Bug 1336845
Field | Value | Field | Value
---|---|---|---
Summary: | [RFE] - Document Single Sign-On which uses HTTPS connection to communicate between webadmin/userportal and SSO module. | |
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | David Jaša <djasa>
Component: | Documentation | Assignee: | Tahlia Richardson <trichard>
Status: | CLOSED CURRENTRELEASE | QA Contact: | Julie <juwu>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 3.6.0 | CC: | gveitmic, lbopf, lsurette, michal.skrivanek, mkalinin, mperina, mwest, nicolas, oourfali, rbalakri, rnori, srevivo, ykaul, ylavi
Target Milestone: | ovirt-4.0.4 | Keywords: | FutureFeature
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text:

Cause:
oVirt 4.0 introduces the Single Sign-On feature, which uses an HTTPS connection to communicate between webadmin/userportal and the SSO module.

Consequence:
If a custom HTTPS certificate signed by a custom CA is used in Apache, users won't be able to log in to webadmin/userportal after upgrading from 3.6 to 4.0.

Fix:
New configuration variables ENGINE_HTTPS_PKI_TRUST_STORE and ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD have been added to the engine PKI configuration. By default these variables point to the trust store containing the internal oVirt CA. A customer who wants to use a custom HTTPS certificate signed by a different CA has to perform the following steps:

1. Install the custom CA (the one that signed the HTTPS certificate) into the host-wide trust store (see the update-ca-trust man page for details).
2. Configure the HTTPS certificate in Apache (this step is the same as in previous versions).
3. Create a new configuration file (for example /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with the following content:

   ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

4. Restart the ovirt-engine service.

Result:
New installation: a user who wants to use a custom HTTPS certificate on Apache has to perform configuration steps 1 to 4 above.
Upgraded installation with a custom HTTPS certificate: a user who configured a custom HTTPS certificate on Apache in the previous version needs to perform steps 1, 3 and 4 above right after the upgrade has finished successfully.
Upgraded installation without a custom HTTPS certificate: no special steps are required.
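As an added example (not from the bug and not oVirt's own code), the following POSIX shell script carries out steps 1, 3 and 4 above and checks the result before the engine is restarted. It assumes a RHEL/CentOS 7 host with update-ca-trust and systemd, that the CA certificate path and the engine FQDN are passed as arguments, and that ENGINE_CONF_DIR may be overridden (defaulting to /etc/ovirt-engine/engine.conf.d from the steps above).

```shell
#!/bin/sh
# Added example, not from the bug or from oVirt itself: performs steps 1, 3 and 4 of the
# Doc Text for an engine whose Apache certificate is signed by a custom CA, and checks the
# result before the engine is restarted. Inputs (assumed): CA certificate path (PEM), engine FQDN.
set -eu

TRUST_STORE="/etc/pki/java/cacerts"                            # value from the Doc Text
CA_BUNDLE="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # regenerated by update-ca-trust
ENGINE_CONF_DIR="${ENGINE_CONF_DIR:-/etc/ovirt-engine/engine.conf.d}"

# Step 1: add the CA to the host-wide trust store. update-ca-trust also regenerates the
# Java cacerts file that $TRUST_STORE resolves to, so the engine sees the CA without keytool.
install_custom_ca() {
    cp "$1" /etc/pki/ca-trust/source/anchors/
    update-ca-trust extract
}

# Step 3: write the engine override file; prints its path. The empty password is the
# documented value for the system cacerts store.
write_truststore_conf() {
    conf="$1/99-custom-truststore.conf"
    printf 'ENGINE_HTTPS_PKI_TRUST_STORE="%s"\n' "$TRUST_STORE" > "$conf"
    printf 'ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""\n' >> "$conf"
    printf '%s\n' "$conf"
}

# Both variables must be set once the file is sourced the way the engine reads it. A typo
# here leaves the engine on the default (internal oVirt CA) store and SSO login fails
# exactly as described under "Consequence".
check_truststore_conf() {
    ( . "$1"
      [ "$ENGINE_HTTPS_PKI_TRUST_STORE" = "$TRUST_STORE" ] &&
      [ "${ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD+set}" = set ] )
}

# Pre-flight: the chain Apache actually serves must validate against the trust the SSO
# module will use. Fails if step 1 or step 2 was skipped or the wrong CA was installed.
apache_chain_trusted() {
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$CA_BUNDLE" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}
main() {   # usage: RUN_TRUSTSTORE_SETUP=1 sh setup.sh /path/to/custom-ca.pem engine.example.com
    install_custom_ca "$1"
    conf=$(write_truststore_conf "$ENGINE_CONF_DIR")
    check_truststore_conf "$conf"
    apache_chain_trusted "$2"
    systemctl restart ovirt-engine                             # step 4
}
if [ "${RUN_TRUSTSTORE_SETUP:-0}" = 1 ]; then main "$@"; fi
```

Run the pre-flight function alone after the upgrade on an existing installation to confirm the served chain is trusted before touching the engine configuration.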
Field | Value | Field | Value
---|---|---|---
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2016-11-02 00:41:24 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | Docs | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1336838 | |
Bug Blocks: | 1156381 | |
Description (David Jaša, 2016-05-17 14:47:01 UTC)

Ravi, after finishing work on BZ1336838 please append the steps required for the SSO feature in RHEV 4.0 to work properly when the customer is using an HTTPS certificate signed by its own CA, so those steps can be added to the RHEV 4.0 doc.

Works when using key store with password. When using system keystore that doesn't use password with no password (setting empty or none ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD variable).

Why move to 4.1? So we won't support customers using their own CA in 4.0? Please retarget to 4.0

(In reply to Michal Skrivanek from comment #3)
> Why move to 4.1? So we won't support customers using their own CA in 4.0?
> Please retarget to 4.0

We do not have the resources needed to resolve a non-urgent issue at this time. I suggest working on the KBase for the time being.

Assigning to Tahlia for review.

*** Bug 1374585 has been marked as a duplicate of this bug. ***

FWIW: Hello, I confirm that the workaround described on top is working with 4.0.4.4-1.el7.centos (and empty password certs).

*** Bug 1146712 has been marked as a duplicate of this bug. ***

Checked the updated text. Moving this bug to VERIFIED.

Cheers,
Julie