This article applies to:
- • Data Ingestion
- • Product edition: Proxy Current Release
- • Feature Category: Proxy
Overview:
This article outlines how to establish secured communication between two VMware Aria Operations for Applications proxies using self-signed certificates. The topology for the connection between the various endpoints is shown below; where the host or infrastructure is the metric emitting system, VMware Aria Operations for Applications proxy (A) is the first proxy in the chain receiving metrics from the host system and VMware Aria Operations for Applications Proxy (B) is the relaying proxy that collects data from proxy A over a TLS channel and relays that to the VMware Aria Operations for Applications Service endpoint.
Prerequisites:
- OpenSSL tool
- OpenJDK (This article was tested with OpenJDK 11)
- Required OS level permissions to update VMware Aria Operations for Applications Proxy configurations and service restarts
- Working Unsecured proxy chaining setup
- Existing CA (Certificate Authority) certificate.
Procedure:
Generate required PKI artifacts:
This section describes the TLS keys and certificates needed for this setup and how to generate them.
Generate private key:
$ openssl genrsa -out private_key.pem 2048
Where "private_key.pem
" is the name of the generated private key
Generate certificate signing request:
Create a certificate configuration file, like the cert.cnf example below:
cert.cnf
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = <replace this with your country code>
countryName_default = US
stateOrProvinceName = <replace this with your state code>
stateOrProvinceName_default = TX
localityName = <replace this with your city name>
localityName_default = Plano
organizationName = <replace this with your org name>
organizationName_default = Abc Inc
commonName = <replace this with your wavefront-proxy hostname or IP>
commonName_max = 64
commonName_default = localhost
The certificate signing request file can be created using above config file:
$ openssl req -new -key private_key.pem -out cert.csr -config cert.cnf
Where,
"private_key.pem
" is the generated private key in above step
"cert.cnf
" is the certificate signing request configuration file as described above
Generate certificate
In order to generate the certificate you must use an existing root CA certificate and key. The command to run would take the form of:
$openssl x509 -req -in cert.csr -out cert.pem -CA myCA.pem -CAkey myCA.key -CAcreateserial -days 365
Where,
"cert.csr
" is the certificate signing request that is created above
"cert.pem
" is the output certificate file resulting from this command
"myCA.pem
" is an existing root CA certificate used to generate a new certificate
"myCA.key
" is the key to the existing root CA
This command will generate required certificate for the relaying proxy instance (B).
Convert the private key in PKCS#8 format
The VMware Aria Operations for Applications proxy only understands the private key in PKCS#8 format. Hence, the private key generated above needs to be converted into PKCS#8 format using below command.
This command creates a new copy of the existing private key.
$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private_key.pem -out private_key_pkcs8.pem
Where,
"private_key.pem
" is the generated private key in above step
"private_key_pkcs8.pem
" is the new private key in PKCS#8 format
Configure relaying VMware Aria Operations for Applications Proxy (B) instance to accept TLS connections
Move the key and certificate files and change file permission
Locate the Wavefront_config_path as per your host OS.
Copy the files "private_key_pkcs8.pem
" and "cert.pem
" generated above into the <wavefront_config_path> directory.
Assign required file permissions on the host where the relaying proxy (B) is deployed (include appropriate directory), for example:
$ chmod 644 <wavefront_config_path>/private_key_pkcs8.pem
$ chmod 644 <wavefront_config_path>/cert.pem
Change VMware Aria Operations for Applications Proxy configuration
Update below listed properties for the relaying proxy instance in the wavefront.conf
file located at <wavefront_config_path>.
File: wavefront.conf
pushListenerPorts=2878,4443
pushRelayListenerPorts=2978,4443
tlsPorts=4443
privateCertPath=<wavefront_config_path>/cert.pem
privateKeyPath=<wavefront_config_path>/private_key_pkcs8.pem
Where,
"<wavefront_config_path>
" should be replaced with actual path.
"2878
" and "2978
" should be replaced with the pre-existing values if different from this.
Restart the wavefront proxy service.
Configure client VMware Aria Operations for Applications Proxy (A) instance to use TLS connection to relaying VMware Aria Operations for Applications Proxy (B)
Change VMware Aria Operations for Applications Proxy configuration
Update below listed property for the client proxy instance in the wavefront.conf
file located at <wavefront_config_path> based on the host configuration listed here.
File: wavefront.conf
server=https://<wavefront-proxy-B-host-or-ip>:4443/api/
Where, "wavefront-proxy-B-host-or-ip" should be the same as of the "commonName
" property value used in the "cert.cnf
" file while creating the certificate signing request in previous step.
Import the root CA in the trusted certificate list
sudo keytool -import -alias wavefront_root_ca -file myCA.pem -keystore /usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home/cacerts$
Where,
"wavefront_root_ca
" is an arbitrary name of the CA cert for the reference in the cacerts store
"myCA.pem
" is the root CA used to generate relaying VMware Aria Operations for Applications Proxy (B) certificate in above steps. This certificate file should be present where this command is executed, or should have its path prefixed.
"/usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home
" is the value of $JAVA_HOME on the client VMware Aria Operations for Applications Proxy (B) host.
This command will prompt for the password of the cacerts file referred here. Unless it is changed, the default password should be "changeit".
Supply the cacert to VMware Aria Operations for Applications Proxy JRE command
Now the startup file in /etc/init.d/wavefront-proxy would need the the reference to location of cacert added so it can be loaded at startup (Djavax.net.ssl.trustStore).
Backup /etc/init.d/wavefront-proxy file. Then add valid path to cacert supplied under the jsvc_exec() method in the form of :
-Djavax.net.ssl.trustStore= /usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home
Where /usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home is $JAVA_HOME on the client VMware Aria Operations for Applications Proxy (B) machine. See below for example:
jsvc_exec()
{
if [[ ! $1 == "-stop" ]]; then
: > $daemon_log_file
: > $err_file
fi
cd "$(dirname "$proxy_jar")"
set +e
# We want word splitting below, as we're building up a command line.
# shellcheck disable=SC2086
$jsvc \
-user $user \
-home $JAVA_HOME \
-cp $proxy_jar \
$java_args \
-Xss2049k \
-XX:OnOutOfMemoryError="kill -1 %p" \
-Dlog4j.configurationFile=$config_dir/log4j2.xml \
-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager \
-errfile $err_file \
-Djavax.net.ssl.trustStore=/usr/local/test/openjdk@11/11.0.9/libexec/openjdk.jdk/Contents/Home \
-pidfile $pid_file \
-wait 20 \
-debug \
$1 \
$class \
$app_args &> $daemon_log_file
if [[ $? -ne 0 ]]; then
echo "There was a problem, see $err_file and $daemon_log_file" >&2
fi
Restart VMware Aria Operations for Applications proxy B service and verify there are no startup or connection errors in relevant logs, for example:
/var/log/wavefront/wavefront.log
See also:
Advanced Proxy Configuration.
How to Chain Proxies in Tanzu Observability by VMware Aria Operations for Applications.
Comments