[ovirt-users] Ovirt SSL Question

Punit Dambiwal hypunit at gmail.com
Fri Aug 15 06:14:40 UTC 2014


Hi Alon,

Thanks a ton for your help...I will try this and let you know if face any
problem.

Thanks,
Punit


On Fri, Aug 15, 2014 at 1:16 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:

>
>
> ----- Original Message -----
> > From: "Punit Dambiwal" <hypunit at gmail.com>
> > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > Cc: users at ovirt.org, ahadas at redhat.com, "Sven Kieske" <
> S.Kieske at mittwald.de>, "Dan Kenigsberg" <danken at redhat.com>,
> > "Michal Skrivanek" <michal.skrivanek at redhat.com>, "Antoni Segura
> Puimedon" <asegurap at redhat.com>, "Frantisek Kobzik"
> > <fkobzik at redhat.com>, "Itamar Heim" <iheim at redhat.com>, "sabose" <
> sabose at redhat.com>, barumuga at redhat.com, "Simone
> > Tiraboschi" <stirabos at redhat.com>
> > Sent: Friday, August 15, 2014 6:05:14 AM
> > Subject: Re: [ovirt-users] Ovirt SSL Question
> >
> > Hi Alon,
> >
> > Thanks understand....that means no need to enroll certificate from the
> > internal...just generate the CSR from standalone websocket proxy server
> and
> > receive the 3rd party SSL and install that SSL on the websocket proxy
> > server and then Create /etc/ovirt-engine/ovirt-
> > websocket-proxy.conf.d/20-pki.conf and override the SSL_CERTIFICATE and
> > SSL_KEY with 3rd party certificate chain and matching key. ???
>
> yes.
>
> > Also one more question....as i don't want to use the ovirt default
> > websocket proxy as it doesn't fit to our requirement....we are using
> > websockify on the separate standalone server....it seems i need to do the
> > same as we can do for the websocket...m i right ??
>
> you should do this only on the active proxy.
>
> >
> > Thanks For your help Alon...
> >
> > Thanks,
> > Punit
> >
> >
> > On Fri, Aug 15, 2014 at 10:19 AM, Alon Bar-Lev <alonbl at redhat.com>
> wrote:
> >
> > >
> > >
> > > ----- Original Message -----
> > > > From: "Punit Dambiwal" <hypunit at gmail.com>
> > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > Cc: users at ovirt.org, ahadas at redhat.com, "Sven Kieske" <
> > > S.Kieske at mittwald.de>, "Dan Kenigsberg" <danken at redhat.com>,
> > > > "Michal Skrivanek" <michal.skrivanek at redhat.com>, "Antoni Segura
> > > Puimedon" <asegurap at redhat.com>, "Frantisek Kobzik"
> > > > <fkobzik at redhat.com>, "Itamar Heim" <iheim at redhat.com>, "sabose" <
> > > sabose at redhat.com>, barumuga at redhat.com, "Simone
> > > > Tiraboschi" <stirabos at redhat.com>
> > > > Sent: Friday, August 15, 2014 4:56:36 AM
> > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > >
> > > > Hi Alon,
> > > >
> > > > Thanks...that means even we use the standalone websocket proxy or
> > > > standalone websockify...do i need to do the same process :-
> > > >
> > > >
> > >
> http://www.ovirt.org/Features/noVNC_console#Setup_Websocket_Proxy_on_a_Separate_Machine
> > > >
> > > > On the engine, generate a certificate and key. substitute <FQDN>
> with the
> > > > DNS name of the host. Substitute <country>, <organization> to suite
> your
> > > > environment (i.e. the values must match values in the certificate
> > > authority
> > > > of your engine).
> > > >
> > > > /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh
> > > > --name=websocket-proxy-standalone --password=mypass
> > > > --subject="/C=<country>/O=<organization>/CN=<fqdn>"
> > > >
> > > > Copy /etc/pki/ovirt-engine/keys/websocket-proxy-standalone.p12 and
> > > > /etc/pki/ovirt-engine/certs/engine.cer from the engine to the proxy
> > > machine
> > > > at /etc/pki/ovirt-websocket-proxy
> > > > At websocket-proxy machine
> > > >
> > > > Install ovirt-engine-websocket-proxy package.
> > > >
> > > > Extract keys:
> > > >
> > > > cd /etc/pki/ovirt-websocket-proxy
> > > > openssl pkcs12 -in websocket-proxy-standalone.p12 -nokeys -out
> > > > websocket-proxy-standalone.cer
> > > > openssl pkcs12 -in websocket-proxy-standalone.p12 -nocerts -nodes
> -out
> > > > websocket-proxy-standalone.key
> > > > chown ovirt:ovirt *
> > > > chmod 0600 *
> > > >
> > > > And then Create
> > > /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> > > > and override the SSL_CERTIFICATE and SSL_KEY with 3rd party
> certificate
> > > > chain and matching key. ??
> > >
> > > you wanted to use a certificate from 3rd party certificate authority,
> you
> > > do not need to enroll a certificate from the internal certificate
> > > authority.
> > >
> > > >
> > > >
> > > >
> > > > On Fri, Aug 15, 2014 at 9:51 AM, Alon Bar-Lev <alonbl at redhat.com>
> wrote:
> > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > > From: "Punit Dambiwal" <hypunit at gmail.com>
> > > > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > > > Cc: users at ovirt.org, ahadas at redhat.com, "Sven Kieske" <
> > > > > S.Kieske at mittwald.de>, "Dan Kenigsberg" <danken at redhat.com>,
> > > > > > "Michal Skrivanek" <michal.skrivanek at redhat.com>, "Antoni Segura
> > > > > Puimedon" <asegurap at redhat.com>, "Frantisek Kobzik"
> > > > > > <fkobzik at redhat.com>, "Itamar Heim" <iheim at redhat.com>,
> "sabose" <
> > > > > sabose at redhat.com>, barumuga at redhat.com, "Simone
> > > > > > Tiraboschi" <stirabos at redhat.com>
> > > > > > Sent: Friday, August 15, 2014 4:48:13 AM
> > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > > >
> > > > > > Hi Alon,
> > > > > >
> > > > > > Thanks...but still the same question....for which FQDN i need to
> > > purchase
> > > > > > the SSL (Ovirt engine FQDN or standalone websocket proxy FQDN) ??
> > > > >
> > > > > this is standard https, the browser expects the name of the remote
> > > host,
> > > > > which is the websocket proxy host.
> > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Fri, Aug 15, 2014 at 9:46 AM, Alon Bar-Lev <alonbl at redhat.com
> >
> > > wrote:
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > > From: "Punit Dambiwal" <hypunit at gmail.com>
> > > > > > > > To: "Alon Bar-Lev" <alonbl at redhat.com>
> > > > > > > > Cc: users at ovirt.org, ahadas at redhat.com, "Sven Kieske" <
> > > > > > > S.Kieske at mittwald.de>, "Dan Kenigsberg" <danken at redhat.com>,
> > > > > > > > "Michal Skrivanek" <michal.skrivanek at redhat.com>, "Antoni
> Segura
> > > > > > > Puimedon" <asegurap at redhat.com>, "Frantisek Kobzik"
> > > > > > > > <fkobzik at redhat.com>, "Itamar Heim" <iheim at redhat.com>,
> > > "sabose" <
> > > > > > > sabose at redhat.com>, barumuga at redhat.com, "Simone
> > > > > > > > Tiraboschi" <stirabos at redhat.com>
> > > > > > > > Sent: Friday, August 15, 2014 4:43:31 AM
> > > > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > > > > >
> > > > > > > > Hi Alon,
> > > > > > > >
> > > > > > > > Thanks for your reply...but i didn't find 20-pki.conf file
> in my
> > > > > > > > ovirt-engine server....
> > > > > > > >
> > > > > > > > I am using websocket proxy as standalone....and fetch the vm
> > > console
> > > > > with
> > > > > > > > the help of API...and then it will display to the browser
> with
> > > our
> > > > > portal
> > > > > > > > url...
> > > > > > >
> > > > > > > this is conf.d structure, files are sorted by name, last wins.
> > > > > > > so instead of overriding files you can add your own.
> > > > > > >
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Punit
> > > > > > > >
> > > > > > > >
> > > > > > > > On Thu, Aug 14, 2014 at 11:13 PM, Alon Bar-Lev <
> > > alonbl at redhat.com>
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > ----- Original Message -----
> > > > > > > > > > From: "Punit Dambiwal" <hypunit at gmail.com>
> > > > > > > > > > To: users at ovirt.org, ahadas at redhat.com, "Sven Kieske" <
> > > > > > > > > S.Kieske at mittwald.de>, "Dan Kenigsberg" <danken at redhat.com
> >,
> > > > > > > > > > "Michal Skrivanek" <michal.skrivanek at redhat.com>,
> "Antoni
> > > Segura
> > > > > > > > > Puimedon" <asegurap at redhat.com>, "Frantisek Kobzik"
> > > > > > > > > > <fkobzik at redhat.com>, "Itamar Heim" <iheim at redhat.com>,
> > > > > "sabose" <
> > > > > > > > > sabose at redhat.com>, barumuga at redhat.com, "Simone
> > > > > > > > > > Tiraboschi" <stirabos at redhat.com>
> > > > > > > > > > Sent: Thursday, August 14, 2014 12:37:01 PM
> > > > > > > > > > Subject: Re: [ovirt-users] Ovirt SSL Question
> > > > > > > > > >
> > > > > > > > > > Hi All,
> > > > > > > > > >
> > > > > > > > > > Is there any one can help me to solve this issue..
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Punit
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > On Wed, Aug 13, 2014 at 9:53 AM, Punit Dambiwal <
> > > > > hypunit at gmail.com
> > > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Hi All,
> > > > > > > > > >
> > > > > > > > > > I have one question regarding the SSL settings in
> > > Ovirt....let me
> > > > > > > > > explain my
> > > > > > > > > > environment first :-
> > > > > > > > > >
> > > > > > > > > > 1. Ovirt engine :- mgmt.3linux.com
> > > > > > > > > > 2. Standalone websocket proxy :- web-proxy.3linux.com
> > > > > > > > > > 3. Our Own Portal :- portal.3linux.com
> > > > > > > > > >
> > > > > > > > > > We have the above architecture...we fetch the VM console
> > > from the
> > > > > > > > > websocket
> > > > > > > > > > proxy to our own portal through API....because still we
> are
> > > using
> > > > > > > > > selfsigned
> > > > > > > > > > certificate...we need to trust the certificate every
> > > > > time,whenever we
> > > > > > > > > open
> > > > > > > > > > the VM console... (https://< web-proxy.3linux.com
> >:<port>)
> > > > > > > > > >
> > > > > > > > > > When we initiate the VM console through our own web
> portal
> > > the
> > > > > url (
> > > > > > > > > >
> > > > > > > > >
> > > > > > >
> > > > >
> > >
> https://portal.3linux.com/content/ovirt/noVNC/vm-console.php?id=6e0caf73-ae7d-493e-a51d-ecc32f507f00
> > > > > > > > > > ),if we accept the SSL certificate with https://<
> > > > > > > web-proxy.3linux.com
> > > > > > > > > > >:<port> ....then it will open as expected but if we
> didn't
> > > > > accept
> > > > > > > the
> > > > > > > > > > certificate manually...then it through failed to
> connect:1006
> > > > > > > error...
> > > > > > > > > >
> > > > > > > > > > We don't want that every time end user will accept the
> > > > > certificate
> > > > > > > > > > manually...as our link to open VM console is different
> then
> > > > > > > webproxy....
> > > > > > > > > >
> > > > > > > > > > Now we want to replace the self signed certificate with
> valid
> > > > > > > SSL....can
> > > > > > > > > any
> > > > > > > > > > one tell me where we need to put the certificates and
> how to
> > > > > > > generate the
> > > > > > > > > > CSR for them and how many SSL we need to purchase to make
> > > this
> > > > > thing
> > > > > > > > > > workable without accepting the certificate everytime....
> > > > > > > > >
> > > > > > > > > Create
> > > /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/20-pki.conf
> > > > > and
> > > > > > > > > override the SSL_CERTIFICATE and SSL_KEY with 3rd party
> > > certificate
> > > > > > > chain
> > > > > > > > > and matching key.
> > > > > > > > >
> > > > > > > > > You can create the request in any tool you like, what we
> need
> > > is
> > > > > the
> > > > > > > > > certificate and key.
> > > > > > > > >
> > > > > > > > > Regards,
> > > > > > > > > Alon
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20140815/d0a0c476/attachment-0001.html>


More information about the Users mailing list