Configure Python Drivers and Scripts to Run in HTTPS Mode
This feature allows secure communication (HTTPS) between any Python driver/script that uses CloudShell Automation API and Quali Server.
Once HTTPS mode is enabled, Quali Server will only respond to HTTPS communication when using XML RPC or TCL.
This is a three-step process:
- Bind a new certificate to the Quali Server port
- Enable HTTPS mode on Quali Server
- Enable HTTPS mode on Linux Execution Servers
- Set Python drivers and scripts to create an HTTPS session
Bind a new certificate to the Quali Server port
To bind a new certificate, first obtain the certificate and then bind it to the Quali Server port.
Creating a mock certificate
If you don't have a certificate, use the procedure below to create a mock certificate. If you already have a certificate, skip this section and continue with Binding the certificate to the Quali Server port.
To create a mock certificate:
- On the Quali Server machine, open command-prompt as administrator.
- Run this command to create a base certificate:
  makecert.exe -sk RootCA -sky signature -pe -n CN=<Quali-Server-hostname/IP> -r -sr LocalMachine -ss Root MyCA.cer
- Run this command to create a client certificate based on the base certificate:
  makecert.exe -sk server -sky exchange -pe -n CN=<Quali-Server-hostname/IP> -ir LocalMachine -is Root -ic MyCA.cer -sr LocalMachine -ss My MyCA2.cer
- Add the location of the makecert.exe file to the path environment variables (system).
Binding the certificate to the Quali Server port
To bind the certificate to the Quali Server port:
- On the Quali Server machine, in the C:\Program Files (x86)\QualiSystems\CloudShell\Server\Certificates folder, double-click the MyCA2.cer file.
- In the Details tab, scroll down and select Thumbprint.
- Copy the entire hex value to notepad.
- Remove any spaces and copy the updated hex value.
- Open command-prompt as administrator and run the following command with the updated value:
  netsh http add sslcert ipport=0.0.0.0:8029 certhash=PASTE_THE_HEX_VALUE_HERE appid={1b1e7a9d-1af7-4922-88b9-8220e09cc071}
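The thumbprint steps above, as an added example (not part of the original page or Quali's own code): it computes the SHA-1 thumbprint directly from the certificate file, or cleans a value pasted from the Details tab, which can carry an invisible U+200E character in addition to spaces, and fills the result into the netsh command from the page. The function names are hypothetical and the sample bytes are constructed.

```python
import base64
import hashlib
import re
import unicodedata

# Values taken from the netsh command shown in the procedure above.
IPPORT = "0.0.0.0:8029"
APPID = "{1b1e7a9d-1af7-4922-88b9-8220e09cc071}"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_thumbprint(pasted):
    """Clean a thumbprint copied from the certificate Details tab.

    Drops whitespace, colons and invisible format characters (such as a
    leading U+200E), then insists on exactly 40 hex digits (SHA-1).
    """
    cleaned = "".join(
        ch for ch in pasted
        if not (ch.isspace() or ch == ":" or unicodedata.category(ch) == "Cf"))
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cleaned):
        raise ValueError("expected 40 hex digits (SHA-1), got %r" % cleaned)
    return cleaned.upper()


def thumbprint_from_cert(data):
    """SHA-1 thumbprint of a certificate given as DER or PEM bytes."""
    match = _PEM_RE.search(data.decode("latin-1"))
    der = base64.b64decode(match.group(1)) if match else data
    return hashlib.sha1(der).hexdigest().upper()


def netsh_command(thumbprint):
    """Build the binding command from the page with a validated hash."""
    return "netsh http add sslcert ipport=%s certhash=%s appid=%s" % (
        IPPORT, normalize_thumbprint(thumbprint), APPID)


if __name__ == "__main__":
    # Constructed bytes standing in for MyCA2.cer; not a real certificate.
    sample_der = bytes(range(64))
    computed = thumbprint_from_cert(sample_der)
    # Constructed paste: spaced lowercase hex pairs with a leading U+200E.
    pasted = "\u200e" + " ".join(
        computed[i:i + 2].lower() for i in range(0, 40, 2))
    print(netsh_command(pasted))
```

Comparing the output of `thumbprint_from_cert` on the real file with the value shown in the Details tab confirms that the hash being bound belongs to the intended certificate.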
Enable HTTPS mode on Quali Server
- Open the C:\Program Files (x86)\QualiSystems\CloudShell\Server\customer.config file, and add the following key:
  <add key="ResourceManagerAPIHostAddress" value="https://localhost:{0}/ResourceManagerApiService"/>
  Note: {0} will be populated by CloudShell.
- Restart the Quali Server service.
Enable HTTPS mode on Linux Execution Servers
If you are using any Execution Servers on Linux machines, do the following to allow those Execution Servers to use HTTPS without a certificate:
- Set the QS_PYTHON_SETUP_TEARDOWN_DRIVER_IGNORE_SSL_ERRORS environment variable with the value "true" on the Execution Server machines.
  This will disable SSL errors.
Set Python drivers and scripts to create an HTTPS session
To use the CloudShell Automation API with a server configured to work in HTTPS, the client should create a session with a matching connection method.
For example, instead of using this method, which was used before CloudShell 8.2:
session = api.CloudShellAPISession(context.connectivity.server_address, context.reservation.domain, token_id=context.connectivity.admin_auth_token)
Use this method in your drivers and scripts:
session = api.CloudShellAPISession(context.connectivity.server_address, context.reservation.domain, token_id=context.connectivity.admin_auth_token, cloudshell_api_scheme="https")
Alternatively, you can use the cloudshell_scripts_helpers.get_api_session() out-of-the-box script helper, which uses the orchestration script context from the Execution Server and connects with the suitable method.
So that drivers and scripts can determine the correct API scheme (HTTP or HTTPS), we extended the driver context and orchestration script context to include the tsAPIScheme property. This property is placed in the connectivity info JSON and will be populated by the Execution Server according to the server configuration method.