----- Original Message -----
From: "Gianluca Cecchi" <gianluca.cecchi(a)gmail.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: "Ondra Machacek" <omachace(a)redhat.com>, "users"
<users(a)ovirt.org>
Sent: Thursday, December 11, 2014 12:10:43 AM
Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
On Wed, Dec 10, 2014 at 10:30 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
>
>
> better to use startTLS over ldaps.
> so yes, the above is the right setting.
> you should import the ca certificate, see instructions here[1]
>
> Alon
>
> [1]
>
http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=bl...
I've done it this way:
copied /etc/ipa/ca.crt on engine server renaming it ipa_ca.crt
keytool -importcert -noprompt -trustcacerts -alias iparootca -file /root/ipa_ca.crt -keystore ipaca.jks -storepass mysecret
put ipaca.jks in /etc/ovirt-engine/aaa/
ldap1.properties now has
# Create keystore, import certificate chain and uncomment
# if using ssl/tls.
pool.default.ssl.startTLS = true
#pool.default.ssl.truststore.file = ${local:_basedir}/${global:vars.server}.jks
pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/ipaca.jks
pool.default.ssl.truststore.password = mysecret
and restarted ovirt engine but it seems all connections are still through 389 port....
that's ok.
there are two methods of secure communications.
1. a protocol over TLS/SSL, in which you negotiate secure stream and communicate over it.
2. startTLS (and similar), in which you connect using plain protocol and instruct remote to start secure stream within the same connection.
the startTLS is more flexible and has some advantages over the secure stream, for example: you do not need two separate tcp ports, you can also fallback within same connection to plain if ssl is not supported.
you can verify that you are using secure connection using wireshark, or you can use a store without the correct ca certificate.
Alon
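The StartTLS exchange Alon describes (plain LDAP on port 389, then an "upgrade this connection" request before any TLS handshake), as an added example that is not part of this thread or of ovirt-engine-extension-aaa-ldap. It builds and decodes the RFC 4511 ExtendedRequest/ExtendedResponse with the StartTLS OID in plain Python; the server replies are constructed bytes, and the `starttls()` helper, its `ca_file` argument and the hypothetical socket it takes are assumptions. It also shows why the truststore only matters after the LDAP-level exchange: certificate verification happens in the TLS handshake that follows a successful response, which is the failure Alon suggests provoking with a store that lacks the CA.

```python
"""LDAP StartTLS exchange (RFC 4511 section 4.14) in plain Python.

Constructed example: the client sends an ExtendedRequest carrying the StartTLS
OID on the existing port-389 connection; the server answers with an
ExtendedResponse whose resultCode 0 means the same TCP stream now switches to
TLS. Only then does the client run a TLS handshake, which is where the CA
store (the .jks in the thread) decides whether the server cert is trusted.
"""
import socket
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Tag bytes from RFC 4511 / X.690
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_OCTET_STRING = 0x04
TAG_EXTENDED_REQUEST = 0x60 | 23   # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x60 | 24  # [APPLICATION 24], constructed
TAG_REQUEST_NAME = 0x80            # [0] context-specific, primitive
TAG_RESPONSE_NAME = 0x8A           # [10] context-specific, primitive


def ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    op = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode()))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([message_id])) + op)


def parse_starttls_response(data: bytes) -> dict:
    """Decode the server's ExtendedResponse; resultCode 0 means TLS may start."""
    tag, body, _ = read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    # LDAPResult fields come first: resultCode, matchedDN, diagnosticMessage
    _, code, pos = read_tlv(op, 0)
    _, matched_dn, pos = read_tlv(op, pos)
    _, diag, pos = read_tlv(op, pos)
    name = None
    while pos < len(op):                 # optional referral / responseName / responseValue
        tag, val, pos = read_tlv(op, pos)
        if tag == TAG_RESPONSE_NAME:
            name = val.decode()
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "matched_dn": matched_dn.decode(),
            "diagnostic": diag.decode(),
            "response_name": name}


def _response(result_code: int, diag: str = "") -> bytes:
    """Constructed server reply for messageID 1 echoing the StartTLS OID."""
    return tlv(TAG_SEQUENCE,
               tlv(TAG_INTEGER, b"\x01")
               + tlv(TAG_EXTENDED_RESPONSE,
                     tlv(TAG_ENUMERATED, bytes([result_code]))
                     + tlv(TAG_OCTET_STRING, b"")
                     + tlv(TAG_OCTET_STRING, diag.encode())
                     + tlv(TAG_RESPONSE_NAME, STARTTLS_OID.encode())))


SAMPLE_SUCCESS = _response(0)                                   # constructed: success
SAMPLE_REFUSED = _response(1, "TLS not configured on server")   # constructed: operationsError


def starttls(sock: socket.socket, ca_file: str, server_hostname: str) -> ssl.SSLSocket:
    """Hypothetical helper: upgrade an open plaintext LDAP socket to TLS.

    ca_file is a PEM CA (e.g. the /etc/ipa/ca.crt copied in the thread). If the
    CA is missing, wrap_socket() raises ssl.SSLCertVerificationError, which is
    the negative check Alon describes. Assumes the reply fits in one recv().
    """
    sock.sendall(build_starttls_request(1))
    reply = parse_starttls_response(sock.recv(4096))
    if reply["result_code"] != 0:
        raise RuntimeError("server refused StartTLS: %r" % reply)
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies cert and hostname
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```

Against a live server the first nine bytes on the wire are `30 1d 02 01 01 77 18 80 16` followed by the OID in ASCII, and everything after the success response is a normal TLS handshake on the same port-389 socket, which is what a Wireshark capture would show and what a plain port-389 filter alone cannot tell apart from an unencrypted session.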