Red Hat Bugzilla – Bug 1016931
[HOWTO] Migrate SSL keystore configuration during RHEV 3.2 upgrade (3.0 -> 3.1 -> 3.2)
Last modified: 2013-11-10 07:12:45 EST
Description of problem:
On an environment that was originally installed as RHEV 3.0 (meaning JBoss is still the primary web server, port 8080/8443), and upgraded to 3.1, keystore files fixed and verified to work in 3.1, then upgraded to 3.2, the custom keystore file configuration was, again, not respected and reverted to defaults.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install RHEV 3.0
2. Install custom SSL certificate as instructed in Tech Brief article: https://access.redhat.com/site/articles/216903
3. Upgrade to RHEV 3.1
4. Copy /etc/pki/rhevm-old/example.keystore to /etc/pki/ovirt-engine/example.keystore
5. Fix the permissions to ovirt:ovirt on example.keystore
6. Edit /usr/share/ovirt-engine/service/engine-service.xml.in file and find the https connector section:
<ssl name="ssl" password="examplePassword" certificate-key-file="/etc/pki/ovirt-engine/example.keystore" key-alias="example" protocol="$getString('ENGINE_HTTPS_PROTOCOLS')" verify-client="false"/>
7. Optional for rhevm-reports: Edit /usr/share/ovirt-engine-dwh/etl/history_service.sh run properties:
RUN_PROPERTIES="-Xms256M -Xmx1024M -Djavax.net.ssl.trustStore=/etc/pki/ovirt-engine/.keystore -Djavax.net.ssl.trustStorePassword=mypass"
8. Optional for rhevm-reports: Edit /usr/share/ovirt-engine/rhevm-reports.war/WEB-INF/applicationContext-security-web.xml and change the following entry:
<property name="trustStorePath" value="/etc/pki/ovirt-engine/example.keystore"/>
<property name="trustStorePassword" value="examplePassword"/>
The SSL certificate configuration is not respected during the upgrade from 3.1 to 3.2
The existing configuration should be preserved and properly migrated automatically for the customer. This is very important for our strategic customers who, more often than not, employ their own SSL certificates instead of the default self-signed cert.
^ Step 9: Upgrade to RHEV 3.2
This is dup of bug#1013946, not sure why a new bug was opened.
(In reply to Alon Bar-Lev from comment #3)
> This is dup of bug#1013946, not sure why a new bug was opened.
Sorry, the other bug was for 3.0 to 3.1 which is not being maintained anymore. I thought a separate bug was needed for the 3.2 installer to handle differently. Thank you for your reply.
Closing as WORKSFORME... Please re-open if you have any more questions.
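
One way to confirm, before and after the 3.2 upgrade, that the files edited in steps 6-8 still point at the custom keystore and have not reverted. This is an added example, not part of the bug report or of RHEV; the function names and the root-directory argument are assumptions, and the file paths and expected values are the ones given in the steps above.

```shell
#!/bin/sh
# Added example (not from the bug report): post-upgrade drift check for the
# keystore settings edited in steps 6-8. The root argument is an assumption
# that lets the check run against a copy of the filesystem; pass "" on a live manager.

ENGINE_XML=usr/share/ovirt-engine/service/engine-service.xml.in
DWH_SH=usr/share/ovirt-engine-dwh/etl/history_service.sh
REPORTS_XML=usr/share/ovirt-engine/rhevm-reports.war/WEB-INF/applicationContext-security-web.xml

# Print the keystore path a file currently points at (empty if none is set).
configured_keystore() {  # $1 = file, $2 = kind: ssl | jvm | spring
    [ -r "$1" ] || return 0
    case "$2" in
        ssl)    sed -n 's/.*certificate-key-file="\([^"]*\)".*/\1/p' "$1" ;;
        jvm)    sed -n 's/.*-Djavax\.net\.ssl\.trustStore=\([^ "]*\).*/\1/p' "$1" ;;
        spring) sed -n 's/.*name="trustStorePath"[[:space:]]*value="\([^"]*\)".*/\1/p' "$1" ;;
    esac | head -n 1
}

# Compare one file against the expected path; optional files may be absent.
check_one() {  # $1 = root, $2 = file, $3 = kind, $4 = expected, $5 = required|optional
    if [ ! -e "$1/$2" ] && [ "$5" = optional ]; then
        echo "SKIP   /$2 (not installed)"
        return 0
    fi
    actual=$(configured_keystore "$1/$2" "$3")
    if [ "$actual" = "$4" ]; then
        echo "OK     /$2 -> $actual"
        return 0
    fi
    echo "DRIFT  /$2 -> ${actual:-<not set>} (expected $4)"
    return 1
}

# Exit status is the number of problems found (0 = configuration preserved).
check_keystore_config() {  # $1 = root, $2 = engine keystore, $3 = DWH truststore
    drift=0
    check_one "$1" "$ENGINE_XML" ssl "$2" required || drift=$((drift + 1))
    check_one "$1" "$DWH_SH" jvm "$3" optional || drift=$((drift + 1))
    check_one "$1" "$REPORTS_XML" spring "$2" optional || drift=$((drift + 1))
    [ -r "$1$2" ] || { echo "MISSING keystore file $2"; drift=$((drift + 1)); }
    return "$drift"
}

# Usage on the manager, before and after the upgrade:
#   check_keystore_config "" /etc/pki/ovirt-engine/example.keystore /etc/pki/ovirt-engine/.keystore
```

Run it once before the upgrade to record a clean result, then again afterwards; any DRIFT line names the file that has to be re-edited.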