
Appendix E. Red Hat Virtualization and encrypted communication

E.1. Replacing the Red Hat Virtualization Manager CA Certificate

You can configure your organization’s third-party CA certificate to authenticate users connecting to the Red Hat Virtualization Manager over HTTPS.

Third-party CA certificates are not used for authentication between the Manager and hosts or for disk transfer URLs. These HTTPS connections use the self-signed certificate generated by the Manager.

Important

When you switch to a custom HTTPS certificate, you must use your own CA certificate distribution to make that certificate available on clients.

If you are integrating with Red Hat Satellite, you need to manually import the correct certificate into Satellite.

If you received the private key and certificate from your CA in a P12 file, use the following procedure to extract them. For other file formats, contact your CA. After extracting the private key and certificate, proceed to Replacing the Red Hat Virtualization Manager Apache CA Certificate.

E.1.1. Extracting the Certificate and Private Key from a P12 Bundle

The internal CA stores the internally generated key and certificate in a P12 file, in /etc/pki/ovirt-engine/keys/apache.p12. Store your new file in the same location. The following procedure assumes that the new P12 file is in /tmp/apache.p12.

Warning

Do not change the permissions and ownerships for the /etc/pki directory or any subdirectories. The permission for the /etc/pki and the /etc/pki/ovirt-engine directory must remain as the default, 755.

Procedure

  1. Back up the current apache.p12 file:

    # cp -p /etc/pki/ovirt-engine/keys/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12.bck
  2. Replace the current file with the new file:

    # cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
  3. Extract the private key and certificate to the required locations:

    # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /tmp/apache.key
    # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /tmp/apache.cer

    If the file is password protected, add -passin pass:password to the command, replacing password with the required password.

Important

For new Red Hat Virtualization installations, you must complete all of the steps in this procedure.

You configure your organization’s third-party CA certificate to authenticate users connecting to the Administration Portal and the VM Portal over HTTPS.

Warning

Do not change the permissions and ownerships for the /etc/pki directory or any subdirectories. The permission for the /etc/pki and the /etc/pki/ovirt-engine directory must remain as the default, 755.

Prerequisites

  • Third-party CA (Certificate Authority) certificate. It is provided as a PEM file. The certificate chain must be complete up to the root certificate. The chain’s order is critical and must be from the last intermediate certificate to the root certificate. This procedure assumes that the third-party CA certificate is provided in /tmp/3rd-party-ca-cert.pem.
  • Private key that you want to use for Apache httpd. It must not have a password. This procedure assumes that it is located in /tmp/apache.key.
  • Certificate issued by the CA. This procedure assumes that it is located in /tmp/apache.cer.

Procedure

  1. If you are using a self-hosted engine, put the environment into global maintenance mode.

    # hosted-engine --set-maintenance --mode=global

    For more information, see Maintaining the Self-Hosted Engine.

  2. Add your CA certificate to the host-wide trust store:

    # cp /tmp/3rd-party-ca-cert.pem /etc/pki/ca-trust/source/anchors
    # update-ca-trust
  3. The Manager has been configured to use /etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to /etc/pki/ovirt-engine/ca.pem. Remove the symbolic link:

    # rm /etc/pki/ovirt-engine/apache-ca.pem
  4. Save your CA certificate as /etc/pki/ovirt-engine/apache-ca.pem:

    # cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem
  5. Back up the existing private key and certificate:

    # cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
    # cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
  6. Copy the private key to the required location:

    # cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
  7. Set the private key owner to root and its group to ovirt, and set the permissions to 0640 so that only root and the ovirt group can read it:

    # chown root:ovirt /etc/pki/ovirt-engine/keys/apache.key.nopass
    # chmod 640 /etc/pki/ovirt-engine/keys/apache.key.nopass
  8. Copy the certificate to the required location:

    # cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
  9. Set the certificate owner to root and its group to ovirt, and set the permissions to 0644:

    # chown root:ovirt /etc/pki/ovirt-engine/certs/apache.cer
    # chmod 644 /etc/pki/ovirt-engine/certs/apache.cer
  10. Restart the Apache server:

    # systemctl restart httpd.service
  11. Create a new trust store configuration file, /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf, with the following parameters:

    ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
    ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
  12. Copy the /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf file, and rename it with an index number that is greater than 10 (for example, 99-setup.conf). Add the following parameters to the new file:

    SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
    SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
  13. Restart the websocket-proxy service:

    # systemctl restart ovirt-websocket-proxy.service
  14. If you manually changed the /etc/ovirt-provider-ovn/conf.d/10-setup-ovirt-provider-ovn.conf file, or are using a configuration file from an older installation, make sure that the Manager is still configured to use /etc/pki/ovirt-engine/apache-ca.pem as the certificate source.
  15. Create the /etc/ovirt-engine-backup/engine-backup-config.d directory:

    # mkdir -p /etc/ovirt-engine-backup/engine-backup-config.d
  16. Create the /etc/ovirt-engine-backup/engine-backup-config.d/update-system-wide-pki.sh file with the following content. This enables ovirt-engine-backup to automatically update the system on restore.

    BACKUP_PATHS="${BACKUP_PATHS}
    /etc/ovirt-engine-backup"
    cp -f /etc/pki/ovirt-engine/apache-ca.pem \
      /etc/pki/ca-trust/source/anchors/3rd-party-ca-cert.pem
    update-ca-trust
  17. Restart the ovirt-provider-ovn service:

    # systemctl restart ovirt-provider-ovn.service
  18. Restart the ovirt-imageio service:

    # systemctl restart ovirt-imageio.service
  19. Restart the ovirt-engine service:

    # systemctl restart ovirt-engine.service
  20. If you are using a self-hosted engine, turn off global maintenance mode:

    # hosted-engine --set-maintenance --mode=none

Your users can now connect to the Administration Portal and VM Portal without seeing a certificate warning.
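Before restarting the services, or after extracting the key and certificate from a P12 bundle as in E.1.1, the following checks confirm that the CA chain file is ordered as the prerequisites require (last intermediate first, root last), that the Apache private key is unencrypted and belongs to the certificate, and that the key and certificate files carry the ownership and mode set in steps 7 and 9. This is an added example and not code from the Red Hat documentation; it assumes the paths used in the procedure above and that openssl and GNU coreutils stat are available on the Manager host.

```shell
# Added example, not part of the Red Hat documentation: post-procedure checks.
# Assumes openssl and GNU coreutils (stat) are present, as on a RHV Manager host.

# Print the subject or issuer DN ($2 = -subject or -issuer) of PEM certificate $1.
dn() { openssl x509 -in "$1" -noout "$2" | sed 's/^[a-z]*=[ ]*//'; }

# Succeed only if every certificate in bundle $1 is directly followed by its issuer
# and the last one is self-signed: the order the prerequisites require.
check_chain_order() {
    bundle="$1"
    count=$(grep -c 'BEGIN CERTIFICATE' "$bundle") || return 1
    dir=$(mktemp -d) || return 1
    # split the bundle into cert.1, cert.2, ... in the order they appear
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                       n > 0 { print > (dir "/cert." n) }' "$bundle"
    status=0
    i=1
    while [ "$i" -le "$count" ]; do
        if [ "$i" -lt "$count" ]; then
            expected=$(dn "$dir/cert.$((i + 1))" -subject)
        else
            expected=$(dn "$dir/cert.$i" -subject)   # root must be self-signed
        fi
        [ "$(dn "$dir/cert.$i" -issuer)" = "$expected" ] || status=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$status"
}

# Succeed only if private key $1 is unencrypted and matches certificate $2.
# "-passin pass:" makes openssl fail instead of prompting on an encrypted key.
check_key_matches_cert() {
    pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeed only if file $1 is owned by $2 (user:group) with octal mode $3.
check_file_mode() { [ "$(stat -c '%U:%G %a' "$1")" = "$2 $3" ]; }

# Run the checks against the paths used in the procedure above.
run_all_checks() {
    pki=/etc/pki/ovirt-engine
    check_chain_order "$pki/apache-ca.pem" && echo "chain order: ok" || echo "chain order: WRONG"
    check_key_matches_cert "$pki/keys/apache.key.nopass" "$pki/certs/apache.cer" \
        && echo "key/cert pair: ok" || echo "key/cert pair: MISMATCH or encrypted key"
    check_file_mode "$pki/keys/apache.key.nopass" root:ovirt 640 && echo "key mode: ok" || echo "key mode: WRONG"
    check_file_mode "$pki/certs/apache.cer" root:ovirt 644 && echo "cert mode: ok" || echo "cert mode: WRONG"
}
```

Source the file and call run_all_checks as root on the Manager; to check the files extracted in E.1.1 before copying them, call check_key_matches_cert /tmp/apache.key /tmp/apache.cer directly.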
