E.3. Enabling encrypted VNC consoles for FIPS


You can set up encrypted VNC consoles to work with a Red Hat Virtualization (RHV) Manager and hosts that have FIPS enabled.

To set up encrypted VNC consoles, you complete the following procedures:

E.3.1. Configuring the cluster to enable VNC Encryption

Prerequisites

  • FIPS must be enabled on the cluster.

Procedure

  1. In the Administration Portal, click Compute Clusters.
  2. Select the cluster where you plan to enable VNC encryption and click Edit. The Edit Cluster window opens.
  3. Select the Console tab.
  4. Select the Enable VNC Encryption checkbox and click OK.

E.3.2. Running the VNC SASL Ansible playbook for each host

Procedure

  1. In the Administration Portal, put the FIPS-enabled hosts into maintenance mode:

    1. Click Compute Hosts.
    2. In the Virtual Machines column, verify that each host has zero virtual machines.

      Perform a live migration to remove virtual machines from hosts, if necessary. See Migrating Virtual Machines Between Hosts.

    3. Select each host and click Management Maintenance and OK.
  2. Connect to the command line of the machine where the Manager is running.

    • Standalone Manager:

      # ssh root@rhvm
    • Self-hosted engine: Click Compute Virtual Machines to select the self-hosted engine virtual machine, named HostedEngine by default, and then click Console.
  3. Run the VNC SASL Ansible playbook for each host:

    # cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
    # ansible-playbook --ask-pass --inventory=<hostname> ovirt-vnc-sasl.yml <1>
    Specify the Hostname displayed on Compute Hosts.
  4. Select the host and click Installation Reinstall.
  5. After reinstallation, select the host and click Management Restart.
  6. After rebooting, select the host and click Management Activate.
VNC SASL Ansible playbook error message

When running the VNC SASL Ansible playbook, the task might fail with the following error message:

Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host’s fingerprint to your known_hosts file to manage this host.

To solve this problem, disable host key checking by doing one of the following:

  • Disable host key checking permanently by uncommenting the following line in /etc/ansible/ansible.cfg:

    #host_key_checking = False
  • Disable host key checking temporarily by running the following command:

    export ANSIBLE_HOST_KEY_CHECKING=False

E.3.3. Configuring the Remote Viewer to trust the Manager’s CA certificate

Configure the Remote Viewer console on your client machine, virt-viewer or remote-viewer, to trust the RHV Manager’s certificate authority (CA)

Procedure

  1. Navigate to https://<engine_address>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA.
  2. Enable all the trust settings.
  3. On the client machine where you plan to run the VNC console, create a directory for the certificate file:

    $ mkdir ~/.pki/CA
    Warning

    If this step generates an error such as mkdir: cannot create directory ‘/home/example_user/.pki/CA’: File exists, take precautions to avoid overwriting ~/.pki/CA/cacert.pem in the next step. For example, include the current date in the filename.

  4. Download the certificate:

    $ curl -k -o ~/.pki/CA/cacert-<today’s date>.pem '\https://<engine_address>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA'
  5. Install the certificate authority in your browser:

  6. Install the SASL SCRAM libraries on the client machine:

    $ sudo dnf install cyrus-sasl-scram

Verification steps

  1. Run a virtual machine on one of the FIPS-enabled hosts you created.
  2. Connect to the virtual machine using a VNC console.
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.