Chapter 2. Authentication and Security
2.1. TLS/SSL Certification
Procedure 2.1. Obtaining a Certificate
- Method 1 - Use a command line tool to download the certificate from the Manager. Examples of command line tools include cURL and Wget, both of which are available on multiple platforms.
- If using cURL:
$ curl -o rhvm.cer http://[manager-fqdn]/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
- If using Wget:
$ wget -O rhvm.cer http://[manager-fqdn]/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
- Method 2 - Use a web browser to navigate to the certificate located at:
http://[manager-fqdn]/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CADepending on the chosen browser, the certificate either downloads or imports into the browser's keystore.
- If the browser downloads the certificate: save the file as
rhvm.cer.If the browser imports the certificate: export it from the browser's certification options and save it as
- Method 3 - Log in to the Manager, export the certificate from the truststore and copy it to your client machine.
- Log in to the Manager as the
- Export the certificate from the truststore using the Java keytool management utility:
$ keytool -exportcert -keystore /etc/pki/ovirt-engine/.truststore -alias cacert -storepass mypass -file rhvm.cerThis creates a certificate file called
- Copy the certificate to the client machine using the
$ scp rhvm.cer [username]@[client-machine]:[directory]
rhvm.ceron your client machine. An API user imports this file into the certificate store of the client.
Procedure 2.2. Importing a Certificate to a Client
- Importing a certificate to a client relies on how the client itself stores and interprets certificates. This guide contains some examples on importing certificates. For clients not using Network Security Services (NSS) or Java KeyStore (JKS), see your client documentation for more information on importing a certificate.