Command-line Configuration Method

The following sections will introduce the command line configuration method of HTTPS login to UI in two scenarios of single management node and multi-management node.

HTTPS mode is disabled by default.
After enabling HTTPS, the system supports port 5443 by default and you can specify other ports for login.
When HTTPS is enabled, if you log in to the Cloud on port 5000 using HTTP, the login page will be automatically redirected to HTTPS. Currently, only HTTP port 5000 is supported for automatic redirection to HTTPS.
The system supports PKCS12 format certificates by default. Currently, only PKCS12/JKS format certificate is supported. If you use certificates in other formats, please convert the format yourself.

Single Management Node Scenario

This section primarily focuses on scenarios involving a single management node and you will learn:

How to log in to the UI using the default HTTPS method
How to log in to the UI with a custom HTTPS configuration
How to switch back to HTTP for UI login

Log in to UI Using Default HTTPS Method

By default, the Cloud supports HTTPS login to the UI with a system default certificate.

Stop the management node service and UI service by running the following commands on the management node.
```
zstack-ctl stop
```
Make sure that the VNC console supports the HTTPS feature.
1. Run the following command to view the certificate path and the private key password (which are both initially set to system default values).
```
zstack-ctl show_ui_config
```
  Example:
```
[root@localhost ~]# zstack-ctl show_ui_config db_url = jdbc:mysql://10.0.233.184:3306 db_username = zstack_ui db_password = zstack.ui.password mn_host = 127.0.0.1 mn_port = 8080 webhook_host = 127.0.0.1 webhook_port = 5000 server_port = 5000 log = /usr/local/zstack/apache-tomcat/logs enable_ssl = false ssl_keyalias = zstackui ssl_keystore = /usr/local/zstack/zstack-ui/ui.keystore.p12 //certificate path ssl_keystore_type = PKCS12 ssl_keystore_password = password //private key password
```
2. By default, the UI supports PKCS12 formatted certificates, whereas the VNC console proxy supports x509 formatted certificates. If you want to use the UI certificate for the VNC console proxy as well, you need to convert the PKCS12 formatted certificate into x509 format.
```
openssl pkcs12 -in /path/to/mykeystore.p12 -out ui.keystore.pem -nodes
```
  In this command, /path/to/mykeystore.p12 is the PKCS12 formatted certificate and ui.keystore.pem is the converted x509 formatted certificate.
  Example:
```
[root@localhost ~]# openssl pkcs12 -in /usr/local/zstack/zstack-ui/ui.keystore.p12 -out ui.keystore.pem -nodes Enter Import Password: MAC verified OK
```
3. Edit the zstack.properties configuration file in /usr/local/zstack/apache-tomcat/webapps/zstack/WEB-INF/classes/zstack.properties, and set the certificate path to an absolute path (pointing to the certificate private key password file).
```
consoleProxyCertFile = /usr/local/zstack/zstack-ui/ui.keystore.pem
```
Run the following command to automatically generate a certificate based on the default configuration and log in to the UI using HTTPS with the default certificate. The default port is 5443.
```
zstack-ctl config_ui --enable-ssl True
```
Run the following command on the management node to enable the management node service and UI service.
```
zstack-ctl start
```
To access the ZStack Cloud management interface (https://your_domain_name:5443), use a Chrome or Firefox browser. Enter the default username and password (admin/password) to log in to the UI via HTTPS.
Set the console proxy address.

Log in to the UI interface, on the main menu of ZStack Cloud, choose Operational Management > Access Control > Console Proxy and set the console proxy as your_domain_name to make sure the console opens properly.

Log in to UI with Custom HTTPS Configuration

By default, the Cloud supports logging in to the UI using HTTPS with the custom certificate.

A custom certificate is required. You can generate a system self-signed certificate using related tools or purchase a certificate issued by a commercial CA.

You can use Keytool (a Java data certificate management tool) to generate a self-signed certificate.

mkdir certs  keytool -genkey -alias tomcat  -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore ./certs/keystore.p12 -validity 365

Example:

[root@localhost ~]# mkdir certs [root@localhost ~]# keytool -genkey -alias tomcat  -storetype PKCS12 -keyalg RSA -keysize 2048 \ -keystore ./certs/keystore.p12 -validity 365 Enter keystore password: Re-enter new password: What is your first and last name?   [Unknown]:  Jack Chen What is the name of your organizational unit?   [Unknown]:  ZStack What is the name of your organization?   [Unknown]:  DOC What is the name of your City or Locality?   [Unknown]:  SH What is the name of your State or Province?   [Unknown]:  SH What is the two-letter country code for this organizational unit?   [Unknown]:  CN Is CN=Jack Chen, OU=Cloud, O=DOC, L=SH, ST=SH, C=CN correct?   [No]:  Yes [root@localhost certs]# ls keystore.p12

On the management node, run following command to stop the management node service and the UI service.
```
zstack-ctl stop
```
Ensure that the VNC console proxy supports HTTPS.
1. The VNC console proxy supports x509 formatted certificates by default. You can convert the certificate format if needed.
  For example, you can convert a PKCS12 formatted certificate into x509 format.
```
openssl pkcs12 -in /path/to/mykeystore.p12 -out ui.keystore.pem -nodes
```
  In this command, /path/to/mykeystore.p12 is the PKCS12 formatted certificate and ui.keystore.pem is the converted x509 formatted certificate.
  Example:
```
[root@localhost ~]# openssl pkcs12 -in /root/certs/keystore.p12 -out ui.keystore.pem -nodes Enter Import Password: MAC verified OK
```
2. Modify the zstack.properties configuration file. Set the certificate path to an absolute path (the absolute path points to the certificate private key password file).
```
consoleProxyCertFile = /usr/local/zstack/zstack-ui/ui.keystore.pem
```

Run following command to customize certificate alias, certificate path, certificate type, private key password, HTTPS login port, and other information. Then log in to the UI via HTTPS using the custom certificate.

zstack-ctl config_ui --enable-ssl True \ --ssl-keyalias=*** --ssl-keystore=*** --ssl-keystore-type=*** \ --ssl-keystore-password=*** --server-port=*** --webhook-port=*** //Record the custom parameter information in the zstack.ui.properties configuration file. //Including settings for: enabling HTTPS, certificate alias, certificate path, certificate type, private key password, HTTPS login port.   zstack-ctl show_ui_config //View the custom parameter information  zstack-ctl stop_ui zstack-ctl start_ui //Log in to the UI via HTTPS each time

Example:

[root@localhost ~]# zstack-ctl config_ui --enable-ssl True \ --ssl-keyalias=tomcat --ssl-keystore=/root/certs/keystore.p12 --ssl-keystore-type=PKCS12 \ --ssl-keystore-password=password --server-port=8888 [root@localhost ~]# zstack-ctl show_ui_config db_url = jdbc:mysql://10.0.233.184:3306 db_username = zstack_ui db_password = zstack.ui.password mn_host = 127.0.0.1 mn_port = 8080 webhook_host = 127.0.0.1 webhook_port = 5000 server_port = 8888 log = /usr/local/zstack/apache-tomcat/logs enable_ssl = true ssl_keyalias = tomcat ssl_keystore = /usr/local/zstack/zstack-ui/ui.keystore.p12.cp ssl_keystore_type = PKCS12 ssl_keystore_password = password [root@localhost ~]# zstack-ctl stop_ui successfully stopped the UI server [root@localhost ~]# zstack-ctl start_ui successfully started UI server on the local host, PID[32166], https://10.0.233.184:8888

On the management node, run following command to start the management node service and the UI service.
```
zstack-ctl start
```
Enter the ZStack Cloud management interface (https://your_domain_name:your_server_port) using a Chrome or Firefox browser. Enter the default username and password (admin/password) to log in via custom HTTPS.
Note:
If you encounter issues with accessing VNC console using Firefox browser, follow these steps:
1. Access https://your_domain_name:4900 using Firefox browser.
2. Follow the prompts from the Firefox browser and add https://your_domain_name:4900 to the security exceptions.
3. Open the VNC console using the Firefox browser.
For more information, see Firefox.
Set the console proxy address.

Log in to the UI interface, on the main menu of ZStack Cloud, choose Operational Management > Access Control > Console Proxy and set the console proxy to your_domain_name to make sure the console opens properly.