Bug 1016931 - [HOWTO] Migrate SSL keystore configuration during RHEV 3.2 upgrade (3.0 -> 3.1 -> 3.2)
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-setup
Version: 3.2.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.3.0
Assigned To: Alon Bar-Lev
QA Contact: Pavel Stehlik
Whiteboard: integration
Keywords: SupportQuestion, Triaged
Reported: 2013-10-08 21:03 EDT by Bryan Yount
Modified: 2013-11-10 07:12 EST
Doc Type: Bug Fix
Last Closed: 2013-10-25 12:36:38 EDT
Type: Bug
Description Bryan Yount 2013-10-08 21:03:28 EDT
Description of problem:
On an environment that was originally installed as RHEV 3.0 (meaning JBoss is still the primary web server, port 8080/8443), and upgraded to 3.1, keystore files fixed and verified to work in 3.1, then upgraded to 3.2, the custom keystore file configuration was, again, not respected and reverted to defaults.

Version-Release number of selected component (if applicable):
rhevm-setup-3.2.3-0.43

How reproducible:
Very

Steps to Reproduce:
1. Install RHEV 3.0
2. Install custom SSL certificate as instructed in Tech Brief article: https://access.redhat.com/site/articles/216903
3. Upgrade to RHEV 3.1
4. Copy /etc/pki/rhevm-old/example.keystore to /etc/pki/ovirt-engine/example.keystore
5. Fix the permissions to ovirt:ovirt on example.keystore
6. Edit /usr/share/ovirt-engine/service/engine-service.xml.in file and find the https connector section:

<ssl name="ssl" password="examplePassword" certificate-key-file="/etc/pki/ovirt-engine/example.keystore" key-alias="example" protocol="$getString('ENGINE_HTTPS_PROTOCOLS')" verify-client="false"/>

7. Optional for rhevm-reports: Edit /usr/share/ovirt-engine-dwh/etl/history_service.sh run properties:

RUN_PROPERTIES="-Xms256M -Xmx1024M -Djavax.net.ssl.trustStore=/etc/pki/ovirt-engine/.keystore -Djavax.net.ssl.trustStorePassword=mypass"

8. Optional for rhevm-reports: Edit /usr/share/ovirt-engine/rhevm-reports.war/WEB-INF/applicationContext-security-web.xml and change the following entry:

<property name="trustStorePath" value="/etc/pki/ovirt-engine/example.keystore"/>
<property name="trustStorePassword" value="examplePassword"/>


Actual results:
The SSL certificate configuration is not respected during the upgrade from 3.1 to 3.2

Expected results:
The existing configuration should be preserved and properly migrated automatically for the customer. This is very important for our strategic customers who, more often than not, employ their own SSL certificates instead of the default self-signed cert.
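
Added example (not part of the original report and not Red Hat's code): a Python check that could be run after the upgrade to see whether the settings from steps 6 to 8 still point at the custom keystore. The sample file contents, the "reverted" values and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Values the administrator configured in steps 6-8 of the report.
EXPECTED = {
    "certificate-key-file": "/etc/pki/ovirt-engine/example.keystore",
    "key-alias": "example",
    "trustStore": "/etc/pki/ovirt-engine/.keystore",
    "trustStorePath": "/etc/pki/ovirt-engine/example.keystore",
}
# Constructed samples modelled on the report's snippets (not real file contents).
ENGINE_CUSTOM = '''<ssl name="ssl" password="examplePassword" certificate-key-file="/etc/pki/ovirt-engine/example.keystore" key-alias="example" protocol="$getString('ENGINE_HTTPS_PROTOCOLS')" verify-client="false"/>'''
# Constructed "after upgrade" sample; path and alias are placeholders, not product defaults.
ENGINE_REVERTED = '<ssl name="ssl" password="x" certificate-key-file="/constructed/default.keystore" key-alias="constructed-default"/>'
HISTORY_SH = 'RUN_PROPERTIES="-Xms256M -Xmx1024M -Djavax.net.ssl.trustStore=/etc/pki/ovirt-engine/.keystore -Djavax.net.ssl.trustStorePassword=mypass"'
SECURITY_XML = '<property name="trustStorePath" value="/etc/pki/ovirt-engine/example.keystore"/>'

def ssl_connector_attrs(text):
    """Attributes of the first <ssl .../> element; the .in template as a whole
    need not be well-formed XML, so only that element is parsed."""
    m = re.search(r"<ssl\b[^>]*/>", text)
    return dict(ET.fromstring(m.group(0)).attrib) if m else {}

def truststore_from_run_properties(text):
    """Path passed to the JVM via -Djavax.net.ssl.trustStore=..., or None."""
    m = re.search(r'-Djavax\.net\.ssl\.trustStore=([^\s"]+)', text)
    return m.group(1) if m else None

def spring_property(text, name):
    """value= of a <property name=... value=.../> entry, or None."""
    m = re.search(r'<property\s+name="%s"\s+value="([^"]*)"' % re.escape(name), text)
    return m.group(1) if m else None

def find_drift(expected, engine_xml, history_sh=None, security_xml=None):
    """List (setting, expected, found) for each checked setting that differs.
    Passwords are deliberately not compared or reported."""
    attrs = ssl_connector_attrs(engine_xml)
    found = {k: attrs.get(k) for k in ("certificate-key-file", "key-alias")}
    if history_sh is not None:
        found["trustStore"] = truststore_from_run_properties(history_sh)
    if security_xml is not None:
        found["trustStorePath"] = spring_property(security_xml, "trustStorePath")
    return [(k, expected[k], v) for k, v in sorted(found.items()) if expected.get(k) != v]

if __name__ == "__main__":
    for label, xml in (("custom", ENGINE_CUSTOM), ("reverted", ENGINE_REVERTED)):
        drift = find_drift(EXPECTED, xml, HISTORY_SH, SECURITY_XML)
        print(label, "OK" if not drift else drift)
```

To use it against a real installation, read the three files named in steps 6 to 8 and pass their contents to `find_drift` in place of the constructed samples.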
Comment 2 Bryan Yount 2013-10-08 21:07:54 EDT
^ Step 9: Upgrade to RHEV 3.2
Comment 3 Alon Bar-Lev 2013-10-09 03:35:11 EDT
This is dup of bug#1013946, not sure why a new bug was opened.
Comment 6 Bryan Yount 2013-10-09 14:28:44 EDT
(In reply to Alon Bar-Lev from comment #3)
> This is dup of bug#1013946, not sure why a new bug was opened.

Sorry, the other bug was for 3.0 to 3.1 which is not being maintained anymore. I thought a separate bug was needed for the 3.2 installer to handle differently. Thank you for your reply.
Comment 10 Alon Bar-Lev 2013-10-25 12:36:38 EDT
Closing as WORKSFORME... Please re-open if you have any more questions.
