Providing new certificates for Virtual Console support

Follow these steps to replace the certificates necessary to secure communication between the noVNCProxy services and PowerVM® NovaLink VNC console. You should replace the certificates if you believe that a certificate was compromised or if you need to change a property, such as the expiration date.

Note: For details about the parameters to use when you generate these certificates, see /etc/pki/novnc/ca/openssl.conf.
  1. If you are replacing any certificates on the management server, run powervc-services stop on the management server to stop all PowerVC services.
  2. Optionally replace the CA certificate:
    1. (Optional) Generate a new key file with this file name and location: /etc/pki/novnc/ca/private/cakey.pem.
    2. Generate a new self-signed CA certificate for the service with this file name and location: /etc/pki/novnc/ca/cacert.pem.
    3. Copy the new CA certificate onto each managed NovaLink host. Use this file location and name for the CA certificate: /etc/pki/novnc/ca/cacert.pem.
    4. Continue with all of the following steps. Because the CA certificate was replaced, all of the other certificates must be signed with the new certificate. Therefore, the remaining steps are mandatory.
  3. Optionally replace the client certificate for the PowerVC management server.
    1. Optionally generate a new private key with this location and name: /etc/pki/novnc/client/private/clientkey.pem.
    2. Generate a new client certificate and use the CA certificate to sign it. Use this file location and name for the client certificate: /etc/pki/novnc/client/clientcert.pem.
  4. Optionally replace the server certificate for a NovaLink host.
    1. If you are replacing any certificates on the hosts, run powervc-services stop on the hosts to stop all PowerVC services.
    2. Optionally generate a new private key with this location and name: /etc/pki/novnc/server/private/serverkey.pem.
    3. Generate a new server certificate and use the CA certificate to sign it. Use this file location and name for the server certificate: /etc/pki/novnc/server/servercert.pem.
    4. Run powervc-services start on the hosts to restart all PowerVC services.
  5. If you replaced any certificates on the management server, run powervc-services start on the management server to restart all PowerVC services.
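The certificate work in steps 2 through 4, carried out with openssl as an added example (this is not code from the PowerVC documentation). It builds the CA, client and server material in a scratch directory that mirrors the /etc/pki/novnc layout named in the steps, so it can be run anywhere without touching a live management server or host; the key size, subject names and validity periods are assumptions, and the authoritative parameters are the ones in /etc/pki/novnc/ca/openssl.conf. The last function shows why step 2.4 makes the remaining steps mandatory: once the CA is replaced, the existing client and server certificates stop verifying until they are re-signed.

```shell
#!/bin/sh
# Added example, not from the PowerVC documentation: rebuild the noVNC CA,
# client and server certificates with openssl in a scratch directory that
# mirrors the /etc/pki/novnc layout. Key size, subject names and validity
# periods are assumptions; /etc/pki/novnc/ca/openssl.conf is authoritative.
set -e

# Scratch root standing in for /etc/pki/novnc (the live tree is never touched).
PKI="${PKI:-$(mktemp -d)}"

# Steps 2.1 and 2.2: new CA private key and self-signed CA certificate.
gen_ca() {
    mkdir -p "$PKI/ca/private"
    openssl genrsa -out "$PKI/ca/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$PKI/ca/private/cakey.pem"          # key readable by owner only
    openssl req -new -x509 -key "$PKI/ca/private/cakey.pem" \
        -subj "/CN=novnc-example-ca" -days 1825 \
        -out "$PKI/ca/cacert.pem"
}

# Steps 3 and 4: new private key plus a leaf certificate signed by the CA.
#   $1 = role ("client" or "server"), $2 = subject common name (assumed)
gen_leaf() {
    role=$1; cn=$2
    key="$PKI/$role/private/${role}key.pem"
    cert="$PKI/$role/${role}cert.pem"
    mkdir -p "$PKI/$role/private"
    openssl genrsa -out "$key" 2048 2>/dev/null
    chmod 600 "$key"
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$cert.csr"
    openssl x509 -req -in "$cert.csr" -days 365 \
        -CA "$PKI/ca/cacert.pem" -CAkey "$PKI/ca/private/cakey.pem" \
        -CAcreateserial -out "$cert" 2>/dev/null
    rm -f "$cert.csr"                               # the CSR is no longer needed
}

# Check that a leaf certificate chains to the current CA: prints OK or FAIL.
verify_leaf() {
    if openssl verify -CAfile "$PKI/ca/cacert.pem" \
            "$PKI/$1/${1}cert.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Why step 2.4 makes the later steps mandatory: after the CA is replaced, the
# existing client and server certificates no longer verify until re-signed.
demo_ca_rotation() {
    gen_ca
    before="$(verify_leaf client) $(verify_leaf server)"
    gen_leaf client novnc-example-client
    gen_leaf server novnc-example-server
    after="$(verify_leaf client) $(verify_leaf server)"
    echo "before=$before after=$after"
}

gen_ca
gen_leaf client novnc-example-client
gen_leaf server novnc-example-server
echo "client: $(verify_leaf client)  server: $(verify_leaf server)"
echo "rotation: $(demo_ca_rotation)"
```

On a real system the equivalent commands would write to the /etc/pki/novnc paths given in the steps, the CA certificate would then be copied to each NovaLink host (step 2.3), and the private keys stay in the private/ subdirectories with restrictive permissions.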

For VNC console access to work seamlessly from the PowerVC GUI, make sure that the cacert.pem file is present in /etc/pki/novnc/ca/ on the NovaLink host. Otherwise, access might fail in some cases with FileNotFoundError: [Errno 2] No such file or directory.

To resolve this issue, complete these steps.
  • After you add the NovaLink host, if the cacert.pem file is missing from /etc/pki/novnc/ca/ on the host, manually copy the file from the PowerVC management server to the NovaLink host.
  • Check whether the /etc/pki/novnc/ca directory on the PowerVC management server is owned by the PowerVC services group (pvcservices). If not, set the group manually by running the chgrp pvcservices /etc/pki/novnc/ca command.
  • Check whether the /etc/pki/novnc/ca/cacert.pem file on the PowerVC management server is owned by the pvcservices group. If not, set the group manually by running the chgrp pvcservices /etc/pki/novnc/ca/cacert.pem command.
  • Check whether the /etc/pki/novnc/client/clientcert.pem file on the PowerVC management server is owned by the pvcservices group. If not, set the group manually by running the chgrp pvcservices /etc/pki/novnc/client/clientcert.pem command.
  • Check whether the /etc/pki/novnc/client/private/clientkey.pem file on the PowerVC management server is owned by the pvcservices group. If not, set the group manually by running the chgrp pvcservices /etc/pki/novnc/client/private/clientkey.pem command.
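The four ownership checks above, collected into one audit as an added example (not code from the PowerVC documentation). The paths and the pvcservices group name come from the list; the ROOT prefix is an assumption added so the check can be exercised against a scratch copy of the tree instead of the real /etc, and the fix function applies exactly the chgrp commands the list gives.

```shell
#!/bin/sh
# Added example, not from the PowerVC documentation: audit the group ownership
# that the troubleshooting list requires and, on request, apply the chgrp fix.
# ROOT is an assumed prefix (empty on a real management server) so the audit
# can run against a scratch copy of the tree.
ROOT="${ROOT:-}"
PVC_GROUP="${PVC_GROUP:-pvcservices}"

# Paths from the troubleshooting list, one per line.
NOVNC_PATHS="/etc/pki/novnc/ca
/etc/pki/novnc/ca/cacert.pem
/etc/pki/novnc/client/clientcert.pem
/etc/pki/novnc/client/private/clientkey.pem"

# Group owner of a file (GNU stat first, BSD stat as fallback).
group_of() {
    stat -c %G "$1" 2>/dev/null || stat -f %Sg "$1" 2>/dev/null
}

# Print one line per problem: "MISSING <path>" or "WRONG_GROUP <path> (<group>)".
# Returns 0 when every path exists and is owned by $PVC_GROUP, 1 otherwise.
audit_novnc_group() {
    bad=0
    for p in $NOVNC_PATHS; do
        f="$ROOT$p"
        if [ ! -e "$f" ]; then
            echo "MISSING $p"           # for cacert.pem: copy it from the management server
            bad=1
            continue
        fi
        g=$(group_of "$f")
        if [ "$g" != "$PVC_GROUP" ]; then
            echo "WRONG_GROUP $p ($g)"
            bad=1
        fi
    done
    return $bad
}

# Apply the documented fix to every path the audit flags as WRONG_GROUP.
# Missing files are reported only; they must be copied into place, not created.
fix_novnc_group() {
    audit_novnc_group | awk '$1 == "WRONG_GROUP" { print $2 }' | while read -r p; do
        chgrp "$PVC_GROUP" "$ROOT$p"
    done
    audit_novnc_group
}

if audit_novnc_group; then
    echo "noVNC PKI ownership OK"
else
    echo "run fix_novnc_group as root to apply chgrp $PVC_GROUP where needed"
fi
```

Run the audit first and read its output: a MISSING line for cacert.pem points at the copy step in the first bullet, while WRONG_GROUP lines are resolved by the chgrp commands that fix_novnc_group issues.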