
Hi all, thanks a lot, it works:
1) get CA to client: "wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt"
2) set "vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}" on kvm host
3) and connect to console using this line: "spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}"
successfully, but how to call "setVmTicket" without logging in as root on the kvm host, how to make it through the POST request?

2012/8/6 David Jaša <djasa@redhat.com>:
@Itamar - this is recurring problem, what about creating a wiki page for it?
@Artem:
Artem wrote on Mon 06. 08. 2012 at 01:30 +0400:
yes engine and kvm(qemu-kvm) installed on same machine (vm-srv)
i change host-subject but..
# spicec -h vm-srv -p 5900 -s 5901 --host-subject "C=US, O=ICL, CN=vm-srv" --secure-channels=all
1) your command line is missing '--ca-file $CA_FILE' altogether
2) you don't mention password
3) you shouldn't need to specify host subject at all because your host (-h) matches name of server in CN field of host subject. If you override it anyway, strip white spaces after commas in it: --host-subject='C=US,O=ICL,CN=vm-srv'
4) you could omit -p and --secure-channels altogether in order to achieve tls-only connection, but you can hit https://bugzilla.redhat.com/show_bug.cgi?id=723582 then
So you should do (out of my head, may contain typos):

get CA:
* on engine, it is found here: CA_FILE=/etc/pki/ovirt-engine/ca.pem
* on host, it's here: CA_FILE=/etc/pki/vdsm/libvirt-spice/ca-cert.pem
* on any other host, get it from engine web interface: wget -O ${CA_FILE} http://ovirt-engine.example.org/ca.crt
on the host, get UUID of the VM (the capture group must match the non-blank UUID token after -uuid, and -n/p prints only the matching line):
$ VM_UUID="$(ps -ef | grep ${VM_NAME} | sed -n -e 's/^.*-uuid[ \t]\+\([^ \t]\+\)[ \t].*$/\1/p')"
as root on the host, set ticket (password and its period of validity):
# vdsClient -s 0 setVmTicket ${VM_UUID} ${PASSWORD} ${VALIDITY_SECONDS}
(doing it via REST API is cleaner but more cumbersome for me)
if the hostname you're connecting to does not match what is in CN field of Subject of the server cert, get the subject without spaces after commas on the host (the g flag strips the space after every comma, not just the first):
$ grep Subject: ${SERVER_CERT_FILE} | sed -e 's/^.*Subject:[ \t]*\(.*\)$/\1/;s/,[ \t]*/,/g'
connect to the spice-server:
$ spicec --ca-file ${CA_FILE} -w ${PASSWORD} -h vm-srv -s ${SECURE_PORT}
OR, with newer, shinier and overall better client :)
# yum install virt-viewer
$ remote-viewer --spice-ca-file /etc/pki/ovirt-engine/ca.pem spice://vm-srv/?tls-port=${SECURE_PORT}
(you'll have to provide the password through the pop-up dialog)

if you need to provide host subject (host name/IP not matching the one from server cert Subject):
$ spicec --host-subject ${HOST_SUBJECT} [...]
OR
$ remote-viewer --spice-host-subject ${HOST_SUBJECT} [...]
David
Error: subject mismatch: #entries cert=2, input=3
Error: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
3079539240:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
Warning: SSL Error:
2012/8/6 Itamar Heim <iheim@redhat.com>:
On 08/06/2012 12:07 AM, Artem wrote:
hmm... not sure if understood correctly...
vm-srv this KVM host.. (server) and I connect from another machine to vm on kvm.
did you install the engine and kvm host on same machine?
this subject name i get in .spicec/spice_truststore.pem
yes, spice trusts the CA, but the client needs to validate the target host certificate. (if you run engine and host on same machine, try: "C=US, O=ICL, CN=vm-srv" (assuming you added the host with hostname of vm-srv to engine; if you added it with fqdn or ip, use them under last CN))
//////////////////////////////////
# cat .spicec/spice_truststore.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=ICL, CN=CA-vm-srv.15064
        Validity
            Not Before: Jul 28 03:42:06 2012
            Not After : Jul 26 23:42:07 2022 GMT
        Subject: C=US, O=ICL, CN=CA-vm-srv.15064
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
///////////////////////////////////////////
2012/8/6 Itamar Heim <iheim@redhat.com>:
this looks like the subject name of the CA, not the host running the virtual machine?
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
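Artem's question about setting the ticket through a POST request, and David's remark that the REST API is the cleaner route, as an added example that is not part of the thread: a POSIX shell script that requests the console ticket from the engine's REST API instead of running vdsClient as root on the host. It assumes an oVirt 3.x engine serving the API at https://${ENGINE}/api, an engine user such as admin@internal, and the CA file fetched as in the thread (wget -O ${CA_FILE} http://${ENGINE}/ca.crt); the VM UUID and expiry are the same values the thread passes to setVmTicket.

```shell
#!/bin/sh
# Added example (not from the thread): set a SPICE console ticket via the
# oVirt REST API from the client machine, so no root shell on the KVM host
# is needed. Assumed: oVirt 3.x API at https://${ENGINE}/api, an engine
# user (e.g. admin@internal), CA file fetched from http://${ENGINE}/ca.crt.
set -eu

# Build the XML action body for POST /api/vms/{vm_id}/ticket.
# With no value the engine generates the ticket itself; expiry is in seconds.
# The value is inserted as-is (not XML-escaped), so keep it alphanumeric.
ticket_action_xml() {
    expiry="$1"
    value="${2:-}"
    if [ -n "$value" ]; then
        printf '<action><ticket><value>%s</value><expiry>%s</expiry></ticket></action>' \
            "$value" "$expiry"
    else
        printf '<action><ticket><expiry>%s</expiry></ticket></action>' "$expiry"
    fi
}

# Extract the ticket value from the engine's <action> response on stdin
# (the engine echoes <ticket><value>...</value><expiry>...</expiry></ticket>).
ticket_value_from_response() {
    sed -n 's/.*<value>\([^<]*\)<\/value>.*/\1/p' | head -n 1
}

# POST the action. TLS is verified against the engine CA (--cacert),
# never disabled with -k; curl prompts for the password when --user has none.
set_vm_ticket() {
    engine="$1"; user="$2"; vm_uuid="$3"; expiry="$4"; ca_file="$5"
    ticket_action_xml "$expiry" |
    curl --silent --show-error --cacert "$ca_file" --user "$user" \
         -H 'Content-Type: application/xml' -H 'Accept: application/xml' \
         --data @- "https://${engine}/api/vms/${vm_uuid}/ticket" |
    ticket_value_from_response
}

# Usage, continuing the thread's variables:
#   PASSWORD="$(set_vm_ticket ovirt-engine.example.org admin@internal "$VM_UUID" 120 "$CA_FILE")"
#   spicec --ca-file "$CA_FILE" -w "$PASSWORD" -h vm-srv -s "$SECURE_PORT"
```

The returned value is the same password the thread passes to spicec -w or types into the remote-viewer dialog, and it expires after the requested number of seconds.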