Currently there are hawkular-clients for programming languages other than Java, i.e. Python, Go and Ruby.
Self-signed certificates are useful for testing, demos and development. In this post I'll show you how to trust self-signed certificates for use with the Ruby client, which is used on projects such as ManageIQ and HawkFX. I'll assume that you have a Hawkular Server configured and have followed the Securing communications guide.
For this you need to:
- Install c_rehash.
- Identify where OpenSSL reads certificates and keys from.
- Hand over your certificate to OpenSSL in PEM format and rehash.
Install c_rehash
c_rehash is an OpenSSL utility to create symbolic links to files by their hash values. That format is used by OpenSSL to find certificates.
On Fedora:
$ sudo dnf install openssl-perl
Identify where OpenSSL reads certificates and keys from.
OpenSSL reads certificates and keys from a specific path; you will need to copy your self-signed certificates there. You can find this path by running openssl version -d. On Fedora 24 it will show you the OPENSSLDIR, and it should be similar on other operating systems.
$ openssl version -d
OPENSSLDIR: "/etc/pki/tls"
Note: It seems that if you are using RVM to manage your Ruby versions, this path should be replaced with: $rvm_path/usr/ssl
Hand over your certificate to OpenSSL in PEM format and rehash.
c_rehash expects the certificates in PEM format, so before proceeding we need to make sure the certificate is in PEM format. If you used the Hawkular guide, you already have the certificate in DER format and you need to convert it to PEM.
To convert your hawkular.cert from DER to PEM format you can use OpenSSL as follows:
openssl x509 -inform der -in hawkular.cert -out hawkular.pem
Once created, copy that file to OPENSSLDIR/certs (you will need root permissions; OPENSSLDIR is the path found in the previous step) and run c_rehash on that directory:
$ sudo cp hawkular.pem OPENSSLDIR/certs
$ sudo c_rehash OPENSSLDIR/certs
If you are using any application that relies on JRuby (such as HawkFX) you will probably need to use old-style hashes. To do that, run c_rehash a second time with flags to use the old-style hash and to keep existing hashes.
$ sudo c_rehash -old -n OPENSSLDIR/certs
That should be enough to let the Ruby client, or any application that uses it (e.g. HawkFX), communicate with Hawkular Server over SSL.
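To see why the rehash step matters, the following added example (not part of the original post) shows that Ruby's OpenSSL store ignores a PEM file in a certificate directory until the hash-named link exists. It uses a constructed throwaway certificate and a temporary directory in place of hawkular.pem and OPENSSLDIR/certs; all helper names are hypothetical.

```ruby
require "openssl"
require "tmpdir"

# Constructed sample: a throwaway self-signed certificate (stand-in for hawkular.pem).
def make_self_signed(cn = "hawkular.example.test")
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name                   # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# File name OpenSSL looks up in a hashed directory: <subject hash>.<n>
def hash_link_name(cert, n = 0)
  format("%08x.%d", cert.subject.hash, n)
end

# Mimic c_rehash for a single PEM file already in dir: symlink it by hash.
def rehash_one(dir, pem_name)
  cert = OpenSSL::X509::Certificate.new(File.read(File.join(dir, pem_name)))
  link = File.join(dir, hash_link_name(cert))
  File.symlink(pem_name, link) unless File.exist?(link)
  link
end

# True if a store that trusts only the hashed directory accepts the certificate.
def trusted_in_dir?(cert, dir)
  store = OpenSSL::X509::Store.new
  store.add_path(dir)
  store.verify(cert)
end

# Returns [trusted with PEM only, trusted after hash link, link file name].
def demo
  Dir.mktmpdir do |dir|
    cert = make_self_signed
    File.write(File.join(dir, "hawkular.pem"), cert.to_pem)
    before = trusted_in_dir?(cert, dir)    # PEM copied, but not yet rehashed
    link   = rehash_one(dir, "hawkular.pem")
    [before, trusted_in_dir?(cert, dir), File.basename(link)]
  end
end
p demo if __FILE__ == $PROGRAM_NAME
```

On a real system use c_rehash itself rather than hand-made links, since it also handles CRLs and hash collisions (.1, .2 and so on).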
