<div dir="ltr">Hi Alon,<div><br></div><div>Thanks, understood... that means there is no need to enroll a certificate from the internal CA... just generate the CSR on the standalone websocket proxy server, receive the 3rd party SSL certificate, install that certificate on the websocket proxy server, and then <span style="font-size:13px;font-family:arial,sans-serif">create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf and override SSL_CERTIFICATE and SSL_KEY with the 3rd party certificate chain and matching key???</span></div>
<div><span style="font-size:13px;font-family:arial,sans-serif"><br></span></div><div><font face="arial, sans-serif">Also one more question... as I don't want to use the oVirt default websocket proxy, since it doesn't fit our requirements, we are using websockify on a separate standalone server... it seems I need to do the same as for the websocket proxy... am I right??</font></div>
<div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">Thanks for your help, Alon...</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif">Thanks,</font></div>
<div><font face="arial, sans-serif">Punit</font></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Aug 15, 2014 at 10:19 AM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=""><br>
<br>
----- Original Message -----<br>
> From: "Punit Dambiwal" <<a href="mailto:hypunit@gmail.com">hypunit@gmail.com</a>><br>
> To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> Cc: <a href="mailto:users@ovirt.org">users@ovirt.org</a>, <a href="mailto:ahadas@redhat.com">ahadas@redhat.com</a>, "Sven Kieske" <<a href="mailto:S.Kieske@mittwald.de">S.Kieske@mittwald.de</a>>, "Dan Kenigsberg" <<a href="mailto:danken@redhat.com">danken@redhat.com</a>>,<br>
> "Michal Skrivanek" <<a href="mailto:michal.skrivanek@redhat.com">michal.skrivanek@redhat.com</a>>, "Antoni Segura Puimedon" <<a href="mailto:asegurap@redhat.com">asegurap@redhat.com</a>>, "Frantisek Kobzik"<br>
> <<a href="mailto:fkobzik@redhat.com">fkobzik@redhat.com</a>>, "Itamar Heim" <<a href="mailto:iheim@redhat.com">iheim@redhat.com</a>>, "sabose" <<a href="mailto:sabose@redhat.com">sabose@redhat.com</a>>, <a href="mailto:barumuga@redhat.com">barumuga@redhat.com</a>, "Simone<br>
> Tiraboschi" <<a href="mailto:stirabos@redhat.com">stirabos@redhat.com</a>><br>
</div><div class="">> Sent: Friday, August 15, 2014 4:56:36 AM<br>
> Subject: Re: [ovirt-users] Ovirt SSL Question<br>
><br>
> Hi Alon,<br>
><br>
</div><div><div class="h5">> Thanks... that means even if we use the standalone websocket proxy or<br>
> standalone websockify... do I need to do the same process:<br>
><br>
> <a href="http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Separate_Machine" target="_blank">http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Separate_Machine</a><br>
><br>
> On the engine, generate a certificate and key. Substitute <FQDN> with the<br>
> DNS name of the host. Substitute <country> and <organization> to suit your<br>
> environment (i.e. the values must match the values in the certificate authority<br>
> of your engine).<br>
><br>
> /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh<br>
> --name=websocket-proxy-standalone --password=mypass<br>
> --subject="/C=<country>/O=<organization>/CN=<fqdn>"<br>
><br>
> Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and<br>
> /etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy machine<br>
> at /etc/pki/ovirt-websocket-proxy.<br>
> On the websocket-proxy machine:<br>
><br>
> Install ovirt-engine-websocket-proxy package.<br>
><br>
> Extract keys:<br>
><br>
> cd /etc/pki/ovirt-websocket-proxy<br>
> openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out<br>
> websocket-proxy-standalone.cer<br>
> openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes -out<br>
> websocket-proxy-standalone.key<br>
> chown ovirt:ovirt *<br>
> chmod 0600 *<br>
><br>
> And then create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf<br>
> and override the SSL_CERTIFICATE and SSL_KEY with the 3rd party certificate<br>
> chain and matching key. ??<br>
<br>
</div></div>You wanted to use a certificate from a 3rd party certificate authority; you do not need to enroll a certificate from the internal certificate authority.<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
><br>
><br>
> On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>> wrote:<br>
><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Punit Dambiwal" <<a href="mailto:hypunit@gmail.com">hypunit@gmail.com</a>><br>
> > > To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> > > Cc: <a href="mailto:users@ovirt.org">users@ovirt.org</a>, <a href="mailto:ahadas@redhat.com">ahadas@redhat.com</a>, "Sven Kieske" <<a href="mailto:S.Kieske@mittwald.de">S.Kieske@mittwald.de</a>>, "Dan Kenigsberg" <<a href="mailto:danken@redhat.com">danken@redhat.com</a>>,<br>
> > > "Michal Skrivanek" <<a href="mailto:michal.skrivanek@redhat.com">michal.skrivanek@redhat.com</a>>, "Antoni Segura Puimedon" <<a href="mailto:asegurap@redhat.com">asegurap@redhat.com</a>>, "Frantisek Kobzik"<br>
> > > <<a href="mailto:fkobzik@redhat.com">fkobzik@redhat.com</a>>, "Itamar Heim" <<a href="mailto:iheim@redhat.com">iheim@redhat.com</a>>, "sabose" <<a href="mailto:sabose@redhat.com">sabose@redhat.com</a>>, <a href="mailto:barumuga@redhat.com">barumuga@redhat.com</a>, "Simone<br>
> > > Tiraboschi" <<a href="mailto:stirabos@redhat.com">stirabos@redhat.com</a>><br>
> > > Sent: Friday, August 15, 2014 4:48:13 AM<br>
> > > Subject: Re: [ovirt-users] Ovirt SSL Question<br>
> > ><br>
> > > Hi Alon,<br>
> > ><br>
> > > Thanks... but still the same question... for which FQDN do I need to purchase<br>
> > > the SSL certificate (oVirt engine FQDN or standalone websocket proxy FQDN)??<br>
> ><br>
> > This is standard HTTPS: the browser expects the name of the remote host,<br>
> > which is the websocket proxy host.<br>
> ><br>
> > ><br>
> > ><br>
> > ><br>
> > ><br>
> > > On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>> wrote:<br>
> > ><br>
> > > ><br>
> > > ><br>
> > > > ----- Original Message -----<br>
> > > > > From: "Punit Dambiwal" <<a href="mailto:hypunit@gmail.com">hypunit@gmail.com</a>><br>
> > > > > To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> > > > > Cc: <a href="mailto:users@ovirt.org">users@ovirt.org</a>, <a href="mailto:ahadas@redhat.com">ahadas@redhat.com</a>, "Sven Kieske" <<a href="mailto:S.Kieske@mittwald.de">S.Kieske@mittwald.de</a>>, "Dan Kenigsberg" <<a href="mailto:danken@redhat.com">danken@redhat.com</a>>,<br>
> > > > > "Michal Skrivanek" <<a href="mailto:michal.skrivanek@redhat.com">michal.skrivanek@redhat.com</a>>, "Antoni Segura Puimedon" <<a href="mailto:asegurap@redhat.com">asegurap@redhat.com</a>>, "Frantisek Kobzik"<br>
> > > > > <<a href="mailto:fkobzik@redhat.com">fkobzik@redhat.com</a>>, "Itamar Heim" <<a href="mailto:iheim@redhat.com">iheim@redhat.com</a>>, "sabose" <<a href="mailto:sabose@redhat.com">sabose@redhat.com</a>>, <a href="mailto:barumuga@redhat.com">barumuga@redhat.com</a>, "Simone<br>
> > > > > Tiraboschi" <<a href="mailto:stirabos@redhat.com">stirabos@redhat.com</a>><br>
> > > > > Sent: Friday, August 15, 2014 4:43:31 AM<br>
> > > > > Subject: Re: [ovirt-users] Ovirt SSL Question<br>
> > > > ><br>
> > > > > Hi Alon,<br>
> > > > ><br>
> > > > > Thanks for your reply... but I didn't find the 20-pki.conf file on my<br>
> > > > > ovirt-engine server...<br>
> > > > ><br>
> > > > > I am using the websocket proxy as standalone... and fetch the VM console with<br>
> > > > > the help of the API... and then it is displayed in the browser with our portal<br>
> > > > > URL...<br>
> > > ><br>
> > > > This is a conf.d structure: files are sorted by name, last wins.<br>
> > > > So instead of overriding files you can add your own.<br>
> > > ><br>
> > > > ><br>
> > > > > Thanks,<br>
> > > > > Punit<br>
> > > > ><br>
> > > > ><br>
> > > > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> > > > > wrote:<br>
> > > > ><br>
> > > > > ><br>
> > > > > ><br>
> > > > > > ----- Original Message -----<br>
> > > > > > > From: "Punit Dambiwal" <<a href="mailto:hypunit@gmail.com">hypunit@gmail.com</a>><br>
> > > > > > > To: <a href="mailto:users@ovirt.org">users@ovirt.org</a>, <a href="mailto:ahadas@redhat.com">ahadas@redhat.com</a>, "Sven Kieske" <<a href="mailto:S.Kieske@mittwald.de">S.Kieske@mittwald.de</a>>, "Dan Kenigsberg" <<a href="mailto:danken@redhat.com">danken@redhat.com</a>>,<br>
> > > > > > > "Michal Skrivanek" <<a href="mailto:michal.skrivanek@redhat.com">michal.skrivanek@redhat.com</a>>, "Antoni Segura Puimedon" <<a href="mailto:asegurap@redhat.com">asegurap@redhat.com</a>>, "Frantisek Kobzik"<br>
> > > > > > > <<a href="mailto:fkobzik@redhat.com">fkobzik@redhat.com</a>>, "Itamar Heim" <<a href="mailto:iheim@redhat.com">iheim@redhat.com</a>>, "sabose" <<a href="mailto:sabose@redhat.com">sabose@redhat.com</a>>, <a href="mailto:barumuga@redhat.com">barumuga@redhat.com</a>, "Simone<br>
> > > > > > > Tiraboschi" <<a href="mailto:stirabos@redhat.com">stirabos@redhat.com</a>><br>
> > > > > > > Sent: Thursday, August 14, 2014 12:37:01 PM<br>
> > > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question<br>
> > > > > > ><br>
> > > > > > > Hi All,<br>
> > > > > > ><br>
> > > > > > > Is there anyone who can help me solve this issue?<br>
> > > > > > ><br>
> > > > > > > Thanks,<br>
> > > > > > > Punit<br>
> > > > > > ><br>
> > > > > > ><br>
> > > > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <<a href="mailto:hypunit@gmail.com">hypunit@gmail.com</a>><br>
> > > > > > > wrote:<br>
> > > > > > ><br>
> > > > > > ><br>
> > > > > > ><br>
> > > > > > > Hi All,<br>
> > > > > > ><br>
> > > > > > > I have one question regarding the SSL settings in oVirt... let me<br>
> > > > > > > explain my environment first:<br>
> > > > > > ><br>
> > > > > > > 1. oVirt engine: <a href="http://mgmt.3linux.com" target="_blank">mgmt.3linux.com</a><br>
> > > > > > > 2. Standalone websocket proxy: <a href="http://web-proxy.3linux.com" target="_blank">web-proxy.3linux.com</a><br>
> > > > > > > 3. Our own portal: <a href="http://portal.3linux.com" target="_blank">portal.3linux.com</a><br>
> > > > > > ><br>
> > > > > > > We have the above architecture... we fetch the VM console from the websocket<br>
> > > > > > > proxy into our own portal through the API... because we are still using a<br>
> > > > > > > self-signed certificate, we need to trust the certificate every time we open<br>
> > > > > > > the VM console... (https://< <a href="http://web-proxy.3linux.com" target="_blank">web-proxy.3linux.com</a> >:<port>)<br>
> > > > > > ><br>
> > > > > > > When we initiate the VM console through our own web portal, the URL<br>
> > > > > > > (<a href="https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-ae7d-493e-a51d-ecc32f507f00" target="_blank">https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-ae7d-493e-a51d-ecc32f507f00</a>)<br>
> > > > > > > opens as expected if we have accepted the SSL certificate at<br>
> > > > > > > https://< <a href="http://web-proxy.3linux.com" target="_blank">web-proxy.3linux.com</a> >:<port>... but if we didn't accept the<br>
> > > > > > > certificate manually, then it throws a "failed to connect: 1006" error...<br>
> > > > > > ><br>
> > > > > > > We don't want every end user to have to accept the certificate manually...<br>
> > > > > > > as our link to open the VM console is different from the webproxy...<br>
> > > > > > ><br>
> > > > > > > Now we want to replace the self-signed certificate with a valid SSL<br>
> > > > > > > certificate... can anyone tell me where we need to put the certificates, how<br>
> > > > > > > to generate the CSR for them, and how many SSL certificates we need to<br>
> > > > > > > purchase to make this workable without accepting the certificate every time...<br>
> > > > > ><br>
> > > > > > Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf and<br>
> > > > > > override the SSL_CERTIFICATE and SSL_KEY with the 3rd party certificate chain<br>
> > > > > > and matching key.<br>
> > > > > ><br>
> > > > > > You can create the request in any tool you like; what we need is the<br>
> > > > > > certificate and key.<br>
> > > > > ><br>
> > > > > > Regards,<br>
> > > > > > Alon<br>
> > > > > ><br>
> > > > ><br>
> > > ><br>
> > ><br>
> ><br>
><br>
</div></div></blockquote></div><br></div>
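<div><br></div><div>The procedure this thread settles on (key and CSR generated on the proxy host, certificate bought for the proxy's own FQDN, chain and key pointed to from a 20-pki.conf override), as an added example that is not part of the thread and not the oVirt project's own tooling. It takes the proxy name web-proxy.3linux.com from the question and the /etc/pki/ovirt-websocket-proxy directory from the quoted setup steps; the port 6100, the service name ovirt-websocket-proxy, the KEY=value form of the conf.d file, the RSA key type and the script's own function names are assumptions to check against the installed package. The engine.cer copy in the quoted steps is a separate matter and is left alone here: only SSL_CERTIFICATE and SSL_KEY change.</div>

```sh
#!/bin/sh
# Added example, not from the thread or the oVirt project: put a certificate
# from a third-party CA on a standalone oVirt websocket proxy. The FQDN, the
# port, the PKI directory and the service name below are assumptions.
set -eu

PROXY_FQDN="${PROXY_FQDN:-web-proxy.3linux.com}"     # the name the browser connects to
PROXY_PORT="${PROXY_PORT:-6100}"                      # assumed proxy port
PKI_DIR="${PKI_DIR:-/etc/pki/ovirt-websocket-proxy}"  # directory used in the quoted steps
CONF_DIR="${CONF_DIR:-/etc/ovirt-engine/ovirt-websocket-proxy.conf.d}"

# Key and CSR, generated on the proxy host so the private key never leaves it.
# CN and SAN both carry the proxy FQDN: the browser validates the name of the
# wss:// endpoint it talks to, not the engine's or the portal's name.
make_csr() {
    dir="$1"; fqdn="$2"
    printf '%s\n' \
        '[req]' 'distinguished_name = dn' 'req_extensions = v3_req' 'prompt = no' \
        '[dn]' "CN = $fqdn" \
        '[v3_req]' "subjectAltName = DNS:$fqdn" > "$dir/csr.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/csr.cnf" \
        -keyout "$dir/websocket-proxy.key" -out "$dir/websocket-proxy.csr"
    chmod 0600 "$dir/websocket-proxy.key"
}

# Serve the leaf first, then the intermediates, never the root: a proxy that
# sends only the leaf leaves browsers to fetch or guess the rest of the chain.
build_chain() {
    out="$1"; shift
    cat "$@" > "$out"
    chmod 0600 "$out"
}

# Refuse to install a certificate whose public key does not match the key
# (RSA keys only, which is what make_csr produces).
check_pair() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$2" | openssl sha256)
    [ "$cert_mod" = "$key_mod" ]
}

# conf.d fragment: files are read in name order and the last setting wins, so
# 20-pki.conf overrides the packaged defaults without editing them.
write_pki_conf() {
    printf 'SSL_CERTIFICATE=%s\nSSL_KEY=%s\n' "$2" "$3" > "$1/20-pki.conf"
}

main() {
    case "${1:-}" in
    csr)
        make_csr "$PKI_DIR" "$PROXY_FQDN"
        echo "send $PKI_DIR/websocket-proxy.csr to the CA" ;;
    install)
        # $2 = leaf certificate from the CA, $3.. = intermediate certificates
        shift
        [ $# -ge 1 ] || { echo "need LEAF.cer [INTERMEDIATE.cer ...]" >&2; return 2; }
        build_chain "$PKI_DIR/websocket-proxy.cer" "$@"
        check_pair "$PKI_DIR/websocket-proxy.cer" "$PKI_DIR/websocket-proxy.key"
        chown ovirt:ovirt "$PKI_DIR/websocket-proxy.cer" "$PKI_DIR/websocket-proxy.key"
        write_pki_conf "$CONF_DIR" "$PKI_DIR/websocket-proxy.cer" "$PKI_DIR/websocket-proxy.key"
        systemctl restart ovirt-websocket-proxy   # assumed service name
        # What the browser will see: the certificate served under SNI for the proxy name.
        openssl s_client -connect "$PROXY_FQDN:$PROXY_PORT" -servername "$PROXY_FQDN" \
            -showcerts < /dev/null | openssl x509 -noout -subject -issuer -dates ;;
    *)
        echo "usage: $0 csr | install LEAF.cer [INTERMEDIATE.cer ...]" >&2; return 2 ;;
    esac
}

case "${1:-}" in csr|install) main "$@" ;; esac
```

<div>Run the script with <code>csr</code> on the proxy host and submit the CSR it writes; once the CA returns the leaf and its intermediates, run it with <code>install leaf.cer intermediate.cer</code>. The closing s_client call shows the certificate the browser will actually receive under the proxy's name; if it still shows the old self-signed one, the conf.d fragment was not picked up. A standalone websockify takes the same chain file and key through its own --cert and --key options, which is outside what this thread covers.</div>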