
List:       vdsm-devel
Subject:    [ovirt-devel] Re: ovirt engine certificate password
From:       Yedidyah Bar David <didi () redhat ! com>
Date:       2018-10-28 10:25:20
Message-ID: CAHRwYXuXBtgJNk31hoSLGQrzomrf5s3jZfe-OqETbwBdxsukQA () mail ! gmail ! com

On Sat, Oct 27, 2018 at 2:36 PM Anastasiya Ruzhanskaya
<anastasiya.ruzhanskaya@frtk.ru> wrote:
> 
> Hello everyone!

Hi,

> I am trying to analyze traffic between ovirt-engine and vdsm.
> First strange thing is, that it should be encrypted by default. When I listen in
> wireshark for message from engine to vdsm being on the engine machine, the traffic
> is not encrypted. It is only tcp. I expect it then be acceptable for wireshark json
> dissector. But this is not a json. Is this a normal situation or I should set up
> encryption by myself?

I think it should be encrypted.

> 
> However, on the guest machine, I see in wireshark that the traffic between engine
> and vdsm is encrypted. (I have a configuration of my computer as a client and two
> VMs as engine and node). So, I am trying to use engine's private key to decrypt
> it. The private key is not engine_id_rsa (am I right?), but it is hidden inside
> .p12 file.

The p12 file is a PKCS#12 format archive; it contains both private and public keys.

The engine_id_rsa is the private key in ssh format.

> To extract the key from this file I need a password. During the ovirt installing I
> didn't set up any password for this. Is this maybe a default one?

Yes, 'mypass'. I do not think we have a documented way to change it,
might be wrong.

Generally speaking, we only rely on file-level protection for this.

> How can I extract a private key?

Check also the script packaging/bin/pki-pkcs12-extract.sh .

> 
> So, the final questions are:
> 1) Should the traffic between engine and vdsm be encrypted by default?

Yes, IMO, but I didn't fully understand what you wrote above.
Do you see it encrypted on one side (vdsm) and cleartext on the
other (engine)? Weird.

> 2) How the private key for engine can be extracted?

See also: https://ovirt.org/develop/release-management/features/infra/pki/

It's probably outdated a bit, but should still be mostly accurate.

Best regards,
-- 
Didi
_______________________________________________
List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/3GHIDUAJKI424ZGOLFT6HJJM4DP4WGZC/
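
Added example, not part of the original message and not oVirt's own code: a shell sketch of the two points in the reply above, checking that a PKCS#12 store is protected at file level and extracting its private key with the password given in the thread. The store, key and certificate are constructed throwaway files and the function names are hypothetical; the engine's real keystore path is not given in the message and is not assumed here.

```shell
# Added example. Assumes Linux (GNU stat) and the openssl CLI.
# The password reaches openssl through the environment, not argv.

# 0 if FILE grants no permissions to group or other.
p12_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# 0 if FILE opens (MAC verifies) with PASS.
p12_opens_with() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:P12_PASS >/dev/null 2>&1
}

# Write the unencrypted private key from FILE to OUT, readable by owner only.
p12_extract_key() {
    ( umask 077
      P12_PASS="$2" openssl pkcs12 -in "$1" -nocerts -nodes \
          -passin env:P12_PASS -out "$3" 2>/dev/null )
}

# 0 if the key in KEY is the one certified by the certificate inside FILE.
p12_key_matches_cert() {
    cert_pub=$(P12_PASS="$2" openssl pkcs12 -in "$1" -clcerts -nokeys \
                   -passin env:P12_PASS 2>/dev/null | openssl x509 -pubkey -noout)
    key_pub=$(openssl pkey -in "$3" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed throwaway store, protected with the password from the thread.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-engine" -days 1 \
    -keyout "$demo/src.key" -out "$demo/src.crt" 2>/dev/null
openssl pkcs12 -export -inkey "$demo/src.key" -in "$demo/src.crt" \
    -passout pass:mypass -out "$demo/store.p12"
chmod 644 "$demo/store.p12"    # deliberately too open, so the audit fires

p12_mode_ok "$demo/store.p12" || echo "WARN: store is readable beyond its owner"
p12_opens_with "$demo/store.p12" mypass && echo "store opens with the known password"
p12_extract_key "$demo/store.p12" mypass "$demo/engine.key"
p12_key_matches_cert "$demo/store.p12" mypass "$demo/engine.key" \
    && echo "extracted key matches the stored certificate"
```

Holding the private key lets Wireshark decrypt only TLS sessions that use RSA key exchange; sessions negotiated with (EC)DHE need the per-session secrets instead.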


