Bug 1016931

Summary: [HOWTO] Migrate SSL keystore configuration during RHEV 3.2 upgrade (3.0 -> 3.1 -> 3.2)
Product: Red Hat Enterprise Virtualization Manager Reporter: Bryan Yount <byount>
Component: ovirt-engine-setup Assignee: Alon Bar-Lev <alonbl>
Status: CLOSED WORKSFORME QA Contact: Pavel Stehlik <pstehlik>
Severity: high Docs Contact:
Priority: high    
Version: 3.2.0 CC: acathrow, alonbl, avyadav, bazulay, iheim, lyarwood, Rhev-m-bugs, ssekidde, yeylon, ylavi
Target Milestone: --- Keywords: SupportQuestion, Triaged
Target Release: 3.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: integration
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2013-10-25 16:36:38 UTC Type: Bug

Description Bryan Yount 2013-10-09 01:03:28 UTC
Description of problem:
On an environment that was originally installed as RHEV 3.0 (meaning JBoss is still the primary web server, port 8080/8443), and upgraded to 3.1, keystore files fixed and verified to work in 3.1, then upgraded to 3.2, the custom keystore file configuration was, again, not respected and reverted to defaults.

Version-Release number of selected component (if applicable):
rhevm-setup-3.2.3-0.43

How reproducible:
Very

Steps to Reproduce:
1. Install RHEV 3.0
2. Install custom SSL certificate as instructed in Tech Brief article: https://access.redhat.com/site/articles/216903
3. Upgrade to RHEV 3.1
4. Copy /etc/pki/rhevm-old/example.keystore to /etc/pki/ovirt-engine/example.keystore
5. Fix the permissions to ovirt:ovirt on example.keystore
6. Edit /usr/share/ovirt-engine/service/engine-service.xml.in file and find the https connector section:

<ssl name="ssl" password="examplePassword" certificate-key-file="/etc/pki/ovirt-engine/example.keystore" key-alias="example" protocol="$getString('ENGINE_HTTPS_PROTOCOLS')" verify-client="false"/>

7. Optional for rhevm-reports: Edit /usr/share/ovirt-engine-dwh/etl/history_service.sh run properties:

RUN_PROPERTIES="-Xms256M -Xmx1024M -Djavax.net.ssl.trustStore=/etc/pki/ovirt-engine/.keystore -Djavax.net.ssl.trustStorePassword=mypass"

8. Optional for rhevm-reports: Edit /usr/share/ovirt-engine/rhevm-reports.war/WEB-INF/applicationContext-security-web.xml and change the following entry:

<property name="trustStorePath" value="/etc/pki/ovirt-engine/example.keystore"/>
<property name="trustStorePassword" value="examplePassword"/>


Actual results:
The SSL certificate configuration is not respected during the upgrade from 3.1 to 3.2

Expected results:
The existing configuration should be preserved and properly migrated automatically for the customer. This is very important for our strategic customers who, more often than not, employ their own SSL certificates instead of the default self-signed cert.

Comment 2 Bryan Yount 2013-10-09 01:07:54 UTC
^ Step 9: Upgrade to RHEV 3.2

Comment 3 Alon Bar-Lev 2013-10-09 07:35:11 UTC
This is a dup of bug#1013946, not sure why a new bug was opened.

Comment 6 Bryan Yount 2013-10-09 18:28:44 UTC
(In reply to Alon Bar-Lev from comment #3)
> This is a dup of bug#1013946, not sure why a new bug was opened.

Sorry, the other bug was for 3.0 to 3.1 which is not being maintained anymore. I thought a separate bug was needed for the 3.2 installer to handle differently. Thank you for your reply.

Comment 10 Alon Bar-Lev 2013-10-25 16:36:38 UTC
Closing as WORKSFORME... Please re-open if you have any more questions.