D.2. Setting Up Encrypted Communication between the Manager and an LDAP Server


To set up encrypted communication between the Red Hat Virtualization Manager and an LDAP server, obtain the root CA certificate of the LDAP server, copy the root CA certificate to the Manager, and create a PEM-encoded CA certificate. The keystore type can be any Java-supported type. The following procedure uses the Java KeyStore (JKS) format.

Note

For more information on creating a PEM-encoded CA certificate and importing certificates, see the X.509 CERTIFICATE TRUST STORE section of the README file at /usr/share/doc/ovirt-engine-extension-aaa-ldap-version.

Creating a PEM-encoded CA certificate

  1. On the Red Hat Virtualization Manager, copy the root CA certificate of the LDAP server to the /tmp directory and import the root CA certificate using keytool to create a PEM-encoded CA certificate. The following command imports the root CA certificate at /tmp/myrootca.pem and creates a PEM-encoded CA certificate myrootca.jks under /etc/ovirt-engine/aaa/. Note down the certificate’s location and password. If you are using the interactive setup tool, this is all the information you need. If you are configuring the LDAP server manually, follow the rest of the procedure to update the configuration files.

    $ keytool -importcert -noprompt -trustcacerts -alias myrootca -file /tmp/myrootca.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass password
    Copy to Clipboard Toggle word wrap
  2. Update the /etc/ovirt-engine/aaa/profile1.properties file with the certificate information:

    Note

    ${local:_basedir} is the directory where the LDAP property configuration file resides and points to the /etc/ovirt-engine/aaa directory. If you created the PEM-encoded CA certificate in a different directory, replace ${local:_basedir} with the full path to the certificate.

    • To use startTLS (recommended):

      # Create keystore, import certificate chain and uncomment
      pool.default.ssl.startTLS = true
      pool.default.ssl.truststore.file = ${local:_basedir}/myrootca.jks
      pool.default.ssl.truststore.password = password
      Copy to Clipboard Toggle word wrap
    • To use SSL:

      # Create keystore, import certificate chain and uncomment
      pool.default.serverset.single.port = 636
      pool.default.ssl.enable = true
      pool.default.ssl.truststore.file = ${local:_basedir}/myrootca.jks
      pool.default.ssl.truststore.password = password
      Copy to Clipboard Toggle word wrap

To continue configuring an external LDAP provider, see Configuring an External LDAP Provider. To continue configuring LDAP and Kerberos for Single Sign-on, see Configuring LDAP and Kerberos for Single Sign-on.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat