On 09/22/2011 10:40 PM, Kirkpatrick, Jeffrey W wrote:
I followed the guidance on this page http://spice-space.org/page/SSLConnection 
and 
http://fedoraproject.org/wiki/QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set
 for setting up SSL authentication for the SPICE client, however I am still 
unable to connect via an SSL connection.  I am attempting to use the Windows 
client to connect to the SPICE server running with a KVM guest on a RHEL6 
server.

On the KVM Host, I used the script cited on the SSLConnection page above to 
create the keys/certs and set up under /etc/pki/libvirt-spice:

I created the KVM guest using this command:

virt-install --name rhelguest --vcpus 2 --ram 2048 --disk path=/var/lib/libvirt/images/NETAPPS_2/rhelguest/rhelguest.img --network bridge=br0 --mac 52:54:00:AE:25:21 --graphics=spice,listen=0.0.0.0,port=5901,tlsport=5902 --os-type=linux --os-variant=rhel6 --import --noautoconsole


In /etc/libvirt/qemu.org, I have the following lines uncommented:

spice_tls = 1
spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

I restarted libvirtd after making all these changes.

I see in my netstat output the following ports are open:

tcp        0      0 0.0.0.0:5901                0.0.0.0:*                   LISTEN      32086/qemu-kvm
tcp        0      0 0.0.0.0:5902                0.0.0.0:*                   LISTEN      32086/qemu-kvm



On the Windows Client, I downloaded the ca-cert.pem file I created from the KVM 
Host into the %APPDATA%\spicec directory, and I also copied it to the same 
folder with my spicec binary (to test both ways), and when I run the client 
connection command below (IPs and hostnames sanitized for security), the SPICE 
client starts up but immediately closes:

spicec -h IPADDRESS_OF_KVM_HOST -p 5901 -s 5902 --ca-file .\spice_truststore.pem --secure-channels all --host-subject "C=TX, L=Dallas, O=Bofa, CN=KVMhostname.bankofamerica.com"

(I tried it as shown above and with \ before each comma, as indicated by the 
spicec help message.)

Here are the error messages I got in the spice log:

1316719758 INFO [10988:8764] Platform::set_clipboard_owner: new clipboard owner: none
1316719758 INFO [10988:8764] Application::main: starting ???
1316719758 INFO [10988:8764] GUI::GUI:
1316719759 INFO [10988:8764] ForeignMenu::ForeignMenu: Creating a foreign menu connection SpiceForeignMenu-10988
1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Trying IPADDRESS_OF_KVM_HOST 5902
1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Connected to IPADDRESS_OF_KVM_HOST 5902
1316719759 WARN [10988:10708] RedPeer::connect_secure: failed to connect w/SSL, ssl_error error:00000001:lib(0):func(0):reason(1)
1316719759 WARN [10988:10708] RedChannel::run: SSL Error:
1316719759 INFO [10988:8764] WinMain: Spice client terminated (exitcode = 7)



Maybe you're missing ticketing (password) information.

Can you please try with one/both of the following options:
1. setting a password on the server (i) and using it in spicec command line (ii)
  (i) add ',password=<pw>' to the end of -spice params of qemu-kvm command line.
      or use qemu-kvm monitor to 'set_ticket spice <pw>'
        (and possibly set expiration time).
      or there must be a way to tell libvirt that.
  (ii) spice ... -w <pw>
2. adding a 'disable-ticketing' as a spice-param to qemu-kvm (possibly via 
libvirt).


Can you let us know the qemu-kvm command line?

Also check the qemu-kvm log file (which is where spice-server log messages go), somewhere in /var/log/libvirt/qemu/ and let us know if there are some interesting lines there.

Uri.
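
An added example, not part of either message and not SPICE project code: a small parser for the spicec client log format quoted above that reports how far the connection attempt got (TCP connect versus TLS handshake). The sample embeds the relevant lines from that log, two of them left wrapped the way mail clients break long lines; the function names and the summary fields are assumptions made for this illustration.

```python
import re

# Lines taken from the client log quoted above; two records are left wrapped.
SAMPLE_LOG = """\
1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Trying IPADDRESS_OF_KVM_HOST 5902
1316719759 INFO [10988:10708] RedPeer::connect_unsecure: Connected to
IPADDRESS_OF_KVM_HOST 5902
1316719759 WARN [10988:10708] RedPeer::connect_secure: failed to connect w/SSL,
ssl_error error:00000001:lib(0):func(0):reason(1)
1316719759 WARN [10988:10708] RedChannel::run: SSL Error:
1316719759 INFO [10988:8764] WinMain: Spice client terminated (exitcode = 7)
"""

# Record layout as seen in the log: epoch LEVEL [pid:tid] Source: message
RECORD = re.compile(r"^(\d+) (INFO|WARN|ERROR) \[(\d+):(\d+)\] ([\w:]+): ?(.*)$")

def parse(text):
    """Return one dict per record; a line that does not start a record is
    treated as the wrapped tail of the previous record."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts, level, pid, tid, source, msg = m.groups()
            records.append({"ts": int(ts), "level": level, "thread": int(tid),
                            "source": source, "msg": msg.strip()})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def triage(records):
    """Summarise which stage of the connection attempt failed."""
    out = {"tcp_connected_port": None, "tls_failed": False,
           "ssl_error": None, "exit_code": None}
    for r in records:
        if r["source"] == "RedPeer::connect_unsecure":
            m = re.match(r"Connected to \S+ (\d+)$", r["msg"])
            if m:  # TCP connection established on this port
                out["tcp_connected_port"] = int(m.group(1))
        elif r["source"] == "RedPeer::connect_secure" and r["level"] == "WARN":
            out["tls_failed"] = True  # handshake failed after TCP connect
            m = re.search(r"ssl_error (\S+)", r["msg"])
            out["ssl_error"] = m.group(1) if m else None
        elif r["source"] == "WinMain":
            m = re.search(r"exitcode = (\d+)", r["msg"])
            out["exit_code"] = int(m.group(1)) if m else None
    return out
```

On this log the summary shows a completed TCP connection to the TLS port followed by a failed handshake, so the listener is reachable and the remaining questions are on the TLS and server side, which is where the qemu-kvm log requested above comes in.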


