On Sat, Oct 27, 2018 at 2:36 PM Anastasiya Ruzhanskaya
I am trying to analyze traffic between ovirt-engine and vdsm.
First strange thing is, that it should be encrypted by default . When I listen in
wireshark for message from engine to vdsm being on the engine machine, the traffic is not
encrypted. It is only tcp. I expect it then be acceptable for wireshark json dissector.
But this is not a json. Is this a normal situation or I should set up encryption by
I think it should be encrypted.
However, on the guest machine, I see in wireshark that the traffic between engine and
vdsm is encrypted. ( I have a configuration of my computer as a client and two VMs as
engine and node). So , I am trying to use engine's private key to decrypt it. The
private key is not engine_id_rsa (am I right?), but it is hidden inside .p12 file.
The p12 file is a PKCS#12 format archive, contains both private and public keys.
The engine_id_rsa is the private key in ssh format.
To extract the key from this file I need a password. During the ovirt
installing I didn't set up any password for this. Is this maybe a default one?
Yes, 'mypass'. I do not think we have a documented way to change it,
might be wrong.
Generally speaking, we only rely on file-level protection for this.
How can I extract a private key?
Check also the script packaging/bin/pki-pkcs12-extract.sh .
So, the final questions are:
1) Should the traffic between engine and vdsm be encrypted by default?
Yes, IMO, but I didn't fully understand what you wrote above.
Do you see it encrypted on one side (vdsm) and cleartext on the
other (engine)? Weird.
2) How the private key for engine can be extracted?
See also: https://ovirt.org/develop/release-management/features/infra/pki/
It's probably outdated a bit, but should still be mostly accurate.