Red Hat SummitAppendix D. Red Hat Virtualization and SSL
D.1. Replacing the Red Hat Virtualization Manager SSL/TLS Certificate
Warning
Do not change the permissions and ownerships for the
/etc/pki directory or any subdirectories. The permission for the /etc/pki and the /etc/pki/ovirt-engine directory must remain as the default 755.
Use the following procedure(s) if you want to use your organization's third-party CA certificate to identify the Red Hat Virtualization Manager to users connecting over HTTPS.
Note
Using a third-party CA certificate for HTTPS connections does not affect the certificate used for authentication between the Manager and hosts. They will continue to use the self-signed certificate generated by the Manager.
Prerequisites
- A third-party CA certificate. This is the certificate of the CA (Certificate Authority) that issued the certificate you want to use. It is provided as a PEM file. The certificate chain must be complete up to the root certificate. The chain's order is critical and must be from the last intermediate certificate to the root certificate. This procedure assumes that the third-party CA certificate is provided in
/tmp/3rd-party-ca-cert.pem. - The private key that you want to use for Apache httpd. It must not have a password. This procedure assumes that it is located in
/tmp/apache.key. - The certificate issued by the CA. This procedure assumes that it is located in
/tmp/apache.cer.
If you received the private key and certificate from your CA in a P12 file, use the following procedure to extract them. For other file formats, contact your CA. After extracting the private key and certificate, proceed to Replacing the Red Hat Virtualization Manager Apache SSL Certificate.
Procedure D.1. Extracting the Certificate and Private Key from a P12 Bundle
The internal CA stores the internally generated key and certificate in a P12 file, in
/etc/pki/ovirt-engine/keys/apache.p12. Red Hat recommends storing your new file in the same location. The following procedure assumes that the new P12 file is in /tmp/apache.p12.
- Back up the current
apache.p12file:Copy to Clipboard Copied! Toggle word wrap Toggle overflow cp -p /etc/pki/ovirt-engine/keys/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12.bck
# cp -p /etc/pki/ovirt-engine/keys/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12.bck - Replace the current file with the new file:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
# cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12 - Extract the private key and certificate to the required locations. If the file is password protected, you must add
-passin pass:password, replacing password with the required password.Copy to Clipboard Copied! Toggle word wrap Toggle overflow openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /tmp/apache.key openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /tmp/apache.cer
# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /tmp/apache.key # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /tmp/apache.cer
Important
For new Red Hat Virtualization installations, you must complete all of the steps in this procedure. If you upgraded from a Red Hat Enterprise Virtualization 3.6 environment with a commercially signed certificate already configured, only steps 1, 8, and 9 are required.
Procedure D.2. Replacing the Red Hat Virtualization Manager Apache SSL Certificate
- Add your CA certificate to the host-wide trust store:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow cp /tmp/3rd-party-ca-cert.pem /etc/pki/ca-trust/source/anchors
# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ca-trust/source/anchorsCopy to Clipboard Copied! Toggle word wrap Toggle overflow update-ca-trust
# update-ca-trust - The Manager has been configured to use
/etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to/etc/pki/ovirt-engine/ca.pem. Remove the symbolic link:Copy to Clipboard Copied! Toggle word wrap Toggle overflow rm /etc/pki/ovirt-engine/apache-ca.pem
# rm /etc/pki/ovirt-engine/apache-ca.pem - Save your CA certificate as
/etc/pki/ovirt-engine/apache-ca.pem:Copy to Clipboard Copied! Toggle word wrap Toggle overflow cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem
# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem - Back up the existing private key and certificate:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
# cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck # cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck - Copy the private key to the required location:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
# cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass - Copy the certificate to the required location:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
# cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer - Restart the Apache server:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl restart httpd.service
# systemctl restart httpd.service - Create a new trust store configuration file:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
# vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.confAdd the following content and save the file:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts" ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts" ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="" - Restart the
ovirt-engineservice:Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl restart ovirt-engine.service
# systemctl restart ovirt-engine.service - Replacing the certificate can cause the log collector to fail. To prevent this, create a new log collector configuration file:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow vi /etc/ovirt-engine/logcollector.conf.d/99-custom-ca-cert.conf
# vi /etc/ovirt-engine/logcollector.conf.d/99-custom-ca-cert.confAdd the following content and save the file:Copy to Clipboard Copied! Toggle word wrap Toggle overflow [LogCollector] cert-file=/etc/pki/ovirt-engine/apache-ca.pem
[LogCollector] cert-file=/etc/pki/ovirt-engine/apache-ca.pem
Your users can now connect to the Administration and User portals without being warned about the authenticity of the certificate used to encrypt HTTPS traffic.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}