E.2. Setting Up SSL or TLS Connections between the Manager and an LDAP Server

To set up a secure connection between the Red Hat Enterprise Virtualization Manager and an LDAP server, obtain the LDAP server's root CA certificate and import it into a public keystore file on the Manager; the Manager uses this keystore to verify the certificate the LDAP server presents. The following procedure uses the Java KeyStore (JKS) format, but the keystore type can be any that Java supports.

Note

For more information on creating a keystore file and importing certificates, see the X.509 CERTIFICATE TRUST STORE section of the README file at /usr/share/doc/ovirt-engine-extension-aaa-ldap-version.

Obtain the LDAP server's root CA certificate and copy it to the Manager's /tmp directory, then use the following procedure to create a public keystore file on the Manager. Update the LDAP property configuration file with the public keystore file details.

Procedure E.2. Creating a Keystore File

  1. On the Red Hat Enterprise Virtualization Manager, import the certificate and create a public keystore file. The following command imports the root CA certificate at /tmp/myrootca.pem, and creates a public keystore file myrootca.jks under /etc/ovirt-engine/aaa/.
    $ keytool -importcert -noprompt -trustcacerts -alias myrootca -file /tmp/myrootca.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass changeit
  2. Update the /etc/ovirt-engine/aaa/profile1.properties file with the keystore file information.

    Note

    ${local:_basedir} is the directory where the LDAP property configuration file resides and points to the /etc/ovirt-engine/aaa directory. If you created the public keystore file in a different directory, replace ${local:_basedir} with the full path to the public keystore file.
    • To use startTLS (recommended):
      # Create keystore, import certificate chain and uncomment
      pool.default.ssl.startTLS = true
      pool.default.ssl.truststore.file = ${local:_basedir}/myrootca.jks
      pool.default.ssl.truststore.password = changeit
    • To use SSL:
      # Create keystore, import certificate chain and uncomment
      pool.default.serverset.single.port = 636
      pool.default.ssl.enable = true
      pool.default.ssl.truststore.file = ${local:_basedir}/myrootca.jks
      pool.default.ssl.truststore.password = changeit
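A consistency check for the two profile variants above, written as an added example (it is not part of the Red Hat documentation or of the ovirt-engine-extension-aaa-ldap project). It assumes only the property keys shown in the procedure, resolves ${local:_basedir} to the directory holding the properties file as the Note describes, and assumes that keytool -list reports an imported CA as a trustedCertEntry.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): sanity-check an aaa-ldap
# profile such as /etc/ovirt-engine/aaa/profile1.properties before restarting
# the engine. Only the keys shown in Procedure E.2 are inspected.

# Print the trimmed value of key $1 from properties file $2 (first match).
prop() {
    awk -v k="$1" '
        /^[ \t]*#/ || !/=/ { next }                       # skip comments and non-assignments
        { key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (key == k) { val = $0; sub(/^[^=]*=/, "", val)
                          gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit } }' "$2"
}

# Return 0 when the TLS settings match one of the two variants in the text,
# otherwise print the first problem found and return 1.
check_ldap_tls_profile() {
    f=$1; basedir=$(dirname "$f"); prefix='${local:_basedir}/'
    starttls=$(prop pool.default.ssl.startTLS "$f")
    ssl=$(prop pool.default.ssl.enable "$f")
    port=$(prop pool.default.serverset.single.port "$f")
    store=$(prop pool.default.ssl.truststore.file "$f")
    pass=$(prop pool.default.ssl.truststore.password "$f")
    if [ "$starttls" = true ] && [ "$ssl" = true ]; then
        echo "startTLS and ssl.enable are both set; choose one variant"; return 1
    fi
    if [ "$starttls" != true ] && [ "$ssl" != true ]; then
        echo "neither startTLS nor ssl.enable is set; LDAP traffic would be cleartext"; return 1
    fi
    # The SSL variant in the text switches the server port to LDAPS (636).
    if [ "$ssl" = true ] && [ "$port" != 636 ]; then
        echo "ssl.enable is set but serverset.single.port is '$port', expected 636"; return 1
    fi
    # Resolve ${local:_basedir} to the directory of the properties file.
    case $store in
        "$prefix"*) store="$basedir/${store#"$prefix"}" ;;
    esac
    [ -n "$store" ] || { echo "truststore.file is not set"; return 1; }
    [ -r "$store" ] || { echo "truststore '$store' is missing or unreadable"; return 1; }
    [ -n "$pass" ] || { echo "truststore.password is not set"; return 1; }
    echo "ok: $store"
}

# Optional, needs the JDK: confirm the keystore opens with that password and
# holds a trusted certificate under the alias used in step 1 (myrootca).
check_truststore() {
    keytool -list -keystore "$1" -storepass "$2" -alias "${3:-myrootca}" 2>/dev/null \
        | grep -q trustedCertEntry
}

if [ "$#" -gt 0 ]; then check_ldap_tls_profile "$1"; fi
```

Run it as sh check.sh /etc/ovirt-engine/aaa/profile1.properties; a non-zero exit with a reason means the profile would not give the engine a verified TLS connection.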
To continue configuring a generic LDAP provider, see Section 17.2.2, “Configuring a Generic LDAP Provider”. To continue configuring LDAP and Kerberos for Single Sign-on, see Section 17.2.3.1, “Configuring LDAP and Kerberos for Single Sign-on”.