Security

You can encrypt communications by configuring your organization’s third-party CA certificate to identify the Oracle Linux Virtualization Manager to users connecting over HTTPS.

Using a third-party CA certificate for HTTPS connections does not affect the certificate that is used for authentication between the engine host and KVM hosts. They continue to use the self-signed certificate generated by the Manager.

You can also enable HTTP Strict Transport Security (HSTS) to help protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

Note:

If you are required to be compliant with the Federal Information Processing Standard (FIPS), you can enable FIPS mode for your Oracle Linux Virtualization Manager deployment. See FIPS Mode Deployment in the Oracle Linux Virtualization Manager: Getting Started.

Replacing the Oracle Linux Virtualization Manager Apache SSL Certificate

Before you begin, you must obtain a third-party CA certificate, which is a digital certificate issued by a certificate authority (CA). The certificate is provided as a PEM file. The certificate chain must be complete up to the root certificate. The chain's order is critical and must run from the last intermediate certificate to the root certificate.

Caution:

Do not change the permissions and ownerships for the /etc/pki directory or any subdirectories. The permission for the /etc/pki and /etc/pki/ovirt-engine directories must remain as the default value of 755.

To replace the Oracle Linux Virtualization Manager Apache SSL Certificate:

  1. Copy the new third-party CA certificate to the host-wide trust store and update the trust store.

    # cp third-party-ca-cert.pem /etc/pki/ca-trust/source/anchors/
    # update-ca-trust export
  2. Remove the symbolic link to /etc/pki/ovirt-engine/apache-ca.pem.

    The Engine has been configured to use /etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to /etc/pki/ovirt-engine/ca.pem.

    # rm /etc/pki/ovirt-engine/apache-ca.pem 
  3. Copy the CA certificate into the PKI directory for the Manager.

    # cp third-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem 
  4. Back up the existing private key and certificate.

    # cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
    # cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
  5. Copy the new Apache private key into the PKI directory for the Manager by entering the following command and respond to the prompt.

    # cp apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
    cp: overwrite /etc/pki/ovirt-engine/keys/apache.key.nopass? y
  6. Copy the new Apache certificate into the PKI directory for the Manager by entering the following command and respond to the prompt.

    # cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer 
    cp: overwrite /etc/pki/ovirt-engine/certs/apache.cer? y
  7. Restart the Apache HTTP server (httpd) and the Manager.

    # systemctl restart httpd
    # systemctl restart ovirt-engine
  8. Create a new trust store configuration file (or edit the existing one) at /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf by adding the following parameters.

    ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts" 
    ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""  
  9. Back up the existing Websocket configuration file.

    # cp /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf /etc/ovirt-engine/ \
    ovirt-websocket-proxy.conf.d/10-setup.conf.bck
  10. Edit the Websocket configuration file at /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf by adding the following parameters.

    SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer 
    SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
  11. Restart the ovirt-provider-ovn service.

    # systemctl restart ovirt-provider-ovn
  12. Restart the ovirt-engine service.

    # systemctl restart ovirt-engine

Enabling HTTP Strict Transport Security

To enable HTTP Strict Transport Security, complete the following steps.

  1. For the ovirt-engine service port 443, create a configuration file for httpd, for example:
    # cat ovirt-enable-strict-transport-security.conf
    LoadModule headers_module modules/mod_headers.so
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    </IfModule>
     
    # systemctl restart httpd
  2. For the ovirt-imageio service port, modify the _internal/http.py file:

    # vi /usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/http.py

    class Response:

        def __init__(self, con):
            self._con = con
            self.status_code = OK
            self.headers = Headers({"content-length": 0, "Strict-Transport-Security": "max-age=31536000"})
            self._started = False

    # systemctl restart ovirt-imageio

    # curl -s -I -k https://localhost:54323
    HTTP/1.1 404 Not Found
    server: imageio/2.4.7
    date: Wed, 13 Sep 2023 16:56:45 GMT
    content-length: 19
    Strict-Transport-Security: max-age=31536000
    content-type: text/plain; charset=UTF-8
  3. For the ovirt-provider-ovn service port, modify the server.py file:

    # vi /usr/lib64/python3.6/http/server.py

        def send_response(self, code, message=None):
            """Add the response header to the headers buffer and log the
            response code.

            Also send two standard headers with the server software
            version and the current date.

            """
            self.log_request(code)
            self.send_response_only(code, message)
            self.send_header('Server', self.version_string())
            self.send_header('Date', self.date_time_string())
            # Oracle Bug-33308887: added below header for security scans
            self.send_header("Strict-Transport-Security", "max-age=31536000")

    # systemctl restart ovirt-provider-ovn

    # curl -s -I -k https://localhost:35357
    HTTP/1.0 501 Unsupported method ('HEAD')
    Server: BaseHTTP/0.6 Python/3.6.8
    Date: Wed, 13 Sep 2023 17:34:32 GMT
    Strict-Transport-Security: max-age=31536000
    Connection: close
    Content-Type: application/json
    Content-Length: 137
  4. For the ovirt-websocket-proxy service port, modify the response.py file:

    # vi /usr/lib/python3.6/site-packages/webob/response.py

            # Initialize headers
            self._headers = None
            if headerlist is None:
                self._headerlist = []
            else:
                self._headerlist = headerlist
            self._headerlist.append(('Strict-Transport-Security', 'max-age=31536000'))

    # systemctl restart ovirt-websocket-proxy

    # curl -s -I -k https://localhost:6100
    HTTP/1.1 405 Method Not Allowed
    Server: WebSockify Python/3.6.8
    Date: Wed, 13 Sep 2023 18:31:12 GMT
    Strict-Transport-Security: max-age=31536000
    Connection: close
    Content-Type: text/html;charset=utf-8
    Content-Length: 472
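Each of the curl checks above confirms one port by eye. The following is an added example, not part of the Oracle documentation, that applies the same check programmatically: it parses the Strict-Transport-Security header out of raw `curl -I` style output (header names are case-insensitive, and ovirt-imageio emits them in lower case), then flags a missing header or a max-age below one year, the threshold most security scanners expect. The sample responses are constructed from the header blocks shown above plus one for a hypothetical port that has not been modified yet; the port 443 sample, the port 9999 sample and the one-year threshold are assumptions.

```python
"""Audit Strict-Transport-Security headers in raw HTTP response header blocks.

Added example; it is not code from the Oracle Linux Virtualization Manager
project. It only parses text, so it runs offline against the constructed
samples below or against the output of `curl -s -I -k https://host:port`.
"""

ONE_YEAR_SECONDS = 31536000  # assumed minimum max-age, as used in the service patches

# Constructed sample responses (status line plus headers, CRLF-terminated),
# modelled on the curl output shown for the service ports.
SAMPLE_RESPONSES = {
    "https://localhost:443": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "https://localhost:54323": (
        "HTTP/1.1 404 Not Found\r\n"
        "server: imageio/2.4.7\r\n"
        "content-length: 19\r\n"
        "Strict-Transport-Security: max-age=31536000\r\n"
        "content-type: text/plain; charset=UTF-8\r\n\r\n"
    ),
    # Hypothetical port whose service has not been patched yet.
    "https://localhost:9999": (
        "HTTP/1.1 200 OK\r\n"
        "Server: example\r\n\r\n"
    ),
}


def parse_headers(raw):
    """Return the header block of a raw HTTP response as a lower-cased dict.

    The status line is skipped and the first blank line ends the block.
    Header names are folded to lower case because they are case-insensitive.
    """
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives.

    Directives are ';'-separated; a directive without '=' (includeSubDomains,
    preload) maps to True, otherwise to its string value.
    """
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, sep, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def check_hsts(raw, min_age=ONE_YEAR_SECONDS):
    """Return (ok, reason) for one raw response header block."""
    value = parse_headers(raw).get("strict-transport-security")
    if value is None:
        return False, "header missing"
    directives = parse_hsts(value)
    age = directives.get("max-age")
    if age is None or not str(age).isdigit():
        return False, "max-age missing or not numeric"
    if int(age) < min_age:
        return False, f"max-age {age} below {min_age}"
    suffix = " (includeSubDomains)" if "includesubdomains" in directives else ""
    return True, "ok" + suffix


def audit(responses):
    """Run check_hsts over a {url: raw_response} mapping."""
    return {url: check_hsts(raw) for url, raw in responses.items()}


if __name__ == "__main__":
    for url, (ok, reason) in audit(SAMPLE_RESPONSES).items():
        print(f"{'PASS' if ok else 'FAIL'} {url}: {reason}")
```

To use it against a live Manager, capture each port's output with `curl -s -I -k https://host:port` and pass the text to `check_hsts`; a FAIL on any of the four ports means that service's change above has not taken effect (or the service was not restarted).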