Posted to dev@cloudstack.apache.org by Nathan Johnson <nj...@ena.com> on 2016/05/07 06:09:23 UTC

hidden configuration items

If you hit the /client/console endpoint with a vmid, it sends you back some  
data that contains a link to the console proxy VM and passes an encrypted  
JSON payload that has the user, password and port for a VNC connection.   
Normally this is meant to load in an iframe.  We want to decrypt this  
response to direct a VNC client to the appropriate host / port / user /  
pass and bypass use of the console proxy VM.  The key and iv appear to be  
stored in the configuration table under the names security.encryption.key  
and security.encryption.iv, but as they are hidden we cannot get these  
credentials via the listConfigurations endpoint as-is.  So my question is:

What would be the most appropriate way to open up the possibility of  
showing “hidden” configuration items via this API to our middleware?  Some  
sort of entry in a config file somewhere?  An entry in the configuration  
table itself?  Or is there some other way to get this information I’m  
looking for?

Thanks in advance.

Nathan

Re: hidden configuration items

Posted by Erik Weber <te...@gmail.com>.
On Sat, May 7, 2016 at 8:09 AM, Nathan Johnson <nj...@ena.com> wrote:

> If you hit the /client/console endpoint with a vmid, it sends you back some
> data that contains a link to the console proxy VM and passes an encrypted
> JSON payload that has the user, password and port for a VNC connection.
> Normally this is meant to load in an iframe.  We want to decrypt this
> response to direct a VNC client to the appropriate host / port / user /
> pass and bypass use of the console proxy VM.  The key and iv appear to be
> stored in the configuration table under the names security.encryption.key
> and security.encryption.iv, but as they are hidden we cannot get these
> credentials via the listConfigurations endpoint as-is.  So my question is:
>
> What would be the most appropriate way to open up the possibility of
> showing “hidden” configuration items via this API to our middleware?  Some
> sort of entry in a config file somewhere?  An entry in the configuration
> table itself?  Or is there some other way to get this information I’m
> looking for?
>
>
Just tested:

mysql> update configuration set category='Secure' where name in
('security.encryption.iv', 'security.encryption.key');

(default) > list configurations name=security.encryption.iv

count = 1

configuration:

+----------+------------------------+------------------------+------------------------+
| category |          name          |         value          |      description       |
+----------+------------------------+------------------------+------------------------+
|  Secure  | security.encryption.iv | <REMOVED FOR SECURITY> | base64 encoded IV data |
+----------+------------------------+------------------------+------------------------+


-- 
Erik

Re: hidden configuration items

Posted by Anshul Gangwar <an...@accelerite.com>.
I know what happens, but I am not sure how you will be able to connect to VNC with that info.

From the diagram in the previous mail, which components do you want to remove?

Basically, what I am trying to say here is that the JSON payload consists of data we get from the management server. The only variable there is the time, on which the token changes, to make sure nobody in the middle has changed anything. It is only meant for authentication purposes. This authentication code is present on the management server itself.

The CPVM is able to connect to the console because it is present in the same network. For connection purposes it doesn't use any additional data that is not provided by the management server.

That being said, I can give more details only after knowing which components you want to replace. 






On 09/05/16, 7:27 PM, "Nathan Johnson" <nj...@ena.com> wrote:

>Anshul Gangwar <an...@accelerite.com> wrote:
>>
>> ms ——authenticate—> CPVM ——for VNC console—> Hypervisor
>>                      ^
>>                      | gets images from CPVM
>>                  web browser
>>
>> Which of the above components you want to keep and which to remove?
>
>Currently when you hit the management server and pass it a vmid, you get a  
>response that is a html payload with a link in an iframe to the console  
>proxy VM, along with a parameter passed on the get string that constitutes  
>an encrypted JSON payload.  This encrypted JSON payload includes all of the  
>information that would be needed to connect via VNC.  We want to be able to  
>make the request from our middleware, intercept and decrypt this JSON  
>payload and be able to use an alternative web-based VNC client.
>
>>
>> Also you can look into other implementations of Console proxy which are  
>> rarely used to get more info.
>>
>
>Could you point me to one?  I would be very interested to look at an  
>alternative.
>
>Thank you,
>Nathan
>



DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.

Re: hidden configuration items

Posted by Nathan Johnson <nj...@ena.com>.
Anshul Gangwar <an...@accelerite.com> wrote:
>
> ms ——authenticate—> CPVM ——for VNC console—> Hypervisor
>                      ^
>                      | gets images from CPVM
>                  web browser
>
> Which of the above components you want to keep and which to remove?

Currently when you hit the management server and pass it a vmid, you get a  
response that is a html payload with a link in an iframe to the console  
proxy VM, along with a parameter passed on the get string that constitutes  
an encrypted JSON payload.  This encrypted JSON payload includes all of the  
information that would be needed to connect via VNC.  We want to be able to  
make the request from our middleware, intercept and decrypt this JSON  
payload and be able to use an alternative web-based VNC client.

>
> Also you can look into other implementations of Console proxy which are  
> rarely used to get more info.
>

Could you point me to one?  I would be very interested to look at an  
alternative.

Thank you,
Nathan

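The decode-and-decrypt step described above, as an added example in Go; this is not code from the thread or from CloudStack itself. The thread establishes only that security.encryption.key and security.encryption.iv are base64-encoded configuration values and that the token on the iframe URL is encrypted JSON carrying the VNC user, password, host and port plus a time value. The cipher (AES-CBC with PKCS#7 padding), the base64 transport encoding of the token and the JSON field names (host, port, username, password, ts) are assumptions made here and must be checked against the management server's console code before a middleware relies on them. Note also that once the key and IV are readable via listConfigurations, whoever can call that API can decrypt every console token issued by that management server, so the middleware should handle the two values as secrets.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ConsoleTarget is what the middleware wants out of the console token.
// The JSON field names are assumed for this example; the thread only says the
// payload carries user, password, host and port for VNC plus a time value.
type ConsoleTarget struct {
	Host      string `json:"host"`
	Port      int    `json:"port"`
	Username  string `json:"username"`
	Password  string `json:"password"`
	Timestamp int64  `json:"ts"`
}

// DecodeKeyIV turns the base64 strings read from security.encryption.key and
// security.encryption.iv into raw bytes and checks their lengths, so a bad
// configuration value fails here rather than as garbage after decryption.
func DecodeKeyIV(keyB64, ivB64 string) ([]byte, []byte, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, nil, fmt.Errorf("security.encryption.key: %w", err)
	}
	iv, err := base64.StdEncoding.DecodeString(ivB64)
	if err != nil {
		return nil, nil, fmt.Errorf("security.encryption.iv: %w", err)
	}
	if len(iv) != aes.BlockSize {
		return nil, nil, fmt.Errorf("iv is %d bytes, want %d", len(iv), aes.BlockSize)
	}
	if l := len(key); l != 16 && l != 24 && l != 32 {
		return nil, nil, fmt.Errorf("key is %d bytes, want 16, 24 or 32", l)
	}
	return key, iv, nil
}

// pkcs7Pad / pkcs7Unpad implement the padding assumed for the token.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptToken builds a token under the assumed scheme (AES-CBC, PKCS#7,
// base64); it exists so the example round-trips offline.
func EncryptToken(t ConsoleTarget, keyB64, ivB64 string) (string, error) {
	key, iv, err := DecodeKeyIV(keyB64, ivB64)
	if err != nil {
		return "", err
	}
	plain, err := json.Marshal(t)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptToken is the middleware's step on the token taken from the iframe
// URL: base64-decode, AES-CBC decrypt, strip padding, parse JSON.
func DecryptToken(token, keyB64, ivB64 string) (ConsoleTarget, error) {
	var t ConsoleTarget
	key, iv, err := DecodeKeyIV(keyB64, ivB64)
	if err != nil {
		return t, err
	}
	ct, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return t, fmt.Errorf("token: %w", err)
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return t, errors.New("token: length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return t, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt); err != nil {
		return t, err
	}
	if err := json.Unmarshal(pt, &t); err != nil {
		return t, fmt.Errorf("token is not JSON after decryption (wrong key/iv?): %w", err)
	}
	return t, nil
}

func main() {
	// Constructed stand-ins for the two configuration values; a real
	// deployment reads them via listConfigurations once they are visible.
	keyB64 := base64.StdEncoding.EncodeToString([]byte("0123456789abcdef"))
	ivB64 := base64.StdEncoding.EncodeToString([]byte("fedcba9876543210"))
	target := ConsoleTarget{Host: "10.0.0.5", Port: 5901, Username: "vncuser", Password: "s3cret", Timestamp: 1462601363}
	tok, err := EncryptToken(target, keyB64, ivB64)
	if err != nil {
		panic(err)
	}
	got, err := DecryptToken(tok, keyB64, ivB64)
	if err != nil {
		panic(err)
	}
	fmt.Printf("connect to %s:%d as %s\n", got.Host, got.Port, got.Username)
}
```

The length checks in DecodeKeyIV and DecryptToken are the part worth keeping whatever the real scheme turns out to be: a truncated or re-encoded configuration value otherwise surfaces only as a padding error or a JSON parse failure after decryption, which is hard to tell apart from a wrong key.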

Re: hidden configuration items

Posted by Anshul Gangwar <an...@accelerite.com>.
I didn’t get how you will use that info to connect?

There are three connections involved in showing console to user. 

ms ——authenticate—> CPVM ——for VNC console—> Hypervisor
                     ^
                     | gets images from CPVM
                 web browser

Which of the above components you want to keep and which to remove?

Also you can look into other implementations of Console proxy which are rarely used to get more info.

Regards,
Anshul



> On 07-May-2016, at 11:39 AM, Nathan Johnson <nj...@ena.com> wrote:
> 
> If you hit the /client/console endpoint with a vmid, it sends you back some  
> data that contains a link to the console proxy VM and passes an encrypted  
> JSON payload that has the user, password and port for a VNC connection.   
> Normally this is meant to load in an iframe.  We want to decrypt this  
> response to direct a VNC client to the appropriate host / port / user /  
> pass and bypass use of the console proxy VM.  The key and iv appear to be  
> stored in the configuration table under the names security.encryption.key  
> and security.encryption.iv, but as they are hidden we cannot get these  
> credentials via the listConfigurations endpoint as-is.  So my question is:
> 
> What would be the most appropriate way to open up the possibility of  
> showing “hidden” configuration items via this API to our middleware?  Some  
> sort of entry in a config file somewhere?  An entry in the configuration  
> table itself?  Or is there some other way to get this information I’m  
> looking for?
> 
> Thanks in advance.
> 
> Nathan
