Re: [Users] Procedure to change engine host name

2012-11-12 Thread Alan Johnson
On Mon, Nov 12, 2012 at 12:26 PM, Juan Hernandez wrote:

> On 11/12/2012 06:12 PM, Alan Johnson wrote:
> > I greatly appreciated these instructions, however there seems to be some
> > points missing.  The links on the landing page (User
> > Portal, Administrator Portal, Reports Portal) still have my old host
> > name in them.
> >
> > Where else might I find references to the old name?  Particularly for
> > those links?
> >
> > Thanks!
>
> If you are using 3.1 check the /etc/ovirt-engine/web-conf.js file, it
> contains the old host name as well.
>

That was it.  Thanks!
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users


Re: [Users] Procedure to change engine host name

2012-11-12 Thread Juan Hernandez
On 11/12/2012 06:12 PM, Alan Johnson wrote:
> On Wed, Oct 17, 2012 at 12:38 PM, Jason Brooks wrote:
> 
> On 10/05/2012 08:03 AM, Juan Hernandez wrote:
> 
> Hi,
> 
> I see some interest on how to change the host name of the
> machine where
> the engine runs (in release 3.1). This is a manual procedure
> that you
> can use to do that:
> 
> 
> I greatly appreciated these instructions, however there seems to be some
> points missing.  The links on the landing page (User
> Portal, Administrator Portal, Reports Portal) still have my old host
> name in them.  I can easily work around this for the time being by
> clicking the link then manually editing the URL of the failed page.  In
> my efforts to find out where this might have happened, I found 2 places in
> the database that include the old host name:
> 
> *option_id.*VdcBootStrapUrl
> *option_id.*VirtualMachineDomainName.
> 
> I have corrected those and restarted oVirt engine, but the links still
> have the old address.  So, I kept digging and found that there might be
> references to the old host name in the storage_server_connections table,
> e.g. ISOs.  Of course, that won't affect these links.
> 
> Where else might I find references to the old name?  Particularly for
> those links?
> 
> Thanks!
>  
> 
> 
> Thanks, Juan -- I'm sure this will come in handy!
> 
> I've copied these instructions into a page on the oVirt wiki:
> 
> http://wiki.ovirt.org/wiki/How_to_change_engine_host_name
> 
> 
> 
> I have put in a request for a wiki account and will update this page if
> I am approved.  Please feel free to update before I get to it.  =) 

If you are using 3.1 check the /etc/ovirt-engine/web-conf.js file, it
contains the old host name as well.

-- 
Business address: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Registered in the Mercantile Registry of Madrid – C.I.F. B82657941 - Red Hat S.L.


Re: [Users] Procedure to change engine host name

2012-11-12 Thread Alan Johnson
On Wed, Oct 17, 2012 at 12:38 PM, Jason Brooks  wrote:

> On 10/05/2012 08:03 AM, Juan Hernandez wrote:
>
>> Hi,
>>
>> I see some interest on how to change the host name of the machine where
>> the engine runs (in release 3.1). This is a manual procedure that you
>> can use to do that:
>>
>
I greatly appreciated these instructions, however there seems to be some
points missing.  The links on the landing page (User Portal, Administrator
Portal, Reports Portal) still have my old host name in them.  I can easily
work around this for the time being by clicking the link then manually
editing the URL of the failed page.  In my efforts to find out where this
might have happened, I found 2 places in the database that include the old
host name:

*option_id.*VdcBootStrapUrl
*option_id.*VirtualMachineDomainName.

I have corrected those and restarted oVirt engine, but the links still have
the old address.  So, I kept digging and found that there might be
references to the old host name in the storage_server_connections table,
e.g. ISOs.  Of course, that won't affect these links.

Where else might I find references to the old name?  Particularly for those
links?

Thanks!


>
> Thanks, Juan -- I'm sure this will come in handy!
>
> I've copied these instructions into a page on the oVirt wiki:
>
> http://wiki.ovirt.org/wiki/How_to_change_engine_host_name
>
>
I have put in a request for a wiki account and will update this page if I
am approved.  Please feel free to update before I get to it.  =)


Re: [Users] Procedure to change engine host name

2012-10-19 Thread Neil
On Wed, Oct 17, 2012 at 3:50 PM, Neil  wrote:
> On Wed, Oct 17, 2012 at 2:36 PM, Juan Hernandez  wrote:
>> 1. Switch to Java 7 using "alternatives --config java". But this could
>> have adverse effects in other Java programs that you may be using. Note
>> that the oVirt engine is designed to use Java 7, so if you are using
>> Java 6 you can find other issues.

Installed Java 1.7 and told my system to use it as you mentioned and
my certificate issue was resolved.

Thanks Juan, you the man!

Regards.

Neil Wilson.


Re: [Users] Procedure to change engine host name

2012-10-17 Thread Jason Brooks

On 10/05/2012 08:03 AM, Juan Hernandez wrote:

Hi,

I see some interest on how to change the host name of the machine where
the engine runs (in release 3.1). This is a manual procedure that you
can use to do that:


Thanks, Juan -- I'm sure this will come in handy!

I've copied these instructions into a page on the oVirt wiki:

http://wiki.ovirt.org/wiki/How_to_change_engine_host_name

Regards, Jason



0. Make a backup copy of the /etc/pki/ovirt-engine directory.

1. Regenerate the engine certificate signing request preserving the
existing private key (this is very important in order to avoid having to
decrypt/encrypt passwords stored in the database):

openssl req \
-new \
-subj '/C=US/O=Example Inc./CN=f17.example.com' \
-key /etc/pki/ovirt-engine/keys/engine_id_rsa \
-out /etc/pki/ovirt-engine/requests/engine.req

Replace "Example Inc." with the value that you provided during the
installation. If you forgot them they can be extracted from the
current engine certificate:

openssl x509 \
-in /etc/pki/ovirt-engine/certs/engine.cer \
-noout \
-subject

And *VERY IMPORTANT*, replace "f17.example.com" with the new fully
qualified host name.

2. Sign again the engine certificate, to simplify this the SignReq.sh
script should be used:

cd /etc/pki/ovirt-engine
./SignReq.sh \
engine.req \
engine.cer \
1800 \
/etc/pki/ovirt-engine \
`date -d yesterday +%y%m%d%H%M%S+` \
NoSoup4U

Double check that the generated certificate is correct, visually and
with the following command:

openssl verify \
-CAfile /etc/pki/ovirt-engine/ca.pem \
/etc/pki/ovirt-engine/certs/engine.cer

3. Generate also a DER encoded version of the certificate:

openssl x509 \
-in /etc/pki/ovirt-engine/certs/engine.cer \
-out /etc/pki/ovirt-engine/certs/engine.der \
-outform der

4. Export the engine private key and certificate to a PKCS12 file:

openssl pkcs12 \
-export \
-name engine \
-inkey /etc/pki/ovirt-engine/keys/engine_id_rsa \
-in /etc/pki/ovirt-engine/certs/engine.cer \
-out /etc/pki/ovirt-engine/keys/engine.p12 \
-passout pass:NoSoup4U

5. Regenerate the keystore used by the engine, importing the old CA
certificate and the new engine certificate:

rm -f /etc/pki/ovirt-engine/.keystore

keytool \
-keystore /etc/pki/ovirt-engine/.keystore \
-import \
-alias cacert \
-storepass mypass \
-noprompt \
-file /etc/pki/ovirt-engine/ca.pem

keytool \
-keystore /etc/pki/ovirt-engine/.keystore \
-importkeystore \
-srckeystore /etc/pki/ovirt-engine/keys/engine.p12 \
-srcalias engine \
-srcstoretype PKCS12 \
-srcstorepass NoSoup4U \
-srckeypass NoSoup4U \
-destalias engine \
-deststorepass mypass \
-destkeypass mypass

6. Restart the httpd and ovirt-engine services:

service ovirt-engine restart
service httpd restart

7. If using ovirt-node as the hypervisors then for each of them check
and fix the "vdc_host_name" parameter in the
"/etc/vdsm-reg/vdsm-reg.conf" file.

Note that this procedure will leave a small trace: the CA certificate
will still contain the URL of the old host. That is a minor
inconvenience, but to solve it *all* certificates would need to be
replaced. If there is interest I can prepare a procedure to do that as well.

Feedback is welcome.

Regards,
Juan Hernandez




--

@jasonbrooks


Re: [Users] Procedure to change engine host name

2012-10-17 Thread Neil
On Wed, Oct 17, 2012 at 2:36 PM, Juan Hernandez  wrote:
> 1. Switch to Java 7 using "alternatives --config java". But this could
> have adverse effects in other Java programs that you may be using. Note
> that the oVirt engine is designed to use Java 7, so if you are using
> Java 6 you can find other issues.

No problem, this new machine is a dedicated ovirt-engine now and the
certificate was migrated from an older Centos install.

> 2. Create a DER encoded version of the CA certificate before importing it:
>
> openssl x509 \
> -in /etc/pki/ovirt-engine/ca.pem \
> -inform pem \
> -out /etc/pki/ovirt-engine/ca.cer \
> -outform der
>
> Then use the "ca.cer" file instead of the "ca.pem" file in the keytool
> command.

Thanks, will give this a try tomorrow morning.

> Sorry for the late response.

No problem, as usual your help is greatly appreciated!

Kind regards.

Neil Wilson.


Re: [Users] Procedure to change engine host name

2012-10-17 Thread Juan Hernandez
On 10/17/2012 02:36 PM, Neil wrote:
> Sorry to repost, anyone got any ideas here?
> 
> Thanks!
> 
> On Tue, Oct 16, 2012 at 12:27 PM, Neil  wrote:
>> Hi Juan,
>>
>> Thank you very much for sending through these details, I'm finally
>> getting around to trying to regenerate my certs now, but I'm
>> encountering an issue with importing the old CA as per below...
>>
>> On Fri, Oct 5, 2012 at 5:03 PM, Juan Hernandez  wrote:
>>> 5. Regenerate the keystore used by the engine, importing the old CA
>>> certificate and the new engine certificate:
>>>
>>> rm -f /etc/pki/ovirt-engine/.keystore
>>>
>>> keytool \
>>> -keystore /etc/pki/ovirt-engine/.keystore \
>>> -import \
>>> -alias cacert \
>>> -storepass mypass \
>>> -noprompt \
>>> -file /etc/pki/ovirt-engine/ca.pem
>>
>>
>> [root@backup ovirt-engine]# rm -f /etc/pki/ovirt-engine/.keystore
>> [root@backup ovirt-engine]# keytool \
>>> -keystore /etc/pki/ovirt-engine/.keystore \
>>> -import \
>>> -alias cacert \
>>> -storepass mypass \
>>> -noprompt \
>>> -file /etc/pki/ovirt-engine/ca.pem
>> keytool error: java.lang.Exception: Input not an X.509 certificate

The problem is probably that you are using the keytool from a Java 6
installation, and it doesn't support the PEM certificate format. You can
do two things to solve this:

1. Switch to Java 7 using "alternatives --config java". But this could
have adverse effects in other Java programs that you may be using. Note
that the oVirt engine is designed to use Java 7, so if you are using
Java 6 you can find other issues.

2. Create a DER encoded version of the CA certificate before importing it:

openssl x509 \
-in /etc/pki/ovirt-engine/ca.pem \
-inform pem \
-out /etc/pki/ovirt-engine/ca.cer \
-outform der

Then use the "ca.cer" file instead of the "ca.pem" file in the keytool
command.

Sorry for the late response.

>> My certificate was created on the early release of ovirt-engine 3.1 so
>> not sure if this is perhaps why?
>>
>> Thanks.
>>
>> Regards.
>>
>> Neil Wilson.



Re: [Users] Procedure to change engine host name

2012-10-17 Thread Neil
On Wed, Oct 17, 2012 at 11:13 AM, Oved Ourfalli  wrote:
> - Original Message -
>> From: "Neil" 
>> To: "Juan Hernandez" 
>> Cc: users@ovirt.org
>> Sent: Wednesday, October 17, 2012 11:06:24 AM
>> Subject: Re: [Users] Procedure to change engine host name
>>
>> Sorry to repost, anyone got any ideas here?
>>
>> Thanks!
>>
> Can you check the certificate file for whitespaces, extra characters and etc.?
> (In some threads about this issue that was usually the problem - apologize in 
> advance if you already read such threads).

Thanks for helping, I've just checked visually (using vi) and it seems
to be good, not sure if there is some kind of app I can run on it to
verify that it is valid. This is the first portion of the file, not
sure if there is something obvious?

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Bla Bla, CN=CA-node02.blabla.com.49238
Validity
Not Before: May 22 18:41:23 2012
Not After : May 21 16:41:23 2022 GMT
Subject: C=US, O=Bla Bla, CN=CA-node02.blabla.com.49238
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:

Thanks!
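
Oved's suggestion to look for whitespace and extra characters, and Neil's question about a tool to check the file, as an added example that is not part of the thread: a script that reports how a certificate file is encoded and what surrounds or pollutes its PEM block. The function names are hypothetical, and the sample files are constructed and hold placeholder data, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a certificate file before import.

# Prints pem, der or unknown for FILE.
cert_encoding() {  # usage: cert_encoding FILE
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = 30 ]; then
        echo der   # DER certificates start with an ASN.1 SEQUENCE tag, 0x30
    else
        echo unknown
    fi
}

# Prints one finding per line for a PEM file; prints nothing when the file
# holds only a clean certificate block.
pem_findings() {  # usage: pem_findings FILE
    awk '
        {
            line = $0
            if (line ~ /\r$/) crlf = 1
            sub(/\r$/, "", line)
            if (line ~ /^-----BEGIN CERTIFICATE-----/) { inblock = 1; seen = 1 }
            if (inblock) { if (line ~ /[ \t]$/) trailing = 1 }
            else if (line !~ /^[ \t]*$/) { if (seen) after = 1; else before = 1 }
            if (line ~ /^-----END CERTIFICATE-----/) inblock = 0
        }
        END {
            if (before)   print "text-before-block"
            if (after)    print "text-after-block"
            if (crlf)     print "crlf-line-endings"
            if (trailing) print "trailing-whitespace-in-block"
        }' "$1"
}

# Prints only the certificate block(s), without CRs or trailing whitespace.
pem_block_only() {  # usage: pem_block_only FILE
    tr -d '\r' <"$1" |
        sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' |
        sed 's/[[:space:]]*$//'
}

# Constructed samples. The base64 body is a placeholder, not a real certificate.
samples=$(mktemp -d)
trap 'rm -rf "$samples"' EXIT
block='-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n'
printf '%b' "$block" >"$samples/clean.pem"
printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n%b' "$block" >"$samples/dump.pem"
printf '%b' '-----BEGIN CERTIFICATE-----\r\nQ09OU1RSVUNURUQ= \r\n-----END CERTIFICATE-----\r\n' >"$samples/crlf.pem"
printf '\060\202\001\012' >"$samples/stub.der"   # first bytes of a DER header only

for f in clean.pem dump.pem crlf.pem stub.der; do
    kind=$(cert_encoding "$samples/$f")
    echo "$f: $kind"
    if [ "$kind" = pem ]; then pem_findings "$samples/$f" | sed 's/^/  /'; fi
done
```

A file like the one Neil quotes, which opens with the text dump before the PEM block, is reported as `pem` with `text-before-block`.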


Re: [Users] Procedure to change engine host name

2012-10-17 Thread Oved Ourfalli
- Original Message -
> From: "Neil" 
> To: "Juan Hernandez" 
> Cc: users@ovirt.org
> Sent: Wednesday, October 17, 2012 11:06:24 AM
> Subject: Re: [Users] Procedure to change engine host name
> 
> Sorry to repost, anyone got any ideas here?
> 
> Thanks!
> 
Can you check the certificate file for whitespaces, extra characters and etc.?
(In some threads about this issue that was usually the problem - apologize in 
advance if you already read such threads).

> On Tue, Oct 16, 2012 at 12:27 PM, Neil  wrote:
> > Hi Juan,
> >
> > Thank you very much for sending through these details, I'm finally
> > getting around to trying to regenerate my certs now, but I'm
> > encountering an issue with importing the old CA as per below...
> >
> > On Fri, Oct 5, 2012 at 5:03 PM, Juan Hernandez
> >  wrote:
> >> 5. Regenerate the keystore used by the engine, importing the old
> >> CA
> >> certificate and the new engine certificate:
> >>
> >> rm -f /etc/pki/ovirt-engine/.keystore
> >>
> >> keytool \
> >> -keystore /etc/pki/ovirt-engine/.keystore \
> >> -import \
> >> -alias cacert \
> >> -storepass mypass \
> >> -noprompt \
> >> -file /etc/pki/ovirt-engine/ca.pem
> >
> >
> > [root@backup ovirt-engine]# rm -f /etc/pki/ovirt-engine/.keystore
> > [root@backup ovirt-engine]# keytool \
> >> -keystore /etc/pki/ovirt-engine/.keystore \
> >> -import \
> >> -alias cacert \
> >> -storepass mypass \
> >> -noprompt \
> >> -file /etc/pki/ovirt-engine/ca.pem
> > keytool error: java.lang.Exception: Input not an X.509 certificate
> >
> > My certificate was created on the early release of ovirt-engine 3.1
> > so
> > not sure if this is perhaps why?
> >
> > Thanks.
> >
> > Regards.
> >
> > Neil Wilson.


Re: [Users] Procedure to change engine host name

2012-10-17 Thread Neil
Sorry to repost, anyone got any ideas here?

Thanks!

On Tue, Oct 16, 2012 at 12:27 PM, Neil  wrote:
> Hi Juan,
>
> Thank you very much for sending through these details, I'm finally
> getting around to trying to regenerate my certs now, but I'm
> encountering an issue with importing the old CA as per below...
>
> On Fri, Oct 5, 2012 at 5:03 PM, Juan Hernandez  wrote:
>> 5. Regenerate the keystore used by the engine, importing the old CA
>> certificate and the new engine certificate:
>>
>> rm -f /etc/pki/ovirt-engine/.keystore
>>
>> keytool \
>> -keystore /etc/pki/ovirt-engine/.keystore \
>> -import \
>> -alias cacert \
>> -storepass mypass \
>> -noprompt \
>> -file /etc/pki/ovirt-engine/ca.pem
>
>
> [root@backup ovirt-engine]# rm -f /etc/pki/ovirt-engine/.keystore
> [root@backup ovirt-engine]# keytool \
>> -keystore /etc/pki/ovirt-engine/.keystore \
>> -import \
>> -alias cacert \
>> -storepass mypass \
>> -noprompt \
>> -file /etc/pki/ovirt-engine/ca.pem
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> My certificate was created on the early release of ovirt-engine 3.1 so
> not sure if this is perhaps why?
>
> Thanks.
>
> Regards.
>
> Neil Wilson.


Re: [Users] Procedure to change engine host name

2012-10-16 Thread Neil
Hi Juan,

Thank you very much for sending through these details, I'm finally
getting around to trying to regenerate my certs now, but I'm
encountering an issue with importing the old CA as per below...

On Fri, Oct 5, 2012 at 5:03 PM, Juan Hernandez  wrote:
> 5. Regenerate the keystore used by the engine, importing the old CA
> certificate and the new engine certificate:
>
> rm -f /etc/pki/ovirt-engine/.keystore
>
> keytool \
> -keystore /etc/pki/ovirt-engine/.keystore \
> -import \
> -alias cacert \
> -storepass mypass \
> -noprompt \
> -file /etc/pki/ovirt-engine/ca.pem


[root@backup ovirt-engine]# rm -f /etc/pki/ovirt-engine/.keystore
[root@backup ovirt-engine]# keytool \
> -keystore /etc/pki/ovirt-engine/.keystore \
> -import \
> -alias cacert \
> -storepass mypass \
> -noprompt \
> -file /etc/pki/ovirt-engine/ca.pem
keytool error: java.lang.Exception: Input not an X.509 certificate

My certificate was created on the early release of ovirt-engine 3.1 so
not sure if this is perhaps why?

Thanks.

Regards.

Neil Wilson.


[Users] Procedure to change engine host name

2012-10-05 Thread Juan Hernandez
Hi,

I see some interest on how to change the host name of the machine where
the engine runs (in release 3.1). This is a manual procedure that you
can use to do that:

0. Make a backup copy of the /etc/pki/ovirt-engine directory.

1. Regenerate the engine certificate signing request preserving the
existing private key (this is very important in order to avoid having to
decrypt/encrypt passwords stored in the database):

openssl req \
-new \
-subj '/C=US/O=Example Inc./CN=f17.example.com' \
-key /etc/pki/ovirt-engine/keys/engine_id_rsa \
-out /etc/pki/ovirt-engine/requests/engine.req

Replace "Example Inc." with the value that you provided during the
installation. If you forgot them they can be extracted from the
current engine certificate:

openssl x509 \
-in /etc/pki/ovirt-engine/certs/engine.cer \
-noout \
-subject

And *VERY IMPORTANT*, replace "f17.example.com" with the new fully
qualified host name.

2. Sign again the engine certificate, to simplify this the SignReq.sh
script should be used:

cd /etc/pki/ovirt-engine
./SignReq.sh \
engine.req \
engine.cer \
1800 \
/etc/pki/ovirt-engine \
`date -d yesterday +%y%m%d%H%M%S+` \
NoSoup4U

Double check that the generated certificate is correct, visually and
with the following command:

openssl verify \
-CAfile /etc/pki/ovirt-engine/ca.pem \
/etc/pki/ovirt-engine/certs/engine.cer

3. Generate also a DER encoded version of the certificate:

openssl x509 \
-in /etc/pki/ovirt-engine/certs/engine.cer \
-out /etc/pki/ovirt-engine/certs/engine.der \
-outform der

4. Export the engine private key and certificate to a PKCS12 file:

openssl pkcs12 \
-export \
-name engine \
-inkey /etc/pki/ovirt-engine/keys/engine_id_rsa \
-in /etc/pki/ovirt-engine/certs/engine.cer \
-out /etc/pki/ovirt-engine/keys/engine.p12 \
-passout pass:NoSoup4U

5. Regenerate the keystore used by the engine, importing the old CA
certificate and the new engine certificate:

rm -f /etc/pki/ovirt-engine/.keystore

keytool \
-keystore /etc/pki/ovirt-engine/.keystore \
-import \
-alias cacert \
-storepass mypass \
-noprompt \
-file /etc/pki/ovirt-engine/ca.pem

keytool \
-keystore /etc/pki/ovirt-engine/.keystore \
-importkeystore \
-srckeystore /etc/pki/ovirt-engine/keys/engine.p12 \
-srcalias engine \
-srcstoretype PKCS12 \
-srcstorepass NoSoup4U \
-srckeypass NoSoup4U \
-destalias engine \
-deststorepass mypass \
-destkeypass mypass

6. Restart the httpd and ovirt-engine services:

service ovirt-engine restart
service httpd restart

7. If using ovirt-node as the hypervisors then for each of them check
and fix the "vdc_host_name" parameter in the
"/etc/vdsm-reg/vdsm-reg.conf" file.

Note that this procedure will leave a small trace: the CA certificate
will still contain the URL of the old host. That is a minor
inconvenience, but to solve it *all* certificates would need to be
replaced. If there is interest I can prepare a procedure to do that as well.

Feedback is welcome.

Regards,
Juan Hernandez

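
The checks this procedure depends on (the private key is preserved, the CN carries the new fully qualified host name, the certificate verifies against the existing CA), as an added example that is not part of the original post. The function names are hypothetical, the keys and certificates are constructed throwaway material, and `openssl x509 -req` stands in for oVirt's SignReq.sh, which is not reproduced here.

```shell
#!/bin/sh
# Added example, not from the thread: checks for a re-issued engine certificate.

# Succeeds if CERT carries the public key of KEY, i.e. the private key was
# preserved across the re-issue, as step 1 requires.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Prints the subject commonName of CERT.
cert_cn() {  # usage: cert_cn CERT
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeeds if CERT verifies against CA (the "openssl verify" check of step 2).
cert_chains_to() {  # usage: cert_chains_to CA CERT
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Prints "ok", or prints the first check that failed and returns 1.
check_reissued_cert() {  # usage: check_reissued_cert CERT KEY CA NEW_FQDN
    cert_matches_key "$1" "$2" || { echo "public key does not match $2"; return 1; }
    cn=$(cert_cn "$1")
    [ "$cn" = "$4" ] || { echo "CN is '$cn', expected '$4'"; return 1; }
    cert_chains_to "$3" "$1" || { echo "does not verify against $3"; return 1; }
    echo "ok"
}

# Constructed throwaway material in DIR: a CA, an engine key, an unrelated key,
# and two certificates for the engine key (old.example.com, f17.example.com).
# "openssl x509 -req" is a stand-in for SignReq.sh (assumption of this example).
make_demo() {  # usage: make_demo DIR
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\nCN=unused\n[v3]\nbasicConstraints=critical,CA:TRUE\n' >"$d/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -subj '/C=US/O=Example Inc./CN=CA-demo' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl genrsa -out "$d/engine_id_rsa" 2048 2>/dev/null
    openssl genrsa -out "$d/unrelated_key" 2048 2>/dev/null
    for host in old f17; do
        openssl req -new -config "$d/demo.cnf" \
            -subj "/C=US/O=Example Inc./CN=$host.example.com" \
            -key "$d/engine_id_rsa" -out "$d/$host.req"
        openssl x509 -req -in "$d/$host.req" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -set_serial 2 -days 1 -out "$d/$host.cer" 2>/dev/null
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_demo "$tmp"
# Re-issued certificate for the new name: all three checks pass.
check_reissued_cert "$tmp/f17.cer" "$tmp/engine_id_rsa" "$tmp/ca.pem" f17.example.com
# Certificate still carrying the old name: reported, not accepted.
check_reissued_cert "$tmp/old.cer" "$tmp/engine_id_rsa" "$tmp/ca.pem" f17.example.com || true
```

On an engine host the same call takes the paths from the procedure: certs/engine.cer, keys/engine_id_rsa and ca.pem under /etc/pki/ovirt-engine, plus the new fully qualified host name.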