Managing AMS access
AMS exposes an HTTP interface. Clients can be anything, whether it’s the CLI (amc), the registry (aar) or any client you developed yourself.
However, talking to AMS requires a secure and trusted setup: communication is protected with TLS and certificates.
From the point of view of AMS, every client is the same. To establish communication, AMS needs the client's certificate, and the client needs the AMS certificate.
You can generate certificates either with a Certificate Authority or by creating a self-signed certificate with openssl. The former is better suited for multiple clients, while the latter is more straightforward.
Option 1: Certificate Authority (CA)
Certificate authorities are useful for larger teams, as you only need to trust a single certificate.
                    +-----+
                    | CA  |
      +-------------+--+--+-------------+
      |                |                |
+------v------+ +------v------+ +------v------+
| Certificate | | Certificate | | Certificate |
+-------------+ +-------------+ +-------------+
Trusting a CA trusts all its signed certificates as well
To set up your own Certificate Authority, you need to generate its certificate and key
$ openssl genrsa -out ca.key 2048
$ openssl req -new -x509 -key ca.key -out ca.crt -days 1024
and tell AMS to trust it and verify all subsequent certificates.
$ amc config trust add ca.crt
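The commands above create the CA itself; each client still needs a certificate signed by it. The following is an added example, not part of the original documentation, that issues such a client certificate and checks that it chains to the CA. The function names, the file names other than ca.key and ca.crt, the subject names and the clientAuth restriction are assumptions for illustration.

```shell
#!/bin/sh
# Added example: issue a CA-signed client certificate for Option 1.
# Function names, file names and subject names are assumptions.
set -eu

# Create the CA key and certificate with the commands shown above;
# -subj only makes the run non-interactive.
make_ca() {
    dir=$1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -days 1024 -subj "/CN=Example AMS client CA"
    chmod 600 "$dir/ca.key"   # the CA key can mint trusted clients
}

# Issue <name>.key / <name>.crt signed by the CA in <dir>.
# The key is left unencrypted (-nodes) because amc cannot use a
# password-protected key.
issue_client_cert() {
    dir=$1
    name=$2
    openssl req -nodes -newkey rsa:4096 -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
    chmod 600 "$dir/$name.key"
    # Assumption: restrict the certificate to TLS client authentication.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$name.crt" \
        -days 365 -sha256 -extfile "$dir/$name.ext" 2>/dev/null
    rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# Succeeds only if <cert> chains to <ca.crt> and is usable as a TLS
# client certificate.
signed_by_ca() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Only ca.crt is registered with amc config trust add; ca.key stays on the machine that issues certificates, and the client presents its own .crt and .key.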
Option 2: Self-signed certificate
Every new self-signed certificate you create has to be added to AMS manually.
You can use the following command to generate a simple key pair:
NOTE: Don’t set a password for the key, as amc won’t be able to make use of it otherwise.
$ openssl req -nodes -x509 -newkey rsa:4096 -keyout anbox-cloud.key -out anbox-cloud.crt -days 365
Then tell ams to trust it:
$ amc config trust add anbox-cloud.crt
Using the certificate on clients
To finalize the setup, you have to tell your client to use the newly trusted certificate.
For amc, place the certificate in $HOME/snap/ams/current/client/client.crt and the key in
For your client, it depends on the language and framework used.
Installing the AMC client on a separate machine
If you want to access AMS from a separate machine you have to install the AMC command line client.
You can install the AMC client with the following command:
$ snap install amc
You’ll have to generate a certificate as indicated above, register it with ams, and point amc to it:
$ amc remote add <your remote name> https://<IP address of the AMS machine>:8444
Hint: If you haven’t changed the port AMS is listening on, it’s 8444 by default.
The command will now connect to AMS and show you the fingerprint of the server certificate. If it matches what you expect, acknowledge the fingerprint by typing “yes” and the new remote is successfully added.
To switch to the new remote you can now run
$ amc remote set-default <your remote name>
All invocations of the amc command will from now on use the new remote.
While amc provides full use of ams features, you can take further advantage of ams capabilities by developing a client built around your needs using the ams REST API.
ams can be accessed either by IP or by unix socket.
The IP depends on your network, but the unix socket will always be located at /var/snap/ams/common/server/unix.socket on the machine hosting
Hint: If your client requires it, you can find the certificate for AMS in