Encrypt VNC Console Connections

When you deploy Oracle Linux Virtualization Manager using FIPS enabled systems, you must ensure VNC console connections are encrypted.

Enable VNC Encryption at Cluster Level

When you have deployed Oracle Linux Virtualization Manager on FIPS enabled systems, you must enable VNC encryption to access virtual machine consoles. Do this at the cluster level:

  1. From the Administration Portal, go to Compute > Clusters.
  2. Edit the Cluster where you want to enable VNC Encryption.
  3. Click on the Console tab on the left.
  4. Check the Enable VNC Encryption checkbox and then click OK.

Reinstall KVM Host

After enabling VNC encryption, you are prompted to reinstall the KVM host, which applies all the required options to enable the VNC encrypted console connection.

Note:

On all hosts assigned to the self-hosted engine, from the Reinstall dialog go to the Hosted-Engine tab and select Deploy.

  1. From the Administration Portal, go to Compute > Hosts.
  2. Select a host to configure, click Management, and then click Maintenance.
  3. Click the Installation button.
  4. Select Reinstall and uncheck "Reboot host after installation".
  5. Click OK.

Run VNC SASL Ansible Playbook on KVM Hosts

To apply the playbook, the KVM host must be in Maintenance mode. You can run the playbook on more than one host at a time: add all KVM hosts to be configured to the /etc/hosts file, one host per line, and ensure that every one of those hosts is in Maintenance mode before applying the playbook.

  1. From the Administration Portal, go to Compute > Hosts.
  2. Select the host you want to configure, click Management, and then click Maintenance.
  3. SSH into the Engine server.
  4. Ansible auto-detects which Python interpreter to use on the host. Set it explicitly to /usr/bin/python3 to avoid errors, then run the ovirt-vnc-sasl.yml playbook:
    # cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
     
    # sed -ri.orig '/defaults/ainterpreter_python = /usr/bin/python3' ansible.cfg
     
    # echo "IP-OR-HOSTNAME" > hosts
     
    # ansible-playbook --ask-pass --inventory=hosts ovirt-vnc-sasl.yml

    Full output example:

    # cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
     
    # echo "192.168.0.102" > hosts
     
    # sed -ri.orig '/defaults/ainterpreter_python = /usr/bin/python3' ansible.cfg
     
    # ansible-playbook --ask-pass --inventory=hosts ovirt-vnc-sasl.yml
    SSH password:
     
    PLAY [all] *********************************************************************
     
    TASK [Gathering Facts] *********************************************************
    ok: [192.168.0.102]
     
    TASK [ovirt-host-setup-vnc-sasl : Create SASL QEMU config file] ****************
    ok: [192.168.0.102]
     
    TASK [ovirt-host-setup-vnc-sasl : Use saslpasswd2 to create file with dummy user] ***
    ok: [192.168.0.102]
     
    TASK [ovirt-host-setup-vnc-sasl : Set ownership of the password db] ************
    ok: [192.168.0.102]
     
    TASK [ovirt-host-setup-vnc-sasl : Modify qemu config file - enable VNC SASL authentication] ***
    ok: [192.168.0.102]
     
    PLAY RECAP *********************************************************************
     
    192.168.0.102 : ok=5 changed=5  unreachable=0  failed=0  skipped=0  rescued=0  ignored=0

Note:

You might receive the following error message when running the ovirt-vnc-sasl.yml playbook:
ERROR! The requested handler 'populate service facts and restart libvirtd' /
was not found in either the main handlers list nor in the listening handlers list

This error is caused by the auto-detected Python interpreter. To fix it, add the interpreter_python option to the local ansible.cfg file and then rerun the playbook so that all tasks complete:

# cd /usr/share/ovirt-engine/ansible-runner-service-project/project/
 
# sed -ri.orig '/defaults/ainterpreter_python = /usr/bin/python3' ansible.cfg
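After the reinstall and the playbook run, a practitioner will want to confirm on the KVM host that the libvirt QEMU driver really ended up with encrypted, authenticated VNC. The script below is an added example, not part of the Oracle documentation or the ovirt-vnc-sasl.yml playbook; it assumes that the reinstall turns on vnc_tls and the playbook turns on vnc_sasl in the standard libvirt file /etc/libvirt/qemu.conf, and it runs against constructed sample configs so it can be tried offline.

```shell
#!/bin/sh
# Verification helper (added example, not Oracle's or oVirt's code).
# Assumption: on the KVM host, /etc/libvirt/qemu.conf carries the standard
# libvirt keys vnc_tls and vnc_sasl; both must be 1 for an encrypted,
# SASL-authenticated console.  Real use:  vnc_encryption_enabled /etc/libvirt/qemu.conf

# Print the value of an uncommented "key = value" line in a libvirt-style
# config file ($1 = file, $2 = key).  Commented-out defaults are ignored and
# the last active occurrence wins, as libvirt itself does.
conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\"#[:space:]]*)\"?.*/\1/p" "$1" \
        | tail -n 1
}

# Exit 0 only when both TLS (encryption) and SASL (authentication) are on.
vnc_encryption_enabled() {
    tls=$(conf_value "$1" vnc_tls)
    sasl=$(conf_value "$1" vnc_sasl)
    [ "$tls" = "1" ] && [ "$sasl" = "1" ]
}

# Constructed sample configs (not captured from a real host).
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
#vnc_tls = 0          (shipped default, commented out: must be ignored)
vnc_tls = 1
vnc_tls_x509_verify = 1
vnc_sasl = 1
EOF
cat > "$bad" <<'EOF'
vnc_tls = 1
#vnc_sasl = 1         (playbook task did not run: SASL still off)
EOF

for f in "$good" "$bad"; do
    if vnc_encryption_enabled "$f"; then
        echo "$f: VNC TLS + SASL enabled"
    else
        echo "$f: VNC console NOT fully hardened"
    fi
done
```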