RHEV: How to recreate RHEV-M CA and update RHEV setup with the new certificate (migration from 2.1 only)
SOLUTION 확인됨 - 업데이트됨05시 38분 2014년 7월 25일 - English 환경
Red Hat Enterprise Virtualization (RHEV)
Migration Tool for RHEV 2.2->3.0 migration
RHEV-M 2.2, originally upgraded from 2.1
RHEL 6 hypervisors
문제
Use the information in this this article only if all of the following apply to your RHEV environment:
You used a migration tool to upgrade your RHEV2.2 environment to RHEV 3.0
and
You started using RHEV2.1 and upgraded your environment from 2.1 to 2.2
In this case you will have troubles upgrading your environment to full 3.0 compatibility mode cluster and won't be able to attach RHEL6 based host to your system. Check Diagnostic Steps section below for more details.
해결
This resolution contains 3 steps to cover all the involved entities: RHEV-M, Hosts, Client accessing Admin/User Portal via https:
I. On RHEV-M: - recreate RHEV-M CA; create and sign RHEV-M public-private key pair; update JBoss EAP with new certificates
II. Each host - re-register to RHEV-M
III. Import the new RHEV-M CA and public key on the clients used to access Admin / User Portal
Here are the detailed steps:
Note: type/copy the commands as is, just replace the IPs setup and DN values to match your setup.
I. On RHEV-M 3.0 perform the following steps:
0. Make a backup copy of the /etc/pki/rhevm directory.
Raw
# cp -pr /etc/pki/rhevm /var/tmp/
1. Reset the certificate database and serial number:
Raw
# cd /etc/pki/rhevm
# rm database.txt*
# rm serial.txt*
# touch database.txt
# echo 01 > serial.txt
# rm -rf certs/*
# rm -rf requests/*
2. Regenerate the CA certificate signing request preserving the existing private key:
Raw
# openssl req \
-new \
-key private/ca.pem \
-config cacert.conf \
-out requests/ca.csr
3. Sign again the CA certificate, adding the required X509v3 extensions:
Raw
# openssl ca \
-selfsign \
-out ca.pem \
-in requests/ca.csr \
-keyfile private/ca.pem \
-days 3650 \
-config openssl.conf \
-extfile cacert.conf \
-extensions v3_ca \
-startdate `date -d yesterday +%y%m%d%H%M%S+0000`
Verify visually that the generated ca.pem file contains the X509v3 extensions, something like this:
Raw
X509v3 extensions:
X509v3 Subject Key Identifier:
45:31:B7:BF:3C:D3:D3:7C:03:2F:6B:A6:F7:03:B8:F4:C0:34:63:D9
Authority Information Access:
CA Issuers - URI:http://rhevm.example.com:8080/ca.crt
X509v3 Authority Key Identifier:
keyid:45:31:B7:BF:3C:D3:D3:7C:03:2F:6B:A6:F7:03:B8:F4:C0:34:63:D9
DirName:/C=US/O=Example Inc./CN=RHEVM CA
serial:00
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
4. Generate a DER version of the CA certificate:
Raw
# openssl x509 \
-in ca.pem \
-out certs/ca.der \
-outform der
5. Regenerate the RHEV-M certificate signing request preserving the existing private key (this is very important in order to avoid having to decrypt/encrypt passwords stored in the database):
Important - replace RHEVM-FQDN and Company Name below
Raw
# openssl req \
-new \
-subj '/C=US/O=Example Inc./CN=RHEVM-FQDN' \
-key keys/rhevm_id_rsa \
-out requests/rhevm.req \
-passin pass:mypass
Note that the -subj option should be the DN of the RHEV-M certificate currently in use.
6. Sign again the RHEV-M certificate, to simplify this the
SignReq.sh script should be used:
Raw
# ./SignReq.sh \
rhevm.req \
rhevm.cer \
1800 \
/etc/pki/rhevm \
`date -d yesterday +%y%m%d%H%M%S+0000` \
mypass
Double check that the generated certificate is correct, visually and with the following command:
Raw
# openssl verify -CAfile ca.pem certs/rhevm.cer
7. Generate also a DER encoded version of the RHEV-M certificate:
Raw
# openssl x509 \
-in certs/rhevm.cer \
-out certs/rhevm.der \
-outform DER
8. Export the RHEV-M private key and certificate to a PKCS12 file:
Raw
# openssl pkcs12 \
-export \
-name rhevm \
-inkey keys/rhevm_id_rsa \
-in certs/rhevm.cer \
-passin pass:mypass \
-out certs/rhevm.pfx \
-passout pass:mypass
9. Regenerate the keystore used by the engine:
Raw
# rm .keystore
# keytool \
-keystore .keystore \
-importkeystore \
-srckeystore certs/rhevm.pfx \
-srcalias rhevm \
-srcstoretype PKCS12 \
-srcstorepass mypass \
-destalias rhevm \
-deststorepass mypass
10. Add the CA certificate to the keystore used by the engine:
Raw
# keytool \
-keystore .keystore \
-storepass mypass \
-import \
-alias cacert \
-file certs/ca.der \
-noprompt
11. Regenerate the truststore used by the engine:
Raw
# rm .truststore
keytool \
-keystore .truststore \
-storepass mypass \
-import \
-alias cacert \
-file certs/ca.der \
-noprompt
12. Copy the new CA certificate to the root web application:
Raw
# cp /var/lib/jbossas/server/rhevm-slimmed/deploy/ROOT.war/ca.crt /var/tmp/
# cp ca.pem /var/lib/jbossas/server/rhevm-slimmed/deploy/ROOT.war/ca.crt
Note: this step is not required for 3.1 environments, since it is using the default location under /etc/pki.
13. Restart jboss EAP to refresh the certificate on it:
Raw
# service jbossas restart
14. Verify RHEV-M operates ok and Admin Portal is accessible.
back to top
II. Host side:
After replacing the certificates on RHEV-M side, it is time to update the hosts.
The best and easiest way to do it is to re-register the host to RHEV-M, so that the registration process will take care of all the certificates recreation.
It is recommended to wipe out the host and reinstall it from scratch before re-registering it to RHEV-M, so that not to have wrong certificates leftovers. Refer to 'How to prepare a RHEV Hypervisor system for re-registration' for details.
Here is the procedure to manually update the host with RHEV-M certificates, but you should not have to follow it and registration process should be enough.
Note: if it is RHEV-H host, you would have to unpersist /etc/pki before the procedure, and persist it back after the end.
1. Backup current certificates on the host. If RHEV-H, copy them to another machine, if RHEL, copy them to /var/tmp:
Raw
/etc/pki/vdsm/certs/cacert.pem
/etc/pki/vdsm/certs/vdsmcert.pem
/etc/pki/vdsm/libvirt-spice/ca-cert.pem
/etc/pki/vdsm/libvirt-spice/server-cert.pem
2. Create a config file named host_ip.conf (192.168.200.101.conf, for example) for openssl:
Raw
# cd /tmp
# touch 192.168.200.101.conf
with content similar to this:
Raw
RANDFILE = ~/.rnd
[ req ]
distinguished_name = req_distinguished_name
prompt = no
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ req_distinguished_name ]
O = Example Inc.
CN = 192.168.200.101
3. Create a certificate signing request using the existing VDSM private key and the configuration file:
Raw
# openssl \
req \
-new \
-key \
/etc/pki/vdsm/keys/vdsmkey.pem \
-out /tmp/192.168.200.101.req \
-config 192.168.200.101.conf
4. Copy the resulting CSR file to RHEV-M, to the /etc/pki/rhevm/requests directory:
Raw
# scp /tmp/192.168.200.101.req root@rhevm-fqdn:/etc/pki/rhevm/requests/
5. In RHEV-M sign the CSR using the SingReq.sh script:
Raw
# cd /etc/pki/rhevm
# ./SignReq.sh \
192.168.200.101.req \
192.168.200.101.cer \
1800 \
/etc/pki/rhevm \
`date -d yesterday +%y%m%d%H%M%S+0000` \
mypass
Verify the generated certificate visually and with the following command:
Raw
# less certs/192.168.200.101.cer
# openssl verify -CAfile ca.pem certs/192.168.200.101.cer
certs/192.168.200.101.cer: OK
6. Replace the CA certificate and the VDSM certificates in the hypervisor with the new ones:
Raw
# cd /etc/pki/rhevm
# scp ca.pem root@192.168.200.101:/etc/pki/vdsm/certs/cacert.pem
# scp ca.pem root@192.168.200.101:/etc/pki/vdsm/libvirt-spice/ca-cert.pem
# scp certs/192.168.200.101.cer root@192.168.200.101:/etc/pki/vdsm/certs/vdsmcert.pem
# scp certs/192.168.200.101.cer root@192.168.200.101:/etc/pki/vdsm/libvirt-spice/server-cert.pem
Verify that the owner and group of the '/etc/pki/vdsm/certs/cacert.pem' and '/etc/pki/vdsm/certs/vdsmcert.pem' files is set to 'vdsm' and 'kvm' respectively, e.g.
Raw
# ls -al
total 10
drwxr-xr-x. 2 vdsm kvm 80 2012-10-11 14:10 .
drwxr-xr-x. 5 vdsm kvm 100 2012-09-27 19:11 ..
-r--r--r--. 1 vdsm kvm 3454 2012-10-11 14:10 cacert.pem
-r--r--r--. 1 vdsm kvm 3574 2012-10-11 14:10 vdsmcert.pem
#
If they are not, then this can be resolved by executing;
Raw
# chown vdsm:kvm /etc/pki/vdsm/certs/cacert.pem
# chown vdsm:kvm /etc/pki/vdsm/certs/vdsmcert.pem
7. On the hypervisor:
Raw
# initctl stop libvirtd
# initctl start libvirtd
# service vdsmd restart
8. Activate the host on the Admin Portal. It should be green and responsive.
back to top
III. The procedure to update the client with new CA is described here:
RHEV: How to reinforce RHEV-M CA and ssl keys installation for https access on a client?
back to top
근본 원인
The RHEV migration tool, among other tasks, copies RHEV-M certificates from the old 2.2 environment to a new 3.0 environment in order to maintain connectivity with 2.2 hosts attached to the system. If the environment was originally migrated from 2.1, then it will preserve the old certificate that does not meet the format required by libvirt on RHEL6. Host registration process will start, libvirt will get vdsm.cert signed by RHEV-M CA, but will fail to start.
How do you know if your RHEV-M CA certificate in the old unsupported format?
On Windows machine go to RHEV Manager installation folder and navigate to:
\RhevManager\service\ca\
- Windows2003: certs\ca.pem
- Windows2008: ca.pem
Old format will not contain all the required 509v3 extensions:
Raw
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://rhevm.gsslab.redhat.com/ca.crt
Compared to the required format:
Raw
X509v3 extensions:
X509v3 Subject Key Identifier:
01:05:F1:EF:5C:F7:FB:D7:2A:F5:2E:51:AC:7B:9A:1A:B7:B3:E1:66
Authority Information Access:
CA Issuers - URI:http://rhevm.gsslab.redhat.com:8080/ca.crt
X509v3 Authority Key Identifier:
keyid:01:05:F1:EF:5C:F7:FB:D7:2A:F5:2E:51:AC:7B:9A:1A:B7:B3:E1:66
DirName:/C=US/O=RedHat/CN=RHEVM CA
serial:01
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Note: There is a private Bugzilla #827361 about RHEV-M 2.2 CA that does not contain all the X509v3 extensions required by RHEL 6.
진단 단계
RHEL6 based host registration will never end and Admin Portal will show the host in Installing stage forever.
Check /var/log/rhevm/rhevm.log:
Raw
2012-06-07 20:01:01,443 INFO [org.ovirt.engine.core.bll.CBCInstaller] (pool-19-thread-49) Installation of 10.12.52.144. Executing oVirt ins
tallation stage. (Stage: Sign certificate request and generate certificate)
2012-06-07 20:01:02,462 ERROR [org.ovirt.engine.core.bll.ApproveVdsCommand] (pool-19-thread-49) Command org.ovirt.engine.core.bll.ApproveVds
Command throw exception java.lang.NullPointerException
Check /var/lib/libvird.log
Raw
2012-06-07 23:55:46.298+0000: 7354: info : libvirt version: 0.9.4, package: 23.el6_2.8 (Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>, 2012-04-09-04:06:12, x86-003.build.bos.redhat.com)
2012-06-07 23:55:46.298+0000: 7354: error : virNetTLSContextCheckCertPair:483 : Our own certificate /etc/pki/vdsm/certs/vdsmcert.pem failed validation against /etc/pki/vdsm/certs/cacert.pem: The certificate is not trusted.
Verify vdsm certificate:
Raw
# cd /etc/pki/vdsm
# openssl verify -CAfile cacert.pem vdsmcert.pem
vdsmcert.pem: O = RedHat, CN = 10.12.52.144
error 7 at 0 depth lookup:certificate signature failure
140513173755720:error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus:rsa_eay.c:742:
140513173755720:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:184:
It is required to clean the status of the host in the DB and remove it from the setup, before proceeding with the procedure.
To update host status on the DB, run the command on RHEV-M server:
Raw
# psql rhevm postgres -c "update vm_dynamic set status='0' where vm_host='Host_name'"
로그인하면 댓글을 남길 수 있습니다.