D.2. Setting Up SSL or TLS Connections between the Manager and an LDAP Server

Procedure D.2. Creating a PEM-encoded CA certificate

1. On the Red Hat Enterprise Virtualization Manager, copy the root CA certificate of the LDAP server to the /tmp directory and import the root CA certificate using keytool to create a PEM-encoded CA certificate. The following command imports the root CA certificate at /tmp/myrootca.pem and creates a PEM-encoded CA certificate myrootca.jks under /etc/ovirt-engine/aaa/. Note down the certificate's location and password. If you are using the interactive setup tool, this is all the information you need. If you are configuring the LDAP server manually, follow the rest of the procedure to update the configuration files.

   $ keytool -importcert -noprompt -trustcacerts -alias myrootca -file /tmp/myrootca.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass password

   Copy to Clipboard Toggle word wrap
2. Update the /etc/ovirt-engine/aaa/profile1.properties file with the certificate information:

   Note

   ${local:_basedir} is the directory where the LDAP property configuration file resides and points to the /etc/ovirt-engine/aaa directory. If you created the PEM-encoded CA certificate in a different directory, replace ${local:_basedir} with the full path to the certificate.
   • To use startTLS (recommended):

     # Create keystore, import certificate chain and uncomment
     pool.default.ssl.startTLS = true
     pool.default.ssl.truststore.file = ${local:_basedir}/myrootca.jks
     pool.default.ssl.truststore.password = password

     Copy to Clipboard Toggle word wrap
   • To use SSL:

     # Create keystore, import certificate chain and uncomment
     pool.default.serverset.single.port = 636
     pool.default.ssl.enable = true
     pool.default.ssl.truststore.file = ${local:_basedir}/myrootca.jks
     pool.default.ssl.truststore.password = password

     Copy to Clipboard Toggle word wrap