Re: [ovirt-users] Unable to login to the WEB UI

2016-08-12 Thread Fabrice Bacchella

> On 11 Aug 2016, at 11:37, Fabrice Bacchella wrote:
> 
> 
>> On 11 Aug 2016, at 09:31, Martin Perina wrote:
>> 
>> Hi Fabrice,
>> 
>> so it seems to me that ovirt-engine-rename didn't work as expected, because 
>> you have changed ENGINE_FQDN in 10-setup-protocols.conf. We don't support 
>> user updates on automatically generated files in 
>> /etc/ovirt-engine/engine.conf.d/. Please next time you'd like to change 
>> something, change it in 99-custom-???.conf file.
> 
> I roll back this change, as you said it was not enough and then the rename 
> command..
> 
>> 
>> Now how to get things working: I'm afraid it would be a long and painful 
>> process, but let's try:
>> 
>> 1. Change manually ENGINE_FQDN to the new value you have used as new FQDN in 
>> ovirt-engine-rename in those files:
>> 
>> /etc/ovirt-engine/engine.conf.d/10-setup-protocols.conf
>> /etc/ovirt-engine/imageuploader.conf.d/10-engine-setup.conf
>> /etc/ovirt-engine/isouploader.conf.d/10-engine-setup.conf
>> /etc/ovirt-engine/logcollector.conf.d/10-engine-setup.conf
>> 
>> 2. Now, let's check your custom certificates, I know you are using your 
>> custom CA, does the truststore you have set into ENGINE_HTTPS_PKI_TRUST_STORE 
>> contain all certificates which are needed to verify HTTPS certificates you 
>> have set in Apache for new FQDN? If so, then please restart your engine and 
>> try
>> 
>> Thanks
>> 
>> Martin Perina
> 
> I'm not sure the PKI part is the biggest problem. I managed to get it to work 
> after a rename and using a custom truststore with all the needed CA.
> 
> My main problem is with this strange 
> User login failure: java.lang.RuntimeException: server_error: 
> org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 
> 60)): expected a valid value (number, String, array, object, 'true', 'false' 
> or 'null')
> 
> that no one seems to understand where it came from. Ravi suggests not 
> using a custom certificate, but I think it's impossible to test this now, because 
> of the incomplete operation of the rename command. So I will put back my 
> trust store and we should focus on this message.
> 
> By the way, I'm on irc on the channel with the nick FabriceB.

Ok we finally nailed that problem with the help of Ravi Nori. Because of the 
new SSO settings, ovirt-engine made a call to itself, from within the same 
process. But it needed to go through apache to authenticate itself by itself and 
was intercepted by my SSO setup. I will need to rewrite it and split URL.



___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
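
The diagnosis in the message above, as an added example that is not part of the original thread or of oVirt's code: a reply to the engine's own SSO request that starts with markup, or that redirects to another host, is what a JSON parser reports as `Unexpected character ('<' (code 60))`. The function names, the sample replies and the host `cas.mydomain` are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit


def classify_sso_reply(engine_fqdn, status, headers, body):
    """Classify the reply the engine got from its own SSO endpoint.

    Returns (verdict, detail); verdict is one of
    "json", "html", "redirect-other-host", "redirect", "not-json".
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        location = hdrs.get("location", "")
        host = (urlsplit(location).hostname or "").lower()
        if host and host != engine_fqdn.lower():
            # A front-end auth module (CAS, Kerberos, ...) took over the request.
            return "redirect-other-host", host
        return "redirect", location
    if body.lstrip().startswith("<"):
        # A JSON parser fails on the first '<' (character code 60).
        line = body[: body.index("<")].count("\n") + 1
        return "html", "markup starts on line %d" % line
    try:
        json.loads(body)
    except ValueError as exc:
        return "not-json", str(exc)
    return "json", hdrs.get("content-type", "")


# Constructed sample replies (not captured from a real engine).
SAMPLES = {
    "direct": (200, {"Content-Type": "application/json"},
               '{"access_token": "constructed", "token_type": "bearer"}'),
    "login_page": (200, {"Content-Type": "text/html"},
                   "\n\n <html><body>Please log in</body></html>"),
    "sso_redirect": (302, {"Location": "https://cas.mydomain/login"}, ""),
    "same_host_redirect": (302, {"Location": "https://ovirt.mydomain/x"}, ""),
}


def diagnose_all(engine_fqdn="ovirt.mydomain"):
    """Run the classifier over every constructed sample."""
    return {name: classify_sso_reply(engine_fqdn, *reply)
            for name, reply in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in diagnose_all().items():
        print("%-20s %-20s %s" % (name, verdict, detail))
```

The `login_page` sample is built so that the markup starts on line 3, the position given in the error quoted in this thread.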


Re: [ovirt-users] Unable to login to the WEB UI

2016-08-10 Thread Fabrice Bacchella
I'm not sure it's a good idea if you're running 4.0. This procedure does half 
of the job as it doesn't touch the custom java trust store and missing parts are 
mandatory for ovirt 4. So I'm now stuck with an unreachable UI after
an upgrade and I don't know if I can roll back.

> On 10 Aug 2016, at 17:30, Marcelo Leandro wrote:
> 
> Good morning ,
> 
> "You need to have correctly set up engine FQDN and it has to be resolvable. 
> If you don't have correctly set engine FQDN, you can fix that using 
> ovirt-engine-rename tool, more info can be found at:
> 
> https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/
> "
> 
> can I make the procedure with host and vms in production?
> 
> Thanks.
> 
> 2016-08-03 14:34 GMT-03:00 Martin Perina:
> 
> 
> On Wed, Aug 3, 2016 at 5:25 PM, Fabrice Bacchella wrote:
> Next step :
> 
> The UI says, even with a restarted navigator:
> 
> org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 
> 60)): expected a valid value (number, String, array, object, 'true', 'false' 
> or 'null') at [Source: java.io.StringReader@74749f78; line: 3, column: 2]
> 
> I haven't seen this error before, could you please share server.log and 
> engine.log?
> 
> 
> 
> I shift-reload, got a welcome screen, click on "Administration portal". I 
> then got a warning. The vhost for ovirt is "ovirt.mydomain", but I got a 
> redirect to:
> https://ovirt.mydomain/ovirt-engine/webadmin/sso/login?_url=https%3A%2F%2Fovirt.mydomain%2Fovirt-engine%2Fwebadmin%2F%3Flocale%3Den_US=en_US
>  
> 
> that then redirect to:
> https://realhost.mydomain:443/ovirt-engine/sso/oauth/authorize?client_id=ovirt-engine-core_type=code_uri=https%3A%2F%2Fovirt.mydomain%3A443%2Fovirt-engine%2Fwebadmin%2Fsso%2Foauth2-callback=ovirt-app-admin+ovirt-app-portal+ovirt-ext%3Dauth%3Asequence-priority%3D%7E=5ku3vXkfb10
>  
> 
> 
> And it fails again, still with:
> org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 
> 60)): expected a valid value (number, String, array, object, 'true', 'false' 
> or 'null') at [Source: java.io.StringReader@328a4512; line: 3, column: 2]
> 
> Many requests were sent to ovirt.mydomain, but just one to 
> realhost.mydomain:443, I don't know why.
> 
> You need to have correctly set up engine FQDN and it has to be resolvable. 
> If you don't have correctly set engine FQDN, you can fix that using 
> ovirt-engine-rename tool, more info can be found at:
> 
> https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/
>  
> 
> 
> Also be aware that you need to use that engine FQDN to access oVirt 4.0
> 
> 
> I didn't ask for any SSO, I already use my own (CAS), it was working well and 
> the update never asked for activating something new.
> 
> This is one of the oVirt 4.0 features, we have implemented OAUTH SSO for 
> all engine parts: webadmin, userportal and restapi. If you are using CAS 
> (although it's officially supported by oVirt), that probably means you have 
> configured cas authentication on Apache, passing authenticated username using 
> aaa-misc as authn extension and aaa-ldap as authz extension (to get group 
> memberships for authenticated user). If that's true then please take a look 
> at 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1342192 
> 
> 
> there are some changes on Apache configuration (the bug is for kerberos, but 
> I suspect similar config is needed also for cas module in apache).
> 
> 
> 
> > On 3 Aug 2016, at 15:09, Martin Perina wrote:
> >
> > Hi,
> > please follow steps as described in BZ:
> >
> > 1. Create /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf (you 
> > may choose different filename but it has to end with '.conf' suffix) with 
> > following content:
> >
> >   ENGINE_HTTPS_PKI_TRUST_STORE=""
> >   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
> >
> > 2. Restart the engine
> >
> > If the above doesn't work please attach server.log/engine.log
> >
> > Thanks
> >
> > Martin Perina
> 
> 
> 

Re: [ovirt-users] Unable to login to the WEB UI

2016-08-10 Thread Marcelo Leandro
Good morning ,

"You need to have correctly set up engine FQDN and it has to be resolvable.
If you don't have correctly set engine FQDN, you can fix that using
ovirt-engine-rename tool, more info can be found at:

https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/ "

can I make the procedure with host and vms in production?

Thanks.

2016-08-03 14:34 GMT-03:00 Martin Perina :

>
>
> On Wed, Aug 3, 2016 at 5:25 PM, Fabrice Bacchella <
> fabrice.bacche...@icloud.com> wrote:
>
>> Next step :
>>
>> The UI says, even with a restarted navigator:
>>
>> org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code
>> 60)): expected a valid value (number, String, array, object, 'true',
>> 'false' or 'null') at [Source: java.io.StringReader@74749f78; line: 3,
>> column: 2]
>>
>
> I haven't seen this error before, could you please share server.log and
> engine.log?
>
>
>
>>
>>
>> I shift-reload, got a welcome screen, click on "Administration portal". I
>> then got a warning. The vhost for ovirt is "ovirt.mydomain", but I got a
>> redirect to:
>> https://ovirt.mydomain/ovirt-engine/webadmin/sso/login?;app_url=https%3A%2F%2Fovirt.mydomain%2Fovirt-engine%2Fwebadmin%2F%3Flocale%3Den_US=en_US
>> that then redirect to:
>> https://realhost.mydomain:443/ovirt-engine/sso/oauth/authorize?client_id=ovirt-engine-core_type=code_uri=https%3A%2F%2Fovirt.mydomain%3A443%2Fovirt-engine%2Fwebadmin%2Fsso%2Foauth2-callback=ovirt-app-admin+ovirt-app-portal+ovirt-ext%3Dauth%3Asequence-priority%3D%7E=5ku3vXkfb10
>>
>> And it fails again, still with:
>> org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code
>> 60)): expected a valid value (number, String, array, object, 'true',
>> 'false' or 'null') at [Source: java.io.StringReader@328a4512; line: 3,
>> column: 2]
>
>
>> Many requests were sent to ovirt.mydomain, but just one to
>> realhost.mydomain:443, I don't know why.
>>
>
> You need to have correctly set up engine FQDN and it has to be
> resolvable. If you don't have correctly set engine FQDN, you can fix that
> using ovirt-engine-rename tool, more info can be found at:
>
> https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/
>
> Also be aware that you need to use that engine FQDN to access oVirt 4.0
>
>
>> I didn't ask for any SSO, I already use my own (CAS), it was working well
>> and the update never asked for activating something new.
>>
>
> This is one of the oVirt 4.0 features, we have implemented OAUTH SSO for
> all engine parts: webadmin, userportal and restapi. If you are using CAS
> (although it's officially supported by oVirt), that probably means you
> have configured cas authentication on Apache, passing authenticated
> username using aaa-misc as authn extension and aaa-ldap as authz extension
> (to get group memberships for authenticated user). If that's true then
> please take a look at
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1342192
>
> there are some changes on Apache configuration (the bug is for kerberos,
> but I suspect similar config is needed also for cas module in apache).
>
>
>>
>> > On 3 Aug 2016, at 15:09, Martin Perina wrote:
>> >
>> > Hi,
>> > please follow steps as described in BZ:
>> >
>> > 1. Create /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
>> > (you may choose different filename but it has to end with '.conf' suffix)
>> > with following content:
>> >
>> >   ENGINE_HTTPS_PKI_TRUST_STORE=""
>> >   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="> keystore>"
>> >
>> > 2. Restart the engine
>> >
>> > If the above doesn't work please attach server.log/engine.log
>> >
>> > Thanks
>> >
>> > Martin Perina
>>
>>
>


Re: [ovirt-users] Unable to login to the WEB UI

2016-08-03 Thread Martin Perina
On Wed, Aug 3, 2016 at 5:25 PM, Fabrice Bacchella <
fabrice.bacche...@icloud.com> wrote:

> Next step :
>
> The UI says, even with a restarted navigator:
>
> org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code
> 60)): expected a valid value (number, String, array, object, 'true',
> 'false' or 'null') at [Source: java.io.StringReader@74749f78; line: 3,
> column: 2]
>

I haven't seen this error before, could you please share server.log and
engine.log?


>
>
> I shift-reload, got a welcome screen, click on "Administration portal". I
> then got a warning. The vhost for ovirt is "ovirt.mydomain", but I got a
> redirect to:
>
> https://ovirt.mydomain/ovirt-engine/webadmin/sso/login?_url=https%3A%2F%2Fovirt.mydomain%2Fovirt-engine%2Fwebadmin%2F%3Flocale%3Den_US=en_US
> that then redirect to:
>
> https://realhost.mydomain:443/ovirt-engine/sso/oauth/authorize?client_id=ovirt-engine-core_type=code_uri=https%3A%2F%2Fovirt.mydomain%3A443%2Fovirt-engine%2Fwebadmin%2Fsso%2Foauth2-callback=ovirt-app-admin+ovirt-app-portal+ovirt-ext%3Dauth%3Asequence-priority%3D%7E=5ku3vXkfb10
>
> And it fails again, still with:
> org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code
> 60)): expected a valid value (number, String, array, object, 'true',
> 'false' or 'null') at [Source: java.io.StringReader@328a4512; line: 3,
> column: 2]


> Many requests were sent to ovirt.mydomain, but just one to
> realhost.mydomain:443, I don't know why.
>

You need to have correctly set up engine FQDN and it has to be resolvable.
If you don't have correctly set engine FQDN, you can fix that
using ovirt-engine-rename tool, more info can be found at:

https://www.ovirt.org/documentation/how-to/networking/changing-engine-hostname/

Also be aware that you need to use that engine FQDN to access oVirt 4.0


> I didn't ask for any SSO, I already use my own (CAS), it was working well
> and the update never asked for activating something new.
>

This is one of the oVirt 4.0 features, we have implemented OAUTH SSO for
all engine parts: webadmin, userportal and restapi. If you are using CAS
(although it's officially supported by oVirt), that probably means you
have configured cas authentication on Apache, passing authenticated
username using aaa-misc as authn extension and aaa-ldap as authz extension
(to get group memberships for authenticated user). If that's true then
please take a look at

https://bugzilla.redhat.com/show_bug.cgi?id=1342192

there are some changes on Apache configuration (the bug is for kerberos,
but I suspect similar config is needed also for cas module in apache).


>
> > On 3 Aug 2016, at 15:09, Martin Perina wrote:
> >
> > Hi,
> > please follow steps as described in BZ:
> >
> > 1. Create /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf (you
> > may choose different filename but it has to end with '.conf' suffix) with
> > following content:
> >
> >   ENGINE_HTTPS_PKI_TRUST_STORE=""
> >   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=" keystore>"
> >
> > 2. Restart the engine
> >
> > If the above doesn't work please attach server.log/engine.log
> >
> > Thanks
> >
> > Martin Perina
>
>


Re: [ovirt-users] Unable to login to the WEB UI

2016-08-03 Thread Fabrice Bacchella
Next step :

The UI says, even with a restarted navigator:

org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 60)): 
expected a valid value (number, String, array, object, 'true', 'false' or 
'null') at [Source: java.io.StringReader@74749f78; line: 3, column: 2] 


I shift-reload, got a welcome screen, click on "Administration portal". I then 
got a warning. The vhost for ovirt is "ovirt.mydomain", but I got a redirect to:
https://ovirt.mydomain/ovirt-engine/webadmin/sso/login?_url=https%3A%2F%2Fovirt.mydomain%2Fovirt-engine%2Fwebadmin%2F%3Flocale%3Den_US=en_US
that then redirect to:
https://realhost.mydomain:443/ovirt-engine/sso/oauth/authorize?client_id=ovirt-engine-core_type=code_uri=https%3A%2F%2Fovirt.mydomain%3A443%2Fovirt-engine%2Fwebadmin%2Fsso%2Foauth2-callback=ovirt-app-admin+ovirt-app-portal+ovirt-ext%3Dauth%3Asequence-priority%3D%7E=5ku3vXkfb10

And it fails again, still with:
org.codehaus.jackson.JsonParseException: Unexpected character ('<' (code 60)): 
expected a valid value (number, String, array, object, 'true', 'false' or 
'null') at [Source: java.io.StringReader@328a4512; line: 3, column: 2]

Many requests were sent to ovirt.mydomain, but just one to 
realhost.mydomain:443, I don't know why.

I didn't ask for any SSO, I already use my own (CAS), it was working well and 
the update never asked for activating something new.
  


> On 3 Aug 2016, at 15:09, Martin Perina wrote:
> 
> Hi,
> please follow steps as described in BZ:
> 
> 1. Create /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf (you may 
> choose different filename but it has to end with '.conf' suffix) with 
> following content:
> 
>   ENGINE_HTTPS_PKI_TRUST_STORE=""
>   ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
> 
> 2. Restart the engine
> 
> If the above doesn't work please attach server.log/engine.log
> 
> Thanks
> 
> Martin Perina



Re: [ovirt-users] Unable to login to the WEB UI

2016-08-03 Thread Martin Perina
Hi,
please follow steps as described in BZ:

1. Create /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf (you
may choose different filename but it has to end with '.conf' suffix) with
following content:

  ENGINE_HTTPS_PKI_TRUST_STORE=""
  ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""

2. Restart the engine

If the above doesn't work please attach server.log/engine.log

Thanks

Martin Perina


On Wed, Aug 3, 2016 at 2:49 PM, Fabrice Bacchella <
fabrice.bacche...@icloud.com> wrote:

> Indeed, the certificate for the web interface is not coming from ovirt's
> internal PKI, but from our own internal one.
>
> I have a custom trust store not located in /etc/pki/java/cacerts, I did
> try to add ENGINE_PROPERTIES="${ENGINE_PROPERTIES}
> javax.net.ssl.trustStore=.../allmyca.jks
> javax.net.ssl.trustStorePassword=''" in a file in
> /etc/ovirt-engine/engine.conf.d but it didn't help.
>
> Can I add them in /etc/pki/ovirt-engine/.truststore ?
> >
> > On 3 Aug 2016, at 13:22, Martin Perina wrote:
> >
> > Hi,
> >
> > are you using HTTPS certificate signed by external CA? If so please
> > follow steps described in Doc Text of
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1336838
> >
> > Thanks
> >
> > Martin Perina
> >
> >
> > On Wed, Aug 3, 2016 at 1:18 PM, Fabrice Bacchella <
> > fabrice.bacche...@icloud.com> wrote:
> > After the upgrade, I'm unable to log in, I'm getting the following error:
> >
> >  sun.security.validator.ValidatorException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > valid certification path
> >  to requested target
> >
> >
> > Where should I look to correct that ?
> >
>
>


Re: [ovirt-users] Unable to login to the WEB UI

2016-08-03 Thread Fabrice Bacchella
Indeed, the certificate for the web interface is not coming from ovirt's 
internal PKI, but from our own internal one.

I have a custom trust store not located in /etc/pki/java/cacerts, I did try to 
add ENGINE_PROPERTIES="${ENGINE_PROPERTIES} 
javax.net.ssl.trustStore=.../allmyca.jks javax.net.ssl.trustStorePassword=''" 
in a file in /etc/ovirt-engine/engine.conf.d but it didn't help.

Can I add them in /etc/pki/ovirt-engine/.truststore ?
> 
> On 3 Aug 2016, at 13:22, Martin Perina wrote:
> 
> Hi,
> 
> are you using HTTPS certificate signed by external CA? If so please follow 
> steps described in Doc Text of
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1336838
> 
> Thanks
> 
> Martin Perina
> 
> 
> On Wed, Aug 3, 2016 at 1:18 PM, Fabrice Bacchella wrote:
> After the upgrade, I'm unable to log in, I'm getting the following error:
> 
>  sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path
>  to requested target
> 
> 
> Where should I look to correct that ?


Re: [ovirt-users] Unable to login to the WEB UI

2016-08-03 Thread Martin Perina
Hi,

are you using HTTPS certificate signed by external CA? If so please follow
steps described in Doc Text of

https://bugzilla.redhat.com/show_bug.cgi?id=1336838

Thanks

Martin Perina


On Wed, Aug 3, 2016 at 1:18 PM, Fabrice Bacchella <
fabrice.bacche...@icloud.com> wrote:

> After the upgrade, I'm unable to log in, I'm getting the following error:
>
>  sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path
>  to requested target
>
>
> Where should I look to correct that ?