Recently we have added support for HTML5-based VNC and SPICE consoles.
In the current master we support:
- VNC and SPICE consoles for RHEVM with websocket proxy
- VNC consoles for VMware with websocket proxy
- VNC consoles for OpenStack using OpenStack supplied websocket proxy
All of the above use the websocket protocol, which all recent browser versions support, and can use SSL to encrypt the websocket connection.
In the case of OpenStack, please refer to the OpenStack documentation on the topic: http://docs.openstack.org/admin-guide-cloud/content/getting-started-with-vnc-proxy.html. We only make an API call to get the URL for the console and open that console in a web browser.
The following information applies to RHEVM and VMware consoles.
By default the websocket connection runs over HTTPS or HTTP, based on how the application was accessed. On an appliance you will most likely use HTTPS, and therefore the websocket connection will also be wss:// (websocket with SSL). In a developer setup, when accessing the appliance by HTTPS the proxy will run w/o SSL: ws://
Under Configure -> Configuration -> [active server] -> Advanced you can use several options.
All keys below belong under the key server.
Previously used key
valid values: mks or vmrc
This key was used previously and is still used to configure which type of browser plugin and console is used to access VMware consoles.
Configuration of SSL encryption
You can control the encryption of data between the proxy process running on the appliance and the browser using SSL:
:key : certs/server.cer.key
The paths are relative to vmdb/.
Encrypt defaults to true for SSL connections and to false for non-SSL connections; however, it can be overridden here. So, for example, you can access the application using HTTP and still use wss:// for the websocket proxy.
To make the consoles actually work you need a certificate that is accepted by your browser.
The best way to do this is to buy a certificate from a public CA such as Verisign, Thawte, RapidSSL…
To install certificates into CFME, the product based on ManageIQ, you can use this howto: https://access.redhat.com/articles/449033
For testing purposes it’s best to create your own CA.
Here’s a link to generate a CA on Linux:
Generate a server certificate and sign it by your new CA:
Convert the certificate for Windows IE:
openssl x509 -outform der -in ca.cert.pem -out ca.cert.der
Here’s a link on how to import a CA into IE: http://www.poweradmin.com/help/sslhints/ie.aspx
For Firefox and Chrome the process is pretty straight-forward.
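The test-CA steps above as one script, added here as an example and not taken from the original post or from ManageIQ. It creates a throwaway CA, signs a server certificate that carries the host name in subjectAltName (current browsers ignore the CN), writes the DER copy for IE and verifies the result. The host name, the output directory and every file name except ca.cert.pem, ca.cert.der and server.cer.key are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway CA + console server cert.
# Assumed names: CONSOLE_HOST, OUT_DIR, req.cnf, server.csr, server.ext, server.cer.
set -eu
CONSOLE_HOST="${CONSOLE_HOST:-appliance.example.test}"  # constructed; use the name typed in the browser
OUT_DIR="${OUT_DIR:-console-test-pki}"

make_ca() {   # $1 = directory; writes ca.key.pem, ca.cert.pem and ca.cert.der
  mkdir -p "$1"
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Console Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem" 2>/dev/null
  # DER copy for the Windows/IE import step, same command as on the page
  openssl x509 -outform der -in "$1/ca.cert.pem" -out "$1/ca.cert.der"
}

make_server_cert() {   # $1 = directory, $2 = host name
  openssl req -new -config "$1/req.cnf" -subj "/CN=$2" -newkey rsa:2048 -nodes \
    -keyout "$1/server.cer.key" -out "$1/server.csr" 2>/dev/null
  # Browsers match the host name against subjectAltName, not the CN
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$2" > "$1/server.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.cert.pem" -CAkey "$1/ca.key.pem" \
    -CAcreateserial -extfile "$1/server.ext" -sha256 -days 90 \
    -out "$1/server.cer" 2>/dev/null
  chmod 600 "$1/server.cer.key" "$1/ca.key.pem"   # private keys readable by owner only
}

check_server_cert() {   # succeeds only if chain, server purpose and host name all verify
  openssl verify -CAfile "$1/ca.cert.pem" -purpose sslserver \
    -verify_hostname "$2" "$1/server.cer" >/dev/null 2>&1
}

make_ca "$OUT_DIR"
make_server_cert "$OUT_DIR" "$CONSOLE_HOST"
check_server_cert "$OUT_DIR" "$CONSOLE_HOST" && echo "server.cer verifies for $CONSOLE_HOST"
```

Import ca.cert.pem (or ca.cert.der for IE) into the browser, and keep ca.key.pem off the appliance; only the server certificate and its key belong there.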
If you insist on testing with the self-signed certificate pre-installed in the appliance, you can try a trick:
- change wss:// to https:// and open the URL
- confirm the security exception
- reopen the VNC/SPICE console
- voila, in Chrome and FF you have the connection between the appliance and browser encrypted by SSL.