Appendix D. Red Hat Virtualization and Encrypted Communication
D.1. Replacing the Red Hat Virtualization Manager CA Certificate
Do not change the permissions and ownerships for the /etc/pki
directory or any subdirectories. The permission for the /etc/pki
and the /etc/pki/ovirt-engine
directory must remain as the default, 755
.
You can configure your organization’s third-party CA certificate to identify the Red Hat Virtualization Manager to users connecting over HTTPS.
Using a third-party CA certificate for HTTPS connections does not affect the certificate used for authentication between the Manager and hosts. They will continue to use the self-signed certificate generated by the Manager.
Prerequisites
-
A third-party CA certificate. This is the certificate of the CA (Certificate Authority) that issued the certificate you want to use. It is provided as a PEM file. The certificate chain must be complete up to the root certificate. The chain’s order is critical and must be from the last intermediate certificate to the root certificate. This procedure assumes that the third-party CA certificate is provided in
/tmp/3rd-party-ca-cert.pem
. -
The private key that you want to use for Apache httpd. It must not have a password. This procedure assumes that it is located in
/tmp/apache.key
. -
The certificate issued by the CA. This procedure assumes that it is located in
/tmp/apache.cer
.
If you received the private key and certificate from your CA in a P12 file, use the following procedure to extract them. For other file formats, contact your CA. After extracting the private key and certificate, proceed to Replacing the Red Hat Virtualization Manager Apache CA Certificate.
Extracting the Certificate and Private Key from a P12 Bundle
The internal CA stores the internally generated key and certificate in a P12 file, in /etc/pki/ovirt-engine/keys/apache.p12
. Red Hat recommends storing your new file in the same location. The following procedure assumes that the new P12 file is in /tmp/apache.p12
.
Back up the current
apache.p12
file:# cp -p /etc/pki/ovirt-engine/keys/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12.bck
Replace the current file with the new file:
# cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
Extract the private key and certificate to the required locations. If the file is password protected, you must add
-passin pass:_password_
, replacing password with the required password.# openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /tmp/apache.key # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /tmp/apache.cer
For new Red Hat Virtualization installations, you must complete all of the steps in this procedure. If you upgraded from a Red Hat Enterprise Virtualization 3.6 environment with a commercially signed certificate already configured, only steps 1, 8, and 9 are required.
Replacing the Red Hat Virtualization Manager Apache CA Certificate
If you are using a self-hosted engine, put the environment into global maintenance mode.
# hosted-engine --set-maintenance --mode=global
For more information, see Section 15.1, “Maintaining the Self-Hosted Engine”.
Add your CA certificate to the host-wide trust store:
# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ca-trust/source/anchors # update-ca-trust
The Manager has been configured to use
/etc/pki/ovirt-engine/apache-ca.pem
, which is symbolically linked to/etc/pki/ovirt-engine/ca.pem
. Remove the symbolic link:# rm /etc/pki/ovirt-engine/apache-ca.pem
Save your CA certificate as
/etc/pki/ovirt-engine/apache-ca.pem
:# cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem
Back up the existing private key and certificate:
# cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck # cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
Copy the private key to the required location:
# cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
Set the private key owner to root and set the permissions to
0640
:# chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass # chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
Copy the certificate to the required location:
# cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
Restart the Apache server:
# systemctl restart httpd.service
Create a new trust store configuration file,
/etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
, with the following parameters:ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts" ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
Copy the
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
file, and rename it with an index number that is greater than 10 (for example,99-setup.conf
). Add the following parameters to the new file:SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
Restart the
websocket-proxy
service:# systemctl restart ovirt-websocket-proxy.service
-
If you manually changed the
/etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf
file, or are using a configuration file from an older installation, make sure that the Manager is still configured to use/etc/pki/ovirt-engine/apache-ca.pem
as the certificate source. Enable
engine-backup
to update the system on restore by creating a new file,/etc/ovirt-engine-backup/engine-backup-config.d/update-system-wide-pki.sh
, with the following content:BACKUP_PATHS="${BACKUP_PATHS} /etc/ovirt-engine-backup" cp -f /etc/pki/ovirt-engine/apache-ca.pem /etc/pki/ca-trust/source/anchors/3rd-party-ca-cert.pem update-ca-trust
Restart the
ovirt-provider-ovn
service:# systemctl restart ovirt-provider-ovn.service
Restart the
ovirt-engine
service:# systemctl restart ovirt-engine.service
If you are using a self-hosted engine, turn off global maintenance mode.
# hosted-engine --set-maintenance --mode=none
Your users can now connect to the Administration Portal and VM Portal, without seeing a warning about the authenticity of the certificate used to encrypt HTTPS traffic.