Advanced MidoNet REST API configuration options

This section describes the configuration options for advanced users. The values for the following keys are modified using the MidoNet configuration tool, mn-conf. For more information on the MidoNet configuration, see the section called “MidoNet Configuration: mn-conf”.

 Configuration options

 

Table 29.2. Admin Roles

Configuration KeyDefault ValueDescription

cluster.rest_api.enabled

true

Specifies whether the REST API service is enabled at the MidoNet cluster instance where the configuration applies.

cluster.rest_api.http_port

8181

Specifies the listening port for the HTTP end-point.

cluster.rest_api.https_port

8443

Specifies the listening port for the HTTPS end-point.


 Specifying the private and public keys for HTTPS

To enable the HTTPS end-point of the MidoNet Cluster REST API service, you must configure a JKS key store containing the private and public key X.509 certificate used for encrypting such connections.

The location of the key store file and the password for the private key are specified as the following Java system properties.

 

Table 29.3. System Properties for the HTTPS Key Store

Property NameDefault ValueDescription

midonet.keystore_path

/etc/midonet-cluster/ssl/midonet.jks

The name of the key store file.

midonet.keystore_password

none

The password for the private key entry. If not set, the HTTPS end-point of the REST API will be disabled (default).


To change the previous properties, and enable HTTPS, you can add the corresponding property values to the environmental MidoNet Cluster script file found at /etc/midonet-cluster/midonet-cluster-env.sh:

JVM_OPTS="$JVM_OPTS -Dmidonet.keystore_path=<key-store-file>"
JVM_OPTS="$JVM_OPTS -Dmidonet.keystore_password=<key-entry-password>"

 Generating self-signed keys

To generate a self-signed key, you can use the following procedure. Note that you will be prompted for passwords during this process, and need to keep the keystore password for later use.

openssl genrsa -des3 -out midonet.key 2048
openssl rsa -in midonet.key -out midonet.key
openssl req -sha256 -new -key midonet.key -out midonet.csr -subj '/CN=localhost'
openssl x509 -req -days 365 -in midonet.csr -signkey midonet.key -out midonet.crt

Now we will combine the private key into the cert, because we generated them separately:

openssl pkcs12 -inkey midonet.key -in midonet.crt -export -out midonet.pkcs12

And load the certificate into the keystore:

keytool -importkeystore -srckeystore midonet.pkcs12 -srcstoretype PKCS12 -destkeystore midonet.jks

Now place the keystore in the default location:

mv midonet.jks /etc/midonet-cluster/ssl

For more advanced key management, including adding your own certificate to the keystore, please refer to the following documentation:

https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

Questions? Discuss on Mailing Lists or Chat.
Found an error? Report a bug.


loading table of contents...