Bug 1336845 - [RFE] - Document Single Sign-On which uses HTTPS connection to communicate between webadmin/userportal and SSO module.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.0.4
Assignee: Tahlia Richardson
QA Contact: Julie
URL:
Whiteboard:
Duplicates: 1146712 1374585
Depends On: 1336838
Blocks: 1156381
Reported: 2016-05-17 14:47 UTC by David Jaša
Modified: 2019-12-16 06:41 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: oVirt 4.0 introduces the Single Sign-On feature, which uses an HTTPS connection to communicate between webadmin/userportal and the SSO module.

Consequence: If a custom HTTPS certificate signed by a custom CA is used in Apache, users will not be able to log in to webadmin/userportal after upgrading from 3.6 to 4.0.

Fix: New configuration variables ENGINE_HTTPS_PKI_TRUST_STORE and ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD have been added to the engine PKI configuration. By default these variables are set to use the trust store containing the internal oVirt CA. If the customer wants to use a custom HTTPS certificate signed by a different CA, they have to perform the following steps:

1. Install the custom CA (the one that signed the HTTPS certificate) into the host-wide truststore (more information can be found in the update-ca-trust man page).
2. Configure the HTTPS certificate in Apache (this step is the same as in previous versions).
3. Create a new configuration file (for example /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf) with the following content:

   ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

4. Restart the ovirt-engine service.

Result:
New installation: If the user wants to use a custom HTTPS certificate on Apache, they have to perform configuration steps 1-4 above.
Upgraded installation with custom HTTPS certificate: If the user configured a custom HTTPS certificate on Apache in the previous version, they need to perform steps 1, 3 and 4 above right after the upgrade has finished successfully.
Upgraded installation without custom HTTPS certificate: No special steps are required.
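A pre-flight check for the procedure in the Doc Text, added here as an example (not code from the bug report or from oVirt): it writes the step-3 drop-in, reads it back, and verifies with openssl that the Apache certificate chains to a CA in a PEM bundle before the engine is restarted. It assumes update-ca-trust extracts the same CA set to /etc/pki/java/cacerts and to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem; the Apache certificate path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of this bug or of oVirt. The engine only trusts the CAs
# in ENGINE_HTTPS_PKI_TRUST_STORE, so if that store lacks the CA behind Apache's
# certificate, SSO logins fail. These helpers check that before step 4 (restart).
# Assumption: update-ca-trust writes the same CA set to /etc/pki/java/cacerts and
# to the PEM bundle /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, so the
# bundle can be verified with openssl instead of keytool.

# Step 3: write the drop-in with both variables. $1 = drop-in path,
# $2 = trust store path, $3 = password ("" is valid, see comment 12).
write_truststore_conf() {
    printf 'ENGINE_HTTPS_PKI_TRUST_STORE="%s"\nENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="%s"\n' \
        "$2" "$3" > "$1"
}

# Read the drop-in without sourcing it and print the trust store path it names.
# Returns 1 if the file is missing, the variable is empty, or the store is unreadable.
truststore_from_conf() {
    [ -r "$1" ] || return 1
    store=$(sed -n 's/^ENGINE_HTTPS_PKI_TRUST_STORE="\(.*\)"$/\1/p' "$1" | tail -n 1)
    [ -n "$store" ] && [ -r "$store" ] || return 1
    printf '%s\n' "$store"
}

# Step 1 check: does the Apache server certificate chain to a CA in the bundle?
# $1 = server certificate (PEM), $2 = CA bundle (PEM). Returns 0 when trusted.
engine_cert_trusted() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage on an engine host (certificate path is a placeholder):
#   write_truststore_conf /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf \
#       /etc/pki/java/cacerts ""
#   truststore_from_conf /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf \
#       && engine_cert_trusted /path/to/apache-server-cert.pem \
#            /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
#       && systemctl restart ovirt-engine
```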
Clone Of:
Environment:
Last Closed: 2016-11-02 00:41:24 UTC
oVirt Team: Docs
Target Upstream Version:
Embargoed:




Links:
Red Hat Knowledge Base (Article) 216903, last updated 2018-12-06 18:04:48 UTC
Red Hat Knowledge Base (Solution) 2610251, last updated 2019-12-16 06:41:48 UTC
Red Hat Knowledge Base (Solution) 2742891, last updated 2016-11-02 04:42:56 UTC

Description David Jaša 2016-05-17 14:47:01 UTC
Description of problem:
When using externally-signed certificate for apache (a.k.a. Apache SSL configuration: Manual), engine needs to trust this CA in order to make internal SSO work. Documentation should state this fact clearly.

Version-Release number of selected component (if applicable):
RHEV 4.0.0-0.6

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Testing currently blocked by bug 1336838.

Comment 1 Martin Perina 2016-05-17 15:05:37 UTC
Ravi, after finishing work on BZ1336838 please append steps required for SSO feature in RHEV 4.0 to work properly when customer is using HTTPS certificate signed by its own CA, so those steps can be added to RHEV 4.0 doc.

Comment 2 David Jaša 2016-06-22 16:13:59 UTC
Works when using key store with password. When using system keystore that doesn't use password with no password (setting empty or none ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD variable).

Comment 3 Michal Skrivanek 2016-06-25 07:30:51 UTC
Why moving to 4.1? So we won't support customers using their own CA in 4.0?
Please retarget to 4.0

Comment 4 Yaniv Lavi 2016-06-26 13:29:32 UTC
(In reply to Michal Skrivanek from comment #3)
> Why moving to 4.1? So we won't support customers using their own CA in 4.0?
> Please retarget to 4.0


We do not have the resources needed to resolve this non-urgent issue at this time. I suggest working on the KBase for the time being.

Comment 5 Lucy Bopf 2016-09-23 06:59:17 UTC
Assigning to Tahlia for review.

Comment 6 Tahlia Richardson 2016-10-05 05:21:35 UTC
*** Bug 1374585 has been marked as a duplicate of this bug. ***

Comment 12 Nicolas Ecarnot 2016-10-25 13:45:36 UTC
FWIW:

Hello,

I confirm that the workaround described on top is working with 4.0.4.4-1.el7.centos (and empty password certs).

Comment 13 Lucy Bopf 2016-10-27 06:03:58 UTC
*** Bug 1146712 has been marked as a duplicate of this bug. ***

Comment 14 Julie 2016-10-27 06:19:54 UTC
Checked the updated text.
Moving this bug to VERIFIED.

Cheers,
Julie

