I'm not sure it's a good idea if you're running 4.0. This procedure does half of the job, as it doesn't touch the custom Java trust store, and the missing parts are mandatory for oVirt 4. So I'm now stuck with an unreachable UI after an upgrade and I don't know if I can roll back.

On 10 August 2016 at 17:30, Marcelo Leandro <marceloltmm(a)gmail.com> wrote:

Good morning,

"You need to have correctly set up engine FQDN and it has to be resolvable. If you don't have correctly set engine FQDN, you can fix that using ovirt-engine-rename tool, more info can be found at:

https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/ "

Can I make the procedure with host and VMs in production?

Thanks.

2016-08-03 14:34 GMT-03:00 Martin Perina <mperina(a)redhat.com>:

On Wed, Aug 3, 2016 at 5:25 PM, Fabrice Bacchella <fabrice.bacchella(a)icloud.com> wrote:
Next step:

The UI says, even with a restarted navigator:

org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null') at [Source: java.io.StringReader@74749f78; line: 3, column: 2]

I haven't seen this error before, could you please share server.log and engine.log?

I shift-reload, got a welcome screen, click on "Administration portal". I then got a warning. The vhost for ovirt is "ovirt.mydomain", but I got a redirect to:

https://ovirt.mydomain/ovirt-engine/webadmin/sso/login?&app_url=htt...%2F%2Fovirt.mydomain%2Fovirt-engine%2Fwebadmin%2F%3Flocale%3Den_US&locale=en_US

that then redirects to:

https://realhost.mydomain:443/ovirt-engine/sso/oauth/authorize?client_id=ovirt-engine-core&response_type=code&redirect_uri=https%3A%2F%2Fovirt.mydomain%3A443%2Fovirt-engine%2Fwebadmin%2Fsso%2Foauth2-callback&scope=ovirt-app-admin+ovirt-app-portal+ovirt-ext%3Dauth%3Asequence-priority%3D%7E&state=5ku3vXkfb10

And it fails again, still with:

org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null') at [Source: java.io.StringReader@328a4512; line: 3, column: 2]

Many requests were sent to ovirt.mydomain, but just one to realhost.mydomain:443, I don't know why.

You need to have correctly set up engine FQDN and it has to be resolvable. If you don't have correctly set engine FQDN, you can fix that using ovirt-engine-rename tool, more info can be found at:

https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/

Also be aware that you need to use that engine FQDN to access oVirt 4.0

I didn't ask for any SSO, I already use my own (CAS), it was working well and the update never asked for activating something new.

This is one of the oVirt 4.0 features, we have implemented OAUTH SSO for all engine parts: webadmin, userportal and restapi. If you are using CAS (although it's officially supported by oVirt), that probably means you have configured CAS authentication on Apache, passing authenticated username using aaa-misc as authn extension and aaa-ldap as authz extension (to get group memberships for authenticated user). If that's true then please take a look at

https://bugzilla.redhat.com/show_bug.cgi?id=1342192

there are some changes on Apache configuration (the bug is for kerberos, but I suspect similar config is needed also for cas module in apache).

> On 3 August 2016 at 15:09, Martin Perina <mperina(a)redhat.com> wrote:
>
> Hi,
> please follow steps as described in BZ:
>
> 1. Create /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf (you may choose different filename but it has to end with '.conf' suffix) with following content:
>
> ENGINE_HTTPS_PKI_TRUST_STORE="<full path to your java keystore>"
> ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="<password to your java keystore>"
>
> 2. Restart the engine
>
> If the above doesn't work please attach server.log/engine.log
>
> Thanks
>
> Martin Perina

_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
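
Added example, not part of the thread and not oVirt code: a Python check that parses the authorize redirect quoted in the thread and reports when the SSO endpoint host, the callback host inside redirect_uri and the host typed in the browser differ, which is the situation the FQDN advice above addresses. It assumes the host serving /sso/oauth/authorize is the configured engine FQDN; check_sso_redirect and its report keys are hypothetical names.

```python
"""Flag host mismatches in an oVirt 4.0 SSO authorize redirect (added example)."""
from urllib.parse import urlsplit, parse_qs

# Authorize redirect as quoted in the thread (hostnames are the poster's placeholders).
AUTHORIZE_URL = (
    "https://realhost.mydomain:443/ovirt-engine/sso/oauth/authorize"
    "?client_id=ovirt-engine-core&response_type=code"
    "&redirect_uri=https%3A%2F%2Fovirt.mydomain%3A443%2Fovirt-engine"
    "%2Fwebadmin%2Fsso%2Foauth2-callback"
    "&scope=ovirt-app-admin+ovirt-app-portal+ovirt-ext%3Dauth%3Asequence-priority%3D%7E"
    "&state=5ku3vXkfb10"
)


def _host(url):
    """Lower-cased hostname of a URL, without the port."""
    return (urlsplit(url).hostname or "").lower()


def check_sso_redirect(authorize_url, browsed_host):
    """Compare the SSO endpoint host, the callback host and the browsed host."""
    query = parse_qs(urlsplit(authorize_url).query)
    callbacks = query.get("redirect_uri", [])
    if len(callbacks) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    sso_host = _host(authorize_url)
    callback_host = _host(callbacks[0])  # parse_qs has already percent-decoded it
    browsed = browsed_host.lower().rstrip(".")
    findings = []
    if sso_host != browsed:
        findings.append(f"SSO endpoint is on {sso_host}, browser used {browsed}")
    if callback_host != sso_host:
        findings.append(f"callback returns to {callback_host}, not {sso_host}")
    return {"sso_host": sso_host, "callback_host": callback_host,
            "findings": findings}


if __name__ == "__main__":
    report = check_sso_redirect(AUTHORIZE_URL, "ovirt.mydomain")
    print(report["sso_host"], report["callback_host"])
    for line in report["findings"]:
        print("MISMATCH:", line)
```

An empty findings list means the browser, the SSO endpoint and the OAuth callback all use the same host name.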