On 10/05/2012 08:03 AM, Juan Hernandez wrote:
Hi,
I see some interest on how to change the host name of the machine where the engine runs (in release 3.1). This is a manual procedure that you can use to do that:
Thanks, Juan -- I'm sure this will come in handy! I've copied these instructions into a page on the oVirt wiki: http://wiki.ovirt.org/wiki/How_to_change_engine_host_name Regards, Jason
0. Make a backup copy of the /etc/pki/ovirt-engine directory.
1. Regenerate the engine certificate signing request preserving the existing private key (this is very important in order to avoid having to decrypt/encrypt passwords stored in the database):
openssl req \ -new \ -subj '/C=US/O=Example Inc./CN=f17.example.com' \ -key /etc/pki/ovirt-engine/keys/engine_id_rsa \ -out /etc/pki/ovirt-engine/requests/engine.req
Replace "Example Inc." with the value that you provided during the installation. If you don't forgot them they can be extracted from the current engine certificate:
openssl x509 \ -in /etc/pki/ovirt-engine/certs/engine.cer \ -noout \ -subject
And *VERY IMPORTANT*, replace "f17.example.com" with the new fully qualified host name.
2. Sign again the engine certificate, to simplify this the SignReq.sh script should be used:
cd /etc/pki/ovirt-engine ./SignReq.sh \ engine.req \ engine.cer \ 1800 \ /etc/pki/ovirt-engine \ `date -d yesterday +%y%m%d%H%M%S+0000` \ NoSoup4U
Double check that the generated certificate is correct, visually and with the following command:
openssl verify \ -CAfile /etc/pki/ovirt-engine/ca.pem \ /etc/pki/ovirt-engine/certs/engine.cer
3. Generate also a DER encoded version of the certificate:
openssl x509 \ -in /etc/pki/ovirt-engine/certs/engine.cer \ -out /etc/pki/ovirt-engine/certs/engine.der \ -outform der
4. Export the engine private key and certificate to a PKCS12 file:
openssl pkcs12 \ -export \ -name engine \ -inkey /etc/pki/ovirt-engine/keys/engine_id_rsa \ -in /etc/pki/ovirt-engine/certs/engine.cer \ -out /etc/pki/ovirt-engine/keys/engine.p12 \ -passout pass:NoSoup4U
5. Regenerate the keystore used by the engine, importing the old CA certificate and the new engine certificate:
rm -f /etc/pki/ovirt-engine/.keystore
keytool \ -keystore /etc/pki/ovirt-engine/.keystore \ -import \ -alias cacert \ -storepass mypass \ -noprompt \ -file /etc/pki/ovirt-engine/ca.pem
keytool \ -keystore /etc/pki/ovirt-engine/.keystore \ -importkeystore \ -srckeystore /etc/pki/ovirt-engine/keys/engine.p12 \ -srcalias engine \ -srcstoretype PKCS12 \ -srcstorepass NoSoup4U \ -srckeypass NoSoup4U \ -destalias engine \ -deststorepass mypass \ -destkeypass mypass
6. Restart the httpd and ovirt-engine services:
service ovirt-engine restart service httpd restart
7. If using ovirt-node as the hypervisors then for each of then check and fix the "vdc_host_name" parameter in the "/etc/vdsm-reg/vdsm-reg.conf" file.
Note that this procedure will leave a small trace: the CA certificate will still contain the URL of the old host. That is a minor invonvenience, but to solve it *all* certificates would need to be replaced. If there is interest I can prepare a procedure to do that as well.
Feedback is welcome.
Regards, Juan Hernandez
-- @jasonbrooks