8:53 p.m.
Hi All,
I have one question regarding the SSL settings in Ovirt....let me explain
my environment first :-
1. Ovirt engine :- mgmt.3linux.com
2. Standalone websocket proxy :- web-proxy.3linux.com
3. Our Own Portal :- portal.3linux.com
We have the above architecture...we fetch the VM console from the websocket
proxy to our own portal through API....because still we are using
selfsigned certificate...we need to trust the certificate every
time,whenever we open the VM console... (https://<web-proxy.3linux.com
:<port>)
When we initiate the VM console through our own web portal the url (
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
we accept the SSL certificate with https://<web-proxy.3linux.com>:<port>
....then it will open as expected but if we didn't accept the certificate
manually...then it through failed to connect:1006 error...
We don't want that every time end user will accept the certificate
manually...as our link to open VM console is different then webproxy....
Now we want to replace the self signed certificate with valid SSL....can
any one tell me where we need to put the certificates and how to generate
the CSR for them and how many SSL we need to purchase to make this thing
workable without accepting the certificate everytime....
Thanks,
Punit
4:37 a.m.
Hi All,
Is there any one can help me to solve this issue..
Thanks,
Punit
On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <hypunit(a)gmail.com> wrote:
Hi All,
I have one question regarding the SSL settings in Ovirt....let me explain
my environment first :-
1. Ovirt engine :- mgmt.3linux.com
2. Standalone websocket proxy :- web-proxy.3linux.com
3. Our Own Portal :- portal.3linux.com
We have the above architecture...we fetch the VM console from the
websocket proxy to our own portal through API....because still we are using
selfsigned certificate...we need to trust the certificate every
time,whenever we open the VM console... (https://<web-proxy.3linux.com
>:<port>)
When we initiate the VM console through our own web portal the url (
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
we accept the SSL certificate with https://<web-proxy.3linux.com>:<port>
....then it will open as expected but if we didn't accept the certificate
manually...then it through failed to connect:1006 error...
We don't want that every time end user will accept the certificate
manually...as our link to open VM console is different then webproxy....
Now we want to replace the self signed certificate with valid SSL....can
any one tell me where we need to put the certificates and how to generate
the CSR for them and how many SSL we need to purchase to make this thing
workable without accepting the certificate everytime....
Thanks,
Punit
5:53 a.m.
This is a multi-part message in MIME format.
--------------030502060003060901030103
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
On 08/14/2014 03:07 PM, Punit Dambiwal wrote:
Hi All,
Is there any one can help me to solve this issue..
Look for details at http://www.ovirt.org/Features/PKI
(User--SSL-->apache--AJP-->ovirt-engine), that may help you.
Thanks,
Punit
On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <hypunit(a)gmail.com
<mailto:hypunit@gmail.com>> wrote:
Hi All,
I have one question regarding the SSL settings in Ovirt....let me
explain my environment first :-
1. Ovirt engine :- mgmt.3linux.com <http://mgmt.3linux.com>
2. Standalone websocket proxy :- web-proxy.3linux.com
<http://web-proxy.3linux.com>
3. Our Own Portal :- portal.3linux.com <http://portal.3linux.com>
We have the above architecture...we fetch the VM console from the
websocket proxy to our own portal through API....because still we
are using selfsigned certificate...we need to trust the
certificate every time,whenever we open the VM console...
(https://<web-proxy.3linux.com
<http://web-proxy.3linux.com>>:<port>)
When we initiate the VM console through our own web portal the url
(https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
we accept the SSL certificate with https://<web-proxy.3linux.com
<http://web-proxy.3linux.com>>:<port> ....then it will open as
expected but if we didn't accept the certificate manually...then
it through failed to connect:1006 error...
We don't want that every time end user will accept the certificate
manually...as our link to open VM console is different then
webproxy....
Now we want to replace the self signed certificate with valid
SSL....can any one tell me where we need to put the certificates
and how to generate the CSR for them and how many SSL we need to
purchase to make this thing workable without accepting the
certificate everytime....
Thanks,
Punit
--------------030502060003060901030103
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit
<html>
<head>
<meta content="text/html; charset=UTF-8"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 08/14/2014 03:07 PM, Punit Dambiwal
wrote:<br>
</div>
<blockquote
cite="mid:CAGZcrBnMU3abABXFFUpDKiXmYQyopiTaAcJyjcCmU6+HRh_PoQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>Is there any one can help me to solve this issue..</div>
</div>
</blockquote>
<br>
<br>
Look for details at <a class="moz-txt-link-freetext"
href="http://www.ovirt.org/Features/PKI">http://www.ovirt.or...
(User--SSL-->apache--AJP-->ovirt-engine), that may help you.<br>
<br>
<blockquote
cite="mid:CAGZcrBnMU3abABXFFUpDKiXmYQyopiTaAcJyjcCmU6+HRh_PoQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Thanks,</div>
<div>Punit</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Aug 13, 2014 at 9:53 AM, Punit
Dambiwal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:hypunit@gmail.com"
target="_blank">hypunit(a)gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>I have one question regarding the SSL settings in
Ovirt....let me explain my environment first :-</div>
<div><br>
</div>
<div>1. Ovirt engine :- <a moz-do-not-send="true"
href="http://mgmt.3linux.com"
target="_blank">mgmt.3linux.com</a></div>
<div>2. Standalone websocket proxy :- <a
moz-do-not-send="true"
href="http://web-proxy.3linux.com"
target="_blank">web-proxy.3linux.com</a></div>
<div>3. Our Own Portal :- <a moz-do-not-send="true"
href="http://portal.3linux.com"
target="_blank">portal.3linux.com</a></div>
<div><br>
</div>
<div>We have the above architecture...we fetch the VM
console from the websocket proxy to our own portal
through API....because still we are using selfsigned
certificate...we need to trust the certificate every
time,whenever we open the VM console... (<a
class="moz-txt-link-freetext"
href="https://">https://</a><<a
moz-do-not-send="true"
href="http://web-proxy.3linux.com"
target="_blank">web-proxy.3linux.com</a>>:<port>)</div>
<div><br>
</div>
<div>When we initiate the VM console through our own web
portal the url (<a moz-do-not-send="true"
href="https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?i...
target="_blank">https://portal.3linux.com/content/ovirt/noVN...
we accept the SSL certificate with <a
class="moz-txt-link-freetext"
href="https://">https://</a><<a
moz-do-not-send="true"
href="http://web-proxy.3linux.com"
target="_blank">web-proxy.3linux.com</a>>:<port>
....then it will open as expected but if we didn't
accept the certificate manually...then it through failed
to connect:1006 error...</div>
<div><br>
</div>
<div>We don't want that every time end user will accept
the certificate manually...as our link to open VM
console is different then webproxy....</div>
<div><br>
</div>
<div>Now we want to replace the self signed certificate
with valid SSL....can any one tell me where we need to
put the certificates and how to generate the CSR for
them and how many SSL we need to purchase to make this
thing workable without accepting the certificate
everytime....</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Punit </div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>
--------------030502060003060901030103--
10:13 a.m.
----- Original Message -----
From: "Punit Dambiwal" <hypunit(a)gmail.com>
To: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske"
<S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
"Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
<fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
Tiraboschi" <stirabos(a)redhat.com>
Sent: Thursday, August 14, 2014 12:37:01 PM
Subject: Re: [ovirt-users] Ovirt SSL Question
Hi All,
Is there any one can help me to solve this issue..
Thanks,
Punit
On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal < hypunit(a)gmail.com > wrote:
Hi All,
I have one question regarding the SSL settings in Ovirt....let me explain my
environment first :-
1. Ovirt engine :- mgmt.3linux.com
2. Standalone websocket proxy :- web-proxy.3linux.com
3. Our Own Portal :- portal.3linux.com
We have the above architecture...we fetch the VM console from the websocket
proxy to our own portal through API....because still we are using selfsigned
certificate...we need to trust the certificate every time,whenever we open
the VM console... (https://< web-proxy.3linux.com >:<port>)
When we initiate the VM console through our own web portal the url (
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
),if we accept the SSL certificate with https://< web-proxy.3linux.com
>:<port> ....then it will open as expected but if we didn't accept the
certificate manually...then it through failed to connect:1006 error...
We don't want that every time end user will accept the certificate
manually...as our link to open VM console is different then webproxy....
Now we want to replace the self signed certificate with valid SSL....can any
one tell me where we need to put the certificates and how to generate the
CSR for them and how many SSL we need to purchase to make this thing
workable without accepting the certificate everytime....
Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf and override the
SSL_CERTIFICATE and SSL_KEY with 3rd party certificate chain and matching key.
You can create the request in any tool you like, what we need is the certificate and key.
Regards,
Alon
8:43 p.m.
Hi Alon,
Thanks for your reply...but i didn't find 20-pki.conf file in my
ovirt-engine server....
I am using websocket proxy as standalone....and fetch the vm console with
the help of API...and then it will display to the browser with our portal
url...
Thanks,
Punit
On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
----- Original Message -----
> From: "Punit Dambiwal" <hypunit(a)gmail.com>
> To: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> Tiraboschi" <stirabos(a)redhat.com>
> Sent: Thursday, August 14, 2014 12:37:01 PM
> Subject: Re: [ovirt-users] Ovirt SSL Question
>
> Hi All,
>
> Is there any one can help me to solve this issue..
>
> Thanks,
> Punit
>
>
> On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal < hypunit(a)gmail.com >
wrote:
>
>
>
> Hi All,
>
> I have one question regarding the SSL settings in Ovirt....let me
explain my
> environment first :-
>
> 1. Ovirt engine :- mgmt.3linux.com
> 2. Standalone websocket proxy :- web-proxy.3linux.com
> 3. Our Own Portal :- portal.3linux.com
>
> We have the above architecture...we fetch the VM console from the
websocket
> proxy to our own portal through API....because still we are using
selfsigned
> certificate...we need to trust the certificate every time,whenever we
open
> the VM console... (https://< web-proxy.3linux.com >:<port>)
>
> When we initiate the VM console through our own web portal the url (
>
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> ),if we accept the SSL certificate with https://< web-proxy.3linux.com
> >:<port> ....then it will open as expected but if we didn't accept the
> certificate manually...then it through failed to connect:1006 error...
>
> We don't want that every time end user will accept the certificate
> manually...as our link to open VM console is different then webproxy....
>
> Now we want to replace the self signed certificate with valid SSL....can
any
> one tell me where we need to put the certificates and how to generate the
> CSR for them and how many SSL we need to purchase to make this thing
> workable without accepting the certificate everytime....
Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf and
override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate chain
and matching key.
You can create the request in any tool you like, what we need is the
certificate and key.
Regards,
Alon
8:46 p.m.
----- Original Message -----
From: "Punit Dambiwal" <hypunit(a)gmail.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske"
<S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
"Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
<fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
Tiraboschi" <stirabos(a)redhat.com>
Sent: Friday, August 15, 2014 4:43:31 AM
Subject: Re: [ovirt-users] Ovirt SSL Question
Hi Alon,
Thanks for your reply...but i didn't find 20-pki.conf file in my
ovirt-engine server....
I am using websocket proxy as standalone....and fetch the vm console with
the help of API...and then it will display to the browser with our portal
url...
this is conf.d structure, files are sorted by name, last wins.
so instead of overriding files you can add your own.
Thanks,
Punit
On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > To: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
> Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
> sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > Tiraboschi" <stirabos(a)redhat.com>
> > Sent: Thursday, August 14, 2014 12:37:01 PM
> > Subject: Re: [ovirt-users] Ovirt SSL Question
> >
> > Hi All,
> >
> > Is there any one can help me to solve this issue..
> >
> > Thanks,
> > Punit
> >
> >
> > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal < hypunit(a)gmail.com >
> wrote:
> >
> >
> >
> > Hi All,
> >
> > I have one question regarding the SSL settings in Ovirt....let me
> explain my
> > environment first :-
> >
> > 1. Ovirt engine :- mgmt.3linux.com
> > 2. Standalone websocket proxy :- web-proxy.3linux.com
> > 3. Our Own Portal :- portal.3linux.com
> >
> > We have the above architecture...we fetch the VM console from the
> websocket
> > proxy to our own portal through API....because still we are using
> selfsigned
> > certificate...we need to trust the certificate every time,whenever we
> open
> > the VM console... (https://< web-proxy.3linux.com >:<port>)
> >
> > When we initiate the VM console through our own web portal the url (
> >
>
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> > ),if we accept the SSL certificate with https://< web-proxy.3linux.com
> > >:<port> ....then it will open as expected but if we didn't accept
the
> > certificate manually...then it through failed to connect:1006 error...
> >
> > We don't want that every time end user will accept the certificate
> > manually...as our link to open VM console is different then webproxy....
> >
> > Now we want to replace the self signed certificate with valid SSL....can
> any
> > one tell me where we need to put the certificates and how to generate the
> > CSR for them and how many SSL we need to purchase to make this thing
> > workable without accepting the certificate everytime....
>
> Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf and
> override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate chain
> and matching key.
>
> You can create the request in any tool you like, what we need is the
> certificate and key.
>
> Regards,
> Alon
>
8:48 p.m.
Hi Alon,
Thanks...but still the same question....for which FQDN i need to purchase
the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??
On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
----- Original Message -----
> From: "Punit Dambiwal" <hypunit(a)gmail.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> Tiraboschi" <stirabos(a)redhat.com>
> Sent: Friday, August 15, 2014 4:43:31 AM
> Subject: Re: [ovirt-users] Ovirt SSL Question
>
> Hi Alon,
>
> Thanks for your reply...but i didn't find 20-pki.conf file in my
> ovirt-engine server....
>
> I am using websocket proxy as standalone....and fetch the vm console with
> the help of API...and then it will display to the browser with our portal
> url...
this is conf.d structure, files are sorted by name, last wins.
so instead of overriding files you can add your own.
>
> Thanks,
> Punit
>
>
> On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <alonbl(a)redhat.com>
wrote:
>
> >
> >
> > ----- Original Message -----
> > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > To: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>,
"Antoni Segura
> > Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>, "sabose" <
> > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > Tiraboschi" <stirabos(a)redhat.com>
> > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > >
> > > Hi All,
> > >
> > > Is there any one can help me to solve this issue..
> > >
> > > Thanks,
> > > Punit
> > >
> > >
> > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal < hypunit(a)gmail.com
>
> > wrote:
> > >
> > >
> > >
> > > Hi All,
> > >
> > > I have one question regarding the SSL settings in Ovirt....let me
> > explain my
> > > environment first :-
> > >
> > > 1. Ovirt engine :- mgmt.3linux.com
> > > 2. Standalone websocket proxy :- web-proxy.3linux.com
> > > 3. Our Own Portal :- portal.3linux.com
> > >
> > > We have the above architecture...we fetch the VM console from the
> > websocket
> > > proxy to our own portal through API....because still we are using
> > selfsigned
> > > certificate...we need to trust the certificate every time,whenever we
> > open
> > > the VM console... (https://< web-proxy.3linux.com >:<port>)
> > >
> > > When we initiate the VM console through our own web portal the url (
> > >
> >
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> > > ),if we accept the SSL certificate with https://<
web-proxy.3linux.com
> > > >:<port> ....then it will open as expected but if we didn't
accept
the
> > > certificate manually...then it through failed to connect:1006
error...
> > >
> > > We don't want that every time end user will accept the certificate
> > > manually...as our link to open VM console is different then
webproxy....
> > >
> > > Now we want to replace the self signed certificate with valid
SSL....can
> > any
> > > one tell me where we need to put the certificates and how to
generate the
> > > CSR for them and how many SSL we need to purchase to make this thing
> > > workable without accepting the certificate everytime....
> >
> > Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf and
> > override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
chain
> > and matching key.
> >
> > You can create the request in any tool you like, what we need is the
> > certificate and key.
> >
> > Regards,
> > Alon
> >
>
8:51 p.m.
----- Original Message -----
From: "Punit Dambiwal" <hypunit(a)gmail.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske"
<S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
"Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
<fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
Tiraboschi" <stirabos(a)redhat.com>
Sent: Friday, August 15, 2014 4:48:13 AM
Subject: Re: [ovirt-users] Ovirt SSL Question
Hi Alon,
Thanks...but still the same question....for which FQDN i need to purchase
the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??
this is standard https, the browser expects the name of the remote host, which is the
websocket proxy host.
On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
> Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
> sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > Tiraboschi" <stirabos(a)redhat.com>
> > Sent: Friday, August 15, 2014 4:43:31 AM
> > Subject: Re: [ovirt-users] Ovirt SSL Question
> >
> > Hi Alon,
> >
> > Thanks for your reply...but i didn't find 20-pki.conf file in my
> > ovirt-engine server....
> >
> > I am using websocket proxy as standalone....and fetch the vm console with
> > the help of API...and then it will display to the browser with our portal
> > url...
>
> this is conf.d structure, files are sorted by name, last wins.
> so instead of overriding files you can add your own.
>
> >
> > Thanks,
> > Punit
> >
> >
> > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <alonbl(a)redhat.com>
> wrote:
> >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > > To: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>,
"Antoni Segura
> > > Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>, "sabose" <
> > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > >
> > > > Hi All,
> > > >
> > > > Is there any one can help me to solve this issue..
> > > >
> > > > Thanks,
> > > > Punit
> > > >
> > > >
> > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <
hypunit(a)gmail.com
> >
> > > wrote:
> > > >
> > > >
> > > >
> > > > Hi All,
> > > >
> > > > I have one question regarding the SSL settings in Ovirt....let me
> > > explain my
> > > > environment first :-
> > > >
> > > > 1. Ovirt engine :- mgmt.3linux.com
> > > > 2. Standalone websocket proxy :- web-proxy.3linux.com
> > > > 3. Our Own Portal :- portal.3linux.com
> > > >
> > > > We have the above architecture...we fetch the VM console from the
> > > websocket
> > > > proxy to our own portal through API....because still we are using
> > > selfsigned
> > > > certificate...we need to trust the certificate every time,whenever
we
> > > open
> > > > the VM console... (https://< web-proxy.3linux.com
>:<port>)
> > > >
> > > > When we initiate the VM console through our own web portal the url (
> > > >
> > >
>
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> > > > ),if we accept the SSL certificate with https://<
> web-proxy.3linux.com
> > > > >:<port> ....then it will open as expected but if we
didn't accept
> the
> > > > certificate manually...then it through failed to connect:1006
> error...
> > > >
> > > > We don't want that every time end user will accept the
certificate
> > > > manually...as our link to open VM console is different then
> webproxy....
> > > >
> > > > Now we want to replace the self signed certificate with valid
> SSL....can
> > > any
> > > > one tell me where we need to put the certificates and how to
> generate the
> > > > CSR for them and how many SSL we need to purchase to make this thing
> > > > workable without accepting the certificate everytime....
> > >
> > > Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf and
> > > override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
> chain
> > > and matching key.
> > >
> > > You can create the request in any tool you like, what we need is the
> > > certificate and key.
> > >
> > > Regards,
> > > Alon
> > >
> >
>
8:56 p.m.
Hi Alon,
Thanks...that means even we use the standalone websocket proxy or
standalone websockify...do i need to do the same process :-
http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Se...
On the engine, generate a certificate and key. substitute <FQDN> with the
DNS name of the host. Substitute <country>, <organization> to suite your
environment (i.e. the values must match values in the certificate authority
of your engine).
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh
--name=websocket-proxy-standalone --password=mypass
--subject="/C=<country>/O=<organization>/CN=<fqdn>"
Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and
/etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy machine
at /etc/pki/ovirt-websocket-proxy
At websocket-proxy machine
Install ovirt-engine-websocket-proxy package.
Extract keys:
cd /etc/pki/ovirt-websocket-proxy
openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out
websocket-proxy-standalone.cer
openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes -out
websocket-proxy-standalone.key
chown ovirt:ovirt *
chmod 0600 *
And then Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
and override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
chain and matching key. ??
On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
----- Original Message -----
> From: "Punit Dambiwal" <hypunit(a)gmail.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> Tiraboschi" <stirabos(a)redhat.com>
> Sent: Friday, August 15, 2014 4:48:13 AM
> Subject: Re: [ovirt-users] Ovirt SSL Question
>
> Hi Alon,
>
> Thanks...but still the same question....for which FQDN i need to purchase
> the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??
this is standard https, the browser expects the name of the remote host,
which is the websocket proxy host.
>
>
>
>
> On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
> >
> >
> > ----- Original Message -----
> > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>,
"Antoni Segura
> > Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>, "sabose" <
> > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > Tiraboschi" <stirabos(a)redhat.com>
> > > Sent: Friday, August 15, 2014 4:43:31 AM
> > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > >
> > > Hi Alon,
> > >
> > > Thanks for your reply...but i didn't find 20-pki.conf file in my
> > > ovirt-engine server....
> > >
> > > I am using websocket proxy as standalone....and fetch the vm console
with
> > > the help of API...and then it will display to the browser with our
portal
> > > url...
> >
> > this is conf.d structure, files are sorted by name, last wins.
> > so instead of overriding files you can add your own.
> >
> > >
> > > Thanks,
> > > Punit
> > >
> > >
> > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <alonbl(a)redhat.com>
> > wrote:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > > > To: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske"
<
> > > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>, "Antoni Segura
> > > > Puimedon" <asegurap(a)redhat.com>, "Frantisek
Kobzik"
> > > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>,
"sabose" <
> > > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > >
> > > > > Hi All,
> > > > >
> > > > > Is there any one can help me to solve this issue..
> > > > >
> > > > > Thanks,
> > > > > Punit
> > > > >
> > > > >
> > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <
hypunit(a)gmail.com
> > >
> > > > wrote:
> > > > >
> > > > >
> > > > >
> > > > > Hi All,
> > > > >
> > > > > I have one question regarding the SSL settings in Ovirt....let
me
> > > > explain my
> > > > > environment first :-
> > > > >
> > > > > 1. Ovirt engine :- mgmt.3linux.com
> > > > > 2. Standalone websocket proxy :- web-proxy.3linux.com
> > > > > 3. Our Own Portal :- portal.3linux.com
> > > > >
> > > > > We have the above architecture...we fetch the VM console from
the
> > > > websocket
> > > > > proxy to our own portal through API....because still we are
using
> > > > selfsigned
> > > > > certificate...we need to trust the certificate every
time,whenever we
> > > > open
> > > > > the VM console... (https://< web-proxy.3linux.com
>:<port>)
> > > > >
> > > > > When we initiate the VM console through our own web portal the
url (
> > > > >
> > > >
> >
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> > > > > ),if we accept the SSL certificate with https://<
> > web-proxy.3linux.com
> > > > > >:<port> ....then it will open as expected but if we
didn't
accept
> > the
> > > > > certificate manually...then it through failed to connect:1006
> > error...
> > > > >
> > > > > We don't want that every time end user will accept the
certificate
> > > > > manually...as our link to open VM console is different then
> > webproxy....
> > > > >
> > > > > Now we want to replace the self signed certificate with valid
> > SSL....can
> > > > any
> > > > > one tell me where we need to put the certificates and how to
> > generate the
> > > > > CSR for them and how many SSL we need to purchase to make this
thing
> > > > > workable without accepting the certificate everytime....
> > > >
> > > > Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
and
> > > > override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
> > chain
> > > > and matching key.
> > > >
> > > > You can create the request in any tool you like, what we need is
the
> > > > certificate and key.
> > > >
> > > > Regards,
> > > > Alon
> > > >
> > >
> >
>
9:19 p.m.
----- Original Message -----
From: "Punit Dambiwal" <hypunit(a)gmail.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske"
<S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
"Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
<fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
Tiraboschi" <stirabos(a)redhat.com>
Sent: Friday, August 15, 2014 4:56:36 AM
Subject: Re: [ovirt-users] Ovirt SSL Question
Hi Alon,
Thanks...that means even we use the standalone websocket proxy or
standalone websockify...do i need to do the same process :-
http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Se...
On the engine, generate a certificate and key. substitute <FQDN> with the
DNS name of the host. Substitute <country>, <organization> to suite your
environment (i.e. the values must match values in the certificate authority
of your engine).
/usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh
--name=websocket-proxy-standalone --password=mypass
--subject="/C=<country>/O=<organization>/CN=<fqdn>"
Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and
/etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy machine
at /etc/pki/ovirt-websocket-proxy
At websocket-proxy machine
Install ovirt-engine-websocket-proxy package.
Extract keys:
cd /etc/pki/ovirt-websocket-proxy
openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out
websocket-proxy-standalone.cer
openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes -out
websocket-proxy-standalone.key
chown ovirt:ovirt *
chmod 0600 *
And then Create /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
and override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
chain and matching key. ??
you wanted to use a certificate from 3rd party certificate authority, you do not need to
enroll a certificate from the internal certificate authority.
On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
> Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
> sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > Tiraboschi" <stirabos(a)redhat.com>
> > Sent: Friday, August 15, 2014 4:48:13 AM
> > Subject: Re: [ovirt-users] Ovirt SSL Question
> >
> > Hi Alon,
> >
> > Thanks...but still the same question....for which FQDN i need to purchase
> > the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??
>
> this is standard https, the browser expects the name of the remote host,
> which is the websocket proxy host.
>
> >
> >
> >
> >
> > On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
> >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>,
"Antoni Segura
> > > Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>, "sabose" <
> > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > Sent: Friday, August 15, 2014 4:43:31 AM
> > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > >
> > > > Hi Alon,
> > > >
> > > > Thanks for your reply...but i didn't find 20-pki.conf file in my
> > > > ovirt-engine server....
> > > >
> > > > I am using websocket proxy as standalone....and fetch the vm console
> with
> > > > the help of API...and then it will display to the browser with our
> portal
> > > > url...
> > >
> > > this is conf.d structure, files are sorted by name, last wins.
> > > so instead of overriding files you can add your own.
> > >
> > > >
> > > > Thanks,
> > > > Punit
> > > >
> > > >
> > > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev
<alonbl(a)redhat.com>
> > > wrote:
> > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > > > > To: users(a)ovirt.org, ahadas(a)redhat.com, "Sven
Kieske" <
> > > > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>, "Antoni Segura
> > > > > Puimedon" <asegurap(a)redhat.com>, "Frantisek
Kobzik"
> > > > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>,
> "sabose" <
> > > > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > Is there any one can help me to solve this issue..
> > > > > >
> > > > > > Thanks,
> > > > > > Punit
> > > > > >
> > > > > >
> > > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <
> hypunit(a)gmail.com
> > > >
> > > > > wrote:
> > > > > >
> > > > > >
> > > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > I have one question regarding the SSL settings in
Ovirt....let me
> > > > > explain my
> > > > > > environment first :-
> > > > > >
> > > > > > 1. Ovirt engine :- mgmt.3linux.com
> > > > > > 2. Standalone websocket proxy :- web-proxy.3linux.com
> > > > > > 3. Our Own Portal :- portal.3linux.com
> > > > > >
> > > > > > We have the above architecture...we fetch the VM console
from the
> > > > > websocket
> > > > > > proxy to our own portal through API....because still we are
using
> > > > > selfsigned
> > > > > > certificate...we need to trust the certificate every
> time,whenever we
> > > > > open
> > > > > > the VM console... (https://< web-proxy.3linux.com
>:<port>)
> > > > > >
> > > > > > When we initiate the VM console through our own web portal
the
> url (
> > > > > >
> > > > >
> > >
>
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> > > > > > ),if we accept the SSL certificate with https://<
> > > web-proxy.3linux.com
> > > > > > >:<port> ....then it will open as expected but if
we didn't
> accept
> > > the
> > > > > > certificate manually...then it through failed to
connect:1006
> > > error...
> > > > > >
> > > > > > We don't want that every time end user will accept the
> certificate
> > > > > > manually...as our link to open VM console is different
then
> > > webproxy....
> > > > > >
> > > > > > Now we want to replace the self signed certificate with
valid
> > > SSL....can
> > > > > any
> > > > > > one tell me where we need to put the certificates and how
to
> > > generate the
> > > > > > CSR for them and how many SSL we need to purchase to make
this
> thing
> > > > > > workable without accepting the certificate everytime....
> > > > >
> > > > > Create
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> and
> > > > > override the SSL_CERTIFICATE and SSL_KEY with 3rd party
certificate
> > > chain
> > > > > and matching key.
> > > > >
> > > > > You can create the request in any tool you like, what we need
is
> the
> > > > > certificate and key.
> > > > >
> > > > > Regards,
> > > > > Alon
> > > > >
> > > >
> > >
> >
>
10:05 p.m.
Hi Alon,
Thanks understand....that means no need to enroll certificate from the
internal...just generate the CSR from standalone websocket proxy server and
receive the 3rd party SSL and install that SSL on the websocket proxy
server and then Create /etc/ovirt-engine/ovirt-
websocket-proxy.conf.d/20-pki.conf and override the SSL_CERTIFICATE and
SSL_KEY with 3rd party certificate chain and matching key. ???
Also one more question....as i don't want to use the ovirt default
websocket proxy as it doesn't fit to our requirement....we are using
websockify on the separate standalone server....it seems i need to do the
same as we can do for the websocket...m i right ??
Thanks For your help Alon...
Thanks,
Punit
On Fri, Aug 15, 2014 at 10:19 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
----- Original Message -----
> From: "Punit Dambiwal" <hypunit(a)gmail.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> Tiraboschi" <stirabos(a)redhat.com>
> Sent: Friday, August 15, 2014 4:56:36 AM
> Subject: Re: [ovirt-users] Ovirt SSL Question
>
> Hi Alon,
>
> Thanks...that means even we use the standalone websocket proxy or
> standalone websockify...do i need to do the same process :-
>
>
http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Se...
>
> On the engine, generate a certificate and key. substitute <FQDN> with the
> DNS name of the host. Substitute <country>, <organization> to suite
your
> environment (i.e. the values must match values in the certificate
authority
> of your engine).
>
> /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh
> --name=websocket-proxy-standalone --password=mypass
> --subject="/C=<country>/O=<organization>/CN=<fqdn>"
>
> Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and
> /etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy
machine
> at /etc/pki/ovirt-websocket-proxy
> At websocket-proxy machine
>
> Install ovirt-engine-websocket-proxy package.
>
> Extract keys:
>
> cd /etc/pki/ovirt-websocket-proxy
> openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out
> websocket-proxy-standalone.cer
> openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes -out
> websocket-proxy-standalone.key
> chown ovirt:ovirt *
> chmod 0600 *
>
> And then Create
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> and override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
> chain and matching key. ??
you wanted to use a certificate from 3rd party certificate authority, you
do not need to enroll a certificate from the internal certificate authority.
>
>
>
> On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
> >
> >
> > ----- Original Message -----
> > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>,
"Antoni Segura
> > Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>, "sabose" <
> > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > Tiraboschi" <stirabos(a)redhat.com>
> > > Sent: Friday, August 15, 2014 4:48:13 AM
> > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > >
> > > Hi Alon,
> > >
> > > Thanks...but still the same question....for which FQDN i need to
purchase
> > > the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??
> >
> > this is standard https, the browser expects the name of the remote
host,
> > which is the websocket proxy host.
> >
> > >
> > >
> > >
> > >
> > > On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <alonbl(a)redhat.com>
wrote:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske"
<
> > > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>, "Antoni Segura
> > > > Puimedon" <asegurap(a)redhat.com>, "Frantisek
Kobzik"
> > > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>,
"sabose" <
> > > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > > Sent: Friday, August 15, 2014 4:43:31 AM
> > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > >
> > > > > Hi Alon,
> > > > >
> > > > > Thanks for your reply...but i didn't find 20-pki.conf file
in my
> > > > > ovirt-engine server....
> > > > >
> > > > > I am using websocket proxy as standalone....and fetch the vm
console
> > with
> > > > > the help of API...and then it will display to the browser with
our
> > portal
> > > > > url...
> > > >
> > > > this is conf.d structure, files are sorted by name, last wins.
> > > > so instead of overriding files you can add your own.
> > > >
> > > > >
> > > > > Thanks,
> > > > > Punit
> > > > >
> > > > >
> > > > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <
alonbl(a)redhat.com>
> > > > wrote:
> > > > >
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Punit Dambiwal"
<hypunit(a)gmail.com>
> > > > > > > To: users(a)ovirt.org, ahadas(a)redhat.com, "Sven
Kieske" <
> > > > > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>, "Antoni
Segura
> > > > > > Puimedon" <asegurap(a)redhat.com>, "Frantisek
Kobzik"
> > > > > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>,
> > "sabose" <
> > > > > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > > > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > Is there any one can help me to solve this issue..
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Punit
> > > > > > >
> > > > > > >
> > > > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <
> > hypunit(a)gmail.com
> > > > >
> > > > > > wrote:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > I have one question regarding the SSL settings in
Ovirt....let me
> > > > > > explain my
> > > > > > > environment first :-
> > > > > > >
> > > > > > > 1. Ovirt engine :- mgmt.3linux.com
> > > > > > > 2. Standalone websocket proxy :- web-proxy.3linux.com
> > > > > > > 3. Our Own Portal :- portal.3linux.com
> > > > > > >
> > > > > > > We have the above architecture...we fetch the VM
console
from the
> > > > > > websocket
> > > > > > > proxy to our own portal through API....because still
we are
using
> > > > > > selfsigned
> > > > > > > certificate...we need to trust the certificate every
> > time,whenever we
> > > > > > open
> > > > > > > the VM console... (https://< web-proxy.3linux.com
>:<port>)
> > > > > > >
> > > > > > > When we initiate the VM console through our own web
portal
the
> > url (
> > > > > > >
> > > > > >
> > > >
> >
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> > > > > > > ),if we accept the SSL certificate with https://<
> > > > web-proxy.3linux.com
> > > > > > > >:<port> ....then it will open as expected
but if we didn't
> > accept
> > > > the
> > > > > > > certificate manually...then it through failed to
connect:1006
> > > > error...
> > > > > > >
> > > > > > > We don't want that every time end user will accept
the
> > certificate
> > > > > > > manually...as our link to open VM console is different
then
> > > > webproxy....
> > > > > > >
> > > > > > > Now we want to replace the self signed certificate
with valid
> > > > SSL....can
> > > > > > any
> > > > > > > one tell me where we need to put the certificates and
how to
> > > > generate the
> > > > > > > CSR for them and how many SSL we need to purchase to
make
this
> > thing
> > > > > > > workable without accepting the certificate
everytime....
> > > > > >
> > > > > > Create
/etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> > and
> > > > > > override the SSL_CERTIFICATE and SSL_KEY with 3rd party
certificate
> > > > chain
> > > > > > and matching key.
> > > > > >
> > > > > > You can create the request in any tool you like, what we
need
is
> > the
> > > > > > certificate and key.
> > > > > >
> > > > > > Regards,
> > > > > > Alon
> > > > > >
> > > > >
> > > >
> > >
> >
>
12:16 a.m.
----- Original Message -----
From: "Punit Dambiwal" <hypunit(a)gmail.com>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske"
<S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
"Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
<fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
Tiraboschi" <stirabos(a)redhat.com>
Sent: Friday, August 15, 2014 6:05:14 AM
Subject: Re: [ovirt-users] Ovirt SSL Question
Hi Alon,
Thanks understand....that means no need to enroll certificate from the
internal...just generate the CSR from standalone websocket proxy server and
receive the 3rd party SSL and install that SSL on the websocket proxy
server and then Create /etc/ovirt-engine/ovirt-
websocket-proxy.conf.d/20-pki.conf and override the SSL_CERTIFICATE and
SSL_KEY with 3rd party certificate chain and matching key. ???
yes.
Also one more question....as i don't want to use the ovirt
default
websocket proxy as it doesn't fit to our requirement....we are using
websockify on the separate standalone server....it seems i need to do the
same as we can do for the websocket...m i right ??
you should do this only on the active proxy.
Thanks For your help Alon...
Thanks,
Punit
On Fri, Aug 15, 2014 at 10:19 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
>
>
> ----- Original Message -----
> > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
> Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
> sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > Tiraboschi" <stirabos(a)redhat.com>
> > Sent: Friday, August 15, 2014 4:56:36 AM
> > Subject: Re: [ovirt-users] Ovirt SSL Question
> >
> > Hi Alon,
> >
> > Thanks...that means even we use the standalone websocket proxy or
> > standalone websockify...do i need to do the same process :-
> >
> >
>
http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Se...
> >
> > On the engine, generate a certificate and key. substitute <FQDN> with
the
> > DNS name of the host. Substitute <country>, <organization> to suite
your
> > environment (i.e. the values must match values in the certificate
> authority
> > of your engine).
> >
> > /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh
> > --name=websocket-proxy-standalone --password=mypass
> >
--subject="/C=<country>/O=<organization>/CN=<fqdn>"
> >
> > Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and
> > /etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy
> machine
> > at /etc/pki/ovirt-websocket-proxy
> > At websocket-proxy machine
> >
> > Install ovirt-engine-websocket-proxy package.
> >
> > Extract keys:
> >
> > cd /etc/pki/ovirt-websocket-proxy
> > openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out
> > websocket-proxy-standalone.cer
> > openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes -out
> > websocket-proxy-standalone.key
> > chown ovirt:ovirt *
> > chmod 0600 *
> >
> > And then Create
> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> > and override the SSL_CERTIFICATE and SSL_KEY with 3rd party certificate
> > chain and matching key. ??
>
> you wanted to use a certificate from 3rd party certificate authority, you
> do not need to enroll a certificate from the internal certificate
> authority.
>
> >
> >
> >
> > On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
> >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>,
"Antoni Segura
> > > Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>, "sabose" <
> > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > Sent: Friday, August 15, 2014 4:48:13 AM
> > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > >
> > > > Hi Alon,
> > > >
> > > > Thanks...but still the same question....for which FQDN i need to
> purchase
> > > > the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??
> > >
> > > this is standard https, the browser expects the name of the remote
> host,
> > > which is the websocket proxy host.
> > >
> > > >
> > > >
> > > >
> > > >
> > > > On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev
<alonbl(a)redhat.com>
> wrote:
> > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven
Kieske" <
> > > > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>, "Antoni Segura
> > > > > Puimedon" <asegurap(a)redhat.com>, "Frantisek
Kobzik"
> > > > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>,
> "sabose" <
> > > > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > > > Sent: Friday, August 15, 2014 4:43:31 AM
> > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > > >
> > > > > > Hi Alon,
> > > > > >
> > > > > > Thanks for your reply...but i didn't find 20-pki.conf
file in my
> > > > > > ovirt-engine server....
> > > > > >
> > > > > > I am using websocket proxy as standalone....and fetch the
vm
> console
> > > with
> > > > > > the help of API...and then it will display to the browser
with
> our
> > > portal
> > > > > > url...
> > > > >
> > > > > this is conf.d structure, files are sorted by name, last wins.
> > > > > so instead of overriding files you can add your own.
> > > > >
> > > > > >
> > > > > > Thanks,
> > > > > > Punit
> > > > > >
> > > > > >
> > > > > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <
> alonbl(a)redhat.com>
> > > > > wrote:
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Punit Dambiwal"
<hypunit(a)gmail.com>
> > > > > > > > To: users(a)ovirt.org, ahadas(a)redhat.com,
"Sven Kieske" <
> > > > > > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>, "Antoni
> Segura
> > > > > > > Puimedon" <asegurap(a)redhat.com>,
"Frantisek Kobzik"
> > > > > > > > <fkobzik(a)redhat.com>, "Itamar
Heim" <iheim(a)redhat.com>,
> > > "sabose" <
> > > > > > > sabose(a)redhat.com>, barumuga(a)redhat.com,
"Simone
> > > > > > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > > > > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > > > > >
> > > > > > > > Hi All,
> > > > > > > >
> > > > > > > > Is there any one can help me to solve this
issue..
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Punit
> > > > > > > >
> > > > > > > >
> > > > > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal
<
> > > hypunit(a)gmail.com
> > > > > >
> > > > > > > wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > Hi All,
> > > > > > > >
> > > > > > > > I have one question regarding the SSL settings
in
> Ovirt....let me
> > > > > > > explain my
> > > > > > > > environment first :-
> > > > > > > >
> > > > > > > > 1. Ovirt engine :- mgmt.3linux.com
> > > > > > > > 2. Standalone websocket proxy :-
web-proxy.3linux.com
> > > > > > > > 3. Our Own Portal :- portal.3linux.com
> > > > > > > >
> > > > > > > > We have the above architecture...we fetch the VM
console
> from the
> > > > > > > websocket
> > > > > > > > proxy to our own portal through API....because
still we are
> using
> > > > > > > selfsigned
> > > > > > > > certificate...we need to trust the certificate
every
> > > time,whenever we
> > > > > > > open
> > > > > > > > the VM console... (https://<
web-proxy.3linux.com >:<port>)
> > > > > > > >
> > > > > > > > When we initiate the VM console through our own
web portal
> the
> > > url (
> > > > > > > >
> > > > > > >
> > > > >
> > >
>
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> > > > > > > > ),if we accept the SSL certificate with
https://<
> > > > > web-proxy.3linux.com
> > > > > > > > >:<port> ....then it will open as
expected but if we didn't
> > > accept
> > > > > the
> > > > > > > > certificate manually...then it through failed to
connect:1006
> > > > > error...
> > > > > > > >
> > > > > > > > We don't want that every time end user will
accept the
> > > certificate
> > > > > > > > manually...as our link to open VM console is
different then
> > > > > webproxy....
> > > > > > > >
> > > > > > > > Now we want to replace the self signed
certificate with valid
> > > > > SSL....can
> > > > > > > any
> > > > > > > > one tell me where we need to put the certificates
and how to
> > > > > generate the
> > > > > > > > CSR for them and how many SSL we need to purchase
to make
> this
> > > thing
> > > > > > > > workable without accepting the certificate
everytime....
> > > > > > >
> > > > > > > Create
> /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> > > and
> > > > > > > override the SSL_CERTIFICATE and SSL_KEY with 3rd
party
> certificate
> > > > > chain
> > > > > > > and matching key.
> > > > > > >
> > > > > > > You can create the request in any tool you like, what
we need
> is
> > > the
> > > > > > > certificate and key.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Alon
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
1:14 a.m.
Hi Alon,
Thanks a ton for your help...I will try this and let you know if face any
problem.
Thanks,
Punit
On Fri, Aug 15, 2014 at 1:16 PM, Alon Bar-Lev <alonbl(a)redhat.com> wrote:
----- Original Message -----
> From: "Punit Dambiwal" <hypunit(a)gmail.com>
> To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
S.Kieske(a)mittwald.de>, "Dan Kenigsberg" <danken(a)redhat.com>,
> "Michal Skrivanek" <michal.skrivanek(a)redhat.com>, "Antoni
Segura
Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> <fkobzik(a)redhat.com>, "Itamar Heim" <iheim(a)redhat.com>,
"sabose" <
sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> Tiraboschi" <stirabos(a)redhat.com>
> Sent: Friday, August 15, 2014 6:05:14 AM
> Subject: Re: [ovirt-users] Ovirt SSL Question
>
> Hi Alon,
>
> Thanks understand....that means no need to enroll certificate from the
> internal...just generate the CSR from standalone websocket proxy server
and
> receive the 3rd party SSL and install that SSL on the websocket proxy
> server and then Create /etc/ovirt-engine/ovirt-
> websocket-proxy.conf.d/20-pki.conf and override the SSL_CERTIFICATE and
> SSL_KEY with 3rd party certificate chain and matching key. ???
yes.
> Also one more question....as i don't want to use the ovirt default
> websocket proxy as it doesn't fit to our requirement....we are using
> websockify on the separate standalone server....it seems i need to do the
> same as we can do for the websocket...m i right ??
you should do this only on the active proxy.
>
> Thanks For your help Alon...
>
> Thanks,
> Punit
>
>
> On Fri, Aug 15, 2014 at 10:19 AM, Alon Bar-Lev <alonbl(a)redhat.com>
wrote:
>
> >
> >
> > ----- Original Message -----
> > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske" <
> > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > "Michal Skrivanek" <michal.skrivanek(a)redhat.com>,
"Antoni Segura
> > Puimedon" <asegurap(a)redhat.com>, "Frantisek Kobzik"
> > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>, "sabose" <
> > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > Tiraboschi" <stirabos(a)redhat.com>
> > > Sent: Friday, August 15, 2014 4:56:36 AM
> > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > >
> > > Hi Alon,
> > >
> > > Thanks...that means even we use the standalone websocket proxy or
> > > standalone websockify...do i need to do the same process :-
> > >
> > >
> >
http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Se...
> > >
> > > On the engine, generate a certificate and key. substitute <FQDN>
with the
> > > DNS name of the host. Substitute <country>, <organization> to
suite
your
> > > environment (i.e. the values must match values in the certificate
> > authority
> > > of your engine).
> > >
> > > /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh
> > > --name=websocket-proxy-standalone --password=mypass
> > >
--subject="/C=<country>/O=<organization>/CN=<fqdn>"
> > >
> > > Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and
> > > /etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy
> > machine
> > > at /etc/pki/ovirt-websocket-proxy
> > > At websocket-proxy machine
> > >
> > > Install ovirt-engine-websocket-proxy package.
> > >
> > > Extract keys:
> > >
> > > cd /etc/pki/ovirt-websocket-proxy
> > > openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out
> > > websocket-proxy-standalone.cer
> > > openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes
-out
> > > websocket-proxy-standalone.key
> > > chown ovirt:ovirt *
> > > chmod 0600 *
> > >
> > > And then Create
> > /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> > > and override the SSL_CERTIFICATE and SSL_KEY with 3rd party
certificate
> > > chain and matching key. ??
> >
> > you wanted to use a certificate from 3rd party certificate authority,
you
> > do not need to enroll a certificate from the internal certificate
> > authority.
> >
> > >
> > >
> > >
> > > On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <alonbl(a)redhat.com>
wrote:
> > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > > From: "Punit Dambiwal" <hypunit(a)gmail.com>
> > > > > To: "Alon Bar-Lev" <alonbl(a)redhat.com>
> > > > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven Kieske"
<
> > > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>, "Antoni Segura
> > > > Puimedon" <asegurap(a)redhat.com>, "Frantisek
Kobzik"
> > > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>,
"sabose" <
> > > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > > Sent: Friday, August 15, 2014 4:48:13 AM
> > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > >
> > > > > Hi Alon,
> > > > >
> > > > > Thanks...but still the same question....for which FQDN i need
to
> > purchase
> > > > > the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN)
??
> > > >
> > > > this is standard https, the browser expects the name of the remote
> > host,
> > > > which is the websocket proxy host.
> > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev
<alonbl(a)redhat.com
>
> > wrote:
> > > > >
> > > > > >
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > > From: "Punit Dambiwal"
<hypunit(a)gmail.com>
> > > > > > > To: "Alon Bar-Lev"
<alonbl(a)redhat.com>
> > > > > > > Cc: users(a)ovirt.org, ahadas(a)redhat.com, "Sven
Kieske" <
> > > > > > S.Kieske(a)mittwald.de>, "Dan Kenigsberg"
<danken(a)redhat.com>,
> > > > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>, "Antoni
Segura
> > > > > > Puimedon" <asegurap(a)redhat.com>, "Frantisek
Kobzik"
> > > > > > > <fkobzik(a)redhat.com>, "Itamar Heim"
<iheim(a)redhat.com>,
> > "sabose" <
> > > > > > sabose(a)redhat.com>, barumuga(a)redhat.com, "Simone
> > > > > > > Tiraboschi" <stirabos(a)redhat.com>
> > > > > > > Sent: Friday, August 15, 2014 4:43:31 AM
> > > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > > > >
> > > > > > > Hi Alon,
> > > > > > >
> > > > > > > Thanks for your reply...but i didn't find
20-pki.conf file
in my
> > > > > > > ovirt-engine server....
> > > > > > >
> > > > > > > I am using websocket proxy as standalone....and fetch
the vm
> > console
> > > > with
> > > > > > > the help of API...and then it will display to the
browser
with
> > our
> > > > portal
> > > > > > > url...
> > > > > >
> > > > > > this is conf.d structure, files are sorted by name, last
wins.
> > > > > > so instead of overriding files you can add your own.
> > > > > >
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Punit
> > > > > > >
> > > > > > >
> > > > > > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <
> > alonbl(a)redhat.com>
> > > > > > wrote:
> > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > > From: "Punit Dambiwal"
<hypunit(a)gmail.com>
> > > > > > > > > To: users(a)ovirt.org, ahadas(a)redhat.com,
"Sven Kieske" <
> > > > > > > > S.Kieske(a)mittwald.de>, "Dan
Kenigsberg" <danken(a)redhat.com
>,
> > > > > > > > > "Michal Skrivanek"
<michal.skrivanek(a)redhat.com>,
"Antoni
> > Segura
> > > > > > > > Puimedon" <asegurap(a)redhat.com>,
"Frantisek Kobzik"
> > > > > > > > > <fkobzik(a)redhat.com>, "Itamar
Heim" <iheim(a)redhat.com>,
> > > > "sabose" <
> > > > > > > > sabose(a)redhat.com>, barumuga(a)redhat.com,
"Simone
> > > > > > > > > Tiraboschi"
<stirabos(a)redhat.com>
> > > > > > > > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > > > > > > > Subject: Re: [ovirt-users] Ovirt SSL
Question
> > > > > > > > >
> > > > > > > > > Hi All,
> > > > > > > > >
> > > > > > > > > Is there any one can help me to solve this
issue..
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Punit
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit
Dambiwal <
> > > > hypunit(a)gmail.com
> > > > > > >
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > Hi All,
> > > > > > > > >
> > > > > > > > > I have one question regarding the SSL
settings in
> > Ovirt....let me
> > > > > > > > explain my
> > > > > > > > > environment first :-
> > > > > > > > >
> > > > > > > > > 1. Ovirt engine :- mgmt.3linux.com
> > > > > > > > > 2. Standalone websocket proxy :-
web-proxy.3linux.com
> > > > > > > > > 3. Our Own Portal :- portal.3linux.com
> > > > > > > > >
> > > > > > > > > We have the above architecture...we fetch
the VM console
> > from the
> > > > > > > > websocket
> > > > > > > > > proxy to our own portal through
API....because still we
are
> > using
> > > > > > > > selfsigned
> > > > > > > > > certificate...we need to trust the
certificate every
> > > > time,whenever we
> > > > > > > > open
> > > > > > > > > the VM console... (https://<
web-proxy.3linux.com
>:<port>)
> > > > > > > > >
> > > > > > > > > When we initiate the VM console through our
own web
portal
> > the
> > > > url (
> > > > > > > > >
> > > > > > > >
> > > > > >
> > > >
> >
https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-...
> > > > > > > > > ),if we accept the SSL certificate with
https://<
> > > > > > web-proxy.3linux.com
> > > > > > > > > >:<port> ....then it will open as
expected but if we
didn't
> > > > accept
> > > > > > the
> > > > > > > > > certificate manually...then it through
failed to
connect:1006
> > > > > > error...
> > > > > > > > >
> > > > > > > > > We don't want that every time end user
will accept the
> > > > certificate
> > > > > > > > > manually...as our link to open VM console is
different
then
> > > > > > webproxy....
> > > > > > > > >
> > > > > > > > > Now we want to replace the self signed
certificate with
valid
> > > > > > SSL....can
> > > > > > > > any
> > > > > > > > > one tell me where we need to put the
certificates and
how to
> > > > > > generate the
> > > > > > > > > CSR for them and how many SSL we need to
purchase to make
> > this
> > > > thing
> > > > > > > > > workable without accepting the certificate
everytime....
> > > > > > > >
> > > > > > > > Create
> > /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> > > > and
> > > > > > > > override the SSL_CERTIFICATE and SSL_KEY with 3rd
party
> > certificate
> > > > > > chain
> > > > > > > > and matching key.
> > > > > > > >
> > > > > > > > You can create the request in any tool you like,
what we
need
> > is
> > > > the
> > > > > > > > certificate and key.
> > > > > > > >
> > > > > > > > Regards,
> > > > > > > > Alon
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
3782
days inactive
3784
days old
12 comments
3 participants
participants (3)
-
Alon Bar-Lev -
Punit Dambiwal -
Sahina Bose