Chapter 2. Authentication and Security

This chapter describes how API users are authorized through the security mechanisms of the Red Hat Enterprise Virtualization Manager.

2.1. TLS/SSL Certification

The API requires Hypertext Transfer Protocol Secure (HTTPS) [1] for secure transport-level encryption of requests. To use it, obtain a certificate from your Red Hat Enterprise Virtualization Manager server and import it into your client's certificate store.

Procedure 2.1. Attain a certificate

This procedure obtains a certificate from the Red Hat Enterprise Virtualization Manager and transfers it to the client machine. Use one of three methods:
  1. Method 1 - Use a command line tool to download the certificate from the server. Examples of command line tools include cURL and Wget; both are available for multiple platforms.
    1. If using cURL:
      curl -o rhevm.cer http://[rhevm-server]:8080/ca.crt
    2. If using Wget:
      wget -O rhevm.cer http://[rhevm-server]:8080/ca.crt
  2. Method 2 - Use a web browser to navigate to the certificate located at:
    Depending on the chosen browser, the certificate either downloads or imports into the browser's keystore.
    1. If the browser downloads the certificate: save the file as rhevm.cer.
    2. If the browser imports the certificate: export it from the browser's certification options and save it as rhevm.cer.
  3. Method 3 - Access your Red Hat Enterprise Virtualization Manager server either physically or through a secure shell (SSH) client, export the certificate from the server's keystore and copy it to your client machine.
    1. Access your Red Hat Enterprise Virtualization Manager server as the root user.
    2. Export a certificate from the server's keystore using the Java keytool management utility:
      keytool -exportcert -keystore /etc/pki/rhevm/.keystore -alias rhevm -storepass mypass -file rhevm.cer
      This creates a certificate file called rhevm.cer.
    3. Copy the certificate to the client machine using the scp command:
      scp rhevm.cer [username]@[client-machine]:[directory]
Each of the three methods results in a certificate file named rhevm.cer on your client machine. An API user imports this file into the client's certificate store.
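
Method 1 downloads the certificate over plain HTTP, so nothing authenticates the file in transit. The following added example (not part of the original guide or of Red Hat's tooling) compares rhevm.cer with a SHA-256 fingerprint before it is imported; the function names and the existence of a reference fingerprint obtained over a trusted channel are assumptions.

```bash
# Added example: check rhevm.cer against a reference SHA-256 fingerprint
# obtained over a trusted channel (assumed to exist; not defined by the guide).
# Usage: verify_cert rhevm.cer "<reference fingerprint, hex, colons optional>"

# Print the SHA-256 of the certificate's DER bytes as lowercase hex.
# Accepts a PEM file (the first CERTIFICATE block is used) or a raw DER file.
cert_fingerprint() {
    local file=$1 der rc
    [ -r "$file" ] || return 2
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
        der=$(mktemp) || return 2
        # Keep only the base64 body of the first block, then decode it to DER.
        if awk '/-----BEGIN CERTIFICATE-----/{on=1; next}
                /-----END CERTIFICATE-----/{exit}
                on' "$file" | tr -d ' \r\n' | base64 -d > "$der" 2>/dev/null \
           && [ -s "$der" ]; then
            sha256sum < "$der" | cut -d' ' -f1
            rc=0
        else
            rc=3    # malformed or empty PEM body
        fi
        rm -f "$der"
        return "$rc"
    fi
    sha256sum < "$file" | cut -d' ' -f1
}

# Return 0 only if the file's fingerprint equals the reference value.
# Returns 1 on mismatch, 2 on an unreadable file or malformed reference.
verify_cert() {
    local file=$1 expected actual
    # Normalise the reference: drop colons and spaces, lowercase the hex.
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    [ ${#expected} -eq 64 ] || return 2
    actual=$(cert_fingerprint "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the reference fingerprint"
    else
        echo "MISMATCH: $file is $actual, expected $expected" >&2
        return 1
    fi
}
```

Run the comparison before importing the file in Procedure 2.2, and do not import a file that reports a mismatch.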

Procedure 2.2. Import a certificate to your client

  • How you import the certificate depends on how the client itself stores and interprets certificates. This guide contains an example of importing into a Java keystore in Appendix B, Java Keystores. For other clients, refer to your client documentation for more information on importing a certificate.

[1] HTTPS is described in RFC 2818 HTTP Over TLS.