Security
Connections to the Oracle Linux Virtualization Manager over HTTPS are always encrypted, but by default the Manager presents a certificate signed by its own internal CA, which browsers do not trust. You can instead configure a certificate issued by your organization's CA or a third-party CA, so that users connecting over HTTPS can verify the Manager's identity without certificate warnings.
Using a third-party CA certificate for HTTPS connections does not affect the certificate that is used for authentication between the engine host and KVM hosts. They continue to use the self-signed certificate generated by the Manager.
You can also enable HTTP Strict Transport Security (HSTS), which instructs browsers to use only HTTPS for the Manager's host name and so helps protect against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.
Note:
If you are required to be compliant with the Federal Information Processing Standard (FIPS), you can enable FIPS mode for your Oracle Linux Virtualization Manager deployment. See FIPS Mode Deployment in the Oracle Linux Virtualization Manager: Getting Started.

Replacing the Oracle Linux Virtualization Manager Apache SSL Certificate
Before you begin, obtain a certificate for the Manager from a certificate authority (CA), either your organization's internal CA or a commercial third-party CA. The certificate, its private key and the CA chain are provided as PEM files. The chain must be complete up to the root certificate, and its order is critical: it starts with the intermediate CA certificate that issued the Manager's certificate, continues upward through any further intermediates, and ends with the root certificate.
Caution:
Do not change the permissions and ownerships for the /etc/pki directory or any subdirectories. The permissions for the /etc/pki and /etc/pki/ovirt-engine directories must remain at the default value of 755.
To replace the Oracle Linux Virtualization Manager Apache SSL certificate:
- Copy the new third-party CA certificate to the host-wide trust store and update the trust store (extract is the update-ca-trust mode that regenerates the consolidated trust files).
# cp third-party-ca-cert.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust extract
- Remove the symbolic link at /etc/pki/ovirt-engine/apache-ca.pem. The Engine is configured to use /etc/pki/ovirt-engine/apache-ca.pem, which is a symbolic link to /etc/pki/ovirt-engine/ca.pem, the Manager's internal CA certificate. Removing the link, rather than copying over it, keeps ca.pem untouched; the engine and the KVM hosts still rely on it.
# rm /etc/pki/ovirt-engine/apache-ca.pem
- Copy the CA certificate into the PKI directory for the Manager.
# cp third-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem
- Back up the existing private key and certificate.
# cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
# cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
- Copy the new Apache private key into the PKI directory for the Manager by entering the following command and responding to the prompt. The key must be stored unencrypted (hence the .nopass file name): httpd reads it at start-up without a passphrase.
# cp apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
cp: overwrite /etc/pki/ovirt-engine/keys/apache.key.nopass? y
- Copy the new Apache certificate into the PKI directory for the Manager by entering the following command and responding to the prompt.
# cp apache.cer /etc/pki/ovirt-engine/certs/apache.cer
cp: overwrite /etc/pki/ovirt-engine/certs/apache.cer? y
- Restart the Apache HTTP server (httpd) and the Manager.
# systemctl restart httpd
# systemctl restart ovirt-engine
- Create a new trust store configuration file (or edit the existing one) at /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf by adding the following parameters. This points the engine's own HTTPS client at the system Java trust store, which update-ca-trust regenerates to include the CA certificate added in the first step.
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
- Back up the existing WebSocket proxy configuration file.
# cp /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf.bck
- Edit the WebSocket proxy configuration file at /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf by adding the following parameters, so that the proxy serves the same certificate as httpd.
SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer
SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass
- Restart the ovirt-provider-ovn service.
# systemctl restart ovirt-provider-ovn
- Restart the ovirt-engine service.
# systemctl restart ovirt-engine
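A key that does not belong to the certificate, a chain file in the wrong order, or a key that still carries a passphrase only shows up later, as a failed httpd restart or a browser error. The following added example (not from the Oracle documentation) checks the three files for those problems with the openssl command line before they are copied into /etc/pki/ovirt-engine. The function names check_apache_bundle and name_of are chosen for this illustration, and the check assumes the chain file is the one that will be installed as apache-ca.pem.

```shell
#!/bin/sh
# Pre-flight check for a replacement Apache certificate bundle before it is
# copied into /etc/pki/ovirt-engine. Added example, not part of the Oracle
# documentation; it relies only on the openssl command line.
# Usage: check_apache_bundle apache.cer apache.key third-party-ca-cert.pem
# Prints OK/WARN/FAIL lines; returns 0 when the bundle is usable, 1 otherwise.

# name_of FILE subject|issuer -> the name in RFC 2253 form, e.g. "CN=Example CA"
name_of() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'
}

check_apache_bundle() {
    cert=$1; key=$2; chain=$3
    tmp=$(mktemp -d) || return 1

    # 1. httpd reads apache.key.nopass without a passphrase, so the key must be
    #    unencrypted. An empty -passin succeeds only on an unencrypted key.
    if ! openssl pkey -in "$key" -passin pass: -noout 2>/dev/null; then
        echo "FAIL: $key is encrypted or is not a readable private key"
        rm -rf "$tmp"; return 1
    fi

    # 2. The key must belong to the certificate: compare the public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $cert does not match $key"
        rm -rf "$tmp"; return 1
    fi

    # 3. Split the chain into one file per certificate, preserving its order,
    #    then walk it: each certificate must be the issuer of the previous one,
    #    starting from the server certificate and ending at a self-signed root.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                       n > 0 {print > (dir "/" n ".pem")}' "$chain"
    n=0
    expect=$(name_of "$cert" issuer)
    while [ -f "$tmp/$((n+1)).pem" ]; do
        n=$((n+1))
        subj=$(name_of "$tmp/$n.pem" subject)
        if [ "$subj" != "$expect" ]; then
            echo "FAIL: certificate $n in $chain is '$subj', expected the issuer '$expect'"
            rm -rf "$tmp"; return 1
        fi
        expect=$(name_of "$tmp/$n.pem" issuer)
    done
    if [ "$n" -eq 0 ]; then
        echo "FAIL: no certificates found in $chain"; rm -rf "$tmp"; return 1
    fi
    if [ "$subj" != "$expect" ]; then
        echo "FAIL: $chain does not end at a self-signed root (last issuer is '$expect')"
        rm -rf "$tmp"; return 1
    fi

    # 4. Let openssl check the signatures along the path, trusting only the chain file.
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: openssl verify rejected $cert against $chain"
        rm -rf "$tmp"; return 1
    fi

    # 5. Warn, but do not fail, if the certificate expires within 30 days.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || echo "WARN: $cert expires within 30 days"

    rm -rf "$tmp"
    echo "OK: $cert, $key and $chain are consistent"
    return 0
}
```

Run it with the three files obtained from the CA before the copy steps above; a FAIL line names the first problem found, so fix it and rerun until the OK line appears.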
Enabling HTTP Strict Transport Security
To enable HTTP Strict Transport Security, complete the following steps. Two points to keep in mind: browsers apply an HSTS policy to the host name as a whole and ignore the header when it arrives over plain HTTP, so the header sent by httpd on port 443 is what protects users, while the edits to the other three services make the header present on every TLS listener (the Oracle bug reference below notes that it was added for security scans). Those three edits also modify files installed by RPM packages (ovirt-imageio, the Python standard library and WebOb), so a package update reverts them; re-apply and re-check them after updating.
- For the ovirt-engine service port 443, create a configuration file for httpd in a directory that httpd includes (such as /etc/httpd/conf.d/), for example:
# cat ovirt-enable-strict-transport-security.conf
LoadModule headers_module modules/mod_headers.so
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
# systemctl restart httpd
- For the ovirt-imageio service port 54323, add the header to the default headers of the Response class in the _internal/http.py file, then restart the service and confirm with curl that the header is returned (the 404 status is expected; only the header matters here):
# vi /usr/lib64/python3.6/site-packages/ovirt_imageio/_internal/http.py
class Response:

    def __init__(self, con):
        self._con = con
        self.status_code = OK
        self.headers = Headers({"content-length": 0,
                                "Strict-Transport-Security": "max-age=31536000"})
        self._started = False
# systemctl restart ovirt-imageio
# curl -s -I -k https://localhost:54323
HTTP/1.1 404 Not Found
server: imageio/2.4.7
date: Wed, 13 Sep 2023 16:56:45 GMT
content-length: 19
Strict-Transport-Security: max-age=31536000
content-type: text/plain; charset=UTF-8
- For the ovirt-provider-ovn service port 35357, add the header in send_response in the Python standard library server.py file. Because this file is the standard library's http.server module, every Python 3.6 program on the host that uses it will send the header, not only ovirt-provider-ovn. Restart the service and confirm with curl (the 501 status for HEAD is expected; only the header matters here):
# vi /usr/lib64/python3.6/http/server.py
    def send_response(self, code, message=None):
        """Add the response header to the headers buffer and log the
        response code.

        Also send two standard headers with the server software
        version and the current date.

        """
        self.log_request(code)
        self.send_response_only(code, message)
        self.send_header('Server', self.version_string())
        self.send_header('Date', self.date_time_string())
        # Oracle Bug-33308887: added below header for security scans
        self.send_header("Strict-Transport-Security", "max-age=31536000")
# systemctl restart ovirt-provider-ovn
# curl -s -I -k https://localhost:35357
HTTP/1.0 501 Unsupported method ('HEAD')
Server: BaseHTTP/0.6 Python/3.6.8
Date: Wed, 13 Sep 2023 17:34:32 GMT
Strict-Transport-Security: max-age=31536000
Connection: close
Content-Type: application/json
Content-Length: 137
- For the ovirt-websocket-proxy service port 6100, append the header to the header list initialised in the WebOb response.py file, then restart the service and confirm with curl (the 405 status is expected; only the header matters here):
# vi /usr/lib/python3.6/site-packages/webob/response.py
        # Initialize headers
        self._headers = None
        if headerlist is None:
            self._headerlist = []
        else:
            self._headerlist = headerlist
        self._headerlist.append(('Strict-Transport-Security', 'max-age=31536000'))
# systemctl restart ovirt-websocket-proxy
# curl -s -I -k https://localhost:6100
HTTP/1.1 405 Method Not Allowed
Server: WebSockify Python/3.6.8
Date: Wed, 13 Sep 2023 18:31:12 GMT
Strict-Transport-Security: max-age=31536000
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 472
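Once all four services have been restarted, and again after any package update, the header should be checked on every listener at once rather than one curl at a time, and its value should be checked as well as its presence. The following added example (not from the Oracle documentation) does that with the same curl -s -I -k request used above. The names hsts_policy_check, hsts_probe and audit_hsts are chosen for this illustration, and treating a missing includeSubDomains as a warning rather than a failure is a choice made here, since only the port 443 configuration above sets it.

```shell
#!/bin/sh
# Audit the Strict-Transport-Security (HSTS) header on every TLS listener that
# the procedure above patches. Added example, not part of the Oracle
# documentation. Ports are the ones named above: httpd 443, ovirt-imageio
# 54323, ovirt-provider-ovn 35357 and ovirt-websocket-proxy 6100.
MIN_MAX_AGE=31536000   # one year; shorter policies lapse too quickly to be useful

# hsts_policy_check VALUE
# Evaluates one header value such as "max-age=63072000; includeSubDomains".
# Prints an OK, WARN or FAIL line with a reason; returns 1 only for FAIL.
hsts_policy_check() {
    # Directive names and values are case-insensitive; drop spaces and quotes.
    norm=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' "')
    max_age=$(printf '%s' "$norm" | tr ';' '\n' \
              | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)
    if [ -z "$max_age" ]; then
        echo "FAIL: missing or malformed max-age in '$1'"; return 1
    fi
    # max-age=0 tells browsers to delete the policy; small values expire quickly.
    if [ "$max_age" -lt "$MIN_MAX_AGE" ]; then
        echo "FAIL: max-age=$max_age is below $MIN_MAX_AGE seconds"; return 1
    fi
    case "$norm" in
        *includesubdomains*) echo "OK: max-age=$max_age with includeSubDomains" ;;
        *) echo "WARN: max-age=$max_age but includeSubDomains is not set" ;;
    esac
    return 0
}

# hsts_probe HOST PORT
# Same request as the manual checks above, then evaluates the header value.
# A closed port or a response without the header produces a FAIL.
hsts_probe() {
    value=$(curl -s -I -k --max-time 5 "https://$1:$2/" | tr -d '\r' \
            | grep -i '^strict-transport-security:' | head -n 1 \
            | cut -d: -f2- | sed 's/^ *//')
    printf '%s:%s ' "$1" "$2"
    hsts_policy_check "$value"
}

# audit_hsts [HOST]
# Probes all four listeners (default host: localhost); returns 1 if any fails.
audit_hsts() {
    host=${1:-localhost}
    rc=0
    for port in 443 54323 35357 6100; do
        hsts_probe "$host" "$port" || rc=1
    done
    return $rc
}
```

Run audit_hsts on the Manager host after the restarts; a FAIL on one port means that service's edit is missing or has been reverted, and a WARN on the three non-httpd ports is expected with the max-age=31536000 values shown above.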