[ovirt-users] Info on changing IPA server hostname in oVirt

Alon Bar-Lev alonbl at redhat.com
Wed Dec 10 22:18:10 UTC 2014



----- Original Message -----
> From: "Gianluca Cecchi" <gianluca.cecchi at gmail.com>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: "Ondra Machacek" <omachace at redhat.com>, "users" <users at ovirt.org>
> Sent: Thursday, December 11, 2014 12:10:43 AM
> Subject: Re: [ovirt-users] Info on changing IPA server hostname in oVirt
> 
> On Wed, Dec 10, 2014 at 10:30 PM, Alon Bar-Lev <alonbl at redhat.com> wrote:
> 
> >
> >
> >
> > better to use startTLS over ldaps.
> > so yes, the above is the right setting.
> > you should import the ca certificate, see instructions here[1]
> >
> > Alon
> >
> > [1]
> > http://gerrit.ovirt.org/gitweb?p=ovirt-engine-extension-aaa-ldap.git;a=blob;f=README;hb=HEAD#l141
> 
> 
> 
> I've done it this way:
> 
> copied /etc/ipa/ca.crt on engine server renaming it ipa_ca.crt
> 
> keytool -importcert -noprompt -trustcacerts -alias iparootca -file
> /root/ipa_ca.crt -keystore ipaca.jks -storepass mysecret
> 
> put  ipaca.jks in /etc/ovirt-engine/aaa/
> 
> ldap1.properties now has
> 
> # Create keystore, import certificate chain and uncomment
> # if using ssl/tls.
> pool.default.ssl.startTLS = true
> #pool.default.ssl.truststore.file =
> ${local:_basedir}/${global:vars.server}.jks
> pool.default.ssl.truststore.file = /etc/ovirt-engine/aaa/ipaca.jks
> pool.default.ssl.truststore.password = mysecret
> 
> and restarted ovirt engine but it seems all connections are still through
> port 389....

That's ok.

There are two methods of secure communication.
1. A protocol over TLS/SSL, in which you negotiate a secure stream and communicate over it.
2. startTLS (and similar), in which you connect using the plain protocol and instruct the remote to start a secure stream within the same connection.

startTLS is more flexible and has some advantages over the secure stream, for example: you do not need two separate TCP ports, and you can also fall back within the same connection to plain if SSL is not supported.

You can verify that you are using a secure connection using Wireshark, or you can use a store without the correct CA certificate.

Alon
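As an added example (not from this thread or from oVirt's code), here is the wire-level view of what Alon describes: LDAP StartTLS is an ordinary plaintext ExtendedRequest on port 389 carrying the OID 1.3.6.1.4.1.1466.20037 (RFC 4511), the server answers with an ExtendedResponse, and only then does a TLS handshake start on the same TCP connection; ldaps on port 636 begins with the TLS handshake from byte one. The script builds both StartTLS messages with a minimal BER encoder and classifies constructed sample records the way one would when reading a port-389 capture; the BindRequest and ClientHello prefix are constructed samples and nothing touches the network.

```python
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAPOID is the dotted string as octets

def ber_len(n: int) -> bytes:  # BER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def parse_tlv(buf: bytes, pos: int = 0):  # returns (tag, value, position after this TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def starttls_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }"""
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x77, tlv(0x80, STARTTLS_OID)))

def starttls_response(message_id: int, result_code: int = 0) -> bytes:
    """ExtendedResponse [APPLICATION 24]: resultCode, matchedDN, diagnosticMessage, responseName [10]"""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b"") + tlv(0x8A, STARTTLS_OID)
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x78, body))

def classify(data: bytes) -> str:
    """Say what one record on an LDAP port is: TLS from byte one (ldaps style), StartTLS, or plain LDAP."""
    if data[:2] == b"\x16\x03":
        return "tls-handshake"
    if data[:1] != b"\x30":
        return "unknown"
    _, msg, _ = parse_tlv(data)
    _, _, pos = parse_tlv(msg)                 # skip messageID
    op_tag, op, _ = parse_tlv(msg, pos)
    fields, pos = [], 0
    while pos < len(op):                       # flatten the operation's fields
        tag, value, pos = parse_tlv(op, pos)
        fields.append((tag, value))
    if op_tag == 0x77 and (0x80, STARTTLS_OID) in fields:
        return "starttls-request"
    if op_tag == 0x78 and (0x8A, STARTTLS_OID) in fields:
        return "starttls-accepted" if fields[0] == (0x0A, b"\x00") else "starttls-refused"
    return "plaintext-ldap"                    # e.g. a BindRequest sent before/without StartTLS

# Constructed samples: a simple BindRequest (APPLICATION 0) and the first bytes of a TLS ClientHello.
PLAIN_BIND = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b"")))
TLS_PREFIX = b"\x16\x03\x01\x00\x05"
```

In a Wireshark capture of the setup above, a successful StartTLS shows as `starttls-request` then `starttls-accepted` on port 389, immediately followed by `tls-handshake` bytes on the same stream; a bind that classifies as `plaintext-ldap` before any such exchange is going over the wire unprotected.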


