[Users] Procedure to change engine host name
Juan Hernandez
jhernand at redhat.com
Fri Oct 5 15:03:37 UTC 2012
Hi,
I see some interest on how to change the host name of the machine where
the engine runs (in release 3.1). This is a manual procedure that you
can use to do that:
0. Make a backup copy of the /etc/pki/ovirt-engine directory.
1. Regenerate the engine certificate signing request preserving the
existing private key (this is very important in order to avoid having to
decrypt/encrypt passwords stored in the database):
openssl req \
-new \
-subj '/C=US/O=Example Inc./CN=f17.example.com' \
-key /etc/pki/ovirt-engine/keys/engine_id_rsa \
-out /etc/pki/ovirt-engine/requests/engine.req
Replace "Example Inc." with the value that you provided during the
installation. If you have forgotten it, it can be extracted from the
current engine certificate:
openssl x509 \
-in /etc/pki/ovirt-engine/certs/engine.cer \
-noout \
-subject
And *VERY IMPORTANT*, replace "f17.example.com" with the new fully
qualified host name.
2. Sign the engine certificate again; to simplify this the SignReq.sh
script should be used:
cd /etc/pki/ovirt-engine
./SignReq.sh \
engine.req \
engine.cer \
1800 \
/etc/pki/ovirt-engine \
`date -d yesterday +%y%m%d%H%M%S+0000` \
NoSoup4U
Double check that the generated certificate is correct, visually and
with the following command:
openssl verify \
-CAfile /etc/pki/ovirt-engine/ca.pem \
/etc/pki/ovirt-engine/certs/engine.cer
3. Generate also a DER encoded version of the certificate:
openssl x509 \
-in /etc/pki/ovirt-engine/certs/engine.cer \
-out /etc/pki/ovirt-engine/certs/engine.der \
-outform der
4. Export the engine private key and certificate to a PKCS12 file:
openssl pkcs12 \
-export \
-name engine \
-inkey /etc/pki/ovirt-engine/keys/engine_id_rsa \
-in /etc/pki/ovirt-engine/certs/engine.cer \
-out /etc/pki/ovirt-engine/keys/engine.p12 \
-passout pass:NoSoup4U
5. Regenerate the keystore used by the engine, importing the old CA
certificate and the new engine certificate:
rm -f /etc/pki/ovirt-engine/.keystore
keytool \
-keystore /etc/pki/ovirt-engine/.keystore \
-import \
-alias cacert \
-storepass mypass \
-noprompt \
-file /etc/pki/ovirt-engine/ca.pem
keytool \
-keystore /etc/pki/ovirt-engine/.keystore \
-importkeystore \
-srckeystore /etc/pki/ovirt-engine/keys/engine.p12 \
-srcalias engine \
-srcstoretype PKCS12 \
-srcstorepass NoSoup4U \
-srckeypass NoSoup4U \
-destalias engine \
-deststorepass mypass \
-destkeypass mypass
6. Restart the httpd and ovirt-engine services:
service ovirt-engine restart
service httpd restart
7. If using ovirt-node as the hypervisors, then for each of them check
and fix the "vdc_host_name" parameter in the
"/etc/vdsm-reg/vdsm-reg.conf" file.
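A post-procedure sanity check, added here as an example and not part of the original mail: it confirms that the regenerated engine.cer carries the new host name, still belongs to the preserved engine_id_rsa key (the point step 1 stresses), and verifies against ca.pem. It assumes the oVirt 3.1 layout used above and the openssl CLI; make_test_pki builds a throwaway CA with hypothetical values so the check can be tried offline.

```shell
#!/bin/sh
# Added sanity check for the procedure above (not from the original mail).
# Assumes the oVirt 3.1 layout it uses: $PKI/ca.pem, $PKI/certs/engine.cer
# and $PKI/keys/engine_id_rsa. Requires the openssl CLI.

# check_engine_cert PKI_DIR NEW_FQDN -> returns 0 only if all checks pass
check_engine_cert() {
    pki="$1"; fqdn="$2"
    cert="$pki/certs/engine.cer"; key="$pki/keys/engine_id_rsa"; rc=0
    # 1. The CN must be the new host name given in the step-1 -subj value.
    cn=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null |
         sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: certificate CN is '$cn', expected '$fqdn'"; rc=1
    fi
    # 2. The new certificate must still belong to the preserved private key;
    #    a mismatch means the key was regenerated and stored passwords break.
    certmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    keymod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    if [ -z "$certmod" ] || [ "$certmod" != "$keymod" ]; then
        echo "FAIL: engine.cer does not match engine_id_rsa"; rc=1
    fi
    # 3. The chain must verify against the unchanged engine CA (step 2 check).
    if ! openssl verify -CAfile "$pki/ca.pem" "$cert" >/dev/null 2>&1; then
        echo "FAIL: engine.cer does not verify against ca.pem"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: engine.cer is consistent for $fqdn"
    return "$rc"
}

# make_test_pki DIR FQDN: constructed throwaway CA + engine cert for trying
# the check offline (hypothetical values, not a real engine installation).
make_test_pki() {
    d="$1"; mkdir -p "$d/certs" "$d/keys"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -days 1 \
        -subj '/C=US/O=Example Inc./CN=test-ca.example.com' -out "$d/ca.pem"
    openssl genrsa -out "$d/keys/engine_id_rsa" 2048 2>/dev/null
    openssl req -new -key "$d/keys/engine_id_rsa" \
        -subj "/C=US/O=Example Inc./CN=$2" -out "$d/engine.req"
    openssl x509 -req -in "$d/engine.req" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/certs/engine.cer" 2>/dev/null
}
```

On a real engine run `check_engine_cert /etc/pki/ovirt-engine <new fqdn>` after step 2; to try it first, `make_test_pki /tmp/pki f17.example.com && check_engine_cert /tmp/pki f17.example.com`.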
Note that this procedure will leave a small trace: the CA certificate
will still contain the URL of the old host. That is a minor
inconvenience, but to solve it *all* certificates would need to be
replaced. If there is interest I can prepare a procedure to do that as well.
Feedback is welcome.
Regards,
Juan Hernandez