E.3. Enabling encrypted VNC consoles for FIPS

You can set up encrypted VNC consoles to work with a Red Hat Virtualization (RHV) Manager and hosts that have FIPS enabled.

To set up encrypted VNC consoles, you complete the following procedures:

Configuring the cluster to enable VNC Encryption

Procedure

  1. In the Administration Portal, click ComputeClusters.
  2. Select the cluster where you plan to enable VNC encryption and click Edit. The Edit Cluster window opens.
  3. Select the Console tab.
  4. Select the Enable VNC Encryption checkbox and click OK.

Running the VNC SASL Ansible playbook for each host

Procedure

  1. In the Administration Portal, put the hosts you created with FIPS enabled into maintenance mode:

    1. In the Administration Portal, click ComputeHosts.
    2. In the Virtual Machines column, verify that each host has zero virtual machines. Perform a live migration to remove all virtual machines from any hosts where necessary. For details, see Migrating Virtual Machines Between Hosts
    3. Select each host and click ManagementMaintenance and OK.
  2. Connect to the command line of the machine where the Manager is running.

    • If the Manager is running on a stand-alone machine, connect to that machine’s command line. For example, enter:

      # ssh root@rhvm
    • If the Manager is running as a self-hosted engine, use ComputeVirtual Machines to select the self-hosted engine virtual machine, named HostedEngine by default, and click Console.
  3. On the Manager machine, run the VNC SASL ansible playbook for each host.

    # cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
    # ansible-playbook --ask-pass --inventory=<hostname>, ovirt-vnc-sasl.yml

    For <hostname>, enter the complete Hostname shown on ComputeHosts.

  4. Select the host and click InstallationReinstall.
  5. After reinstallation, select the host and click ManagementRestart.
  6. After rebooting, select the host and click ManagementActivate.

Troubleshooting

When running the VNC SASL Ansible playbook, the task might fail with the following error message:

Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host’s fingerprint to your known_hosts file to manage this host.

To solve this problem, disable host key checking by doing one of the following:

  • Disable host key checking permanently by uncommenting the following line in /etc/ansible/ansible.cfg:

    #host_key_checking = False
  • Disable host key checking temporarily by running the following command:

    export ANSIBLE_HOST_KEY_CHECKING=False.

Configuring the Remote Viewer to trust the Manager’s CA certificate

Configure the Remote Viewer console on your client machine, virt-viewer or remote-viewer, to trust the RHV Manager’s certificate authority (CA)

Procedure

  1. Navigate to https://<engine_address>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA.
  2. Enable all the trust settings.
  3. On the client machine where you plan to run the VNC console, create a directory for the certificate file:

    $ mkdir ~/.pki/CA
    Warning

    If this step generates an error such as mkdir: cannot create directory ‘/home/example_user/.pki/CA’: File exists, take precautions to avoid overwriting ~/.pki/CA/cacert.pem in the next step. For example, include the current date in the filename.

  4. Download the certificate:

    $ curl -k -o ~/.pki/CA/cacert-<today’s date>.pem '\https://<engine_address>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA'
  5. Install the certificate authority in your browser:

Install the SASL SCRAM libraries on the client machine:

$ sudo dnf install cyrus-sasl-scram

Verification steps

  1. Run a virtual machine on one of the FIPS-enabled hosts you created.
  2. Connect to the virtual machine using a VNC console.