8:56 p.m.
Hi Alon,
Thanks...that means even we use the standalone websocket proxy or
standalone websockify...do i need to do the same process :-
http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Se...
On the engine, generate a certificate and key. substitute <FQDN> with the
DNS name of the host. Substitute <country>, <organization> to suite your
environment (i.e. the values must match values in the certificate authority
of your engine).
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh
--name=websocket-proxy-standalone --password=mypass
--subject="/C=<country>/O=<organization>/CN=<fqdn>"
Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and
/etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy machine
at /etc/pki/ovirt-websocket-proxy
At websocket-proxy machine
Install ovirt-engine-websocket-proxy package.
Extract keys:
cd /etc/pki/ovirt-websocket-proxy
openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out
websocket-proxy-standalone.cer
openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes -out
websocket-proxy-standalone.key
chown ovirt:ovirt *
chmod 0600 *
And then Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
and override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
chain and matching key. ??
On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
----- Original Message -----
> From: "Punit Dambiwal" <hypunit(a)gmail.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> Tiraboschi" <stirabos(a)redhat.com>
> Sent: Friday, August 15, 2014 4:48:13 AM
> Subject: Re: [ovirt-users] Ovirt SSL Question
>
> Hi Alon,
>
> Thanks...but still the same question....for which FQDN i need to purchase
> the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??
this is standard https, the browser expects the name of the remote host,
which is the websocket proxy host.
>
>
>
>
> On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
> >
> >
> > ----- Original Message -----
> > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>,
"Antoni Segura
> > Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>, "sabose" <
> > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > Tiraboschi" <stirabos(a)redhat.com>
> > > Sent: Friday, August 15, 2014 4:43:31 AM
> > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > >
> > > Hi Alon,
> > >
> > > Thanks for your reply...but i didn't find 20-pki.conf file in my
> > > ovirt-engine server....
> > >
> > > I am using websocket proxy as standalone....and fetch the vm console
with
> > > the help of API...and then it will display to the browser with our
portal
> > > url...
> >
> > this is conf.d structure, files are sorted by name, last wins.
> > so instead of overriding files you can add your own.
> >
> > >
> > > Thanks,
> > > Punit
> > >
> > >
> > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <alonbl(a)redhat.com>
> > wrote:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > > > To: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske"
<
> > > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>, "Antoni Segura
> > > > Puimedon" <asegurap(a)redhat.com>, "Frantisek
Kobzik"
> > > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>,
"sabose" <
> > > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > >
> > > > > Hi All,
> > > > >
> > > > > Is there any one can help me to solve this issue..
> > > > >
> > > > > Thanks,
> > > > > Punit
> > > > >
> > > > >
> > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <
hypunit(a)gmail.com
> > >
> > > > wrote:
> > > > >
> > > > >
> > > > >
> > > > > Hi All,
> > > > >
> > > > > I have one question regarding the SSL settings in Ovirt....let
me
> > > > explain my
> > > > > environment first :-
> > > > >
> > > > > 1. Ovirt engine :- mgmt.3linux.com
> > > > > 2. Standalone websocket proxy :- web-proxy.3linux.com
> > > > > 3. Our Own Portal :- portal.3linux.com
> > > > >
> > > > > We have the above architecture...we fetch the VM console from
the
> > > > websocket
> > > > > proxy to our own portal through API....because still we are
using
> > > > selfsigned
> > > > > certificate...we need to trust the certificate every
time,whenever we
> > > > open
> > > > > the VM console... (https://< web-proxy.3linux.com
>:<port>)
> > > > >
> > > > > When we initiate the VM console through our own web portal the
url (
> > > > >
> > > >
> >
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> > > > > ),if we accept the SSL certificate with https://<
> > web-proxy.3linux.com
> > > > > >:<port> ....then it will open as expected but if we
didn't
accept
> > the
> > > > > certificate manually...then it through failed to connect:1006
> > error...
> > > > >
> > > > > We don't want that every time end user will accept the
certificate
> > > > > manually...as our link to open VM console is different then
> > webproxy....
> > > > >
> > > > > Now we want to replace the self signed certificate with valid
> > SSL....can
> > > > any
> > > > > one tell me where we need to put the certificates and how to
> > generate the
> > > > > CSR for them and how many SSL we need to purchase to make this
thing
> > > > > workable without accepting the certificate everytime....
> > > >
> > > > Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
and
> > > > override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
> > chain
> > > > and matching key.
> > > >
> > > > You can create the request in any tool you like, what we need is
the
> > > > certificate and key.
> > > >
> > > > Regards,
> > > > Alon
> > > >
> > >
> >
>