hello
I think If our engine want to talk to vdsm, we need generate certs for host
in engine, so [1] is our shell script for genrating certs, see at the red codes,
we need these steps: a) generate vdsmkey b) generate request c) issue certs
for vdsm d) import and store vdsmCerts to .truststore; then our engine can
talk to vdsm by ssl. but if we do not reload sslContext in [2], the old
.truststore is still used, so we still cannot talk to the new vdsm.
[1]
#!/bin/bash
CA_DAYS="3650"
KEYTOOL="keytool"
password="mypass"
PKIDIR="/etc/linxVirt/linx-pki"
subject="/C=CN/O=Linx/CN=engine.16988"
function genEngineCerts() {
cd "${PKIDIR}"
rm -rf client/
rm -rf private/
rm -rf keys/
rm -rf requests/
rm -rf certs/
rm .truststore
mkdir client/
mkdir private/
mkdir keys/
mkdir requests/
mkdir certs/
rm database.txt*
#openssl
echo 1000 > "${PKIDIR}/serial.txt" || die "Cannot write to serial.txt"
touch "${PKIDIR}/database.txt" "${PKIDIR}/.rnd" || die "Cannot write to
database.txt"
#生成CA根证书
touch "${PKIDIR}/private/ca.pem"
chmod o-rwx "${PKIDIR}/private/ca.pem" || die "Cannot set CA permissions"
openssl genrsa \
-out "${PKIDIR}/private/ca.pem" \
2048 \
|| die "Cannot generate CA key"
openssl req \
-batch \
-config "${PKIDIR}/cacert.conf" \
-new \
-key "${PKIDIR}/private/ca.pem" \
-out "${PKIDIR}/requests/ca.csr" \
-subj "${subject}" \
|| die "Cannot generate CA request"
(
cd "${PKIDIR}"
openssl ca \
-batch \
-config openssl.conf \
-extfile cacert.conf \
-extensions v3_ca \
-in requests/ca.csr \
-out ca.pem \
-keyfile private/ca.pem \
-selfsign \
-subj "${subject}" \
-utf8 \
-days "${CA_DAYS}" \
-startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"
) || die "Cannot enroll CA certificate"
# 签发engine证书
openssl genrsa \
-out keys/engine_id_rsa 2048
openssl req \
-new \
-out requests/engine.req \
-key keys/engine_id_rsa \
-subj "${subject}"
openssl ca \
-batch \
-config openssl.conf \
-extfile cacert2.conf \
-extensions v3_ca \
-in requests/engine.req \
-out certs/engine.cer \
-keyfile private/ca.pem \
-subj "${subject}" \
-utf8 \
-days "3650" \
-startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"
openssl pkcs12 \
-export \
-in certs/engine.cer \
-inkey keys/engine_id_rsa \
-passin pass:mypass \
-password pass:mypass \
-out keys/engine.p12
}
function genVdsmCerts() {
cd "${PKIDIR}"
#issue certs for vdsm
openssl genrsa \
-out client/vdsmkey.pem 2048
openssl req \
-new \
-out requests/$1.req \
-key client/vdsmkey.pem \
-subj "${subject}"
openssl ca \
-batch \
-config openssl.conf \
-extfile cacert2.conf \
-extensions v3_ca \
-in requests/$1.req \
-out certs/$1.cer \
-keyfile private/ca.pem \
-subj /O=Linx/CN=$1 \
-utf8 \
-days "3650" \
-startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"
cp ca.pem client/cacert.pem
cp certs/$1.cer client/vdsmcert.pem
cp install.sh client
#生成engine信任证书集
keytool -import -noprompt -trustcacerts -alias $1$(date --utc --date "now
+1 days" +"%y%m%d%H%M%SZ")$(cat /dev/urandom | head -n 10 | md5sum | head -c
10) -keypass mypass -file certs/$1.cer -keystore .truststore -storepass mypass
}
case $1 in
"engine")
genEngineCerts
echo "generate engine certs succeed!...."
;;
"vdsm")
if [ $# -ne 2 ]; then
echo "Usage:"
echo "$0 engine generate base certs in engine"
echo "$0 vdsm vdsmIp issue certs for vdsm"
else
genVdsmCerts $2
echo "generate vdsm certs succeed!...."
fi
;;
*)
echo "Usage:"
echo "$0 engine generate base certs in engine"
echo "$0 vdsm vdsmIp issue certs for vdsm"
;;
esac
[2]
https://github.com/oVirt/vdsm-jsonrpc-java/blob/078233e60c24f8b8525b3bf5fb1c5ab9f1c4e0f4/client/src/main/java/org/ovirt/vdsm/jsonrpc/client/reactors/ReactorFactory.java#L85
At 2018-01-02 20:53:45, "Piotr Kliczewski" <[email protected]> wrote:
Hello,
One instance of a reactor was done by design. Can you please provide steps how
do you use the code and why do you need to change .truststore?
Thanks,
Piotr
On Wed, Dec 27, 2017 at 2:16 AM, pengyixiang <[email protected]> wrote:
hello
If we add a new node, we generate vdsm certs and scp them to node, then we
add it to .truststore in [1], so that our engine can connect to vdsm.
so If .truststore changed, "getSslStompReactor" still use the old .truststore
and connect failed. I made a mistake, changed certs is .truststore rather than
engine.p12
[1]
openssl genrsa \
-out client/vdsmkey.pem 2048
openssl req \
-new \
-out requests/$1.req \
-key client/vdsmkey.pem \
-subj "${subject}"
openssl ca \
-batch \
-config openssl.conf \
-extfile cacert2.conf \
-extensions v3_ca \
-in requests/$1.req \
-out certs/$1.cer \
-keyfile private/ca.pem \
-subj /O=Linx/CN=$1 \
-utf8 \
-days "3650" \
-startdate "$(date --utc --date "now -1 days" +"%y%m%d%H%M%SZ")"
cp ca.pem client/cacert.pem
cp certs/$1.cer client/vdsmcert.pem
cp install.sh client
keytool -import -noprompt -trustcacerts -alias $1$(date --utc --date "now
+1 days" +"%y%m%d%H%M%SZ")$(cat /dev/urandom | head -n 10 | md5sum | head -c
10) -keypass mypass -file certs/$1.cer -keystore .truststore -storepass mypass
At 2017-12-26 16:37:33, "Irit Goihman" <[email protected]> wrote:
Hi,
Can you explain your question?
Why engine certs are changed?
Thanks,
Irit
On Mon, Dec 25, 2017 at 3:26 AM, pengyixiang <[email protected]> wrote:
hello, everyone!
I use ScenarioClient to call vdsm-jsonrpc-client, but I find after my
engine connected to one node, I new a node, then the certs(engine.p12) is
changed,
but engine can not connected to new node, at last, I find the problem in there
[1], and I think rpc's certs to node that is still old, so I try to changed
code to [2],
then repeat the test way, it works well, the ovirt's engine doesn't meet the
trouble and how did you do? client is created like this [3].
[1]
https://github.com/oVirt/vdsm-jsonrpc-java/blob/078233e60c24f8b8525b3bf5fb1c5ab9f1c4e0f4/client/src/main/java/org/ovirt/vdsm/jsonrpc/client/reactors/ReactorFactory.java#L76
[2]
private static Reactor getSslStompReactor(ManagerProvider provider) throws
ClientConnectionException {
// if (sslStompReactor != null) {
// return sslStompReactor;
// }
synchronized (ReactorFactory.class) {
// if (sslStompReactor != null) {
// return sslStompReactor;
// }
try {
sslStompReactor = new SSLStompReactor(provider.getSSLContext());
} catch (IOException | GeneralSecurityException e) {
throw new ClientConnectionException(e);
}
}
return sslStompReactor;
}
[3]
public ScenarioClient(String hostname, int port) throws
ClientConnectionException {
this.reactor = ReactorFactory.getReactor(ProviderFactory.getProvider(),
ReactorType.STOMP);
final ReactorClient client = this.reactor.createClient(hostname, port);
client.setClientPolicy(new DefaultStompConnectionPolicy());
this.worker = ReactorFactory.getWorker(PARALLELISM);
this.jsonClient = this.worker.register(client);
this.jsonClient.setRetryPolicy(new DefaultStompClientPolicy());
}
_______________________________________________
Devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/devel
--
IRIT GOIHMAN
SOFTWARE ENGINEER
EMEA VIRTUALIZATION R&D
Red Hat EMEA
| |
TRIED. TESTED. TRUSTED.
|
@redhatnews Red Hat Red Hat
_______________________________________________
Devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/devel
_______________________________________________
Devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/devel
