Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Enable SSL
You can enable SSL by editing the cycle_server.properties file in the CycleCloud installation directory. Open the cycle_server.properties file with a text editor and set the following values:
# True if SSL is enabled
webServerEnableHttps=true
webServerRedirectHttp=true
Important
When editing the cycle_server.properties file, look for existing keyvalue definitions. If you find more than one definition, the last one takes effect.
The default SSL port for CycleCloud is port 8443. If you want to run encrypted web communications on another port, change the webServerSslPort property to the new port value. Make sure the webServerSslPort and the webServerPort values DON'T CONFLICT.
After editing your cycle_server.properties file, restart CycleCloud to activate the encrypted communication channel:
/opt/cycle_server/cycle_server restart
Assuming you didn't change the SSL port for CycleCloud when configuring it for encrypted communications, you can now go to http://<my CycleCloud address>:8443/ to verify the SSL connection.
Note
If the HTTPS URL doesn't work, check the <CycleCloud Home>/logs/catalina.err and <CycleCloud Home>/logs/cycle_server.log for error messages that might indicate why the encrypted channel isn't responding.
Self-generated certificates
If you don't have a certificate from a Certificate Authority (CA) such as VeriSign, you can use the autogenerated self-signed certificate that comes with Azure CycleCloud. This certificate provides a quick way to start using SSL at no cost, but most web browsers display a warning stating a trusted authority didn't verify the certificate used to encrypt the channel. For some cases, like internal CycleCloud deployments on secure networks, this warning is acceptable. Users need to add an exception to their browser to view the site, but the contents and the session are otherwise encrypted as expected.
Warning
The Azure CycleCloud self-signed certificate has a shortened shelf life. When it expires, browsers re-issue the warning about the SSL certificates being untrusted. Users need to explicitly accept them to view the web console.
Working with Let's Encrypt
CycleCloud supports certificates from Let's Encrypt. To use Let's Encrypt with CycleCloud, you must:
- enable SSL on port 443
- ensure CycleCloud is publicly reachable over port 443 with an external domain name
You can enable Let's Encrypt support with the SSL option on the settings page, or by running cycle_server keystore automatic DOMAIN_NAME from the CycleCloud machine.
Working with CA-generated certificates
If you use a CA-generated certificate, you can access your CycleCloud installation through the web without seeing the trusted certificate error. To start the process, run:
./cycle_server keystore create_request <FQDN>
You're asked to provide a domain name, which is the "Common Name" field on the signed certificate. This step generates a new self-signed certificate for the specified domain and creates a cycle_server.csr file. You must give the CSR to a certificate authority. The certificate authority provides the final signed certificate (referred to as server.crt in this article). You also need the root certificates and any intermediate certificates used in the chain between your new certificate and the root certificate. The certificate authority provides these certificates. If the certificate authority provides these certificates bundled as a single certificate file, use the following command to import them:
./cycle_server keystore import server.crt
If you provide multiple certificate files, import them all at once by appending the names to the same command. Separate the names with spaces:
./cycle_server keystore import server.crt ca_cert_chain.crt
Import Existing Certificates
If you previously created a CA or self-signed certificate, update CycleCloud to use it with the following command:
./cycle_server keystore update server.crt
To import a PFX file, use the following command in CycleCloud 7.9.7 or later:
./cycle_server keystore import_pfx server.pfx --pass PASSWORD
The PFX file can only contain one entry. The -pass argument is required, even if there's no password. Use --pass '' in that case.
If you make changes to the keystore outside of these commands, you can reload the keystore immediately in CycleCloud 7.9.7 or later:
./cycle_server keystore reconfig
Keystore implementation details
CycleCloud stores certificates in /opt/cycle_server/config/private/keystore, along with other certificates it needs to operate. The following list describes the main items stored in the keystore:
| Alias | Purpose |
|---|---|
| identity | Holds the certificate chain for the user-facing web interface (port 443 or 8443) |
| cluster-identity | Holds the certificate chain for nodes to connect to CycleCloud (port 9443) |
| root | Holds the certificate used to sign all local certificates, including cluster-identity |
You can inspect the keystore with Java's keystore file. For example, the following command lists all items in the keystore:
keytool -list -keystore /opt/cycle_server/config/private/keystore -storepass changeit
The preceding cycle_server commands update the identity alias. Updating other entries, including the cluster-identity or root certificates, isn't supported.
You can modify the keystore directly, but we don't recommend it. In general, changes require a CycleServer restart to take effect.
Warning
Changing the keystore's contents might cause clusters to stop working. Always back up the keystore before you modify it.
The keystore password is changeit and you can't change it. However, only the cycle_server user can read and write the file.
Backwards compatibility for TLS 1.0 and 1.1
By default, CycleServer uses only the TLS 1.2 protocol. If you need to offer TLS 1.0 or 1.1 protocols for older web clients, you can opt in for backwards compatibility.
Open cycle_server.properties with a text editor, and look for the sslEnabledProtocols attribute:
sslEnabledProtocols="TLSv1.2"
Change the attribute to a + delimited list of protocols you want to support.
sslEnabledProtocols="TLSv1.0+TLSv1.1+TLSv1.2"
Turning off unencrypted communications
The preceding setup allows unencrypted (HTTP) connections, but it redirects those connections to HTTPS for security.
You might want to prevent unencrypted access to your CycleCloud installation. To turn off unencrypted communications, open your cycle_server.properties file in a text editor. Look for the webServerEnableHttp property and change it to:
# HTTP
webServerEnableHttp=false
Save the changes and restart CycleCloud. HTTP access to CycleCloud is disabled.