This fixes the issue that TLSv1 and TLSv1.1 are still used by CloudStack
management server to communicate with VMware vCenter server. With the
current defaults, the setup/deployment on VMware fails. Users/admins
can however setup the security file according to their env needs to
disable TLSv1 and TLSv1.1 for server sockets (8250/agent service for
example).
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This cleanups management server default file, the `cloud.jks` is no
longer created by the management server but instead created in-memory
by the root CA plugin on management server startup.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This reverts changes from #2480, instead moves TLS settings to
java ciphers settings config file. It should be sufficient to enforce
TLS v1.2 on public facing CloudStack services:
- CloudStack webserver (Jetty based)
- Apache2 for secondary storage VM
- CPVM HTTPs server
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* Bump Jetty to 9.4
* Use new jetty gzip handler
* Redirect / to context
* Update wiremock but still not working
* Add session timeout configuration
* server.properties.in: Change default timeout to 30 (mins)
* cloudian: fix unit test failures
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* client: use older 9.2.x jetty-maven-plugin that works
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
* Moving jetty mvn plugin version in properties
Signed-off-by: Marc-Aurèle Brothier <m@brothier.org>
* Set default session timeout to 30mins
Per @wido's comment on PR #2226, this adds default server configuration
to make embedded Jetty listen on all interfaces ipv4 and ipv6. This
also fixes default deployment and mgmt server start issues on Trillian
and other CI systems.
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
- Migrate to embedded Jetty server.
- Improve ServerDaemon implementation.
- Introduce a new server.properties file for easier configuration.
- Have a single /etc/default/cloudstack-management to configure env.
- Reduce shaded jar file, removing unnecessary dependencies.
- Upgrade to Spring 5.x, upgrade several jar dependencies.
- Does not shade and include mysql-connector, used from classpath instead.
- Upgrade and use bountcastle as a separate un-shaded jar dependency.
- Remove tomcat related configuration and files.
- Have both embedded UI assets in uber jar and separate webapp directory.
- Refactor systemd and init scripts, cleanup packaging.
- Made cloudstack-setup-databases faster, using `urandom`.
- Remove unmaintained distro packagings.
- Moves creation and usage of server keystore in CA manager, this
deprecates the need to create/store cloud.jks in conf folder and
the db.cloud.keyStorePassphrase in db.properties file. This also
remove the need of the --keystore-passphrase in the
cloudstack-setup-encryption script.
- GZip contents dynamically in embedded Jetty
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
