<div dir="ltr">Hi Alon,<div><br></div><div>Thanks...that means even if we use the standalone websocket proxy or standalone websockify...do I need to do the same process :- </div><div><br></div><div><a href="http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Separate_Machine">http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Separate_Machine</a><br>
</div><div><br></div><div><p style="margin:10px 0px;color:rgb(46,52,54);font-family:'Source Sans Pro',sans-serif;font-size:14.399999618530273px;line-height:20px">On the engine, generate a certificate and key. Substitute <FQDN> with the DNS name of the host. Substitute <country>, <organization> to suit your environment (i.e. the values must match values in the certificate authority of your engine).</p>
<pre style="padding:8px 10px;font-family:Monaco,Menlo,Consolas,'Courier New',monospace;font-size:13px;color:rgb(238,238,238);border-top-left-radius:6px;border-top-right-radius:6px;border-bottom-right-radius:6px;border-bottom-left-radius:6px;margin-top:10px;margin-bottom:10px;line-height:20px;word-break:break-all;word-wrap:break-word;white-space:pre-wrap;border:none;background:rgb(136,136,136)">
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh --name=websocket-proxy-standalone --password=mypass --subject="/C=<country>/O=<organization>/CN=<fqdn>"
</pre><p style="margin:0px 0px 10px;color:rgb(46,52,54);font-family:'Source Sans Pro',sans-serif;font-size:14.399999618530273px;line-height:20px">Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and /etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy machine at /etc/pki/ovirt-websocket-proxy</p>
<h4 style="margin:10px 0px;font-family:'Venturis Sans','Open Sans',sans-serif;font-weight:normal;line-height:20px;color:rgb(85,87,83);font-size:14.399999618530273px;padding-top:1em"><span class="" id="At_websocket-proxy_machine">At websocket-proxy machine</span></h4>
<p style="margin:0px 0px 10px;color:rgb(46,52,54);font-family:'Source Sans Pro',sans-serif;font-size:14.399999618530273px;line-height:20px">Install ovirt-engine-websocket-proxy package.</p><p style="margin:10px 0px;color:rgb(46,52,54);font-family:'Source Sans Pro',sans-serif;font-size:14.399999618530273px;line-height:20px">
Extract keys:</p><pre style="padding:8px 10px;font-family:Monaco,Menlo,Consolas,'Courier New',monospace;font-size:13px;color:rgb(238,238,238);border-top-left-radius:6px;border-top-right-radius:6px;border-bottom-right-radius:6px;border-bottom-left-radius:6px;margin-top:10px;margin-bottom:10px;line-height:20px;word-break:break-all;word-wrap:break-word;white-space:pre-wrap;border:none;background:rgb(136,136,136)">
cd /etc/pki/ovirt-websocket-proxy
openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out websocket-proxy-standalone.cer
openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes -out websocket-proxy-standalone.key
chown ovirt:ovirt *
chmod 0600 *</pre></div><div class="gmail_extra">And then <span style="font-family:arial,sans-serif;font-size:13px">Create /etc/ovirt-engine/ovirt-</span><span style="font-family:arial,sans-serif;font-size:13px">websocket-proxy.conf.d/20-pki.</span><span style="font-family:arial,sans-serif;font-size:13px">conf and override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate chain and matching key. ??</span></div>
<div class="gmail_extra"><font face="arial, sans-serif"><br></font></div><div class="gmail_extra"><font face="arial, sans-serif"><br></font><br><div class="gmail_quote">On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <span dir="ltr"><<a href="mailto:alonbl@redhat.com" target="_blank">alonbl@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class=""><br>
<br>
----- Original Message -----<br>
> From: "Punit Dambiwal" <<a href="mailto:hypunit@gmail.com">hypunit@gmail.com</a>><br>
> To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> Cc: <a href="mailto:users@ovirt.org">users@ovirt.org</a>, <a href="mailto:ahadas@redhat.com">ahadas@redhat.com</a>, "Sven Kieske" <<a href="mailto:S.Kieske@mittwald.de">S.Kieske@mittwald.de</a>>, "Dan Kenigsberg" <<a href="mailto:danken@redhat.com">danken@redhat.com</a>>,<br>
> "Michal Skrivanek" <<a href="mailto:michal.skrivanek@redhat.com">michal.skrivanek@redhat.com</a>>, "Antoni Segura Puimedon" <<a href="mailto:asegurap@redhat.com">asegurap@redhat.com</a>>, "Frantisek Kobzik"<br>
> <<a href="mailto:fkobzik@redhat.com">fkobzik@redhat.com</a>>, "Itamar Heim" <<a href="mailto:iheim@redhat.com">iheim@redhat.com</a>>, "sabose" <<a href="mailto:sabose@redhat.com">sabose@redhat.com</a>>, <a href="mailto:barumuga@redhat.com">barumuga@redhat.com</a>, "Simone<br>
> Tiraboschi" <<a href="mailto:stirabos@redhat.com">stirabos@redhat.com</a>><br>
</div><div class="">> Sent: Friday, August 15, 2014 4:48:13 AM<br>
> Subject: Re: [ovirt-users] Ovirt SSL Question<br>
><br>
> Hi Alon,<br>
><br>
</div><div class="">> Thanks...but still the same question....for which FQDN do I need to purchase<br>
> the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??<br>
<br>
</div>this is standard https, the browser expects the name of the remote host, which is the websocket proxy host.<br>
<div class=""><div class="h5"><br>
><br>
><br>
><br>
><br>
> On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>> wrote:<br>
><br>
> ><br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Punit Dambiwal" <<a href="mailto:hypunit@gmail.com">hypunit@gmail.com</a>><br>
> > > To: "Alon Bar-Lev" <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> > > Cc: <a href="mailto:users@ovirt.org">users@ovirt.org</a>, <a href="mailto:ahadas@redhat.com">ahadas@redhat.com</a>, "Sven Kieske" <<br>
> > <a href="mailto:S.Kieske@mittwald.de">S.Kieske@mittwald.de</a>>, "Dan Kenigsberg" <<a href="mailto:danken@redhat.com">danken@redhat.com</a>>,<br>
> > > "Michal Skrivanek" <<a href="mailto:michal.skrivanek@redhat.com">michal.skrivanek@redhat.com</a>>, "Antoni Segura<br>
> > Puimedon" <<a href="mailto:asegurap@redhat.com">asegurap@redhat.com</a>>, "Frantisek Kobzik"<br>
> > > <<a href="mailto:fkobzik@redhat.com">fkobzik@redhat.com</a>>, "Itamar Heim" <<a href="mailto:iheim@redhat.com">iheim@redhat.com</a>>, "sabose" <<br>
> > <a href="mailto:sabose@redhat.com">sabose@redhat.com</a>>, <a href="mailto:barumuga@redhat.com">barumuga@redhat.com</a>, "Simone<br>
> > > Tiraboschi" <<a href="mailto:stirabos@redhat.com">stirabos@redhat.com</a>><br>
> > > Sent: Friday, August 15, 2014 4:43:31 AM<br>
> > > Subject: Re: [ovirt-users] Ovirt SSL Question<br>
> > ><br>
> > > Hi Alon,<br>
> > ><br>
> > > Thanks for your reply...but I didn't find 20-pki.conf file in my<br>
> > > ovirt-engine server....<br>
> > ><br>
> > > I am using websocket proxy as standalone....and fetch the vm console with<br>
> > > the help of API...and then it will display to the browser with our portal<br>
> > > url...<br>
> ><br>
> > this is conf.d structure, files are sorted by name, last wins.<br>
> > so instead of overriding files you can add your own.<br>
> ><br>
> > ><br>
> > > Thanks,<br>
> > > Punit<br>
> > ><br>
> > ><br>
> > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <<a href="mailto:alonbl@redhat.com">alonbl@redhat.com</a>><br>
> > wrote:<br>
> > ><br>
> > > ><br>
> > > ><br>
> > > > ----- Original Message -----<br>
> > > > > From: "Punit Dambiwal" <<a href="mailto:hypunit@gmail.com">hypunit@gmail.com</a>><br>
> > > > > To: <a href="mailto:users@ovirt.org">users@ovirt.org</a>, <a href="mailto:ahadas@redhat.com">ahadas@redhat.com</a>, "Sven Kieske" <<br>
> > > > <a href="mailto:S.Kieske@mittwald.de">S.Kieske@mittwald.de</a>>, "Dan Kenigsberg" <<a href="mailto:danken@redhat.com">danken@redhat.com</a>>,<br>
> > > > > "Michal Skrivanek" <<a href="mailto:michal.skrivanek@redhat.com">michal.skrivanek@redhat.com</a>>, "Antoni Segura<br>
> > > > Puimedon" <<a href="mailto:asegurap@redhat.com">asegurap@redhat.com</a>>, "Frantisek Kobzik"<br>
> > > > > <<a href="mailto:fkobzik@redhat.com">fkobzik@redhat.com</a>>, "Itamar Heim" <<a href="mailto:iheim@redhat.com">iheim@redhat.com</a>>, "sabose" <<br>
> > > > <a href="mailto:sabose@redhat.com">sabose@redhat.com</a>>, <a href="mailto:barumuga@redhat.com">barumuga@redhat.com</a>, "Simone<br>
> > > > > Tiraboschi" <<a href="mailto:stirabos@redhat.com">stirabos@redhat.com</a>><br>
> > > > > Sent: Thursday, August 14, 2014 12:37:01 PM<br>
> > > > > Subject: Re: [ovirt-users] Ovirt SSL Question<br>
> > > > ><br>
> > > > > Hi All,<br>
> > > > ><br>
> > > > > Is there any one can help me to solve this issue..<br>
> > > > ><br>
> > > > > Thanks,<br>
> > > > > Punit<br>
> > > > ><br>
> > > > ><br>
> > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal < <a href="mailto:hypunit@gmail.com">hypunit@gmail.com</a><br>
> > ><br>
> > > > wrote:<br>
> > > > ><br>
> > > > ><br>
> > > > ><br>
> > > > > Hi All,<br>
> > > > ><br>
> > > > > I have one question regarding the SSL settings in Ovirt....let me<br>
> > > > explain my<br>
> > > > > environment first :-<br>
> > > > ><br>
> > > > > 1. Ovirt engine :- <a href="http://mgmt.3linux.com" target="_blank">mgmt.3linux.com</a><br>
> > > > > 2. Standalone websocket proxy :- <a href="http://web-proxy.3linux.com" target="_blank">web-proxy.3linux.com</a><br>
> > > > > 3. Our Own Portal :- <a href="http://portal.3linux.com" target="_blank">portal.3linux.com</a><br>
> > > > ><br>
> > > > > We have the above architecture...we fetch the VM console from the<br>
> > > > websocket<br>
> > > > > proxy to our own portal through API....because still we are using<br>
> > > > selfsigned<br>
> > > > > certificate...we need to trust the certificate every time,whenever we<br>
> > > > open<br>
> > > > > the VM console... (https://< <a href="http://web-proxy.3linux.com" target="_blank">web-proxy.3linux.com</a> >:<port>)<br>
> > > > ><br>
> > > > > When we initiate the VM console through our own web portal the url (<br>
> > > > ><br>
> > > ><br>
> > <a href="https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-ae7d-493e-a51d-ecc32f507f00" target="_blank">https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-ae7d-493e-a51d-ecc32f507f00</a><br>
> > > > > ),if we accept the SSL certificate with https://<<br>
> > <a href="http://web-proxy.3linux.com" target="_blank">web-proxy.3linux.com</a><br>
> > > > > >:<port> ....then it will open as expected but if we didn't accept<br>
> > the<br>
> > > > > certificate manually...then it throws failed to connect:1006<br>
> > error...<br>
> > > > ><br>
> > > > > We don't want that every time end user will accept the certificate<br>
> > > > > manually...as our link to open VM console is different than<br>
> > webproxy....<br>
> > > > ><br>
> > > > > Now we want to replace the self signed certificate with valid<br>
> > SSL....can<br>
> > > > any<br>
> > > > > one tell me where we need to put the certificates and how to<br>
> > generate the<br>
> > > > > CSR for them and how many SSL we need to purchase to make this thing<br>
> > > > > workable without accepting the certificate every time....<br>
> > > ><br>
> > > > Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf and<br>
> > > > override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate<br>
> > chain<br>
> > > > and matching key.<br>
> > > ><br>
> > > > You can create the request in any tool you like, what we need is the<br>
> > > > certificate and key.<br>
> > > ><br>
> > > > Regards,<br>
> > > > Alon<br>
> > > ><br>
> > ><br>
> ><br>
><br>
</div></div></blockquote></div><br></div></div>
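<div>The conf.d override discussed in this thread ("files are sorted by name, last wins") and the key-permission step from the quoted setup instructions, as an added shell example that is not part of the original messages and is not oVirt code: it resolves which SSL_CERTIFICATE and SSL_KEY take effect and checks the files they point to. It assumes the conf.d files hold plain KEY=value lines; the function names are hypothetical.</div>

```shell
#!/bin/sh
# Added example (not oVirt code). Assumption: conf.d files hold plain
# KEY=value lines, optionally double-quoted; the service's own parser may
# accept more than this.

# effective_value DIR KEY: print the value KEY ends up with when DIR/*.conf
# is read in name order and the last assignment wins.
effective_value() (
    LC_ALL=C; export LC_ALL   # byte-order sort, e.g. a 10-*.conf before 20-pki.conf
    val=
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in "$2="*) val=${line#*=} ;; esac
        done < "$f"
    done
    val=${val#\"}; val=${val%\"}   # drop optional surrounding quotes
    printf '%s\n' "$val"
)

# check_proxy_pki DIR: validate what SSL_CERTIFICATE and SSL_KEY resolve to.
# Returns 0 ok, 1 setting unset or file missing, 2 private key accessible to
# group/other, 3 certificate and key do not belong together.
check_proxy_pki() {
    cert=$(effective_value "$1" SSL_CERTIFICATE)
    key=$(effective_value "$1" SSL_KEY)
    [ -n "$cert" ] && [ -f "$cert" ] && [ -n "$key" ] && [ -f "$key" ] || return 1
    # Mirrors the chmod 0600 step: no group/other permission bits on the key.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || return 2
    if command -v openssl >/dev/null 2>&1; then
        # The first certificate in the chain file must carry the public half
        # of the private key; compare the two public keys as PEM text.
        a=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
        b=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 3
        [ "$a" = "$b" ] || return 3
    fi
    return 0
}
```

<div>Run <code>check_proxy_pki /etc/ovirt-engine/ovirt-websocket-proxy.conf.d</code> on the proxy machine after adding 20-pki.conf; a non-zero status names the failing check.</div>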