (1) will require to trust the certificates on the machine itself.</p>
</div>
<div class="paragraph">
<p>Before going onto details, navigate to <code><a href="https://localhost:8444/" class="bare">https://localhost:8444/</a></code>, login with default username <code>admin</code> and password <code>smartvm</code>. Click on Middleware → Configuration → Add a New Middleware Provider.</p>
</div>
<div class="sect3">
<h4 id="_ssl_trusting_custom_ca">SSL trusting custom CA</h4>
<div class="paragraph">
<p>We need to select <code>SSL trusting custom CA</code> in <code>Security Protocol</code> and copy the certificate from the contents of <code>hawkular-services-public.pem</code>. Fill the Hostname with the one used in the certificate and complete the required information.</p>
</div>
<div id="mw-ssl-trusting-custom-ca" class="imageblock">
<div class="content"><img src="http://ift.tt/2wvRzG1" alt="2017 09 manageiq custom ca"></div>
<div class="title">Figure 1: Middleware Provider SSL trusting custom ca</div>
</div>
</div>
<div class="sect3">
<h4 id="_ssl_without_validation">SSL without validation</h4>
<div class="paragraph">
<p>We need to select <code>SSL without validation</code> in <code>Security Protocol</code>. No validation regarding the certificate is made with this option, only fill the required information.</p>
</div>
<div id="mw-ssl-without-validation" class="imageblock">
<div class="content"><img src="http://ift.tt/2wvRzG1" alt="2017 09 manageiq custom ca"></div>
<div class="title">Figure 2: Middleware Provider SSL without validation</div>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_hawkfx">HawkFX</h3>
<div class="paragraph">
<p>One can connect using <a href="http://ift.tt/29DT0Cz">HawkFx</a> by either installing the certificate on the machine or disabling the verification as show in the image. You will also need to update your <code>/etc/hosts</code> to resolve <code>hawkular-services</code>.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="prettyprint highlight">
<code>sudo su -c "echo '127.0.0.1 hawkular-services' >> /etc/hosts"</code>
</pre>
</div>
</div>
<div class="paragraph">
<p>Alternatively, if no verification is used, one could use <code>localhost</code> instead of <code>hawkular-services</code>.</p>
</div>
<div id="hawkfx-disable-validation" class="imageblock">
<div class="content"><img src="http://ift.tt/2wwOu8o" alt="2017 09 hawkfx disable validation"></div>
<div class="title">Figure 3: HawkFX without validation</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_conclusion">Conclusion</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Securing communications between a dockerized Hawkular Agent and Hawkular Services is possible with self-signed certificates. Connecting clients is also possible with the additional step of providing the certificate.</p>
</div>
</div>
</div>
<br><br>
from Hawkular Blog
</body></html>