Este contenido no está disponible en el idioma seleccionado.

E.3. Enabling encrypted VNC consoles for FIPS


You can set up encrypted VNC consoles to work with a Red Hat Virtualization (RHV) Manager and hosts that have FIPS enabled.

To set up encrypted VNC consoles, you complete the following procedures:

E.3.1. Configuring the cluster to enable VNC Encryption

Prerequisites

  • FIPS must be enabled on the cluster.

Procedure

  1. In the Administration Portal, click Compute Clusters.
  2. Select the cluster where you plan to enable VNC encryption and click Edit. The Edit Cluster window opens.
  3. Select the Console tab.
  4. Select the Enable VNC Encryption checkbox and click OK.

E.3.2. Running the VNC SASL Ansible playbook for each host

Procedure

  1. In the Administration Portal, put the FIPS-enabled hosts into maintenance mode:

    1. Click Compute Hosts.
    2. In the Virtual Machines column, verify that each host has zero virtual machines.

      Perform a live migration to remove virtual machines from hosts, if necessary. See Migrating Virtual Machines Between Hosts.

    3. Select each host and click Management Maintenance and OK.
  2. Connect to the command line of the machine where the Manager is running.

    • Standalone Manager:

      # ssh root@rhvm
    • Self-hosted engine: Click Compute Virtual Machines to select the self-hosted engine virtual machine, named HostedEngine by default, and then click Console.
  3. Run the VNC SASL Ansible playbook for each host:

    # cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
    # ansible-playbook --ask-pass --inventory=<hostname> ovirt-vnc-sasl.yml <1>
    Specify the Hostname displayed on Compute Hosts.
  4. Select the host and click Installation Reinstall.
  5. After reinstallation, select the host and click Management Restart.
  6. After rebooting, select the host and click Management Activate.
VNC SASL Ansible playbook error message

When running the VNC SASL Ansible playbook, the task might fail with the following error message:

Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host’s fingerprint to your known_hosts file to manage this host.

To solve this problem, disable host key checking by doing one of the following:

  • Disable host key checking permanently by uncommenting the following line in /etc/ansible/ansible.cfg:

    #host_key_checking = False
  • Disable host key checking temporarily by running the following command:

    export ANSIBLE_HOST_KEY_CHECKING=False

E.3.3. Configuring the Remote Viewer to trust the Manager’s CA certificate

Configure the Remote Viewer console on your client machine, virt-viewer or remote-viewer, to trust the RHV Manager’s certificate authority (CA)

Procedure

  1. Navigate to https://<engine_address>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA.
  2. Enable all the trust settings.
  3. On the client machine where you plan to run the VNC console, create a directory for the certificate file:

    $ mkdir ~/.pki/CA
    Warning

    If this step generates an error such as mkdir: cannot create directory ‘/home/example_user/.pki/CA’: File exists, take precautions to avoid overwriting ~/.pki/CA/cacert.pem in the next step. For example, include the current date in the filename.

  4. Download the certificate:

    $ curl -k -o ~/.pki/CA/cacert-<today’s date>.pem '\https://<engine_address>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA'
  5. Install the certificate authority in your browser:

  6. Install the SASL SCRAM libraries on the client machine:

    $ sudo dnf install cyrus-sasl-scram

Verification steps

  1. Run a virtual machine on one of the FIPS-enabled hosts you created.
  2. Connect to the virtual machine using a VNC console.
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.