Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4


I did install a server certificate from a private CA on the engine server for the oVirt 4 Manager GUI, but haven't figured out how to configure engine to trust the same CA which also issued the server certificate presented by vdsm. This is important for us because this is the same server certificate presented by the host when using the console (e.g. websocket console fails silently if the user agent doesn't trust the console server's certificate).

On Wed, Oct 26, 2016, 16:58 Beckman, Daniel <Daniel.Beckman@ingramcontent.com> wrote:
We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release. I read the release notes (https://www.ovirt.org/release/4.0.4/) and noted comment #4 under “Install / Upgrade from previous version”:
*If you are using HTTPS certificate signed by custom certificate authority, please take a look at https://bugzilla.redhat.com/1336838 for steps which need to be done after migration to 4.0. Also please consult https://bugzilla.redhat.com/1313379 how to setup this custom CA for use with virt-viewer clients.*
So I referred to the first bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it states as follows:
If customer wants to use custom HTTPS certificate signed by different CA, then he has to perform following steps:
1. Install custom CA (that signed HTTPS certificate) into host wide truststore (more info can be found in update-ca-trust man page)
2. Configure HTTPS certificate in Apache (this step is same as in previous versions)
3. Create new configuration file (for example /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with following content:
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
4. Restart ovirt-engine service
I find it humorous that step # 1 suggests reading the “man page” which is only slightly better than suggesting to “google” it.
Has anyone using a custom CA for their HTTPS certificate successfully upgraded to oVirt 4? If so could you share your detailed steps? Or can anyone point me to an actual example of this procedure? I’m a little nervous about the upgrade if you can’t already tell.
Thanks,
Daniel
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

On 27/10/2016 at 00:14, Kenneth Bingham wrote:
I did install a server certificate from a private CA on the engine server for the oVirt 4 Manager GUI, but haven't figured out how to configure engine to trust the same CA which also issued the server certificate presented by vdsm. This is important for us because this is the same server certificate presented by the host when using the console (e.g. websocket console fails silently if the user agent doesn't trust the console server's certificate).

Hello,

Maybe related bug: on an oVirt 4, I followed the same procedure below to install a custom CA, with *SUCCESS*.

Today, I had to reinstall one of the hosts, and it is failing with: "CA certificate and CA private key do not match": http://pastebin.com/9JS05JtJ

Which certificate did we (Kenneth and I) misuse? What did we do wrong?

Regards,

-- 
Nicolas ECARNOT

Here is a complete set of instructions that works for me

You can skip the first few steps of generating the certificate.

Ravi

Generate a self-signed certificate using openssl
======================================
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem

Convert a PEM certificate file and a private key to PKCS#12 (.p12)
=====================================================
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem

Extract the key from the bundle
=========================
openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass

Extract the certificate from the bundle
==============================
openssl pkcs12 -in certificate.p12 -nokeys > apache.cer

Create a new Keystore for testing
==========================
keytool -keystore clientkeystore -genkey -alias client

Convert .pem to .der
================
openssl x509 -outform der -in certificate.pem -out certificate.der

Import certificates to keystore
=======================
keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der

Create Custom conf for ovirt
======================
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

Set location of truststore and its password
=================================
ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"

Copy the custom certificates
======================
rm /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass

Restart engine and httpd
===================
service httpd restart
service ovirt-engine restart

Thanks Ravi, that's helpful and I appreciate the precision and attention to detail. I performed similar steps to install a custom certificate for the oVirt Manager GUI. But what about configuring ovirt-engine to trust a certificate issued by the same CA and presented by the VDSM host? On the hypervisor host, I used the existing private key to generate the CSR, issued the server certificate, and installed in three locations before bouncing vdsmd.

On the hypervisor Host server (not the Manager/engine server):
/etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem
/etc/pki/libvirt/clientcert.pem

Now, that host is "non responsive" in Manager because ovirt-engine does not trust the new certificate even though I already performed all of the steps that you describe above except that I installed the issuer's CA certificate as the trusted entity. I've documented all of the steps I took in this Gist <https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea>.

Since you replace ca.pem you need to replace the private key of ca.pem Please copy the private key of /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w@qrk.us> wrote:
Thanks Ravi, that's helpful and I appreciate the precision and attention to detail. I performed similar steps to install a custom certificate for the oVirt Manager GUI. But what about configuring ovirt-engine to trust a certificate issued by the same CA and presented by the VDSM host? On the hypervisor host, I used the existing private key to generate the CSR, issued the server certificate, and installed in three locations before bouncing vdsmd.
On the hypervisor Host server (not the Manager/engine server): /etc/pki/vdsm/certs/vdsmcert.pem /etc/pki/vdsm/libvirt-spice/server-cert.pem /etc/pki/libvirt/clientcert.pem
Now, that host is "non responsive" in Manager because ovirt-engine does not trust the new certificate even though I already performed all of the steps that you describe above except that I installed the issuer's CA certificate as the trusted entity. I've documented all of the steps I took in this Gist <https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea>.
On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rnori@redhat.com> wrote:
Here is a complete set of instructions that works for me
You can skip the first few steps of generating the certificate.
Ravi
Generate a self-signed certificate using openssl ====================================== openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem
Convert a PEM certificate file and a private key to PKCS#12 (.p12) ===================================================== openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem
Extract the key from the bundle ========================= openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass
Extract the certificate from the bundle ============================== openssl pkcs12 -in certificate.p12 -nokeys > apache.cer
Create a new Keystore for testing ========================== keytool -keystore clientkeystore -genkey -alias client
Convert .pem to .der ================ openssl x509 -outform der -in certificate.pem -out certificate.der
Import certificates to keystore ======================= keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der
Create Custom conf for ovirt ====================== vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
Set location of truststore and its password ================================= ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore" ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"
Copy the custom certificates ====================== rm /etc/pki/ovirt-engine/apache-ca.pem cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12 cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass
Restart engine and httpd =================== service httpd restart service ovirt-engine restart
On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Le 27/10/2016 à 00:14, Kenneth Bingham a écrit :
I did install a server certificate from a private CA on the engine server for the oVirt 4 Manager GUI, but haven't figured out how to configure engine to trust the same CA which also issued the server certificate presented by vdsm. This is important for us because this is the same server certificate presented by the host when using the console (e.g. websocket console falls silently if the user agent doesn't trust the console server's certificate).
Hello,
Maybe related bug : on an oVirt 4, I followed the same procedure below to install a custom CA, with *SUCCESS*.
Today, I had to reinstall one of the hosts, and it is failing with : "CA certificate and CA private key do not match" :
Which certificate did we (Kenneth and I) did we mis-used? What did we do wrong?
Regards,
Nicolas ECARNOT
On Wed, Oct 26, 2016, 16:58 Beckman, Daniel <Daniel.Beckman@ingramcontent.com> wrote:
We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release. I read the release notes (https://www.ovirt.org/release/4.0.4/) and noted comment #4 under “Install / Upgrade from previous version”:
If you are using HTTPS certificate signed by custom certificate authority, please take a look at https://bugzilla.redhat.com/1336838 for steps which need to be done after migration to 4.0. Also please consult https://bugzilla.redhat.com/1313379 how to setup this custom CA for use with virt-viewer clients.
So I referred to the first bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it states as follows:
If customer wants to use custom HTTPS certificate signed by different CA, then he has to perform following steps:
1. Install custom CA (that signed HTTPS certificate) into host wide truststore (more info can be found in update-ca-trust man page)
2. Configure HTTPS certificate in Apache (this step is same as in previous versions)
3. Create new configuration file (for example /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with following content:
   ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
4. Restart ovirt-engine service
I find it humorous that step # 1 suggests reading the “man page” which is only slightly better than suggesting to “google” it.
Has anyone using a custom CA for their HTTPS certificate successfully upgraded to oVirt 4? If so could you share your detailed steps? Or can anyone point me to an actual example of this procedure? I’m a little nervous about the upgrade if you can’t already tell.
Thanks,
Daniel
_______________________________________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/mailman/listinfo/users
-- Nicolas ECARNOT

That makes sense, but it is also disappointing to realize that oVirt Manager will only trust certificates that itself has issued, and that there is no support for Manager to trust VDSM server certificates issued by another authority.
If I understand you correctly, then the *only* way to install a VDSM host certificate is by registering with Manager at which time a certificate is automatically issued and installed by Manager's built-in certificate authority.

So first of all, we don't support replacing oVirt internal CA which is used to sign host certificates. This internal CA is also used to sign HTTPS certificate by default, but you can provide your own HTTPS certificate signed by custom CA. The correct steps how to do that are (assuming you have your custom CA certificate in PEM format and HTTPS certificate along with private key in PKCS12 format):
1. Add your commercially issued certificate to the host-wide trust store.
   cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors
   update-ca-trust
2. Remove Apache CA link pointing to oVirt internal
   rm /etc/pki/ovirt-engine/apache-ca.pem
3. Install your custom certificate (including complete certificate chain)
   mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
4. Extract private key and certificate
   openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
   openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
5. Restart Apache
   service httpd restart
6. Create a new trust store configuration file.
   vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
   Add the following content and save the file.
   ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
7. Restart the ovirt-engine service.
   systemctl restart ovirt-engine.service
Steps 1., 6. and 7. are new to 4.0, other steps are same as in oVirt 3.x
Also it's expected that CA certificate (including whole CA chain) is properly installed in all clients that access oVirt using HTTP and/or Spice.
Martin Perina
On Thu, Oct 27, 2016 at 10:38 PM, Kenneth Bingham <w@qrk.us> wrote:
That makes sense, but it is also disappointing to realize that oVirt Manager will only trust certificates that itself has issued, and that there is no support for Manager to trust VDSM server certificates issued by another authority.
If I understand you correctly, then the *only* way to install a VDSM host certificate is by registering with Manager at which time a certificate is automatically issued and installed by Manager's built-in certificate authority.
On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori <rnori@redhat.com> wrote:
Since you replace ca.pem you need to replace the private key of ca.pem
Please copy the private key of /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works
On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w@qrk.us> wrote:
Thanks Ravi, that's helpful and I appreciate the precision and attention to detail. I performed similar steps to install a custom certificate for the oVirt Manager GUI. But what about configuring ovirt-engine to trust a certificate issued by the same CA and presented by the VDSM host? On the hypervisor host, I used the existing private key to generate the CSR, issued the server certificate, and installed in three locations before bouncing vdsmd.
On the hypervisor Host server (not the Manager/engine server):
/etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem
/etc/pki/libvirt/clientcert.pem
Now, that host is "non responsive" in Manager because ovirt-engine does not trust the new certificate even though I already performed all of the steps that you describe above except that I installed the issuer's CA certificate as the trusted entity. I've documented all of the steps I took in this Gist <https://gist.github.com/qrkourier/9c9ac3e8b190dcb91d3767179d5a39ea>.
On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rnori@redhat.com> wrote:
Here is a complete set of instructions that works for me
You can skip the first few steps of generating the certificate.
Ravi
Generate a self-signed certificate using openssl
======================================
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem

Convert a PEM certificate file and a private key to PKCS#12 (.p12)
=====================================================
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem

Extract the key from the bundle
=========================
openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass

Extract the certificate from the bundle
==============================
openssl pkcs12 -in certificate.p12 -nokeys > apache.cer

Create a new Keystore for testing
==========================
keytool -keystore clientkeystore -genkey -alias client

Convert .pem to .der
================
openssl x509 -outform der -in certificate.pem -out certificate.der

Import certificates to keystore
=======================
keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der

Create Custom conf for ovirt
======================
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

Set location of truststore and its password
=================================
ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"

Copy the custom certificates
======================
rm /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass

Restart engine and httpd
===================
service httpd restart
service ovirt-engine restart

On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Le 27/10/2016 à 00:14, Kenneth Bingham a écrit :
I did install a server certificate from a private CA on the engine server for the oVirt 4 Manager GUI, but haven't figured out how to configure engine to trust the same CA which also issued the server certificate presented by vdsm. This is important for us because this is the same server certificate presented by the host when using the console (e.g. websocket console falls silently if the user agent doesn't trust the console server's certificate).
Hello,
Maybe related bug : on an oVirt 4, I followed the same procedure below to install a custom CA, with *SUCCESS*.
Today, I had to reinstall one of the hosts, and it is failing with : "CA certificate and CA private key do not match" :
Which certificate did we (Kenneth and I) misuse? What did we do wrong?
Regards,
Nicolas ECARNOT

On Tue, Nov 1, 2016 at 11:49 AM, Martin Perina <mperina@redhat.com> wrote:
So first of all, we don't support replacing oVirt internal CA which is used to sign host certificates. This internal CA is also used to sign HTTPS certificate by default, but you can provide your own HTTPS certificate signed by custom CA. The correct steps how to do that are (assuming you have your custom CA certificate in PEM format and HTTPS certificate along with private key in PKCS12 format):
1. Add your commercially issued certificate to the host-wide trust store.
   cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors
   update-ca-trust
2. Remove Apache CA link pointing to oVirt internal
   rm /etc/pki/ovirt-engine/apache-ca.pem
3. Install your custom certificate (including complete certificate chain)
   mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
   mv YOUR-3RD-PART-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12
The above command was missing in original steps, thanks Didi for pointing this out.
4. Extract private key and certificate
   openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
   openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
5. Restart Apache
   service httpd restart
6. Create a new trust store configuration file.
   vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
   Add the following content and save the file.
   ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
7. Restart the ovirt-engine service.
   systemctl restart ovirt-engine.service
Steps 1., 6. and 7. are new to 4.0, other steps are same as in oVirt 3.x
Also it's expected that CA certificate (including whole CA chain) is properly installed in all clients that access oVirt using HTTP and/or Spice.
Martin Perina
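
A pre-restart check for the certificate steps in this thread, as an added example that is not part of any message above: it confirms that a private key belongs to its certificate, that the certificate validates against the CA bundle, and that it has not expired. The same key/certificate comparison applies to the ca.pem pair behind the "CA certificate and CA private key do not match" error. The function names and the throwaway demo PKI are assumptions; the paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-restart checks for a custom HTTPS
# certificate. Function names and the demo PKI below are hypothetical.

# Succeeds only if the private key in $2 belongs to the certificate in $1.
# Both public keys are rendered as PEM and compared as text; files that carry
# "Bag Attributes" lines from `openssl pkcs12` are read without extra steps.
keypair_matches() {
    km_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    km_key=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$km_cert" ] && [ "$km_cert" = "$km_key" ]
}

# Succeeds only if the certificate in $1 validates against the CA bundle in $2.
# The ": OK" line is matched instead of relying on the exit status alone.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Succeeds only if the certificate in $1 has not passed its notAfter date.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run all three checks: $1 = certificate, $2 = private key, $3 = CA bundle.
# Prints one line per check and returns non-zero if any check fails.
check_https_pki() {
    chk_rc=0
    if keypair_matches "$1" "$2"; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key does not belong to certificate"; chk_rc=1
    fi
    if chains_to_ca "$1" "$3"; then
        echo "OK   certificate validates against CA bundle"
    else
        echo "FAIL certificate does not validate against CA bundle"; chk_rc=1
    fi
    if not_expired "$1"; then
        echo "OK   certificate has not expired"
    else
        echo "FAIL certificate has expired"; chk_rc=1
    fi
    return "$chk_rc"
}

# Constructed sample input: a throwaway CA, an unrelated CA, and a server
# certificate issued by the first CA, all written into directory $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$1/other.key" -out "$1/other-ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=engine.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.pem" 2>/dev/null
}

# Usage on the engine host, with the paths quoted in the thread:
#   check_https_pki /etc/pki/ovirt-engine/certs/apache.cer \
#       /etc/pki/ovirt-engine/keys/apache.key.nopass \
#       /etc/pki/ovirt-engine/apache-ca.pem
#   keypair_matches /etc/pki/ovirt-engine/ca.pem \
#       /etc/pki/ovirt-engine/private/ca.pem
```

Run the checks after extracting the key and certificate and before restarting httpd and ovirt-engine; a FAIL on the first line means the .p12 and the extracted files are out of step.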

Y29tPG1haWx0bzpEYW5pZWwuQmVja21hbkBpbmdyYW1jb250ZW50LmNvbT4+PiB3cm90ZToNCg0K ICAgIFdlIGhhdmUgb1ZpcnQgMy42LjcgYW5kIEkgYW0gcHJlcGFyaW5nIHRvIHVwZ3JhZGUgdG8g NC4wLjQgcmVsZWFzZS4NCiAgICBJIHJlYWQgdGhlIHJlbGVhc2Ugbm90ZXMgKGh0dHBzOi8vd3d3 Lm92aXJ0Lm9yZy9yZWxlYXNlLzQuMC40LykgYW5kDQogICAgbm90ZWQgY29tbWVudCAjNCB1bmRl ciDigJxJbnN0YWxsIC8gVXBncmFkZSBmcm9tIHByZXZpb3VzIHZlcnNpb27igJ06X19fXw0KDQog ICAgX18gX18NCg0KICAgIC9JZiB5b3UgYXJlIHVzaW5nIEhUVFBTIGNlcnRpZmljYXRlIHNpZ25l ZCBieSBjdXN0b20gY2VydGlmaWNhdGUNCiAgICBhdXRob3JpdHksIHBsZWFzZSB0YWtlIGEgbG9v ayBhdCBodHRwczovL2J1Z3ppbGxhLnJlZGhhdC5jb20vMTMzNjgzOA0KICAgIGZvciBzdGVwcyB3 aGljaCBuZWVkIHRvIGJlIGRvbmUgYWZ0ZXIgbWlncmF0aW9uIHRvIDQuMC4gQWxzbyBwbGVhc2UN CiAgICBjb25zdWx0IGh0dHBzOi8vYnVnemlsbGEucmVkaGF0LmNvbS8xMzEzMzc5IGhvdyB0byBz ZXR1cCB0aGlzIGN1c3RvbQ0KICAgIENBIGZvciB1c2Ugd2l0aCB2aXJ0LXZpZXdlciBjbGllbnRz Ll9fX18vDQoNCiAgICAvX18gX18vDQoNCiAgICBTbyBJIHJlZmVycmVkIHRvIHRoZSBmaXJzdCBi dWd6aWxsYQ0KICAgIChodHRwczovL2J1Z3ppbGxhLnJlZGhhdC5jb20vc2hvd19idWcuY2dpP2lk PTEzMzY4MzgpLCB3aGVyZSBpdA0KICAgIHN0YXRlcyBhcyBmb2xsb3dzOl9fX18NCg0KICAgIF9f IF9fDQoNCiAgICBJZiBjdXN0b21lciB3YW50cyB0byB1c2UgY3VzdG9tIEhUVFBTIGNlcnRpZmlj YXRlIHNpZ25lZCBieQ0KICAgIGRpZmZlcmVudCBDQSwgdGhlbiBoZSBoYXMgdG8gcGVyZm9ybSBm b2xsb3dpbmcgc3RlcHM6IF9fX18NCg0KICAgIF9fIF9fDQoNCiAgICAxLiBJbnN0YWxsIGN1c3Rv bSBDQSAodGhhdCBzaWduZWQgSFRUUFMgY2VydGlmaWNhdGUpIGludG8gaG9zdCB3aWRlDQogICAg dHJ1c3RvcmUgKG1vcmUgaW5mbyBjYW4gYmUgZm91bmQgaW4gdXBkYXRlLWNhLXRydXN0IG1hbiBw YWdlKSBfX19fDQoNCiAgICBfXyBfXw0KDQogICAgMi4gQ29uZmlndXJlIEhUVFBTIGNlcnRpZmlj YXRlIGluIEFwYWNoZSAodGhpcyBzdGVwIGlzIHNhbWUgYXMgaW4NCiAgICBwcmV2aW91cyB2ZXJz aW9ucykgX19fXw0KDQogICAgX18gX18NCg0KICAgIDMuIENyZWF0ZSBuZXcgY29uZmlndXJhdGlv biBmaWxlIChmb3IgZXhhbXBsZQ0KICAgIC9ldGMvb3ZpcnQtZW5naW5lL2VuZ2luZS5jb25mLmQv OTktY3VzdG9tLXRydXN0c3RvcmUuY29uZikgd2l0aA0KICAgIGZvbGxvd2luZyBjb250ZW50OiBf X19fDQoNCiAgICBFTkdJTkVfSFRUUFNfUEtJX1RSVVNUX1NUT1JFPSIvZXRjL3BraS9qYXZhL2Nh 
Y2VydHMiDQogICAgRU5HSU5FX0hUVFBTX1BLSV9UUlVTVF9TVE9SRV9QQVNTV09SRD0iIiBfX19f DQoNCiAgICBfXyBfXw0KDQogICAgNC4gUmVzdGFydCBvdmlydC1lbmdpbmUgc2VydmljZV9fX18N Cg0KICAgIF9fIF9fDQoNCiAgICBJIGZpbmQgaXQgaHVtb3JvdXMgdGhhdCBzdGVwICMgMSBzdWdn ZXN0cyByZWFkaW5nIHRoZSDigJxtYW4gcGFnZeKAnQ0KICAgIHdoaWNoIGlzIG9ubHkgc2xpZ2h0 bHkgYmV0dGVyIHRoYW4gc3VnZ2VzdGluZyB0byDigJxnb29nbGXigJ0gaXQuIF9fX18NCg0KICAg IF9fIF9fDQoNCiAgICBIYXMgYW55b25lIHVzaW5nIGEgY3VzdG9tIENBIGZvciB0aGVpciBIVFRQ UyBjZXJ0aWZpY2F0ZQ0KICAgIHN1Y2Nlc3NmdWxseSB1cGdyYWRlZCB0byBvVmlydCA0PyBJZiBz byBjb3VsZCB5b3Ugc2hhcmUgeW91cg0KICAgIGRldGFpbGVkIHN0ZXBzPyBPciBjYW4gYW55b25l IHBvaW50IG1lIHRvIGFuIGFjdHVhbCBleGFtcGxlIG9mIHRoaXMNCiAgICBwcm9jZWR1cmU/IEni gJltIGEgbGl0dGxlIG5lcnZvdXMgYWJvdXQgdGhlIHVwZ3JhZGUgaWYgeW91IGNhbuKAmXQNCiAg ICBhbHJlYWR5IHRlbGwuIF9fX18NCg0KICAgIF9fIF9fDQoNCiAgICBUaGFua3MsX19fXw0KDQog ICAgRGFuaWVsX19fXw0KDQogICAgX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX18NCiAgICBVc2VycyBtYWlsaW5nIGxpc3QNCiAgICBVc2Vyc0BvdmlydC5vcmc8 bWFpbHRvOlVzZXJzQG92aXJ0Lm9yZz4gPG1haWx0bzpVc2Vyc0BvdmlydC5vcmc8bWFpbHRvOlVz ZXJzQG92aXJ0Lm9yZz4+DQogICAgaHR0cDovL2xpc3RzLm92aXJ0Lm9yZy9tYWlsbWFuL2xpc3Rp bmZvL3VzZXJzDQoNCg0KDQpfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fXw0KVXNlcnMgbWFpbGluZyBsaXN0DQpVc2Vyc0BvdmlydC5vcmc8bWFpbHRvOlVzZXJz QG92aXJ0Lm9yZz4NCmh0dHA6Ly9saXN0cy5vdmlydC5vcmcvbWFpbG1hbi9saXN0aW5mby91c2Vy cw0KDQoNCi0tDQpOaWNvbGFzIEVDQVJOT1QNCg0KX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX18NClVzZXJzIG1haWxpbmcgbGlzdA0KVXNlcnNAb3ZpcnQub3Jn PG1haWx0bzpVc2Vyc0BvdmlydC5vcmc+DQpodHRwOi8vbGlzdHMub3ZpcnQub3JnL21haWxtYW4v bGlzdGluZm8vdXNlcnMNCg0KDQoNCl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fDQpVc2VycyBtYWlsaW5nIGxpc3QNClVzZXJzQG92aXJ0Lm9yZzxtYWlsdG86 VXNlcnNAb3ZpcnQub3JnPg0KaHR0cDovL2xpc3RzLm92aXJ0Lm9yZy9tYWlsbWFuL2xpc3RpbmZv L3VzZXJzDQoNCg0K --_000_EE70AB7EAF3A4C29B95EA9FBCAC70078ingramcontentcom_ Content-Type: text/html; charset=UTF-8 Content-ID: 
<D15E1E1FBFB2884EBC7FA71BBB40E4CF@namprd12.prod.outlook.com> Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6bz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6b2ZmaWNlIiB4 bWxuczp3PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOm9mZmljZTp3b3JkIiB4bWxuczptPSJo dHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL29mZmljZS8yMDA0LzEyL29tbWwiIHhtbG5zPSJo dHRwOi8vd3d3LnczLm9yZy9UUi9SRUMtaHRtbDQwIj4NCjxoZWFkPg0KPG1ldGEgaHR0cC1lcXVp dj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPg0KPG1l dGEgbmFtZT0iVGl0bGUiIGNvbnRlbnQ9IiI+DQo8bWV0YSBuYW1lPSJLZXl3b3JkcyIgY29udGVu dD0iIj4NCjxtZXRhIG5hbWU9IkdlbmVyYXRvciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUg KGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxlPjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8N CkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6QXJpYWw7DQoJcGFub3NlLTE6MiAxMSA2IDQgMiAy IDIgMiAyIDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseToiQ291cmllciBOZXciOw0KCXBh bm9zZS0xOjIgNyAzIDkgMiAyIDUgMiA0IDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseToi Q2FtYnJpYSBNYXRoIjsNCglwYW5vc2UtMToyIDQgNSAzIDUgNCA2IDMgMiA0O30NCkBmb250LWZh Y2UNCgl7Zm9udC1mYW1pbHk6Q2FsaWJyaTsNCglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIg NDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAqLw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwg ZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGluOw0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglm b250LXNpemU6MTIuMHB0Ow0KCWZvbnQtZmFtaWx5OiJUaW1lcyBOZXcgUm9tYW4iO30NCmE6bGlu aywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOmJs dWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQphOnZpc2l0ZWQsIHNwYW4uTXNvSHlw ZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOnB1cnBsZTsN Cgl0ZXh0LWRlY29yYXRpb246dW5kZXJsaW5lO30NCmNvZGUNCgl7bXNvLXN0eWxlLXByaW9yaXR5 Ojk5Ow0KCWZvbnQtZmFtaWx5OiJDb3VyaWVyIE5ldyI7fQ0Kc3Bhbi5nbWFpbC1tMjQ4ODA4MDI4 NTUyOTMyNjYwOWdtYWlsLW0tNTk0NDc4MDI4NTY0NDIzMjI4Z21haWxtc2cNCgl7bXNvLXN0eWxl LW5hbWU6Z21haWwtbV8yNDg4MDgwMjg1NTI5MzI2NjA5Z21haWwtbV8tNTk0NDc4MDI4NTY0NDIz MjI4Z21haWxfbXNnO30NCnNwYW4uZ21haWwtbTI0ODgwODAyODU1MjkzMjY2MDlnbWFpbC1tLTU5 
NDQ3ODAyODU2NDQyMzIyOG03NDQwMjAwNjY4ODg4Nzk0OTYxbTI2MTE0MDkwMDAzNzA4NTA3Nzdt LTk4MDg3OTc1NTYzNjM0NDk0MGdtYWlsbXNnDQoJe21zby1zdHlsZS1uYW1lOmdtYWlsLW1fMjQ4 ODA4MDI4NTUyOTMyNjYwOWdtYWlsLW1fLTU5NDQ3ODAyODU2NDQyMzIyOG1fNzQ0MDIwMDY2ODg4 ODc5NDk2MW1fMjYxMTQwOTAwMDM3MDg1MDc3N21fLTk4MDg3OTc1NTYzNjM0NDk0MGdtYWlsX21z Zzt9DQpzcGFuLmdtYWlsLW0yNDg4MDgwMjg1NTI5MzI2NjA5Z21haWwtbS01OTQ0NzgwMjg1NjQ0 MjMyMjhtNzQ0MDIwMDY2ODg4ODc5NDk2MW0yNjExNDA5MDAwMzcwODUwNzc3bS05ODA4Nzk3NTU2 MzYzNDQ5NDBtLTQ3ODk0MjMzODA2MjgyNzEyNzlob2VuemINCgl7bXNvLXN0eWxlLW5hbWU6Z21h aWwtbV8yNDg4MDgwMjg1NTI5MzI2NjA5Z21haWwtbV8tNTk0NDc4MDI4NTY0NDIzMjI4bV83NDQw MjAwNjY4ODg4Nzk0OTYxbV8yNjExNDA5MDAwMzcwODUwNzc3bV8tOTgwODc5NzU1NjM2MzQ0OTQw bV8tNDc4OTQyMzM4MDYyODI3MTI3OWhvZW56Yjt9DQpzcGFuLmdtYWlsLW0yNDg4MDgwMjg1NTI5 MzI2NjA5Z21haWwtaG9lbnpiDQoJe21zby1zdHlsZS1uYW1lOmdtYWlsLW1fMjQ4ODA4MDI4NTUy OTMyNjYwOWdtYWlsLWhvZW56Yjt9DQpzcGFuLkVtYWlsU3R5bGUyMg0KCXttc28tc3R5bGUtdHlw ZTpwZXJzb25hbC1yZXBseTsNCglmb250LWZhbWlseTpDYWxpYnJpOw0KCWNvbG9yOndpbmRvd3Rl eHQ7fQ0Kc3Bhbi5tc29JbnMNCgl7bXNvLXN0eWxlLXR5cGU6ZXhwb3J0LW9ubHk7DQoJbXNvLXN0 eWxlLW5hbWU6IiI7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTsNCgljb2xvcjp0ZWFsO30N Ci5Nc29DaHBEZWZhdWx0DQoJe21zby1zdHlsZS10eXBlOmV4cG9ydC1vbmx5Ow0KCWZvbnQtc2l6 ZToxMC4wcHQ7fQ0KQHBhZ2UgV29yZFNlY3Rpb24xDQoJe3NpemU6OC41aW4gMTEuMGluOw0KCW1h cmdpbjoxLjBpbiAxLjBpbiAxLjBpbiAxLjBpbjt9DQpkaXYuV29yZFNlY3Rpb24xDQoJe3BhZ2U6 V29yZFNlY3Rpb24xO30NCi0tPjwvc3R5bGU+DQo8L2hlYWQ+DQo8Ym9keSBiZ2NvbG9yPSJ3aGl0 ZSIgbGFuZz0iRU4tVVMiIGxpbms9ImJsdWUiIHZsaW5rPSJwdXJwbGUiPg0KPGRpdiBjbGFzcz0i V29yZFNlY3Rpb24xIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTEuMHB0O2ZvbnQtZmFtaWx5OkNhbGlicmkiPlRoYW5rcyB2ZXJ5IG11Y2ggZm9yIHRoZSBk ZXRhaWxlZCBpbnN0cnVjdGlvbnMhIEkgd2FzIGFibGUgdG8gdXBncmFkZSBmcm9tIDMuNi43IHRv IDQuMC40IHN1Y2Nlc3NmdWxseS4gSGVyZSBhcmUgc29tZSBhZGRpdGlvbmFsIG5vdGVzIGZvciB0 aG9zZSAobGlrZSBtZSkgd2hvIHdlcmUgYWxyZWFkeSB1c2luZyBhIGN1c3RvbQ0KIEhUVFBTIGNl 
cnRpZmljYXRlIGluIDMuNjo8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTpDYWxpYnJpIj48 bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTpDYWxpYnJpIj5PbiBzdGVwICMzIOKA nGLigJ0gLS0gbXYgWU9VUi0zUkQtUEFSVC1DRVJULnAxMiDigIvigIvigIsvZXRjL3BraS9vdmly dC1lbmdpbmUva2V5cy9hcGFjaGUucDEy4oCLIOKAkyBJIGRpZG7igJl0IG5lZWQgdG8gcGVyZm9y bSB0aGlzIGFzIHRoZSBmaWxlIHdhcyBhbHJlYWR5IHRoZXJlIGZyb20gbXkgcHJldmlvdXMgMy42 IGNvbmZpZ3VyYXRpb247IHNldHVwDQogaGFkIG5vdCByZW1vdmVkIGl0LiA8bzpwPjwvbzpwPjwv c3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEx LjBwdDtmb250LWZhbWlseTpDYWxpYnJpIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZh bWlseTpDYWxpYnJpIj5PbiBzdGVwICM0IOKAkyBleHRyYWN0aW5nIHByaXZhdGUga2V5IGFuZCBj ZXJ0aWZpY2F0ZSDigJMgSSBkaWRu4oCZdCBuZWVkIHRvIHBlcmZvcm0gdGhpcyBlaXRoZXI7IGV4 aXN0aW5nIGZpbGVzIHdlcmUgbGVmdCBpbnRhY3QgZnJvbSB2ZXJzaW9uIDMuNi4NCjxvOnA+PC9v OnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNp emU6MTEuMHB0O2ZvbnQtZmFtaWx5OkNhbGlicmkiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwv cD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2Zv bnQtZmFtaWx5OkNhbGlicmkiPlJlc3RhcnRpbmcgQXBhY2hlIGFuZCBvVmlydCBzZXJ2aWNlIHdh cyBub3QgZW5vdWdoIHRvIGJyaW5nIHVwIHRoZSB3ZWIgYWRtaW4gcG9ydGFsIGluIG15IGNhc2Uu IEkgaGFkIHRvIHJlYm9vdCB0aGUgc2VydmVyIHJ1bm5pbmcgb1ZpcnQgZW5naW5lLCBhZnRlciB3 aGljaCB0aGUgd2ViIGFkbWluIHBvcnRhbCB3YXMgYWNjZXNzaWJsZS4NCjxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEu MHB0O2ZvbnQtZmFtaWx5OkNhbGlicmkiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFt aWx5OkNhbGlicmkiPkkgcmVjb21tZW5kIGJhY2tpbmcgdXAgL2V0Yy9wa2kgaW4gYWRkaXRpb24g 
dG8gL2V0Yy9vdmlydC1lbmdpbmUgcHJpb3IgdG8gcnVubmluZyBzZXR1cC4NCjxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2ZvbnQtZmFtaWx5OkNhbGlicmkiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQt ZmFtaWx5OkNhbGlicmkiPkJlc3QsPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6Q2FsaWJy aSI+RGFuaWVsPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw YW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6Q2FsaWJyaSI+PG86cD4mbmJz cDs8L286cD48L3NwYW4+PC9wPg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpz b2xpZCAjQjVDNERGIDEuMHB0O3BhZGRpbmc6My4wcHQgMGluIDBpbiAwaW4iPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PGI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OkNhbGlicmk7Y29sb3I6Ymxh Y2siPkZyb206IDwvc3Bhbj4NCjwvYj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6Q2FsaWJyaTtj b2xvcjpibGFjayI+Jmx0O3VzZXJzLWJvdW5jZXNAb3ZpcnQub3JnJmd0OyBvbiBiZWhhbGYgb2Yg TWFydGluIFBlcmluYSAmbHQ7bXBlcmluYUByZWRoYXQuY29tJmd0Ozxicj4NCjxiPkRhdGU6IDwv Yj5UdWVzZGF5LCBOb3ZlbWJlciAxLCAyMDE2IGF0IDY6MjkgQU08YnI+DQo8Yj5UbzogPC9iPktl bm5ldGggQmluZ2hhbSAmbHQ7d0BxcmsudXMmZ3Q7PGJyPg0KPGI+Q2M6IDwvYj51c2VycyAmbHQ7 dXNlcnNAb3ZpcnQub3JnJmd0Ozxicj4NCjxiPlN1YmplY3Q6IDwvYj5SZTogW292aXJ0LXVzZXJz XSBVcGdyYWRpbmcgb1ZpcnQgMy42IHdpdGggZXhpc3RpbmcgSFRUUFMgY2VydGlmaWNhdGUgc2ln bmVkIGJ5IGN1c3RvbSBDQSB0byBvVmlydCA0PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rp dj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQt ZmFtaWx5OkFyaWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxkaXY+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj5PbiBUdWUsIE5vdiAxLCAyMDE2IGF0IDExOjQ5IEFNLCBNYXJ0aW4g UGVyaW5hICZsdDs8YSBocmVmPSJtYWlsdG86bXBlcmluYUByZWRoYXQuY29tIiB0YXJnZXQ9Il9i 
bGFuayI+bXBlcmluYUByZWRoYXQuY29tPC9hPiZndDsgd3JvdGU6PG86cD48L286cD48L3A+DQo8 YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAx LjBwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi1y aWdodDowaW4iPg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFy Z2luLWJvdHRvbToxMi4wcHQiPlNvIGZpcnN0IG9mIGFsbCwgd2UgZG9uJ3Qgc3VwcG9ydCByZXBs YWNpbmcgb1ZpcnQgaW50ZXJuYWwgQ0Egd2hpY2ggaXMgdXNlZCB0byBzaWduIGhvc3QgY2VydGlm aWNhdGVzLiBUaGlzIGludGVybmFsIENBIGlzIGFsc28gdXNlZCB0byBzaWduIEhUVFBTIGNlcnRp ZmljYXRlIGJ5IGRlZmF1bHQsIGJ1dCB5b3UgY2FuIHByb3ZpZGVkIHlvdXIgb3duIEhUVFBTDQog Y2VydGlmaWNhdGUgc2lnbmVkIGJ5IGN1c3RvbSBDQS4gVGhlIGNvcnJlY3Qgc3RlcHMgaG93IHRv IGRvIHRoYXQgYXJlIChhc3N1bWluZyB5b3UgaGF2ZSB5b3UgY3VzdG9tIENBIGNlcnRpZmlmY2F0 ZSBpbiBQRU0gZm9ybWF0IGFuZCBIVFRQUyBjZXJpdGlmaWNhdGUgYWxvbmcgd2l0aCBwcml2YXRl IGtleSBpbiBQS0NTMTIgZm9ybWF0KTo8YnI+DQo8YnI+DQoxLiZuYnNwOyBBZGQgeW91ciBjb21t ZXJjaWFsbHkgaXNzdWVkIGNlcnRpZmljYXRlIHRvIHRoZSBob3N0LXdpZGUgdHJ1c3Qgc3RvcmUu PGJyPg0KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IGNwIFlPVVItM1JELVBB UlRZLUNBLUNFUlQucGVtIC9ldGMvcGtpL2NhLXRydXN0L3NvdXJjZS9hbmNob3JzPGJyPg0KJm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHVwZGF0ZS1jYS10cnVzdDxvOnA+PC9v OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCIgc3R5bGU9Im1hcmdp bi1ib3R0b206MTIuMHB0Ij4yLiBSZW1vdmUgQXBhY2hlIENBIGxpbmsgcG9pbnRpbmcgdG8gb1Zp cnQgaW50ZXJuYWw8YnI+DQombmJzcDsgJm5ic3A7ICZuYnNwOyZuYnNwOyBybSAvZXRjL3BraS9v dmlydC1lbmdpbmUvYXBhY2hlLWNhLnBlbTxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+My4gSW5zdGFsbCB5b3VyIGN1c3RvbSBjZXJ0aWZpY2F0ZSAo aW5jbHVkaW5nIGNvbXBsZXRlIGNlcnRpZmljYXRlIGNoYWluKTxzcGFuIHN0eWxlPSJmb250LXNp emU6MTAuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij48YnI+DQo8L3Nw YW4+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IG12IFlPVVItM1JELVBBUlRZ LUNBLUNFUlQucGVtIC9ldGMvcGtpL292aXJ0LWVuZ2luZS9hcGFjaGUtY2EucGVtPG86cD48L286 
cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ibG9ja3F1b3RlPg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpBcmlhbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IG12IFlPVVItM1JELVBBUlQtQ0VSVC5w MTIg4oCL4oCL4oCLL2V0Yy9wa2kvb3ZpcnQtZW5naW5lL2tleXMvYXBhY2hlLnAxMuKAizxicj4N Cjxicj4NClRoZSBhYm92ZSBjb21tYW5kIHdhcyBtaXNzaW5nIGluIG9yaWdpbmFsIHN0ZXBzLCB0 aGFua3MgRGlkaSBmb3IgcG9pbnRpbmcgdGhpcyBvdXQuPGJyPg0K4oCLPG86cD48L286cD48L3Nw YW4+PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDs8bzpwPjwvbzpwPjwv cD4NCjwvZGl2Pg0KPGJsb2NrcXVvdGUgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNv bGlkICNDQ0NDQ0MgMS4wcHQ7cGFkZGluZzowaW4gMGluIDBpbiA2LjBwdDttYXJnaW4tbGVmdDo0 LjhwdDttYXJnaW4tcmlnaHQ6MGluIj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjQu IEV4dHJhY3QgcHJpdmF0ZSBrZXkgYW5kIGNlcnRpZmljYXRlPGJyPg0KJm5ic3A7IDxvOnA+PC9v OnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPuKAiyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyDigIs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ b3BlbnNzbCBwa2NzMTIgLWluIC9ldGMvcGtpL292aXJ0LWVuZ2luZS9rZXlzL2FwYWNoZS5wMTIg LW5vY2VydHMgLW5vZGVzICZndDsgL2V0Yy9wa2kvb3ZpcnQtZW5naW5lL2tleXMvYXBhY2hlLmtl eS5ub3Bhc3M8bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj7igIsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsg4oCLPG86cD48L286cD48L3A+DQo8 L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tYm90dG9tOjEyLjBwdCI+ b3BlbnNzbCBwa2NzMTIgLWluIC9ldGMvcGtpL292aXJ0LWVuZ2luZS9rZXlzL2FwYWNoZS5wMTIg LW5va2V5cyAmZ3Q7IC9ldGMvcGtpL292aXJ0LWVuZ2luZS9jZXJ0cy9hcGFjaGUuY2VyPG86cD48 L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+4oCLNS4gUmVzdGFydCBBcGFj aGU8YnI+DQombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgc2VydmljZSBodHRwZCByZXN0 YXJ0PGJyPg0KPGJyPg0KNi4gQ3JlYXRlIGEgbmV3IHRydXN0IHN0b3JlIGNvbmZpZ3VyYXRpb24g 
ZmlsZS48YnI+DQombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgdmkgL2V0Yy9vdmlydC1l bmdpbmUvZW5naW5lLmNvbmYuZC85OS1jdXN0b20tdHJ1c3RzdG9yZS5jb25mPGJyPg0KPGJyPg0K Jm5ic3A7Jm5ic3A7IEFkZCB0aGUgZm9sbG93aW5nIGNvbnRlbnQgYW5kIHNhdmUgdGhlIGZpbGUu PGJyPg0KPGJyPg0KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IEVOR0lORV9IVFRQU19Q S0lfVFJVU1RfU1RPUkU9JnF1b3Q7L2V0Yy9wa2kvamF2YS9jYWNlcnRzJnF1b3Q7PGJyPg0KJm5i c3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IEVOR0lORV9IVFRQU19QS0lfVFJVU1RfU1RPUkVf UEFTU1dPUkQ9JnF1b3Q7JnF1b3Q7PGJyPg0KPGJyPg0KNy4gUmVzdGFydCB0aGUgb3ZpcnQtZW5n aW5lIHNlcnZpY2UuPGJyPg0KJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IHN5c3RlbWN0 bCByZXN0YXJ0IG92aXJ0LWVuZ2luZS5zZXJ2aWNl4oCLPG86cD48L286cD48L3A+DQo8L2Rpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tYm90dG9tOjEyLjBwdCI+PG86cD4m bmJzcDs8L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9 ImZvbnQtZmFtaWx5OkFyaWFsIj7igItTdGVwcyAxLiwgNi4gYW5kIDcuIGFyZSBuZXcgdG8gNC4w LCBvdGhlciBzdGVwcyBhcmUgc2FtZSBhcyBpbiBvVmlydCAzLnjigIs8bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTpB cmlhbCI+4oCLQWxzbyBpdCdzIGV4cGVjdGVkIHRoYXQgQ0EgY2VydGlmaWNhdGUgKGluY2x1ZGlu ZyB3aG9sZSBDQSBjaGFpbikgaXMgcHJvcGVybHkgaW5zdGFsbGVkIGluIGFsbCBjbGllbnRzIHRo YXQgYWNjZXNzIG9WaXJ0IHVzaW5nIEhUVFAgYW5kL29yIFNwaWNlLuKAizxvOnA+PC9vOnA+PC9z cGFuPjwvcD4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48 L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5 OkFyaWFsIj7igItNYXJ0aW4gUGVyaW5h4oCLPG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48YnI+DQo8YnI+DQombmJzcDs8bzpwPjwvbzpwPjwvcD4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5PbiBUaHUsIE9jdCAyNywgMjAxNiBhdCAxMDozOCBQTSwg S2VubmV0aCBCaW5naGFtICZsdDs8YSBocmVmPSJtYWlsdG86d0BxcmsudXMiIHRhcmdldD0iX2Js 
YW5rIj53QHFyay51czwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+PC9wPg0KPGJsb2NrcXVvdGUg c3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICNDQ0NDQ0MgMS4wcHQ7cGFkZGlu ZzowaW4gMGluIDBpbiA2LjBwdDttYXJnaW4tbGVmdDo0LjhwdDttYXJnaW4tcmlnaHQ6MGluIj4N CjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+VGhhdCBtYWtlcyBzZW5zZSwgYnV0 IGl0IGlzIGFsc28gZGlzYXBwb2ludGluZyB0byByZWFsaXplIHRoYXQgb1ZpcnQgTWFuYWdlciB3 aWxsIG9ubHkgdHJ1c3QgY2VydGlmaWNhdGVzIHRoYXQgaXRzZWxmIGhhcyBpc3N1ZWQsIGFuZCB0 aGF0IHRoZXJlIGlzIG5vIHN1cHBvcnQgZm9yIE1hbmFnZXIgdG8gdHJ1c3QgVkRTTSBzZXJ2ZXIg Y2VydGlmaWNhdGVzIGlzc3VlZCBieSBhbm90aGVyIGF1dGhvcml0eS4NCjxvOnA+PC9vOnA+PC9w Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9k aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+SWYgSSB1bmRlcnN0YW5kIHlvdSBjb3Jy ZWN0bHksIHRoZW4gdGhlICpvbmx5KiB3YXkgdG8gaW5zdGFsbCBhIFZEU00gaG9zdCBjZXJ0aWZp Y2F0ZSBpcyBieSByZWdpc3RlcmluZyB3aXRoIE1hbmFnZXIgYXQgd2hpY2ggdGltZSBhIGNlcnRp ZmljYXRlIGlzIGF1dG9tYXRpY2FsbHkgaXNzdWVkIGFuZCBpbnN0YWxsZWQgYnkgTWFuYWdlcidz IGJ1aWx0LWluIGNlcnRpZmljYXRlIGF1dGhvcml0eS48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+ DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPGRp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5PbiBUaHUsIE9jdCAyNywgMjAxNiBhdCAz OjI3IFBNIFJhdmkgTm9yaSAmbHQ7PGEgaHJlZj0ibWFpbHRvOnJub3JpQHJlZGhhdC5jb20iIHRh cmdldD0iX2JsYW5rIj5ybm9yaUByZWRoYXQuY29tPC9hPiZndDsgd3JvdGU6PG86cD48L286cD48 L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItbGVmdDpz b2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNi4wcHQ7bWFyZ2luLWxlZnQ6 NC44cHQ7bWFyZ2luLXJpZ2h0OjBpbiI+DQo8ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiIHN0eWxlPSJtYXJnaW4tYm90dG9tOjEyLjBwdCI+U2luY2UgeW91IHJlcGxhY2UgY2EucGVt IHlvdSBuZWVkIHRvIHJlcGxhY2UgdGhlIHByaXZhdGUga2V5IG9mIGNhLnBlbTxvOnA+PC9vOnA+ PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5QbGVhc2UgY29weSB0aGUgcHJpdmF0 
ZSBrZXkgb2YmbmJzcDsgL2V0Yy9wa2kvb3ZpcnQtZW5naW5lL2NhLnBlbSB0byAvZXRjL3BraS9v dmlydC1lbmdpbmUvcHJpdmF0ZS9jYS5wZW0gYW5kIGxldCBtZSBrbm93IGlmIGV2ZXJ5dGhpbmcg d29ya3M8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPk9uIFRo dSwgT2N0IDI3LCAyMDE2IGF0IDI6NDcgUE0sIEtlbm5ldGggQmluZ2hhbSA8c3BhbiBjbGFzcz0i Z21haWwtbTI0ODgwODAyODU1MjkzMjY2MDlnbWFpbC1tLTU5NDQ3ODAyODU2NDQyMzIyOGdtYWls bXNnIj4NCiZsdDs8YSBocmVmPSJtYWlsdG86d0BxcmsudXMiIHRhcmdldD0iX2JsYW5rIj53QHFy ay51czwvYT4mZ3Q7PC9zcGFuPiB3cm90ZTo8bzpwPjwvbzpwPjwvcD4NCjxibG9ja3F1b3RlIHN0 eWxlPSJib3JkZXI6bm9uZTtib3JkZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6 MGluIDBpbiAwaW4gNi4wcHQ7bWFyZ2luLWxlZnQ6NC44cHQ7bWFyZ2luLXJpZ2h0OjBpbiI+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+VGhhbmtzIFJhdmksIHRoYXQncyBoZWxwZnVsIGFuZCBJIGFw cHJlY2lhdGUgdGhlIHByZWNpc2lvbiBhbmQgYXR0ZW50aW9uIHRvIGRldGFpbC4gSSBwZXJmb3Jt ZWQgc2ltaWxhciBzdGVwcyB0byBpbnN0YWxsIGEgY3VzdG9tIGNlcnRpZmljYXRlIGZvciB0aGUg b1ZpcnQgTWFuYWdlciBHVUkuIEJ1dCB3aGF0IGFib3V0IGNvbmZpZ3VyaW5nIG92aXJ0LWVuZ2lu ZSB0byB0cnVzdCBhIGNlcnRpZmljYXRlIGlzc3VlZA0KIGJ5IHRoZSBzYW1lIENBIGFuZCBwcmVz ZW50ZWQgYnkgdGhlIFZEU00gaG9zdD8gT24gdGhlIGh5cGVydmlzb3IgaG9zdCwgSSB1c2VkIHRo ZSBleGlzdGluZyBwcml2YXRlIGtleSB0byBnZW5lcmF0ZSB0aGUgQ1NSLCBpc3N1ZWQgdGhlIHNl cnZlciBjZXJ0aWZpY2F0ZSwgYW5kIGluc3RhbGxlZCBpbiB0aHJlZSBsb2NhdGlvbnMgYmVmb3Jl IGJvdW5jaW5nIHZkc21kLjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj5PbiB0aGUgaHlwZXJ2aXNvciBIb3N0IHNlcnZlciAobm90IHRoZSBNYW5h Z2VyL2VuZ2luZSBzZXJ2ZXIpOjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+L2V0Yy9wa2kvdmRzbS9jZXJ0cy92ZHNtY2VydC5wZW08bzpwPjwvbzpw PjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPi9ldGMvcGtpL3Zkc20v 
bGlidmlydC1zcGljZS9zZXJ2ZXItY2VydC5wZW08bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPi9ldGMvcGtpL2xpYnZpcnQvPGEgaHJlZj0iaHR0cDov L2NsaWVudGNlcnQucGUiPmNsaWVudGNlcnQucGU8L2E+bTxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5Ob3csIHRoYXQgaG9zdCBpcyAmcXVvdDtu b24gcmVzcG9uc2l2ZSZxdW90OyBpbiBNYW5hZ2VyIGJlY2F1c2Ugb3ZpcnQtZW5naW5lIGRvZXMg bm90IHRydXN0IHRoZSBuZXcgY2VydGlmaWNhdGUgZXZlbiB0aG91Z2ggSSBhbHJlYWR5IHBlcmZv cm1lZCBhbGwgb2YgdGhlIHN0ZXBzIHRoYXQgeW91IGRlc2NyaWJlIGFib3ZlIGV4Y2VwdCB0aGF0 IEkgaW5zdGFsbGVkIHRoZSBpc3N1ZXIncyBDQSBjZXJ0aWZpY2F0ZSBhcyB0aGUgdHJ1c3RlZA0K IGVudGl0eS4gSSd2ZSBkb2N1bWVudGVkIGFsbCBvZiB0aGUgc3RlcHMgSSB0b29rIDxhIGhyZWY9 Imh0dHBzOi8vZ2lzdC5naXRodWIuY29tL3Fya291cmllci85YzlhYzNlOGIxOTBkY2I5MWQzNzY3 MTc5ZDVhMzllYSIgdGFyZ2V0PSJfYmxhbmsiPg0KaW4gdGhpcyBHaXN0PC9hPi48bzpwPjwvbzpw PjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8 L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+T24gVGh1LCBPY3QgMjcsIDIwMTYgYXQgMjoxMiBQTSBSYXZpIE5vcmkgJmx0OzxhIGhy ZWY9Im1haWx0bzpybm9yaUByZWRoYXQuY29tIiB0YXJnZXQ9Il9ibGFuayI+cm5vcmlAcmVkaGF0 LmNvbTwvYT4mZ3Q7IHdyb3RlOjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8YmxvY2txdW90ZSBz dHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAxLjBwdDtwYWRkaW5n OjBpbiAwaW4gMGluIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi1yaWdodDowaW4iPg0K PGRpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIiBzdHlsZT0ibWFyZ2luLWJvdHRvbTox Mi4wcHQiPkhlcmUgaXMgYSBjb21wbGV0ZSBzZXQgb2YgaW5zdHJ1Y3Rpb25zIHRoYXQgd29ya3Mg Zm9yIG1lPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij5Zb3UgY2FuIHNraXAgdGhlIGZpcnN0IGZldyBzdGVwcyBvZiBnZW5lcmF0aW5nIHRoZSBjZXJ0 
aWZpY2F0ZS48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5S YXZpPG86cD48L286cD48L3A+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGJyPg0KPGJy Pg0KR2VuZXJhdGUgYSBzZWxmLXNpZ25lZCBjZXJ0aWZpY2F0ZSB1c2luZyBvcGVuc3NsPGJyPg0K PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT08YnI+DQpvcGVuc3NsIHJlcSAt eDUwOSAtc2hhMjU2IC1ub2RlcyAtZGF5cyAzNjUgLW5ld2tleSByc2E6MjA0OCAta2V5b3V0IHBy aXZhdGVLZXkua2V5IC1vdXQgY2VydGlmaWNhdGUucGVtPGJyPg0KPGJyPg0KQ29udmVydCBhIFBF TSBjZXJ0aWZpY2F0ZSBmaWxlIGFuZCBhIHByaXZhdGUga2V5IHRvIFBLQ1MjMTIgKC5wMTIpPGJy Pg0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT08 YnI+DQpvcGVuc3NsIHBrY3MxMiAtZXhwb3J0IC1vdXQgY2VydGlmaWNhdGUucDEyIC1pbmtleSBw cml2YXRlS2V5LmtleSAtaW4gY2VydGlmaWNhdGUucGVtPGJyPg0KPGJyPg0KRXh0cmFjdCB0aGUg a2V5IGZyb20gdGhlIGJ1bmRsZSA8YnI+DQo9PT09PT09PT09PT09PT09PT09PT09PT09PGJyPg0K b3BlbnNzbCBwa2NzMTIgLWluJm5ic3A7IGNlcnRpZmljYXRlLnAxMiAtbm9jZXJ0cyAtbm9kZXMg Jmd0OyBhcGFjaGUua2V5Lm5vcGFzczxicj4NCjxicj4NCkV4dHJhY3QgdGhlIGNlcnRpZmljYXRl IGZyb20gdGhlIGJ1bmRsZTxicj4NCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PTxicj4N Cm9wZW5zc2wgcGtjczEyIC1pbiBjZXJ0aWZpY2F0ZS5wMTIgLW5va2V5cyAmZ3Q7IGFwYWNoZS5j ZXI8YnI+DQo8YnI+DQpDcmVhdGUgYSBuZXcgS2V5c3RvcmUgZm9yIHRlc3Rpbmc8YnI+DQo9PT09 PT09PT09PT09PT09PT09PT09PT09PTxicj4NCmtleXRvb2wgLWtleXN0b3JlIGNsaWVudGtleXN0 b3JlIC1nZW5rZXkgLWFsaWFzIGNsaWVudDxicj4NCjxicj4NCkNvbnZlcnQgLnBlbSB0byAuZGVy PGJyPg0KPT09PT09PT09PT09PT09PTxicj4NCm9wZW5zc2wgeDUwOSAtb3V0Zm9ybSBkZXIgLWlu IGNlcnRpZmljYXRlLnBlbSAtb3V0IGNlcnRpZmljYXRlLmRlcjxicj4NCjxicj4NCkltcG9ydCBj ZXJ0aWZpY2F0ZXMgdG8ga2V5c3RvcmU8YnI+DQo9PT09PT09PT09PT09PT09PT09PT09PTxicj4N CmtleXRvb2wgLWltcG9ydCAtYWxpYXMgYXBhY2hlIC1rZXlzdG9yZSAuL2NsaWVudGtleXN0b3Jl IC1maWxlIC4vY2VydGlmaWNhdGUuZGVyPGJyPg0KPGJyPg0KQ3JlYXRlIEN1c3RvbSBjb25mIGZv ciBvdmlydDxicj4NCj09PT09PT09PT09PT09PT09PT09PT08YnI+DQp2aSAvZXRjL292aXJ0LWVu 

On Wed, Nov 2, 2016 at 10:49 PM, Beckman, Daniel <Daniel.Beckman@ingramcontent.com> wrote:
Thanks very much for the detailed instructions! I was able to upgrade from 3.6.7 to 4.0.4 successfully. Here are some additional notes for those (like me) who were already using a custom HTTPS certificate in 3.6:
On step #3 “b” -- mv YOUR-3RD-PART-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12 – I didn’t need to perform this as the file was already there from my previous 3.6 configuration; setup had not removed it.
On step #4 – extracting private key and certificate – I didn’t need to perform this either; existing files were left intact from version 3.6.
Restarting Apache and oVirt service was not enough to bring up the web admin portal in my case. I had to reboot the server running oVirt engine, after which the web admin portal was accessible.
I recommend backing up /etc/pki in addition to /etc/ovirt-engine prior to running setup.
Thanks a lot for the report!
Perhaps you'd like to push a patch to github to update the following page?
http://www.ovirt.org/develop/release-management/features/infra/pki/
Best regards,
Best,
Daniel
From: <users-bounces@ovirt.org> on behalf of Martin Perina <mperina@redhat.com>
Date: Tuesday, November 1, 2016 at 6:29 AM
To: Kenneth Bingham <w@qrk.us>
Cc: users <users@ovirt.org>
Subject: Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4
On Tue, Nov 1, 2016 at 11:49 AM, Martin Perina <mperina@redhat.com> wrote:
So first of all, we don't support replacing oVirt internal CA which is used to sign host certificates. This internal CA is also used to sign HTTPS certificate by default, but you can provide your own HTTPS certificate signed by custom CA. The correct steps how to do that are (assuming you have your custom CA certificate in PEM format and HTTPS certificate along with private key in PKCS12 format):
1. Add your commercially issued certificate to the host-wide trust store.
    cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors
    update-ca-trust
2. Remove Apache CA link pointing to oVirt internal
    rm /etc/pki/ovirt-engine/apache-ca.pem
3. Install your custom certificate (including complete certificate chain)
    mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
    mv YOUR-3RD-PART-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12
The above command was missing in original steps, thanks Didi for pointing this out.
4. Extract private key and certificate
    openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
    openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
5. Restart Apache
    service httpd restart
6. Create a new trust store configuration file.
    vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
Add the following content and save the file.
    ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
    ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
7. Restart the ovirt-engine service.
    systemctl restart ovirt-engine.service
Steps 1., 6. and 7. are new to 4.0, other steps are same as in oVirt 3.x
Also it's expected that CA certificate (including whole CA chain) is properly installed in all clients that access oVirt using HTTP and/or Spice.
Martin Perina
On Thu, Oct 27, 2016 at 10:38 PM, Kenneth Bingham <w@qrk.us> wrote:
That makes sense, but it is also disappointing to realize that oVirt Manager will only trust certificates that itself has issued, and that there is no support for Manager to trust VDSM server certificates issued by another authority.
If I understand you correctly, then the *only* way to install a VDSM host certificate is by registering with Manager at which time a certificate is automatically issued and installed by Manager's built-in certificate authority.
On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori <rnori@redhat.com> wrote:
Since you replace ca.pem you need to replace the private key of ca.pem
Please copy the private key of /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works
On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w@qrk.us> wrote:
Thanks Ravi, that's helpful and I appreciate the precision and attention to detail. I performed similar steps to install a custom certificate for the oVirt Manager GUI. But what about configuring ovirt-engine to trust a certificate issued by the same CA and presented by the VDSM host? On the hypervisor host, I used the existing private key to generate the CSR, issued the server certificate, and installed in three locations before bouncing vdsmd.
On the hypervisor Host server (not the Manager/engine server):
/etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem
/etc/pki/libvirt/clientcert.pem
Now, that host is "non responsive" in Manager because ovirt-engine does not trust the new certificate even though I already performed all of the steps that you describe above except that I installed the issuer's CA certificate as the trusted entity. I've documented all of the steps I took in this Gist.
On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rnori@redhat.com> wrote:
Here is a complete set of instructions that works for me
You can skip the first few steps of generating the certificate.
Ravi
Generate a self-signed certificate using openssl
======================================
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem

Convert a PEM certificate file and a private key to PKCS#12 (.p12)
=====================================================
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem

Extract the key from the bundle
=========================
openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass

Extract the certificate from the bundle
==============================
openssl pkcs12 -in certificate.p12 -nokeys > apache.cer

Create a new Keystore for testing
==========================
keytool -keystore clientkeystore -genkey -alias client

Convert .pem to .der
================
openssl x509 -outform der -in certificate.pem -out certificate.der

Import certificates to keystore
=======================
keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der

Create Custom conf for ovirt
======================
vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

Set location of truststore and its password
=================================
ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"

Copy the custom certificates
======================
rm /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem
cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12
cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass

Restart engine and httpd
===================
service httpd restart
service ovirt-engine restart
On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
On 27/10/2016 at 00:14, Kenneth Bingham wrote:
I did install a server certificate from a private CA on the engine server for the oVirt 4 Manager GUI, but haven't figured out how to configure engine to trust the same CA which also issued the server certificate presented by vdsm. This is important for us because this is the same server certificate presented by the host when using the console (e.g. websocket console falls silently if the user agent doesn't trust the console server's certificate).
Hello,
Maybe related bug: on an oVirt 4, I followed the same procedure below to install a custom CA, with *SUCCESS*.
Today, I had to reinstall one of the hosts, and it is failing with: "CA certificate and CA private key do not match":
Which certificate did we (Kenneth and I) misuse? What did we do wrong?
Regards,
Nicolas ECARNOT
On Wed, Oct 26, 2016, 16:58 Beckman, Daniel <Daniel.Beckman@ingramcontent.com> wrote:
We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release. I read the release notes (https://www.ovirt.org/release/4.0.4/) and noted comment #4 under “Install / Upgrade from previous version”:
/If you are using HTTPS certificate signed by custom certificate authority, please take a look at https://bugzilla.redhat.com/1336838 for steps which need to be done after migration to 4.0. Also please consult https://bugzilla.redhat.com/1313379 how to setup this custom CA for use with virt-viewer clients./
So I referred to the first bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it states as follows:
If customer wants to use custom HTTPS certificate signed by different CA, then he has to perform following steps:
1. Install custom CA (that signed HTTPS certificate) into host wide truststore (more info can be found in update-ca-trust man page)
2. Configure HTTPS certificate in Apache (this step is same as in previous versions)
3. Create new configuration file (for example /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with following content:
    ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
    ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
4. Restart ovirt-engine service
I find it humorous that step # 1 suggests reading the “man page” which is only slightly better than suggesting to “google” it.
Has anyone using a custom CA for their HTTPS certificate successfully upgraded to oVirt 4? If so could you share your detailed steps? Or can anyone point me to an actual example of this procedure? I’m a little nervous about the upgrade if you can’t already tell.
Thanks,
Daniel
_______________________________________________ Users mailing list Users@ovirt.org <mailto:Users@ovirt.org> http://lists.ovirt.org/mailman/listinfo/users
-- Nicolas ECARNOT
-- Didi
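A consistency check for the files that Martin Perina's procedure and Ravi Nori's reply put under /etc/pki/ovirt-engine, as an added example that is not from the thread or from the oVirt project. It confirms that apache.key.nopass belongs to apache.cer, that apache.cer verifies against apache-ca.pem, and that private/ca.pem belongs to ca.pem. The function names and the throwaway demo PKI built by make_demo_pki are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example: pre-restart checks for the oVirt engine PKI layout named in the thread.
# All function names are hypothetical; only the file paths come from the thread.

# Print a SHA-256 over the public key held in a certificate or a private key file.
# openssl skips the "Bag Attributes" text that pkcs12 extraction leaves before the PEM.
cert_pubkey_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256
}
key_pubkey_hash() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# usage: key_matches_cert KEY CERT ; a missing or unreadable file counts as a mismatch
key_matches_cert() {
    k=$(key_pubkey_hash "$1") || return 1
    c=$(cert_pubkey_hash "$2") || return 1
    [ "$k" = "$c" ]
}

# usage: cert_chains_to CA_BUNDLE CERT
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# usage: check_engine_pki [ROOT] ; returns the number of failed checks (0 = consistent)
check_engine_pki() {
    root=${1:-/etc/pki/ovirt-engine}
    failed=0
    key_matches_cert "$root/keys/apache.key.nopass" "$root/certs/apache.cer" ||
        { echo "FAIL: keys/apache.key.nopass is not the key for certs/apache.cer"; failed=$((failed + 1)); }
    cert_chains_to "$root/apache-ca.pem" "$root/certs/apache.cer" ||
        { echo "FAIL: certs/apache.cer does not verify against apache-ca.pem"; failed=$((failed + 1)); }
    key_matches_cert "$root/private/ca.pem" "$root/ca.pem" ||
        { echo "FAIL: private/ca.pem is not the key for ca.pem"; failed=$((failed + 1)); }
    return "$failed"
}

# usage: make_demo_pki ROOT ; builds constructed, throwaway test data in the same layout
make_demo_pki() {
    root=$1
    w=$root/work
    mkdir -p "$root/keys" "$root/certs" "$root/private" "$w" || return 1
    # Stand-in for the engine's internal CA: ca.pem plus private/ca.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo internal CA" \
        -keyout "$root/private/ca.pem" -out "$root/ca.pem" 2>/dev/null || return 1
    # Stand-in for the third-party CA that issues the HTTPS certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo custom CA" \
        -keyout "$w/custom-ca.key" -out "$w/custom-ca.pem" 2>/dev/null || return 1
    cp "$w/custom-ca.pem" "$root/apache-ca.pem" || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=engine.example.test" \
        -keyout "$w/srv.key" -out "$w/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/srv.csr" -CA "$w/custom-ca.pem" -CAkey "$w/custom-ca.key" \
        -CAcreateserial -days 2 -out "$w/srv.cer" 2>/dev/null || return 1
    # Bundle into PKCS12, then extract key and certificate as in step 4 of the procedure.
    openssl pkcs12 -export -inkey "$w/srv.key" -in "$w/srv.cer" -passout pass:demo \
        -out "$root/keys/apache.p12" 2>/dev/null || return 1
    openssl pkcs12 -in "$root/keys/apache.p12" -passin pass:demo -nocerts -nodes \
        > "$root/keys/apache.key.nopass" 2>/dev/null || return 1
    openssl pkcs12 -in "$root/keys/apache.p12" -passin pass:demo -nokeys \
        > "$root/certs/apache.cer" 2>/dev/null || return 1
}

# Check a real layout only when asked: sh check-engine-pki.sh --check [ROOT]
if [ "${1:-}" = "--check" ]; then
    check_engine_pki "${2:-}" && echo "all checks passed"
fi
```

Run it with `--check` before restarting httpd and ovirt-engine; a non-zero exit status is the number of failed checks.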

Do I understand correctly? This procedure allows the oVirt administrator to install for the Manager HTTP UI a server certificate issued by an authority other than the built-in certificate authority that is always created when Manager is installed. It is not possible to also install for VDSM or the console server a server certificate that is issued by such an external certificate authority. Only certificates issued by the built-in authority may be bound to the VDSM and console services, and so it is necessary to import the signing certificate of that built-in authority into the admin's browser trust store before connecting to the console server (e.g., novnc websocket console). If that is correct then I will propose that we make it more convenient to obtain the signing cert in the browser and whether it might be possible to at least install an externally issued server certificate for the console service so that the explicit trust of Manager's built-in CA is unnecessary.
On Thu, Nov 3, 2016 at 2:09 AM Yedidyah Bar David <didi@redhat.com> wrote:
Thanks very much for the detailed instructions! I was able to upgrade from 3.6.7 to 4.0.4 successfully. Here are some additional notes for those (like me) who were already using a custom HTTPS certificate in 3.6:
On step #3 “b” -- mv YOUR-3RD-PART-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12 – I didn’t need to perform this as
On Wed, Nov 2, 2016 at 10:49 PM, Beckman, Daniel <Daniel.Beckman@ingramcontent.com> wrote: the
file was already there from my previous 3.6 configuration; setup had not removed it.
On step #4 – extracting private key and certificate – I didn’t need to perform this either; existing files were left intact from version 3.6.
Restarting Apache and oVirt service was not enough to bring up the web admin portal in my case. I had to reboot the server running oVirt engine, after which the web admin portal was accessible.
I recommend backing up /etc/pki in addition to /etc/ovirt-engine prior to running setup.
Thanks a lot for the report!
Perhaps you'd like to push a patch to github to update the following page?
http://www.ovirt.org/develop/release-management/features/infra/pki/
Best regards,
Best,
Daniel
From: <users-bounces@ovirt.org> on behalf of Martin Perina <mperina@redhat.com> Date: Tuesday, November 1, 2016 at 6:29 AM To: Kenneth Bingham <w@qrk.us> Cc: users <users@ovirt.org> Subject: Re: [ovirt-users] Upgrading oVirt 3.6 with existing HTTPS certificate signed by custom CA to oVirt 4
On Tue, Nov 1, 2016 at 11:49 AM, Martin Perina <mperina@redhat.com>
wrote:
So first of all, we don't support replacing oVirt internal CA which is
used
to sign host certificates. This internal CA is also used to sign HTTPS certificate by default, but you can provided your own HTTPS certificate signed by custom CA. The correct steps how to do that are (assuming you have you custom CA certififcate in PEM format and HTTPS ceritificate along with private key in PKCS12 format):
1. Add your commercially issued certificate to the host-wide trust store. cp YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ca-trust/source/anchors update-ca-trust
2. Remove Apache CA link pointing to oVirt internal rm /etc/pki/ovirt-engine/apache-ca.pem
3. Install your custom certificate (including complete certificate chain) mv YOUR-3RD-PARTY-CA-CERT.pem /etc/pki/ovirt-engine/apache-ca.pem
mv YOUR-3RD-PART-CERT.p12 /etc/pki/ovirt-engine/keys/apache.p12
The above command was missing in original steps, thanks Didi for pointing this out.
4. Extract private key and certificate
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes
/etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
5. Restart Apache service httpd restart
6. Create a new trust store configuration file. vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
Add the following content and save the file.
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts" ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
7. Restart the ovirt-engine service. systemctl restart ovirt-engine.service
Steps 1., 6. and 7. are new to 4.0, other steps are same as in oVirt 3.x
Also it's expected that CA certificate (including whole CA chain) is properly installed in all clients that access oVirt using HTTP and/or Spice.
Martin Perina
On Thu, Oct 27, 2016 at 10:38 PM, Kenneth Bingham <w@qrk.us> wrote:
That makes sense, but it is also disappointing to realize that oVirt Manager will only trust certificates that itself has issued, and that there is no support for Manager to trust VDSM server certificates issued by another authority.
If I understand you correctly, then the *only* way to install a VDSM host certificate is by registering with Manager at which time a certificate is automatically issued and installed by Manager's built-in certificate authority.
On Thu, Oct 27, 2016 at 3:27 PM Ravi Nori <rnori@redhat.com> wrote:
Since you replace ca.pem you need to replace the private key of ca.pem
Please copy the private key of /etc/pki/ovirt-engine/ca.pem to /etc/pki/ovirt-engine/private/ca.pem and let me know if everything works
On Thu, Oct 27, 2016 at 2:47 PM, Kenneth Bingham <w@qrk.us> wrote:
Thanks Ravi, that's helpful and I appreciate the precision and attention to detail. I performed similar steps to install a custom certificate for the oVirt Manager GUI. But what about configuring ovirt-engine to trust a certificate issued by the same CA and presented by the VDSM host? On the hypervisor host, I used the existing private key to generate the CSR, issued the server certificate, and installed in three locations before bouncing vdsmd.
On the hypervisor Host server (not the Manager/engine server):
/etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem
/etc/pki/libvirt/clientcert.pem
Now, that host is "non responsive" in Manager because ovirt-engine does not trust the new certificate even though I already performed all of the steps that you describe above except that I installed the issuer's CA certificate as the trusted entity. I've documented all of the steps I took in this Gist.
On Thu, Oct 27, 2016 at 2:12 PM Ravi Nori <rnori@redhat.com> wrote:
Here is a complete set of instructions that works for me
You can skip the first few steps of generating the certificate.
Ravi
Generate a self-signed certificate using openssl ====================================== openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.pem
Convert a PEM certificate file and a private key to PKCS#12 (.p12) ===================================================== openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.pem
Extract the key from the bundle ========================= openssl pkcs12 -in certificate.p12 -nocerts -nodes > apache.key.nopass
Extract the certificate from the bundle ============================== openssl pkcs12 -in certificate.p12 -nokeys > apache.cer
Create a new Keystore for testing ========================== keytool -keystore clientkeystore -genkey -alias client
Convert .pem to .der ================ openssl x509 -outform der -in certificate.pem -out certificate.der
Import certificates to keystore ======================= keytool -import -alias apache -keystore ./clientkeystore -file ./certificate.der
Create Custom conf for ovirt ====================== vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
Set location of truststore and its password ================================= ENGINE_HTTPS_PKI_TRUST_STORE="/home/rnori/Downloads/Cert/clientkeystore" ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="123456"
Copy the custom certificates ====================== rm /etc/pki/ovirt-engine/apache-ca.pem cp certificate.pem /etc/pki/ovirt-engine/apache-ca.pem cp certificate.p12 /etc/pki/ovirt-engine/keys/apache.p12 cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer cp apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass
Restart engine and httpd =================== service httpd restart service ovirt-engine restart
On Thu, Oct 27, 2016 at 5:30 AM, Nicolas Ecarnot <nicolas@ecarnot.net> wrote:
Le 27/10/2016 à 00:14, Kenneth Bingham a écrit :
I did install a server certificate from a private CA on the engine server for the oVirt 4 Manager GUI, but haven't figured out how to configure engine to trust the same CA which also issued the server certificate presented by vdsm. This is important for us because this is the same server certificate presented by the host when using the console (e.g. websocket console falls silently if the user agent doesn't trust the console server's certificate).
Hello,
Maybe related bug : on an oVirt 4, I followed the same procedure below to install a custom CA, with *SUCCESS*.
Today, I had to reinstall one of the hosts, and it is failing with : "CA certificate and CA private key do not match" :
Which certificate did we (Kenneth and I) did we mis-used? What did we do wrong?
Regards,
Nicolas ECARNOT
On Wed, Oct 26, 2016, 16:58 Beckman, Daniel <Daniel.Beckman@ingramcontent.com> wrote:
We have oVirt 3.6.7 and I am preparing to upgrade to 4.0.4 release. I read the release notes (https://www.ovirt.org/release/4.0.4/) and noted comment #4 under “Install / Upgrade from previous version”:
/If you are using HTTPS certificate signed by custom certificate authority, please take a look at https://bugzilla.redhat.com/1336838 for steps which need to be done after migration to 4.0. Also please consult https://bugzilla.redhat.com/1313379 how to setup this custom CA for use with virt-viewer clients./
So I referred to the first bugzilla (https://bugzilla.redhat.com/show_bug.cgi?id=1336838), where it states as follows:
If customer wants to use custom HTTPS certificate signed by different CA, then he has to perform following steps:
1. Install custom CA (that signed HTTPS certificate) into host wide truststore (more info can be found in update-ca-trust man page)
2. Configure HTTPS certificate in Apache (this step is same as in previous versions)
3. Create new configuration file (for example /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with following content:

ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

4. Restart ovirt-engine service
I find it humorous that step # 1 suggests reading the “man page” which is only slightly better than suggesting to “google” it.
Has anyone using a custom CA for their HTTPS certificate successfully upgraded to oVirt 4? If so could you share your detailed steps? Or can anyone point me to an actual example of this procedure? I’m a little nervous about the upgrade if you can’t already tell.
Thanks,
Daniel
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
-- Nicolas ECARNOT
-- Didi
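
A pre-flight check for the "Copy the custom certificates" step posted earlier in this thread, as an added example that is not part of any participant's message: it confirms that the server certificate is issued by the custom CA, that the private key belongs to that certificate, and that the destination is not a symlink. The function names and the throwaway demo PKI are assumptions made for this example; the file names follow the thread.

```shell
#!/bin/sh
# Added example (not from the thread): checks to run before copying files
# into /etc/pki/ovirt-engine. Function names are assumptions for this example.

# Fingerprint the public key held in a certificate or an unencrypted key.
pubkey_fp() {  # usage: pubkey_fp cert|key FILE
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pem=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when KEY is the private key belonging to CERT.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    c=$(pubkey_fp cert "$1") && k=$(pubkey_fp key "$2") && [ "$c" = "$k" ]
}

# True when CERT verifies against CA_PEM (openssl may also consult its
# default CA directory, where a private CA is not normally present).
chains_to_ca() {  # usage: chains_to_ca CA_PEM CERT
    out=$(openssl verify -CAfile "$1" "$2" 2>/dev/null) && [ "$out" = "$2: OK" ]
}

# Return 0 if safe to copy; 1 = wrong CA, 2 = key mismatch, 3 = symlink dest.
preflight() {  # usage: preflight CA_PEM CERT KEY DEST_CA_PATH
    chains_to_ca "$1" "$2" || { echo "FAIL: $2 not issued by $1" >&2; return 1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: $3 does not match $2" >&2; return 2; }
    # cp writes through a symlink, overwriting whatever file it points to;
    # the procedure above runs rm on apache-ca.pem before cp, which avoids this.
    [ ! -L "$4" ] || { echo "FAIL: $4 is a symlink, remove it first" >&2; return 3; }
    echo "OK: chain, key pair and destination look sane"
}

# Constructed sample data: throwaway CA, a server cert it signs, a stray key.
make_demo_pki() {  # usage: make_demo_pki DIR
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
          -keyout ca.key -out certificate.pem &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=engine.example.test" \
          -keyout apache.key.nopass -out apache.csr &&
      openssl x509 -req -in apache.csr -CA certificate.pem -CAkey ca.key \
          -CAcreateserial -days 1 -out apache.cer &&
      openssl genrsa -out other.key 2048 ) >/dev/null 2>&1
}
# Real use: preflight certificate.pem apache.cer apache.key.nopass \
#               /etc/pki/ovirt-engine/apache-ca.pem
```
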
participants (6)
- Beckman, Daniel
- Kenneth Bingham
- Martin Perina
- Nicolas Ecarnot
- Ravi Nori
- Yedidyah Bar David