E.3. Enabling encrypted VNC consoles for FIPS

You can set up encrypted VNC consoles to work with a Red Hat Virtualization (RHV) Manager and hosts that have FIPS enabled.

To set up encrypted VNC consoles, you complete the following procedures:

E.3.1. Configuring the cluster to enable VNC Encryption


  • FIPS must be enabled on the cluster.


  1. In the Administration Portal, click ComputeClusters.
  2. Select the cluster where you plan to enable VNC encryption and click Edit. The Edit Cluster window opens.
  3. Select the Console tab.
  4. Select the Enable VNC Encryption checkbox and click OK.

E.3.2. Running the VNC SASL Ansible playbook for each host


  1. In the Administration Portal, put the FIPS-enabled hosts into maintenance mode:

    1. Click ComputeHosts.
    2. In the Virtual Machines column, verify that each host has zero virtual machines.

      Perform a live migration to remove virtual machines from hosts, if necessary. See Migrating Virtual Machines Between Hosts.

    3. Select each host and click ManagementMaintenance and OK.
  2. Connect to the command line of the machine where the Manager is running.

    • Standalone Manager:

      # ssh root@rhvm
    • Self-hosted engine: Click ComputeVirtual Machines to select the self-hosted engine virtual machine, named HostedEngine by default, and then click Console.
  3. Run the VNC SASL Ansible playbook for each host:

    # cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
    # ansible-playbook --ask-pass --inventory=<hostname> ovirt-vnc-sasl.yml <1>
    Specify the Hostname displayed on ComputeHosts.
  4. Select the host and click InstallationReinstall.
  5. After reinstallation, select the host and click ManagementRestart.
  6. After rebooting, select the host and click ManagementActivate.
VNC SASL Ansible playbook error message

When running the VNC SASL Ansible playbook, the task might fail with the following error message:

Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.  Please add this host’s fingerprint to your known_hosts file to manage this host.

To solve this problem, disable host key checking by doing one of the following:

  • Disable host key checking permanently by uncommenting the following line in /etc/ansible/ansible.cfg:

    #host_key_checking = False
  • Disable host key checking temporarily by running the following command:


E.3.3. Configuring the Remote Viewer to trust the Manager’s CA certificate

Configure the Remote Viewer console on your client machine, virt-viewer or remote-viewer, to trust the RHV Manager’s certificate authority (CA)


  1. Navigate to https://<engine_address>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA.
  2. Enable all the trust settings.
  3. On the client machine where you plan to run the VNC console, create a directory for the certificate file:

    $ mkdir ~/.pki/CA

    If this step generates an error such as mkdir: cannot create directory ‘/home/example_user/.pki/CA’: File exists, take precautions to avoid overwriting ~/.pki/CA/cacert.pem in the next step. For example, include the current date in the filename.

  4. Download the certificate:

    $ curl -k -o ~/.pki/CA/cacert-<today’s date>.pem '\https://<engine_address>/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA'
  5. Install the certificate authority in your browser:

  6. Install the SASL SCRAM libraries on the client machine:

    $ sudo dnf install cyrus-sasl-scram

Verification steps

  1. Run a virtual machine on one of the FIPS-enabled hosts you created.
  2. Connect to the virtual machine using a VNC console.