From 5d4f27480d0e97a9d56106213733d52f0a6f884f Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Tue, 26 Jul 2022 11:45:28 -0300
Subject: [PATCH 01/19] Console access enhancements

---
 .../consoleproxy/ConsoleProxyResource.java    |   5 +-
 .../cloud/agent/api/to/VirtualMachineTO.java  |   9 +
 .../user/consoleproxy/ConsoleEndpoint.java    |  58 +++
 .../CreateConsoleEndpointCmd.java             |  99 ++++
 .../response/CreateConsoleUrlResponse.java    |  97 ++++
 .../consoleproxy/ConsoleAccessManager.java    |  43 ++
 .../ConsoleAccessAuthenticationCommand.java   |  13 +-
 .../info/ConsoleProxyConnectionInfo.java      |   1 +
 .../com/cloud/info/ConsoleProxyStatus.java    |   5 +
 .../wrapper/LibvirtStartCommandWrapper.java   |  15 +
 .../java/com/cloud/api/ApiDispatcher.java     |   7 +
 .../main/java/com/cloud/api/ApiServlet.java   |  13 +
 .../AgentBasedConsoleProxyManager.java        |  11 +-
 .../com/cloud/consoleproxy/AgentHookBase.java |  18 +-
 .../ConsoleAccessManagerImpl.java             | 451 ++++++++++++++++++
 .../consoleproxy/ConsoleProxyManager.java     |  43 +-
 .../consoleproxy/ConsoleProxyManagerImpl.java |  17 +-
 .../cloud/hypervisor/HypervisorGuruBase.java  |  10 +
 .../cloud/server/ManagementServerImpl.java    |   2 +
 .../servlet/ConsoleProxyClientParam.java      |  28 ++
 .../cloud/servlet/ConsoleProxyServlet.java    | 218 ---------
 .../spring-server-core-managers-context.xml   |   2 +
 .../com/cloud/consoleproxy/ConsoleProxy.java  |  36 +-
 .../consoleproxy/ConsoleProxyClient.java      |   2 +
 .../consoleproxy/ConsoleProxyClientBase.java  |   6 +
 .../consoleproxy/ConsoleProxyClientParam.java |  28 ++
 .../ConsoleProxyClientStatsCollector.java     |   9 +
 .../consoleproxy/ConsoleProxyGCThread.java    |  10 +-
 .../ConsoleProxyHttpHandlerHelper.java        |   9 +
 .../ConsoleProxyNoVNCHandler.java             |   6 +
 .../consoleproxy/ConsoleProxyNoVNCServer.java |  17 +-
 .../consoleproxy/ConsoleProxyNoVncClient.java |   7 +
 .../opt/cloud/bin/setup/consoleproxy.sh       |   5 +
 systemvm/patch-sysvms.sh                      |   5 +-
 tools/apidoc/gen_toc.py                       |   3 +-
 ui/src/components/widgets/Console.vue         |  19 +-
 .../consoleproxy/ConsoleAccessUtils.java      |  27 ++
 37 files changed, 1083 insertions(+), 271 deletions(-)
 create mode 100644 api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java
 create mode 100644 api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
 create mode 100644 api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleUrlResponse.java
 create mode 100644 api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
 create mode 100644 server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
 create mode 100644 utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java

diff --git a/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java b/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java
index 257a1fc984a1..3f5372af9aa6 100644
--- a/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java
+++ b/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java
@@ -382,9 +382,10 @@ protected void runInContext() {
         }
     }
 
-    public String authenticateConsoleAccess(String host, String port, String vmId, String sid, String ticket, Boolean isReauthentication) {
+    public String authenticateConsoleAccess(String host, String port, String vmId, String sid, String ticket,
+                                            Boolean isReauthentication, String sessionToken) {
 
-        ConsoleAccessAuthenticationCommand cmd = new ConsoleAccessAuthenticationCommand(host, port, vmId, sid, ticket);
+        ConsoleAccessAuthenticationCommand cmd = new ConsoleAccessAuthenticationCommand(host, port, vmId, sid, ticket, sessionToken);
         cmd.setReauthenticating(isReauthentication);
 
         ConsoleProxyAuthenticationResult result = new ConsoleProxyAuthenticationResult();
diff --git a/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java b/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java
index 5fc248343ecc..d612fb624858 100644
--- a/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java
+++ b/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java
@@ -59,6 +59,7 @@ public class VirtualMachineTO {
     boolean enableDynamicallyScaleVm;
     String vncPassword;
     String vncAddr;
+    String vncPort;
     Map<String, String> params;
     String uuid;
     String bootType;
@@ -283,6 +284,14 @@ public void setVncAddr(String vncAddr) {
         this.vncAddr = vncAddr;
     }
 
+    public String getVncPort() {
+        return vncPort;
+    }
+
+    public void setVncPort(String vncPort) {
+        this.vncPort = vncPort;
+    }
+
     public Map<String, String> getDetails() {
         return params;
     }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java
new file mode 100644
index 000000000000..cd61c223ed16
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java
@@ -0,0 +1,58 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.consoleproxy;
+
+public class ConsoleEndpoint {
+
+    private boolean result;
+    private String details;
+    private String url;
+
+    public ConsoleEndpoint(boolean result, String url) {
+        this.result = result;
+        this.url = url;
+    }
+
+    public ConsoleEndpoint(boolean result, String url, String details) {
+        this(result, url);
+        this.details = details;
+    }
+
+    public boolean isResult() {
+        return result;
+    }
+
+    public void setResult(boolean result) {
+        this.result = result;
+    }
+
+    public String getUrl() {
+        return url;
+    }
+
+    public void setUrl(String url) {
+        this.url = url;
+    }
+
+    public String getDetails() {
+        return details;
+    }
+
+    public void setDetails(String details) {
+        this.details = details;
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
new file mode 100644
index 000000000000..b84fa4745106
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
@@ -0,0 +1,99 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.command.user.consoleproxy;
+
+import com.cloud.exception.ConcurrentOperationException;
+import com.cloud.exception.InsufficientCapacityException;
+import com.cloud.exception.NetworkRuleConflictException;
+import com.cloud.exception.ResourceAllocationException;
+import com.cloud.exception.ResourceUnavailableException;
+import org.apache.cloudstack.api.APICommand;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.ApiErrorCode;
+import org.apache.cloudstack.api.BaseCmd;
+import org.apache.cloudstack.api.Parameter;
+import org.apache.cloudstack.api.ServerApiException;
+import org.apache.cloudstack.api.response.CreateConsoleUrlResponse;
+import org.apache.cloudstack.api.response.UserVmResponse;
+import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.utils.consoleproxy.ConsoleAccessUtils;
+import org.apache.commons.collections.MapUtils;
+import org.apache.log4j.Logger;
+
+import javax.inject.Inject;
+import java.util.Map;
+
+@APICommand(name = CreateConsoleEndpointCmd.APINAME, description = "Create a console endpoint to connect to a VM console",
+        responseObject = CreateConsoleUrlResponse.class, since = "4.18.0",
+        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
+public class CreateConsoleEndpointCmd extends BaseCmd {
+
+    public static final String APINAME = "createConsoleEndpoint";
+    public static final Logger s_logger = Logger.getLogger(CreateConsoleEndpointCmd.class.getName());
+
+    @Inject
+    private ConsoleAccessManager consoleManager;
+
+    @Parameter(name = ApiConstants.VIRTUAL_MACHINE_ID,
+            type = CommandType.UUID,
+            entityType = UserVmResponse.class,
+            required = true,
+            description = "ID of the VM")
+    private Long vmId;
+
+    @Override
+    public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
+        String clientSecurityToken = getClientSecurityToken();
+        String clientAddress = getClientAddress();
+        ConsoleEndpoint endpoint = consoleManager.generateConsoleEndpoint(vmId, clientSecurityToken, clientAddress);
+        if (endpoint != null) {
+            CreateConsoleUrlResponse response = new CreateConsoleUrlResponse();
+            response.setResult(endpoint.isResult());
+            response.setDetails(endpoint.getDetails());
+            response.setUrl(endpoint.getUrl());
+            response.setResponseName(getCommandName());
+            response.setObjectName("consoleendpoint");
+            setResponseObject(response);
+        } else {
+            throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Unable to generate console endpoint for vm " + vmId);
+        }
+    }
+
+    private String getParameterBase(String paramKey) {
+        Map<String, String> params = getFullUrlParams();
+        return MapUtils.isNotEmpty(params) && params.containsKey(paramKey) ? params.get(paramKey) : null;
+    }
+
+    private String getClientAddress() {
+        return getParameterBase(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY);
+    }
+
+    private String getClientSecurityToken() {
+        return getParameterBase(ConsoleAccessUtils.CLIENT_SECURITY_HEADER_PARAM_KEY);
+    }
+
+    @Override
+    public String getCommandName() {
+        return APINAME.toLowerCase() + BaseCmd.RESPONSE_SUFFIX;
+    }
+
+    @Override
+    public long getEntityOwnerId() {
+        return CallContext.current().getCallingAccount().getId();
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleUrlResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleUrlResponse.java
new file mode 100644
index 000000000000..61b05be7ab39
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleUrlResponse.java
@@ -0,0 +1,97 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.response;
+
+import com.cloud.serializer.Param;
+import com.google.gson.annotations.SerializedName;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseResponse;
+
+public class CreateConsoleUrlResponse extends BaseResponse {
+
+    @SerializedName(ApiConstants.RESULT)
+    @Param(description = "true if the console endpoint is generated properly")
+    private Boolean result;
+
+    @SerializedName(ApiConstants.DETAILS)
+    @Param(description = "details in case of an error")
+    private String details;
+
+    @SerializedName(ApiConstants.IP_ADDRESS)
+    @Param(description = "the console ip address")
+    private String ipAddress;
+
+    @SerializedName(ApiConstants.PORT)
+    @Param(description = "the console port")
+    private String port;
+
+    @SerializedName(ApiConstants.TOKEN)
+    @Param(description = "the console token")
+    private String token;
+
+    @SerializedName(ApiConstants.URL)
+    @Param(description = "the console url")
+    private String url;
+
+    public Boolean getResult() {
+        return result;
+    }
+
+    public void setResult(Boolean result) {
+        this.result = result;
+    }
+
+    public String getDetails() {
+        return details;
+    }
+
+    public void setDetails(String details) {
+        this.details = details;
+    }
+
+    public String getIpAddress() {
+        return ipAddress;
+    }
+
+    public void setIpAddress(String ip) {
+        this.ipAddress = ip;
+    }
+
+    public String getPort() {
+        return port;
+    }
+
+    public void setPort(String port) {
+        this.port = port;
+    }
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public String getUrl() {
+        return url;
+    }
+
+    public void setUrl(String url) {
+        this.url = url;
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
new file mode 100644
index 000000000000..55061088c4c6
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
@@ -0,0 +1,43 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.consoleproxy;
+
+import com.cloud.utils.component.Manager;
+import org.apache.cloudstack.api.command.user.consoleproxy.ConsoleEndpoint;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.config.Configurable;
+
+public interface ConsoleAccessManager extends Manager, Configurable {
+
+    ConfigKey<String> ConsoleProxySchema = new ConfigKey<>("Advanced", String.class,
+            "consoleproxy.schema", "http",
+            "The http/https schema to be used by the console proxy URLs", true);
+
+    ConfigKey<Boolean> ConsoleProxyExtraSecurityHeaderEnabled = new ConfigKey<>("Advanced", Boolean.class,
+            "consoleproxy.extra.security.header.enabled", "false",
+            "Enable/disable extra security validation for console proxy using client header", true);
+
+    ConfigKey<String> ConsoleProxyExtraSecurityHeaderName = new ConfigKey<>("Advanced", String.class,
+            "consoleproxy.extra.security.header.name", "SECURITY_TOKEN",
+            "A client header for extra security validation when using the console proxy", true);
+
+    ConsoleEndpoint generateConsoleEndpoint(Long vmId, String clientSecurityToken, String clientAddress);
+
+    boolean isSessionAllowed(String sessionUuid);
+
+    void removeSessions(String[] sessionUuids);
+}
diff --git a/core/src/main/java/com/cloud/agent/api/ConsoleAccessAuthenticationCommand.java b/core/src/main/java/com/cloud/agent/api/ConsoleAccessAuthenticationCommand.java
index dd533d8774da..683d4afd5b2f 100644
--- a/core/src/main/java/com/cloud/agent/api/ConsoleAccessAuthenticationCommand.java
+++ b/core/src/main/java/com/cloud/agent/api/ConsoleAccessAuthenticationCommand.java
@@ -26,6 +26,7 @@ public class ConsoleAccessAuthenticationCommand extends AgentControlCommand {
     private String _vmId;
     private String _sid;
     private String _ticket;
+    private String sessionUuid;
 
     private boolean _isReauthenticating;
 
@@ -33,12 +34,14 @@ public ConsoleAccessAuthenticationCommand() {
         _isReauthenticating = false;
     }
 
-    public ConsoleAccessAuthenticationCommand(String host, String port, String vmId, String sid, String ticket) {
+    public ConsoleAccessAuthenticationCommand(String host, String port, String vmId, String sid, String ticket,
+                                              String sessiontkn) {
         _host = host;
         _port = port;
         _vmId = vmId;
         _sid = sid;
         _ticket = ticket;
+        sessionUuid = sessiontkn;
     }
 
     public String getHost() {
@@ -68,4 +71,12 @@ public boolean isReauthenticating() {
     public void setReauthenticating(boolean value) {
         _isReauthenticating = value;
     }
+
+    public String getSessionUuid() {
+        return sessionUuid;
+    }
+
+    public void setSessionUuid(String sessionUuid) {
+        this.sessionUuid = sessionUuid;
+    }
 }
diff --git a/core/src/main/java/com/cloud/info/ConsoleProxyConnectionInfo.java b/core/src/main/java/com/cloud/info/ConsoleProxyConnectionInfo.java
index 48819f494750..06a048a21809 100644
--- a/core/src/main/java/com/cloud/info/ConsoleProxyConnectionInfo.java
+++ b/core/src/main/java/com/cloud/info/ConsoleProxyConnectionInfo.java
@@ -26,6 +26,7 @@ public class ConsoleProxyConnectionInfo {
     public String tag;
     public long createTime;
     public long lastUsedTime;
+    public String sessionUuid;
 
     public ConsoleProxyConnectionInfo() {
     }
diff --git a/core/src/main/java/com/cloud/info/ConsoleProxyStatus.java b/core/src/main/java/com/cloud/info/ConsoleProxyStatus.java
index 3d3dda9a508a..e9ef26a63b9e 100644
--- a/core/src/main/java/com/cloud/info/ConsoleProxyStatus.java
+++ b/core/src/main/java/com/cloud/info/ConsoleProxyStatus.java
@@ -21,6 +21,7 @@
 
 public class ConsoleProxyStatus {
     private ConsoleProxyConnectionInfo[] connections;
+    private String[] removedSessions;
 
     public ConsoleProxyStatus() {
     }
@@ -28,4 +29,8 @@ public ConsoleProxyStatus() {
     public ConsoleProxyConnectionInfo[] getConnections() {
         return connections;
     }
+
+    public String[] getRemovedSessions() {
+        return removedSessions;
+    }
 }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
index 7b69993f2e5e..6b5090bf1546 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
@@ -24,6 +24,7 @@
 
 import com.cloud.agent.resource.virtualnetwork.VRScripts;
 import com.cloud.utils.FileUtil;
+import com.cloud.utils.ssh.SshHelper;
 import org.apache.log4j.Logger;
 import org.libvirt.Connect;
 import org.libvirt.DomainInfo.DomainState;
@@ -50,6 +51,9 @@
 public final class LibvirtStartCommandWrapper extends CommandWrapper<StartCommand, Answer, LibvirtComputingResource> {
 
     private static final Logger s_logger = Logger.getLogger(LibvirtStartCommandWrapper.class);
+    private static final int sshPort = Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT);
+    private static final File pemFile = new File(LibvirtComputingResource.SSHPRVKEYPATH);
+    private static final String vncConfFileLocation = "/root/vncport";
 
     @Override
     public Answer execute(final StartCommand command, final LibvirtComputingResource libvirtComputingResource) {
@@ -110,6 +114,17 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
                         }
                     }
 
+                    if (vmSpec.getType() == VirtualMachine.Type.ConsoleProxy && vmSpec.getVncPort() != null) {
+                        String novncPort = vmSpec.getVncPort();
+                        try {
+                            String addCmd = "echo " + novncPort + " > " + vncConfFileLocation;
+                            SshHelper.sshExecute(controlIp, sshPort, "root",
+                                    pemFile, null, addCmd, 20000, 20000, 600000);
+                        } catch (Exception e) {
+                            s_logger.error("Could not set the noVNC port " + novncPort + " to the CPVM", e);
+                        }
+                    }
+
                     final VirtualRoutingResource virtRouterResource = libvirtComputingResource.getVirtRouterResource();
                     // check if the router is up?
                     for (int count = 0; count < 60; count++) {
diff --git a/server/src/main/java/com/cloud/api/ApiDispatcher.java b/server/src/main/java/com/cloud/api/ApiDispatcher.java
index 3880f2aa9d1b..18121497365d 100644
--- a/server/src/main/java/com/cloud/api/ApiDispatcher.java
+++ b/server/src/main/java/com/cloud/api/ApiDispatcher.java
@@ -32,6 +32,7 @@
 import org.apache.cloudstack.api.BaseAsyncCustomIdCmd;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.BaseCustomIdCmd;
+import org.apache.cloudstack.api.command.user.consoleproxy.CreateConsoleEndpointCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.jobs.AsyncJob;
 import org.apache.cloudstack.framework.jobs.AsyncJobManager;
@@ -158,6 +159,12 @@ public void dispatch(final BaseCmd cmd, final Map<String, String> params, final
             ((BaseAsyncCustomIdCmd)cmd).checkUuid();
         } else if (cmd instanceof BaseCustomIdCmd) {
             ((BaseCustomIdCmd)cmd).checkUuid();
+        } else if (cmd instanceof CreateConsoleEndpointCmd) {
+            Map<String, String> fullUrlParams = ((CreateConsoleEndpointCmd) cmd).getFullUrlParams();
+            s_logger.info("Console URL full params:");
+            for (String key : fullUrlParams.keySet()) {
+                s_logger.info(key + " : " + fullUrlParams.get(key));
+            }
         }
 
         cmd.execute();
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index 4bdf31defaf4..f754392c3041 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -41,8 +41,11 @@
 import org.apache.cloudstack.api.auth.APIAuthenticationManager;
 import org.apache.cloudstack.api.auth.APIAuthenticationType;
 import org.apache.cloudstack.api.auth.APIAuthenticator;
+import org.apache.cloudstack.api.command.user.consoleproxy.CreateConsoleEndpointCmd;
+import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.managed.context.ManagedContext;
+import org.apache.cloudstack.utils.consoleproxy.ConsoleAccessUtils;
 import org.apache.log4j.Logger;
 import org.jetbrains.annotations.Nullable;
 import org.springframework.stereotype.Component;
@@ -324,6 +327,16 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                 // Add the HTTP method (GET/POST/PUT/DELETE) as well into the params map.
                 params.put("httpmethod", new String[]{req.getMethod()});
                 setProjectContext(params);
+                if (org.apache.commons.lang3.StringUtils.isNotBlank(command) &&
+                        command.equalsIgnoreCase(CreateConsoleEndpointCmd.APINAME)) {
+                    InetAddress addr = getClientAddress(req);
+                    String clientAddress = addr != null ? addr.getHostAddress() : null;
+                    params.put(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY, new String[] {clientAddress});
+                    if (ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderEnabled.value()) {
+                        String clientSecurityToken = req.getHeader(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderName.value());
+                        params.put(ConsoleAccessUtils.CLIENT_SECURITY_HEADER_PARAM_KEY, new String[] {clientSecurityToken});
+                    }
+                }
                 final String response = apiServer.handleRequest(params, responseType, auditTrailSb);
                 HttpUtils.writeHttpResponse(resp, response != null ? response : "", HttpServletResponse.SC_OK, responseType, ApiServer.JSONcontentType.value());
             } else {
diff --git a/server/src/main/java/com/cloud/consoleproxy/AgentBasedConsoleProxyManager.java b/server/src/main/java/com/cloud/consoleproxy/AgentBasedConsoleProxyManager.java
index 487ec45a4249..f7594e8d0401 100644
--- a/server/src/main/java/com/cloud/consoleproxy/AgentBasedConsoleProxyManager.java
+++ b/server/src/main/java/com/cloud/consoleproxy/AgentBasedConsoleProxyManager.java
@@ -21,6 +21,7 @@
 import javax.inject.Inject;
 import javax.naming.ConfigurationException;
 
+import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
 import org.apache.log4j.Logger;
 
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
@@ -67,6 +68,8 @@ public class AgentBasedConsoleProxyManager extends ManagerBase implements Consol
     protected ConsoleProxyDao _cpDao;
     @Inject
     protected KeystoreManager _ksMgr;
+    @Inject
+    protected ConsoleAccessManager consoleAccessManager;
 
     @Inject
     ConfigurationDao _configDao;
@@ -77,8 +80,9 @@ public class AgentBasedConsoleProxyManager extends ManagerBase implements Consol
 
     public class AgentBasedAgentHook extends AgentHookBase {
 
-        public AgentBasedAgentHook(VMInstanceDao instanceDao, HostDao hostDao, ConfigurationDao cfgDao, KeystoreManager ksMgr, AgentManager agentMgr, KeysManager keysMgr) {
-            super(instanceDao, hostDao, cfgDao, ksMgr, agentMgr, keysMgr);
+        public AgentBasedAgentHook(VMInstanceDao instanceDao, HostDao hostDao, ConfigurationDao cfgDao, KeystoreManager ksMgr,
+                                   AgentManager agentMgr, KeysManager keysMgr, ConsoleAccessManager consoleAccessManager) {
+            super(instanceDao, hostDao, cfgDao, ksMgr, agentMgr, keysMgr, consoleAccessManager);
         }
 
         @Override
@@ -121,7 +125,8 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
 
         _consoleProxyUrlDomain = configs.get("consoleproxy.url.domain");
 
-        _listener = new ConsoleProxyListener(new AgentBasedAgentHook(_instanceDao, _hostDao, _configDao, _ksMgr, _agentMgr, _keysMgr));
+        _listener = new ConsoleProxyListener(new AgentBasedAgentHook(_instanceDao, _hostDao, _configDao, _ksMgr,
+                _agentMgr, _keysMgr, consoleAccessManager));
         _agentMgr.registerForHostEvents(_listener, true, true, false);
 
         if (s_logger.isInfoEnabled()) {
diff --git a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
index 2bc092e056ba..c461d5b207b7 100644
--- a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
+++ b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
@@ -21,6 +21,7 @@
 import java.security.SecureRandom;
 import java.util.Date;
 
+import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.framework.security.keys.KeysManager;
 import org.apache.cloudstack.framework.security.keystore.KeystoreManager;
@@ -68,14 +69,17 @@ public abstract class AgentHookBase implements AgentHook {
     AgentManager _agentMgr;
     KeystoreManager _ksMgr;
     KeysManager _keysMgr;
+    ConsoleAccessManager consoleAccessManager;
 
-    public AgentHookBase(VMInstanceDao instanceDao, HostDao hostDao, ConfigurationDao cfgDao, KeystoreManager ksMgr, AgentManager agentMgr, KeysManager keysMgr) {
+    public AgentHookBase(VMInstanceDao instanceDao, HostDao hostDao, ConfigurationDao cfgDao, KeystoreManager ksMgr,
+                         AgentManager agentMgr, KeysManager keysMgr, ConsoleAccessManager consoleAccessMgr) {
         _instanceDao = instanceDao;
         _hostDao = hostDao;
         _agentMgr = agentMgr;
         _configDao = cfgDao;
         _ksMgr = ksMgr;
         _keysMgr = keysMgr;
+        consoleAccessManager = consoleAccessMgr;
     }
 
     @Override
@@ -83,6 +87,8 @@ public AgentControlAnswer onConsoleAccessAuthentication(ConsoleAccessAuthenticat
         Long vmId = null;
 
         String ticketInUrl = cmd.getTicket();
+        String sessionUuid = cmd.getSessionUuid();
+
         if (ticketInUrl == null) {
             s_logger.error("Access ticket could not be found, you could be running an old version of console proxy. vmId: " + cmd.getVmId());
             return new ConsoleAccessAuthenticationAnswer(cmd, false);
@@ -93,16 +99,20 @@ public AgentControlAnswer onConsoleAccessAuthentication(ConsoleAccessAuthenticat
         }
 
         if (!cmd.isReauthenticating()) {
-            String ticket = ConsoleProxyServlet.genAccessTicket(cmd.getHost(), cmd.getPort(), cmd.getSid(), cmd.getVmId());
+            String ticket = ConsoleAccessManagerImpl.genAccessTicket(cmd.getHost(), cmd.getPort(), cmd.getSid(), cmd.getVmId(), sessionUuid);
             if (s_logger.isDebugEnabled()) {
                 s_logger.debug("Console authentication. Ticket in 1 minute boundary for " + cmd.getHost() + ":" + cmd.getPort() + "-" + cmd.getVmId() + " is " + ticket);
             }
 
+            if (!consoleAccessManager.isSessionAllowed(sessionUuid)) {
+                s_logger.error("Invalid session, only one session allowed per token");
+                return new ConsoleAccessAuthenticationAnswer(cmd, false);
+            }
+
             if (!ticket.equals(ticketInUrl)) {
                 Date now = new Date();
                 // considering of minute round-up
-                String minuteEarlyTicket =
-                    ConsoleProxyServlet.genAccessTicket(cmd.getHost(), cmd.getPort(), cmd.getSid(), cmd.getVmId(), new Date(now.getTime() - 60 * 1000));
+                String minuteEarlyTicket = ConsoleAccessManagerImpl.genAccessTicket(cmd.getHost(), cmd.getPort(), cmd.getSid(), cmd.getVmId(), new Date(now.getTime() - 60 * 1000), sessionUuid);
 
                 if (s_logger.isDebugEnabled()) {
                     s_logger.debug("Console authentication. Ticket in 2-minute boundary for " + cmd.getHost() + ":" + cmd.getPort() + "-" + cmd.getVmId() + " is " +
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
new file mode 100644
index 000000000000..1a485625f15d
--- /dev/null
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
@@ -0,0 +1,451 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.consoleproxy;
+
+import com.cloud.agent.AgentManager;
+import com.cloud.agent.api.Answer;
+import com.cloud.agent.api.GetVmVncTicketAnswer;
+import com.cloud.agent.api.GetVmVncTicketCommand;
+import com.cloud.exception.AgentUnavailableException;
+import com.cloud.exception.OperationTimedoutException;
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.host.HostVO;
+import com.cloud.hypervisor.Hypervisor;
+import com.cloud.resource.ResourceState;
+import com.cloud.server.ManagementServer;
+import com.cloud.servlet.ConsoleProxyClientParam;
+import com.cloud.servlet.ConsoleProxyPasswordBasedEncryptor;
+import com.cloud.storage.GuestOSVO;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
+import com.cloud.utils.Pair;
+import com.cloud.utils.Ternary;
+import com.cloud.utils.component.ManagerBase;
+import com.cloud.utils.db.EntityManager;
+import com.cloud.utils.exception.CloudRuntimeException;
+import com.cloud.vm.UserVmDetailVO;
+import com.cloud.vm.VirtualMachine;
+import com.cloud.vm.VirtualMachineManager;
+import com.cloud.vm.VmDetailConstants;
+import com.cloud.vm.dao.UserVmDetailsDao;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import org.apache.cloudstack.api.command.user.consoleproxy.ConsoleEndpoint;
+import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
+import org.apache.cloudstack.context.CallContext;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.framework.security.keys.KeysManager;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.log4j.Logger;
+
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import javax.inject.Inject;
+import javax.naming.ConfigurationException;
+
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.UUID;
+
+public class ConsoleAccessManagerImpl extends ManagerBase implements ConsoleAccessManager {
+
+    @Inject
+    private AccountManager _accountMgr;
+    @Inject
+    private VirtualMachineManager _vmMgr;
+    @Inject
+    private ManagementServer _ms;
+    @Inject
+    private EntityManager _entityMgr;
+    @Inject
+    private UserVmDetailsDao _userVmDetailsDao;
+    @Inject
+    private KeysManager _keysMgr;
+    @Inject
+    private AgentManager agentManager;
+
+    private static KeysManager s_keysMgr;
+    private final Gson _gson = new GsonBuilder().create();
+
+    public static final Logger s_logger = Logger.getLogger(ConsoleAccessManagerImpl.class.getName());
+
+    private static Set<String> allowedSessions;
+
+    @Override
+    public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
+        s_keysMgr = _keysMgr;
+        allowedSessions = new HashSet<>();
+        return super.configure(name, params);
+    }
+
+    @Override
+    public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String clientSecurityToken, String clientAddress) {
+        try {
+            if (_accountMgr == null || _vmMgr == null || _ms == null) {
+                return new ConsoleEndpoint(false, null,"Console service is not ready");
+            }
+
+            if (_keysMgr.getHashKey() == null) {
+                String msg = "Console access denied. Ticket service is not ready yet";
+                s_logger.debug(msg);
+                return new ConsoleEndpoint(false, null, msg);
+            }
+
+            Account account = CallContext.current().getCallingAccount();
+
+            // Do a sanity check here to make sure the user hasn't already been deleted
+            if (account == null) {
+                s_logger.debug("Invalid user/account, reject console access");
+                return new ConsoleEndpoint(false, null,"Access denied. Invalid or inconsistent account is found");
+            }
+
+            VirtualMachine vm = _entityMgr.findById(VirtualMachine.class, vmId);
+            if (vm == null) {
+                s_logger.info("Invalid console servlet command parameter: " + vmId);
+                return new ConsoleEndpoint(false, null, "Cannot find VM with ID " + vmId);
+            }
+
+            if (!checkSessionPermision(vm, account)) {
+                return new ConsoleEndpoint(false, null, "Permission denied");
+            }
+
+            String sessionToken = UUID.randomUUID().toString();
+            return generateAccessEndpoint(vmId, sessionToken, clientSecurityToken, clientAddress);
+        } catch (Throwable e) {
+            s_logger.error("Unexepected exception in ConsoleProxyServlet", e);
+            return new ConsoleEndpoint(false, null, "Server Internal Error: " + e.getMessage());
+        }
+    }
+
+    @Override
+    public boolean isSessionAllowed(String sessionUuid) {
+        return allowedSessions.contains(sessionUuid);
+    }
+
+    @Override
+    public void removeSessions(String[] sessionUuids) {
+        for (String r : sessionUuids) {
+            allowedSessions.remove(r);
+        }
+    }
+
+    private boolean checkSessionPermision(VirtualMachine vm, Account account) {
+        if (_accountMgr.isRootAdmin(account.getId())) {
+            return true;
+        }
+
+        switch (vm.getType()) {
+            case User:
+                try {
+                    _accountMgr.checkAccess(account, null, true, vm);
+                } catch (PermissionDeniedException ex) {
+                    if (_accountMgr.isNormalUser(account.getId())) {
+                        if (s_logger.isDebugEnabled()) {
+                            s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId() + " does not match the account id in session " +
+                                    account.getId() + " and caller is a normal user");
+                        }
+                    } else if (_accountMgr.isDomainAdmin(account.getId())
+                            || account.getType() == Account.Type.READ_ONLY_ADMIN) {
+                        if(s_logger.isDebugEnabled()) {
+                            s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
+                                    + " does not match the account id in session " + account.getId() + " and the domain-admin caller does not manage the target domain");
+                        }
+                    }
+                    return false;
+                }
+                break;
+
+            case DomainRouter:
+            case ConsoleProxy:
+            case SecondaryStorageVm:
+                return false;
+
+            default:
+                s_logger.warn("Unrecoginized virtual machine type, deny access by default. type: " + vm.getType());
+                return false;
+        }
+
+        return true;
+    }
+
+    private ConsoleEndpoint generateAccessEndpoint(Long vmId, String sessionToken, String clientSecurityToken, String clientAddress) {
+        VirtualMachine vm = _vmMgr.findById(vmId);
+        String msg;
+        if (vm == null) {
+            msg = "VM " + vmId + " does not exist, sending blank response for console access request";
+            s_logger.warn(msg);
+            throw new CloudRuntimeException(msg);
+        }
+
+        if (vm.getHostId() == null) {
+            msg = "VM " + vmId + " lost host info, sending blank response for console access request";
+            s_logger.warn(msg);
+            throw new CloudRuntimeException(msg);
+        }
+
+        HostVO host = _ms.getHostBy(vm.getHostId());
+        if (host == null) {
+            msg = "VM " + vmId + "'s host does not exist, sending blank response for console access request";
+            s_logger.warn(msg);
+            throw new CloudRuntimeException(msg);
+        }
+
+        if (Hypervisor.HypervisorType.LXC.equals(vm.getHypervisorType())) {
+            throw new CloudRuntimeException("Console access is not supported for LXC");
+        }
+
+        String rootUrl = _ms.getConsoleAccessUrlRoot(vmId);
+        if (rootUrl == null) {
+            throw new CloudRuntimeException("Console access will be ready in a few minutes. Please try it again later.");
+        }
+
+        ConsoleEndpoint consoleEndpoint = composeConsoleAccessEndpoint(rootUrl, vm, host, clientAddress, sessionToken, clientSecurityToken);
+        s_logger.debug("The console URL is: " + consoleEndpoint.getUrl());
+        return consoleEndpoint;
+    }
+
+    private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMachine vm, HostVO hostVo, String addr,
+                                                         String sessionUuid, String clientSecurityToken) {
+        StringBuffer sb = new StringBuffer(rootUrl);
+        String host = hostVo.getPrivateIpAddress();
+
+        Pair<String, Integer> portInfo = null;
+        if (hostVo.getHypervisorType() == Hypervisor.HypervisorType.KVM &&
+                (hostVo.getResourceState().equals(ResourceState.ErrorInMaintenance) ||
+                        hostVo.getResourceState().equals(ResourceState.ErrorInPrepareForMaintenance))) {
+            UserVmDetailVO detailAddress = _userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KVM_VNC_ADDRESS);
+            UserVmDetailVO detailPort = _userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KVM_VNC_PORT);
+            if (detailAddress != null && detailPort != null) {
+                portInfo = new Pair<>(detailAddress.getValue(), Integer.valueOf(detailPort.getValue()));
+            } else {
+                s_logger.warn("KVM Host in ErrorInMaintenance/ErrorInPrepareForMaintenance but " +
+                        "no VNC Address/Port was available. Falling back to default one from MS.");
+            }
+        }
+
+        if (portInfo == null) {
+            portInfo = _ms.getVncPort(vm);
+        }
+
+        if (s_logger.isDebugEnabled())
+            s_logger.debug("Port info " + portInfo.first());
+
+        Ternary<String, String, String> parsedHostInfo = parseHostInfo(portInfo.first());
+
+        int port = -1;
+        if (portInfo.second() == -9) {
+            //for hyperv
+            port = Integer.parseInt(_ms.findDetail(hostVo.getId(), "rdp.server.port").getValue());
+        } else {
+            port = portInfo.second();
+        }
+
+        String sid = vm.getVncPassword();
+        UserVmDetailVO details = _userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KEYBOARD);
+
+        String tag = vm.getUuid();
+
+        String ticket = genAccessTicket(parsedHostInfo.first(), String.valueOf(port), sid, tag, sessionUuid);
+        ConsoleProxyPasswordBasedEncryptor encryptor = new ConsoleProxyPasswordBasedEncryptor(getEncryptorPassword());
+        ConsoleProxyClientParam param = new ConsoleProxyClientParam();
+        param.setClientHostAddress(parsedHostInfo.first());
+        param.setClientHostPort(port);
+        param.setClientHostPassword(sid);
+        param.setClientTag(tag);
+        param.setTicket(ticket);
+        param.setSessionUuid(sessionUuid);
+        param.setSourceIP(addr);
+
+        if (StringUtils.isNotBlank(clientSecurityToken)) {
+            param.setClientSecurityHeader(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderName.value());
+            param.setClientSecurityToken(clientSecurityToken);
+            s_logger.debug("Added security token " + clientSecurityToken + " for header " + ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderName.value());
+        }
+
+        if (requiresVncOverWebSocketConnection(vm, hostVo)) {
+            setWebsocketUrl(vm, param);
+        }
+
+        if (details != null) {
+            param.setLocale(details.getValue());
+        }
+
+        if (portInfo.second() == -9) {
+            //For Hyperv Clinet Host Address will send Instance id
+            param.setHypervHost(host);
+            param.setUsername(_ms.findDetail(hostVo.getId(), "username").getValue());
+            param.setPassword(_ms.findDetail(hostVo.getId(), "password").getValue());
+        }
+        if (parsedHostInfo.second() != null  && parsedHostInfo.third() != null) {
+            param.setClientTunnelUrl(parsedHostInfo.second());
+            param.setClientTunnelSession(parsedHostInfo.third());
+        }
+
+        String token = encryptor.encryptObject(ConsoleProxyClientParam.class, param);
+        if (param.getHypervHost() != null || !ConsoleProxyManager.NoVncConsoleDefault.value()) {
+            sb.append("/ajax?token=" + token);
+        } else {
+            sb.append("/resource/noVNC/vnc.html")
+                    .append("?autoconnect=true")
+                    .append("&port=" + ConsoleProxyManager.NoVncConsolePort.value())
+                    .append("&token=" + token);
+        }
+
+        // for console access, we need guest OS type to help implement keyboard
+        long guestOs = vm.getGuestOSId();
+        GuestOSVO guestOsVo = _ms.getGuestOs(guestOs);
+        if (guestOsVo.getCategoryId() == 6)
+            sb.append("&guest=windows");
+
+        if (s_logger.isDebugEnabled()) {
+            s_logger.debug("Compose console url: " + sb);
+        }
+        s_logger.debug("Adding allowed session: " + sessionUuid);
+        allowedSessions.add(sessionUuid);
+        String url = !sb.toString().startsWith("http") ? ConsoleAccessManager.ConsoleProxySchema.value() + ":" + sb : sb.toString();
+        return new ConsoleEndpoint(true, url);
+    }
+
+    static public Ternary<String, String, String> parseHostInfo(String hostInfo) {
+        String host = null;
+        String tunnelUrl = null;
+        String tunnelSession = null;
+
+        s_logger.info("Parse host info returned from executing GetVNCPortCommand. host info: " + hostInfo);
+
+        if (hostInfo != null) {
+            if (hostInfo.startsWith("consoleurl")) {
+                String tokens[] = hostInfo.split("&");
+
+                if (hostInfo.length() > 19 && hostInfo.indexOf('/', 19) > 19) {
+                    host = hostInfo.substring(19, hostInfo.indexOf('/', 19)).trim();
+                    tunnelUrl = tokens[0].substring("consoleurl=".length());
+                    tunnelSession = tokens[1].split("=")[1];
+                } else {
+                    host = "";
+                }
+            } else if (hostInfo.startsWith("instanceId")) {
+                host = hostInfo.substring(hostInfo.indexOf('=') + 1);
+            } else {
+                host = hostInfo;
+            }
+        } else {
+            host = hostInfo;
+        }
+
+        return new Ternary<String, String, String>(host, tunnelUrl, tunnelSession);
+    }
+
+    /**
+     * Since VMware 7.0 VNC servers are deprecated, it uses a ticket to create a VNC over websocket connection
+     * Check: https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html
+     */
+    private boolean requiresVncOverWebSocketConnection(VirtualMachine vm, HostVO hostVo) {
+        return vm.getHypervisorType() == Hypervisor.HypervisorType.VMware && hostVo.getHypervisorVersion().compareTo("7.0") >= 0;
+    }
+
+    public static String genAccessTicket(String host, String port, String sid, String tag, String sessionUuid) {
+        return genAccessTicket(host, port, sid, tag, new Date(), sessionUuid);
+    }
+
+    public static String genAccessTicket(String host, String port, String sid, String tag, Date normalizedHashTime, String sessionUuid) {
+        String params = "host=" + host + "&port=" + port + "&sid=" + sid + "&tag=" + tag + "&session=" + sessionUuid;
+
+        try {
+            Mac mac = Mac.getInstance("HmacSHA1");
+
+            long ts = normalizedHashTime.getTime();
+            ts = ts / 60000;        // round up to 1 minute
+            String secretKey = s_keysMgr.getHashKey();
+
+            SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
+            mac.init(keySpec);
+            mac.update(params.getBytes());
+            mac.update(String.valueOf(ts).getBytes());
+
+            byte[] encryptedBytes = mac.doFinal();
+
+            return Base64.encodeBase64String(encryptedBytes);
+        } catch (Exception e) {
+            s_logger.error("Unexpected exception ", e);
+        }
+        return "";
+    }
+
+    private String getEncryptorPassword() {
+        String key = _keysMgr.getEncryptionKey();
+        String iv = _keysMgr.getEncryptionIV();
+
+        ConsoleProxyPasswordBasedEncryptor.KeyIVPair keyIvPair = new ConsoleProxyPasswordBasedEncryptor.KeyIVPair(key, iv);
+        return _gson.toJson(keyIvPair);
+    }
+
+    /**
+     * Sets the URL to establish a VNC over websocket connection
+     */
+    private void setWebsocketUrl(VirtualMachine vm, ConsoleProxyClientParam param) {
+        String ticket = acquireVncTicketForVmwareVm(vm);
+        if (StringUtils.isBlank(ticket)) {
+            s_logger.error("Could not obtain VNC ticket for VM " + vm.getInstanceName());
+            return;
+        }
+        String wsUrl = composeWebsocketUrlForVmwareVm(ticket, param);
+        param.setWebsocketUrl(wsUrl);
+    }
+
+    /**
+     * Format expected: wss://<ESXi_HOST_IP>:443/ticket/<TICKET_ID>
+     */
+    private String composeWebsocketUrlForVmwareVm(String ticket, ConsoleProxyClientParam param) {
+        param.setClientHostPort(443);
+        return String.format("wss://%s:%s/ticket/%s", param.getClientHostAddress(), param.getClientHostPort(), ticket);
+    }
+
+    /**
+     * Acquires a ticket to be used for console proxy as described in 'Removal of VNC Server from ESXi' on:
+     * https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html
+     */
+    private String acquireVncTicketForVmwareVm(VirtualMachine vm) {
+        try {
+            s_logger.info("Acquiring VNC ticket for VM = " + vm.getHostName());
+            GetVmVncTicketCommand cmd = new GetVmVncTicketCommand(vm.getInstanceName());
+            Answer answer = agentManager.send(vm.getHostId(), cmd);
+            GetVmVncTicketAnswer ans = (GetVmVncTicketAnswer) answer;
+            if (!ans.getResult()) {
+                s_logger.info("VNC ticket could not be acquired correctly: " + ans.getDetails());
+            }
+            return ans.getTicket();
+        } catch (AgentUnavailableException | OperationTimedoutException e) {
+            s_logger.error("Error acquiring ticket", e);
+            return null;
+        }
+    }
+
+    @Override
+    public String getConfigComponentName() {
+        return ConsoleAccessManagerImpl.class.getSimpleName();
+    }
+
+    @Override
+    public ConfigKey<?>[] getConfigKeys() {
+        return new ConfigKey[] { ConsoleProxySchema, ConsoleProxyExtraSecurityHeaderName,
+                ConsoleProxyExtraSecurityHeaderEnabled };
+    }
+}
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
index f7f88b0da66e..2308ffae96a9 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
@@ -23,39 +23,40 @@
 
 public interface ConsoleProxyManager extends Manager, ConsoleProxyService {
 
-    public static final int DEFAULT_PROXY_CAPACITY = 50;
-    public static final int DEFAULT_STANDBY_CAPACITY = 10;
-    public static final int DEFAULT_PROXY_VM_RAMSIZE = 1024;            // 1G
-    public static final int DEFAULT_PROXY_VM_CPUMHZ = 500;                // 500 MHz
+    int DEFAULT_PROXY_CAPACITY = 50;
+    int DEFAULT_STANDBY_CAPACITY = 10;
+    int DEFAULT_PROXY_VM_RAMSIZE = 1024;            // 1G
+    int DEFAULT_PROXY_VM_CPUMHZ = 500;                // 500 MHz
 
-    public static final int DEFAULT_PROXY_CMD_PORT = 8001;
-    public static final int DEFAULT_PROXY_VNC_PORT = 0;
-    public static final int DEFAULT_PROXY_URL_PORT = 80;
-    public static final int DEFAULT_PROXY_SESSION_TIMEOUT = 300000;        // 5 minutes
+    int DEFAULT_PROXY_CMD_PORT = 8001;
+    int DEFAULT_PROXY_VNC_PORT = 0;
+    int DEFAULT_PROXY_URL_PORT = 80;
+    int DEFAULT_PROXY_SESSION_TIMEOUT = 300000;        // 5 minutes
 
-    public static final int DEFAULT_NOVNC_PORT = 8080;
+    String ALERT_SUBJECT = "proxy-alert";
+    String CERTIFICATE_NAME = "CPVMCertificate";
 
-    public static final String ALERT_SUBJECT = "proxy-alert";
-    public static final String CERTIFICATE_NAME = "CPVMCertificate";
-
-    public static final ConfigKey<Boolean> NoVncConsoleDefault = new ConfigKey<Boolean>("Advanced", Boolean.class, "novnc.console.default", "true",
+    ConfigKey<Boolean> NoVncConsoleDefault = new ConfigKey<Boolean>("Advanced", Boolean.class, "novnc.console.default", "true",
         "If true, noVNC console will be default console for virtual machines", true);
 
-    public static final ConfigKey<Boolean> NoVncConsoleSourceIpCheckEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class, "novnc.console.sourceip.check.enabled", "false",
+    ConfigKey<Boolean> NoVncConsoleSourceIpCheckEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class, "novnc.console.sourceip.check.enabled", "false",
         "If true, The source IP to access novnc console must be same as the IP in request to management server for console URL. Needs to reconnect CPVM to management server when this changes (via restart CPVM, or management server, or cloud service in CPVM)", false);
 
-    public void setManagementState(ConsoleProxyManagementState state);
+    ConfigKey<Integer> NoVncConsolePort = new ConfigKey<>("Advanced", Integer.class, "novnc.console.port",
+            "8080", "The listen port for noVNC console", true);
+
+    void setManagementState(ConsoleProxyManagementState state);
 
-    public ConsoleProxyManagementState getManagementState();
+    ConsoleProxyManagementState getManagementState();
 
-    public void resumeLastManagementState();
+    void resumeLastManagementState();
 
-    public ConsoleProxyVO startProxy(long proxyVmId, boolean ignoreRestartSetting);
+    ConsoleProxyVO startProxy(long proxyVmId, boolean ignoreRestartSetting);
 
-    public boolean stopProxy(long proxyVmId);
+    boolean stopProxy(long proxyVmId);
 
-    public boolean rebootProxy(long proxyVmId);
+    boolean rebootProxy(long proxyVmId);
 
-    public boolean destroyProxy(long proxyVmId);
+    boolean destroyProxy(long proxyVmId);
 
 }
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index f984dab21b75..c230c162cd32 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -32,6 +32,7 @@
 import com.cloud.utils.PasswordGenerator;
 import org.apache.cloudstack.agent.lb.IndirectAgentLB;
 import org.apache.cloudstack.ca.CAManager;
+import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
 import org.apache.cloudstack.framework.ca.Certificate;
@@ -263,11 +264,14 @@ public class ConsoleProxyManagerImpl extends ManagerBase implements ConsoleProxy
     private KeystoreDao _ksDao;
     @Inject
     private KeystoreManager _ksMgr;
+    @Inject
+    private ConsoleAccessManager consoleAccessManager;
 
     public class VmBasedAgentHook extends AgentHookBase {
 
-        public VmBasedAgentHook(VMInstanceDao instanceDao, HostDao hostDao, ConfigurationDao cfgDao, KeystoreManager ksMgr, AgentManager agentMgr, KeysManager keysMgr) {
-            super(instanceDao, hostDao, cfgDao, ksMgr, agentMgr, keysMgr);
+        public VmBasedAgentHook(VMInstanceDao instanceDao, HostDao hostDao, ConfigurationDao cfgDao, KeystoreManager ksMgr,
+                                AgentManager agentMgr, KeysManager keysMgr, ConsoleAccessManager consoleAccessManager) {
+            super(instanceDao, hostDao, cfgDao, ksMgr, agentMgr, keysMgr, consoleAccessManager);
         }
 
         @Override
@@ -1156,7 +1160,8 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
         value = agentMgrConfigs.get("port");
         managementPort = NumbersUtil.parseInt(value, 8250);
 
-        consoleProxyListener = new ConsoleProxyListener(new VmBasedAgentHook(vmInstanceDao, hostDao, configurationDao, _ksMgr, agentManager, keysManager));
+        consoleProxyListener = new ConsoleProxyListener(new VmBasedAgentHook(vmInstanceDao, hostDao, configurationDao,
+                _ksMgr, agentManager, keysManager, consoleAccessManager));
         agentManager.registerForHostEvents(consoleProxyListener, true, true, false);
 
         virtualMachineManager.registerGuru(VirtualMachine.Type.ConsoleProxy, this);
@@ -1597,7 +1602,7 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] { NoVncConsoleDefault, NoVncConsoleSourceIpCheckEnabled };
+        return new ConfigKey<?>[] { NoVncConsoleDefault, NoVncConsoleSourceIpCheckEnabled, NoVncConsolePort };
     }
 
     protected ConsoleProxyStatus parseJsonToConsoleProxyStatus(String json) throws JsonParseException {
@@ -1621,7 +1626,9 @@ protected void updateConsoleProxyStatus(String statusInfo, Long proxyVmId) {
             if (status.getConnections() != null) {
                 count = status.getConnections().length;
             }
-
+            if (status.getRemovedSessions() != null) {
+                consoleAccessManager.removeSessions(status.getRemovedSessions());
+            }
             details = statusInfo.getBytes(Charset.forName("US-ASCII"));
         } else {
             s_logger.debug(String.format("Unable to retrieve load info from proxy {\"vmId\": %s}. Invalid load info [%s].", proxyVmId, statusInfo));
diff --git a/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java b/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java
index 20b7a2b67d6b..93b37381ffcd 100644
--- a/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java
+++ b/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java
@@ -22,6 +22,7 @@
 
 import javax.inject.Inject;
 
+import com.cloud.consoleproxy.ConsoleProxyManager;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.backup.Backup;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
@@ -283,6 +284,15 @@ protected VirtualMachineTO toVirtualMachineTO(VirtualMachineProfile vmProfile) {
         to.setConfigDriveLocation(vmProfile.getConfigDriveLocation());
         to.setState(vm.getState());
 
+        if (vmInstance.getType() == VirtualMachine.Type.ConsoleProxy) {
+            try {
+                String vncPort = String.valueOf(ConsoleProxyManager.NoVncConsolePort.value());
+                to.setVncPort(vncPort);
+            } catch (Exception e) {
+                s_logger.error("Could not parse the noVNC port set on " + ConsoleProxyManager.NoVncConsolePort.key(), e);
+            }
+        }
+
         return to;
     }
 
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
index 074fff86be5a..9c7eef4f2bdb 100644
--- a/server/src/main/java/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -365,6 +365,7 @@
 import org.apache.cloudstack.api.command.user.autoscale.UpdateAutoScaleVmGroupCmd;
 import org.apache.cloudstack.api.command.user.autoscale.UpdateAutoScaleVmProfileCmd;
 import org.apache.cloudstack.api.command.user.config.ListCapabilitiesCmd;
+import org.apache.cloudstack.api.command.user.consoleproxy.CreateConsoleEndpointCmd;
 import org.apache.cloudstack.api.command.user.event.ArchiveEventsCmd;
 import org.apache.cloudstack.api.command.user.event.DeleteEventsCmd;
 import org.apache.cloudstack.api.command.user.event.ListEventTypesCmd;
@@ -3625,6 +3626,7 @@ public List<Class<?>> getCommands() {
         cmdList.add(IssueOutOfBandManagementPowerActionCmd.class);
         cmdList.add(ChangeOutOfBandManagementPasswordCmd.class);
         cmdList.add(GetUserKeysCmd.class);
+        cmdList.add(CreateConsoleEndpointCmd.class);
         return cmdList;
     }
 
diff --git a/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java b/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
index 8f9363df5ba9..51ab3b8c2f0c 100644
--- a/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
+++ b/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
@@ -36,6 +36,10 @@ public class ConsoleProxyClientParam {
     private String sourceIP;
     private String websocketUrl;
 
+    private String sessionUuid;
+    private String clientSecurityHeader;
+    private String clientSecurityToken;
+
     public ConsoleProxyClientParam() {
         clientHostPort = 0;
     }
@@ -159,4 +163,28 @@ public String getWebsocketUrl() {
     public void setWebsocketUrl(String websocketUrl) {
         this.websocketUrl = websocketUrl;
     }
+
+    public String getSessionUuid() {
+        return sessionUuid;
+    }
+
+    public String getClientSecurityHeader() {
+        return clientSecurityHeader;
+    }
+
+    public void setClientSecurityHeader(String clientSecurityHeader) {
+        this.clientSecurityHeader = clientSecurityHeader;
+    }
+
+    public void setSessionUuid(String sessionUuid) {
+        this.sessionUuid = sessionUuid;
+    }
+
+    public String getClientSecurityToken() {
+        return clientSecurityToken;
+    }
+
+    public void setClientSecurityToken(String clientSecurityToken) {
+        this.clientSecurityToken = clientSecurityToken;
+    }
 }
diff --git a/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
index f0b295f4bb25..4389a03ead2e 100644
--- a/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
@@ -17,9 +17,7 @@
 package com.cloud.servlet;
 
 import java.io.IOException;
-import java.net.InetAddress;
 import java.net.URLEncoder;
-import java.net.UnknownHostException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Date;
@@ -37,45 +35,29 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
-import com.cloud.agent.AgentManager;
-import com.cloud.agent.api.Answer;
-import com.cloud.agent.api.GetVmVncTicketAnswer;
-import com.cloud.agent.api.GetVmVncTicketCommand;
-import com.cloud.exception.AgentUnavailableException;
-import com.cloud.exception.OperationTimedoutException;
 import org.apache.cloudstack.framework.security.keys.KeysManager;
 import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.support.SpringBeanAutowiringSupport;
 
 
-import com.cloud.vm.VmDetailConstants;
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 
-import com.cloud.api.ApiServlet;
-import com.cloud.consoleproxy.ConsoleProxyManager;
 import com.cloud.exception.PermissionDeniedException;
 import com.cloud.host.HostVO;
-import com.cloud.hypervisor.Hypervisor;
-import com.cloud.resource.ResourceState;
 import com.cloud.server.ManagementServer;
-import com.cloud.storage.GuestOSVO;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
 import com.cloud.user.User;
-import com.cloud.uservm.UserVm;
 import com.cloud.utils.ConstantTimeComparator;
 import com.cloud.utils.Pair;
 import com.cloud.utils.Ternary;
 import com.cloud.utils.db.EntityManager;
 import com.cloud.utils.db.TransactionLegacy;
-import com.cloud.vm.UserVmDetailVO;
 import com.cloud.vm.VirtualMachine;
 import com.cloud.vm.VirtualMachineManager;
-import com.cloud.vm.dao.UserVmDetailsDao;
 
 /**
  * Thumbnail access : /console?cmd=thumbnail&vm=xxx&w=xxx&h=xxx
@@ -98,11 +80,7 @@ public class ConsoleProxyServlet extends HttpServlet {
     @Inject
     EntityManager _entityMgr;
     @Inject
-    UserVmDetailsDao _userVmDetailsDao;
-    @Inject
     KeysManager _keysMgr;
-    @Inject
-    AgentManager agentManager;
 
     static KeysManager s_keysMgr;
 
@@ -198,8 +176,6 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
 
             if (cmd.equalsIgnoreCase("thumbnail")) {
                 handleThumbnailRequest(req, resp, vmId);
-            } else if (cmd.equalsIgnoreCase("access")) {
-                handleAccessRequest(req, resp, vmId);
             } else {
                 handleAuthRequest(req, resp, vmId);
             }
@@ -260,61 +236,6 @@ private void handleThumbnailRequest(HttpServletRequest req, HttpServletResponse
         }
     }
 
-    private void handleAccessRequest(HttpServletRequest req, HttpServletResponse resp, long vmId) {
-        VirtualMachine vm = _vmMgr.findById(vmId);
-        if (vm == null) {
-            s_logger.warn("VM " + vmId + " does not exist, sending blank response for console access request");
-            sendResponse(resp, "");
-            return;
-        }
-
-        if (vm.getHostId() == null) {
-            s_logger.warn("VM " + vmId + " lost host info, sending blank response for console access request");
-            sendResponse(resp, "");
-            return;
-        }
-
-        HostVO host = _ms.getHostBy(vm.getHostId());
-        if (host == null) {
-            s_logger.warn("VM " + vmId + "'s host does not exist, sending blank response for console access request");
-            sendResponse(resp, "");
-            return;
-        }
-
-        if (Hypervisor.HypervisorType.LXC.equals(vm.getHypervisorType())){
-            sendResponse(resp, "<html><body><p>Console access is not supported for LXC</p></body></html>");
-            return;
-        }
-
-        String rootUrl = _ms.getConsoleAccessUrlRoot(vmId);
-        if (rootUrl == null) {
-            sendResponse(resp, "<html><body><p>Console access will be ready in a few minutes. Please try it again later.</p></body></html>");
-            return;
-        }
-
-        String vmName = vm.getHostName();
-        if (vm.getType() == VirtualMachine.Type.User) {
-            UserVm userVm = _entityMgr.findById(UserVm.class, vmId);
-            String displayName = userVm.getDisplayName();
-            if (displayName != null && !displayName.isEmpty() && !displayName.equals(vmName)) {
-                vmName += "(" + displayName + ")";
-            }
-        }
-
-        InetAddress remoteAddress = null;
-        try {
-            remoteAddress = ApiServlet.getClientAddress(req);
-        } catch (UnknownHostException e) {
-            s_logger.warn("UnknownHostException when trying to lookup remote IP-Address. This should never happen. Blocking request.", e);
-        }
-
-        StringBuffer sb = new StringBuffer();
-        sb.append("<html><title>").append(escapeHTML(vmName)).append("</title><frameset><frame src=\"").append(composeConsoleAccessUrl(rootUrl, vm, host, remoteAddress));
-        sb.append("\"></frame></frameset></html>");
-        s_logger.debug("the console url is :: " + sb.toString());
-        sendResponse(resp, sb.toString());
-    }
-
     private void handleAuthRequest(HttpServletRequest req, HttpServletResponse resp, long vmId) {
 
         // TODO authentication channel between console proxy VM and management server needs to be secured,
@@ -436,145 +357,6 @@ private String composeThumbnailUrl(String rootUrl, VirtualMachine vm, HostVO hos
         return sb.toString();
     }
 
-    /**
-     * Sets the URL to establish a VNC over websocket connection
-     */
-    private void setWebsocketUrl(VirtualMachine vm, ConsoleProxyClientParam param) {
-        String ticket = acquireVncTicketForVmwareVm(vm);
-        if (StringUtils.isBlank(ticket)) {
-            s_logger.error("Could not obtain VNC ticket for VM " + vm.getInstanceName());
-            return;
-        }
-        String wsUrl = composeWebsocketUrlForVmwareVm(ticket, param);
-        param.setWebsocketUrl(wsUrl);
-    }
-
-    /**
-     * Format expected: wss://<ESXi_HOST_IP>:443/ticket/<TICKET_ID>
-     */
-    private String composeWebsocketUrlForVmwareVm(String ticket, ConsoleProxyClientParam param) {
-        param.setClientHostPort(443);
-        return String.format("wss://%s:%s/ticket/%s", param.getClientHostAddress(), param.getClientHostPort(), ticket);
-    }
-
-    /**
-     * Acquires a ticket to be used for console proxy as described in 'Removal of VNC Server from ESXi' on:
-     * https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html
-     */
-    private String acquireVncTicketForVmwareVm(VirtualMachine vm) {
-        try {
-            s_logger.info("Acquiring VNC ticket for VM = " + vm.getHostName());
-            GetVmVncTicketCommand cmd = new GetVmVncTicketCommand(vm.getInstanceName());
-            Answer answer = agentManager.send(vm.getHostId(), cmd);
-            GetVmVncTicketAnswer ans = (GetVmVncTicketAnswer) answer;
-            if (!ans.getResult()) {
-                s_logger.info("VNC ticket could not be acquired correctly: " + ans.getDetails());
-            }
-            return ans.getTicket();
-        } catch (AgentUnavailableException | OperationTimedoutException e) {
-            s_logger.error("Error acquiring ticket", e);
-            return null;
-        }
-    }
-
-    private String composeConsoleAccessUrl(String rootUrl, VirtualMachine vm, HostVO hostVo, InetAddress addr) {
-        StringBuffer sb = new StringBuffer(rootUrl);
-        String host = hostVo.getPrivateIpAddress();
-
-        Pair<String, Integer> portInfo = null;
-        if (hostVo.getHypervisorType() == Hypervisor.HypervisorType.KVM &&
-                (hostVo.getResourceState().equals(ResourceState.ErrorInMaintenance) ||
-                        hostVo.getResourceState().equals(ResourceState.ErrorInPrepareForMaintenance))) {
-            UserVmDetailVO detailAddress = _userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KVM_VNC_ADDRESS);
-            UserVmDetailVO detailPort = _userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KVM_VNC_PORT);
-            if (detailAddress != null && detailPort != null) {
-                portInfo = new Pair<>(detailAddress.getValue(), Integer.valueOf(detailPort.getValue()));
-            } else {
-                s_logger.warn("KVM Host in ErrorInMaintenance/ErrorInPrepareForMaintenance but " +
-                        "no VNC Address/Port was available. Falling back to default one from MS.");
-            }
-        }
-
-        if (portInfo == null) {
-            portInfo = _ms.getVncPort(vm);
-        }
-
-        if (s_logger.isDebugEnabled())
-            s_logger.debug("Port info " + portInfo.first());
-
-        Ternary<String, String, String> parsedHostInfo = parseHostInfo(portInfo.first());
-
-        int port = -1;
-        if (portInfo.second() == -9) {
-            //for hyperv
-            port = Integer.parseInt(_ms.findDetail(hostVo.getId(), "rdp.server.port").getValue());
-        } else {
-            port = portInfo.second();
-        }
-
-        String sid = vm.getVncPassword();
-        UserVmDetailVO details = _userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KEYBOARD);
-
-        String tag = vm.getUuid();
-
-        String ticket = genAccessTicket(parsedHostInfo.first(), String.valueOf(port), sid, tag);
-        ConsoleProxyPasswordBasedEncryptor encryptor = new ConsoleProxyPasswordBasedEncryptor(getEncryptorPassword());
-        ConsoleProxyClientParam param = new ConsoleProxyClientParam();
-        param.setClientHostAddress(parsedHostInfo.first());
-        param.setClientHostPort(port);
-        param.setClientHostPassword(sid);
-        param.setClientTag(tag);
-        param.setTicket(ticket);
-        param.setSourceIP(addr != null ? addr.getHostAddress(): null);
-
-        if (requiresVncOverWebSocketConnection(vm, hostVo)) {
-            setWebsocketUrl(vm, param);
-        }
-
-        if (details != null) {
-            param.setLocale(details.getValue());
-        }
-
-        if (portInfo.second() == -9) {
-            //For Hyperv Clinet Host Address will send Instance id
-            param.setHypervHost(host);
-            param.setUsername(_ms.findDetail(hostVo.getId(), "username").getValue());
-            param.setPassword(_ms.findDetail(hostVo.getId(), "password").getValue());
-        }
-        if (parsedHostInfo.second() != null  && parsedHostInfo.third() != null) {
-            param.setClientTunnelUrl(parsedHostInfo.second());
-            param.setClientTunnelSession(parsedHostInfo.third());
-        }
-
-        if (param.getHypervHost() != null || !ConsoleProxyManager.NoVncConsoleDefault.value()) {
-            sb.append("/ajax?token=" + encryptor.encryptObject(ConsoleProxyClientParam.class, param));
-        } else {
-            sb.append("/resource/noVNC/vnc.html")
-                .append("?autoconnect=true")
-                .append("&port=" + ConsoleProxyManager.DEFAULT_NOVNC_PORT)
-                .append("&token=" + encryptor.encryptObject(ConsoleProxyClientParam.class, param));
-        }
-
-        // for console access, we need guest OS type to help implement keyboard
-        long guestOs = vm.getGuestOSId();
-        GuestOSVO guestOsVo = _ms.getGuestOs(guestOs);
-        if (guestOsVo.getCategoryId() == 6)
-            sb.append("&guest=windows");
-
-        if (s_logger.isDebugEnabled()) {
-            s_logger.debug("Compose console url: " + sb.toString());
-        }
-        return sb.toString();
-    }
-
-    /**
-     * Since VMware 7.0 VNC servers are deprecated, it uses a ticket to create a VNC over websocket connection
-     * Check: https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html
-     */
-    private boolean requiresVncOverWebSocketConnection(VirtualMachine vm, HostVO hostVo) {
-        return vm.getHypervisorType() == Hypervisor.HypervisorType.VMware && hostVo.getHypervisorVersion().compareTo("7.0") >= 0;
-    }
-
     public static String genAccessTicket(String host, String port, String sid, String tag) {
         return genAccessTicket(host, port, sid, tag, new Date());
     }
diff --git a/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml b/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
index 9c0e9a125f93..e57e94b4d3ad 100644
--- a/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
+++ b/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
@@ -109,6 +109,8 @@
             value="#{consoleProxyAllocatorsRegistry.registered}" />
     </bean>
 
+    <bean id="consoleAccessManagerImpl" class="com.cloud.consoleproxy.ConsoleAccessManagerImpl" />
+
     <bean id="securityGroupManagerImpl2" class="com.cloud.network.security.SecurityGroupManagerImpl2" />
 
     <bean id="ipv6AddressManagerImpl" class="com.cloud.network.Ipv6AddressManagerImpl" />
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
index 908819abb8b4..770e32f63d96 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
@@ -170,7 +170,8 @@ public static ConsoleProxyServerFactory getHttpServerFactory() {
         }
     }
 
-    public static ConsoleProxyAuthenticationResult authenticateConsoleAccess(ConsoleProxyClientParam param, boolean reauthentication) {
+    public static ConsoleProxyAuthenticationResult authenticateConsoleAccess(ConsoleProxyClientParam param,
+                                                                             boolean reauthentication, Session session) {
 
         ConsoleProxyAuthenticationResult authResult = new ConsoleProxyAuthenticationResult();
         authResult.setSuccess(true);
@@ -178,6 +179,20 @@ public static ConsoleProxyAuthenticationResult authenticateConsoleAccess(Console
         authResult.setHost(param.getClientHostAddress());
         authResult.setPort(param.getClientHostPort());
 
+        if (session != null && param.getClientSecurityToken() != null) {
+            String clientSecurityHeader = param.getClientSecurityHeader();
+            String headerValue = session.getUpgradeRequest().getHeader(clientSecurityHeader);
+            if (!param.getClientSecurityToken().equals(headerValue)) {
+                s_logger.error("Security token found but not matching the expected value for this session");
+                if (s_logger.isDebugEnabled()) {
+                    s_logger.debug(String.format("Expected value for header %s was %s but found %s",
+                            clientSecurityHeader, param.getClientSecurityToken(), headerValue));
+                }
+                authResult.setSuccess(false);
+                return authResult;
+            }
+        }
+
         String websocketUrl = param.getWebsocketUrl();
         if (StringUtils.isNotBlank(websocketUrl)) {
             return authResult;
@@ -192,7 +207,7 @@ public static ConsoleProxyAuthenticationResult authenticateConsoleAccess(Console
             try {
                 result =
                         authMethod.invoke(ConsoleProxy.context, param.getClientHostAddress(), String.valueOf(param.getClientHostPort()), param.getClientTag(),
-                                param.getClientHostPassword(), param.getTicket(), new Boolean(reauthentication));
+                                param.getClientHostPassword(), param.getTicket(), reauthentication, param.getSessionUuid());
             } catch (IllegalAccessException e) {
                 s_logger.error("Unable to invoke authenticateConsoleAccess due to IllegalAccessException" + " for vm: " + param.getClientTag(), e);
                 authResult.setSuccess(false);
@@ -266,7 +281,8 @@ public static void startWithContext(Properties conf, Object context, byte[] ksBi
         try {
             final ClassLoader loader = Thread.currentThread().getContextClassLoader();
             Class<?> contextClazz = loader.loadClass("com.cloud.agent.resource.consoleproxy.ConsoleProxyResource");
-            authMethod = contextClazz.getDeclaredMethod("authenticateConsoleAccess", String.class, String.class, String.class, String.class, String.class, Boolean.class);
+            authMethod = contextClazz.getDeclaredMethod("authenticateConsoleAccess", String.class, String.class,
+                    String.class, String.class, String.class, Boolean.class, String.class);
             reportMethod = contextClazz.getDeclaredMethod("reportLoadInfo", String.class);
             ensureRouteMethod = contextClazz.getDeclaredMethod("ensureRoute", String.class);
         } catch (SecurityException e) {
@@ -456,7 +472,7 @@ public static ConsoleProxyClient getAjaxVncViewer(ConsoleProxyClientParam param,
         synchronized (connectionMap) {
             ConsoleProxyClient viewer = connectionMap.get(clientKey);
             if (viewer == null || viewer.getClass() == ConsoleProxyNoVncClient.class) {
-                authenticationExternally(param);
+                authenticationExternally(param, null);
                 viewer = getClient(param);
                 viewer.initClient(param);
 
@@ -477,7 +493,7 @@ public static ConsoleProxyClient getAjaxVncViewer(ConsoleProxyClientParam param,
 
                 if (!viewer.isFrontEndAlive()) {
 
-                    authenticationExternally(param);
+                    authenticationExternally(param, null);
                     viewer.initClient(param);
                     reportLoadChange = true;
                 }
@@ -519,8 +535,8 @@ public static ConsoleProxyClientStatsCollector getStatsCollector() {
         }
     }
 
-    public static void authenticationExternally(ConsoleProxyClientParam param) throws AuthenticationException {
-        ConsoleProxyAuthenticationResult authResult = authenticateConsoleAccess(param, false);
+    public static void authenticationExternally(ConsoleProxyClientParam param, Session session) throws AuthenticationException {
+        ConsoleProxyAuthenticationResult authResult = authenticateConsoleAccess(param, false, session);
 
         if (authResult == null || !authResult.isSuccess()) {
             s_logger.warn("External authenticator failed authentication request for vm " + param.getClientTag() + " with sid " + param.getClientHostPassword());
@@ -530,7 +546,7 @@ public static void authenticationExternally(ConsoleProxyClientParam param) throw
     }
 
     public static ConsoleProxyAuthenticationResult reAuthenticationExternally(ConsoleProxyClientParam param) {
-        return authenticateConsoleAccess(param, true);
+        return authenticateConsoleAccess(param, true, null);
     }
 
     public static String getEncryptorPassword() {
@@ -559,7 +575,7 @@ public static ConsoleProxyNoVncClient getNoVncViewer(ConsoleProxyClientParam par
         synchronized (connectionMap) {
             ConsoleProxyClient viewer = connectionMap.get(clientKey);
             if (viewer == null || viewer.getClass() != ConsoleProxyNoVncClient.class) {
-                authenticationExternally(param);
+                authenticationExternally(param, session);
                 viewer = new ConsoleProxyNoVncClient(session);
                 viewer.initClient(param);
 
@@ -571,7 +587,7 @@ public static ConsoleProxyNoVncClient getNoVncViewer(ConsoleProxyClientParam par
                     throw new AuthenticationException("Cannot use the existing viewer " + viewer + ": bad sid");
 
                 try {
-                    authenticationExternally(param);
+                    authenticationExternally(param, session);
                 } catch (Exception e) {
                     s_logger.error("Authentication failed for param: " + param);
                     return null;
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClient.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClient.java
index 6429de4ad2fa..e47837d49e9e 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClient.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClient.java
@@ -78,4 +78,6 @@ public interface ConsoleProxyClient {
     void initClient(ConsoleProxyClientParam param);
 
     void closeClient();
+
+    String getSessionUuid();
 }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientBase.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientBase.java
index 1c0f28d0a213..9c24ef619b04 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientBase.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientBase.java
@@ -55,6 +55,7 @@ public abstract class ConsoleProxyClientBase implements ConsoleProxyClient, Cons
     protected boolean framebufferResized = false;
     protected int resizedFramebufferWidth;
     protected int resizedFramebufferHeight;
+    protected String sessionUuid;
 
     public ConsoleProxyClientBase() {
         tracker = new TileTracker();
@@ -422,4 +423,9 @@ public void setClientParam(ConsoleProxyClientParam clientParam) {
         ConsoleProxyPasswordBasedEncryptor encryptor = new ConsoleProxyPasswordBasedEncryptor(ConsoleProxy.getEncryptorPassword());
         this.clientToken = encryptor.encryptObject(ConsoleProxyClientParam.class, clientParam);
     }
+
+    @Override
+    public String getSessionUuid() {
+        return sessionUuid;
+    }
 }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
index c071f551da7d..198fd05f60fb 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
@@ -40,6 +40,10 @@ public class ConsoleProxyClientParam {
 
     private String sourceIP;
 
+    private String sessionUuid;
+    private String clientSecurityHeader;
+    private String clientSecurityToken;
+
     public ConsoleProxyClientParam() {
         clientHostPort = 0;
     }
@@ -162,4 +166,28 @@ public String getWebsocketUrl() {
     public void setWebsocketUrl(String websocketUrl) {
         this.websocketUrl = websocketUrl;
     }
+
+    public String getSessionUuid() {
+        return sessionUuid;
+    }
+
+    public void setSessionUuid(String sessionUuid) {
+        this.sessionUuid = sessionUuid;
+    }
+
+    public String getClientSecurityHeader() {
+        return clientSecurityHeader;
+    }
+
+    public void setClientSecurityHeader(String clientSecurityHeader) {
+        this.clientSecurityHeader = clientSecurityHeader;
+    }
+
+    public String getClientSecurityToken() {
+        return clientSecurityToken;
+    }
+
+    public void setClientSecurityToken(String clientSecurityToken) {
+        this.clientSecurityToken = clientSecurityToken;
+    }
 }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientStatsCollector.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientStatsCollector.java
index 5251b9386d87..922c659cf6dd 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientStatsCollector.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientStatsCollector.java
@@ -20,6 +20,7 @@
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.Hashtable;
+import java.util.List;
 
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
@@ -31,10 +32,16 @@
 public class ConsoleProxyClientStatsCollector {
 
     ArrayList<ConsoleProxyConnection> connections;
+    ArrayList<String> removedSessions;
 
     public ConsoleProxyClientStatsCollector() {
     }
 
+    public void setRemovedSessions(List<String> removed) {
+        removedSessions = new ArrayList<>();
+        removedSessions.addAll(removed);
+    }
+
     public ConsoleProxyClientStatsCollector(Hashtable<String, ConsoleProxyClient> connMap) {
         setConnections(connMap);
     }
@@ -67,6 +74,7 @@ private void setConnections(Hashtable<String, ConsoleProxyClient> connMap) {
                 conn.tag = client.getClientTag();
                 conn.createTime = client.getClientCreateTime();
                 conn.lastUsedTime = client.getClientLastFrontEndActivityTime();
+                conn.sessionUuid = client.getSessionUuid();
                 conns.add(conn);
             }
         }
@@ -81,6 +89,7 @@ public static class ConsoleProxyConnection {
         public String tag;
         public long createTime;
         public long lastUsedTime;
+        public String sessionUuid;
 
         public ConsoleProxyConnection() {
         }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyGCThread.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyGCThread.java
index 2ddb2c7a1d58..7965a2083504 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyGCThread.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyGCThread.java
@@ -17,8 +17,10 @@
 package com.cloud.consoleproxy;
 
 import java.io.File;
+import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.Hashtable;
+import java.util.List;
 
 import org.apache.log4j.Logger;
 
@@ -67,9 +69,12 @@ public void run() {
 
         boolean bReportLoad = false;
         long lastReportTick = System.currentTimeMillis();
+        List<String> removedSessions = new ArrayList<>();
+
         while (true) {
             cleanupLogging();
             bReportLoad = false;
+            removedSessions.clear();
 
             if (s_logger.isDebugEnabled())
                 s_logger.debug("connMap=" + connMap);
@@ -89,6 +94,7 @@ public void run() {
                 }
 
                 synchronized (connMap) {
+                    removedSessions.add(client.getSessionUuid());
                     connMap.remove(key);
                     bReportLoad = true;
                 }
@@ -100,7 +106,9 @@ public void run() {
 
             if (bReportLoad || System.currentTimeMillis() - lastReportTick > 5000) {
                 // report load changes
-                String loadInfo = new ConsoleProxyClientStatsCollector(connMap).getStatsReport();
+                ConsoleProxyClientStatsCollector collector = new ConsoleProxyClientStatsCollector(connMap);
+                collector.setRemovedSessions(removedSessions);
+                String loadInfo = collector.getStatsReport();
                 ConsoleProxy.reportLoadInfo(loadInfo);
                 lastReportTick = System.currentTimeMillis();
 
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java
index 28d6ec1cab72..2d4a6c1e1a6a 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java
@@ -96,6 +96,15 @@ public static Map<String, String> getQueryMap(String query) {
                 if (param.getWebsocketUrl() != null) {
                     map.put("websocketUrl", param.getWebsocketUrl());
                 }
+                if (param.getSessionUuid() != null) {
+                    map.put("sessionUuid", param.getSessionUuid());
+                }
+                if (param.getClientSecurityHeader() != null) {
+                    map.put("clientSecurityHeader", param.getClientSecurityHeader());
+                }
+                if (param.getClientSecurityToken() != null) {
+                    map.put("clientSecurityToken", param.getClientSecurityToken());
+                }
             } else {
                 s_logger.error("Unable to decode token");
             }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
index 91d8e192fd9b..1b96b14f6717 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
@@ -89,6 +89,9 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
         String password = queryMap.get("password");
         String sourceIP = queryMap.get("sourceIP");
         String websocketUrl = queryMap.get("websocketUrl");
+        String sessionUuid = queryMap.get("sessionUuid");
+        String clientSecurityToken = queryMap.get("clientSecurityToken");
+        String clientSecurityHeader = queryMap.get("clientSecurityHeader");
 
         if (tag == null)
             tag = "";
@@ -133,6 +136,9 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
             param.setUsername(username);
             param.setPassword(password);
             param.setWebsocketUrl(websocketUrl);
+            param.setSessionUuid(sessionUuid);
+            param.setClientSecurityHeader(clientSecurityHeader);
+            param.setClientSecurityToken(clientSecurityToken);
             viewer = ConsoleProxy.getNoVncViewer(param, ajaxSessionIdStr, session);
         } catch (Exception e) {
             s_logger.warn("Failed to create viewer due to " + e.getMessage(), e);
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
index 28d179ba6fcd..1ee8e537e2dc 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
@@ -17,6 +17,8 @@
 package com.cloud.consoleproxy;
 
 import java.io.ByteArrayInputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.security.KeyStore;
 
 import com.cloud.consoleproxy.util.Logger;
@@ -32,17 +34,30 @@
 public class ConsoleProxyNoVNCServer {
 
     private static final Logger s_logger = Logger.getLogger(ConsoleProxyNoVNCServer.class);
-    private static final int wsPort = 8080;
+    private static int wsPort = 8080;
+    private static final String vncConfFileLocation = "/root/vncport";
 
     private Server server;
 
+    private void init() {
+        try {
+            String portStr = Files.readString(Path.of(vncConfFileLocation)).trim();
+            wsPort = Integer.parseInt(portStr);
+            s_logger.info("Setting port to: " + wsPort);
+        } catch (Exception e) {
+            s_logger.error("Error loading properties from " + vncConfFileLocation, e);
+        }
+    }
+
     public ConsoleProxyNoVNCServer() {
+        init();
         this.server = new Server(wsPort);
         ConsoleProxyNoVNCHandler handler = new ConsoleProxyNoVNCHandler();
         this.server.setHandler(handler);
     }
 
     public ConsoleProxyNoVNCServer(byte[] ksBits, String ksPassword) {
+        init();
         this.server = new Server();
         ConsoleProxyNoVNCHandler handler = new ConsoleProxyNoVNCHandler();
         this.server.setHandler(handler);
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java
index 596084955fad..f1c195913038 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVncClient.java
@@ -46,6 +46,7 @@ public class ConsoleProxyNoVncClient implements ConsoleProxyClient {
     private boolean connectionAlive;
 
     private ConsoleProxyClientParam clientParam;
+    private String sessionUuid;
 
     public ConsoleProxyNoVncClient(Session session) {
         this.session = session;
@@ -89,6 +90,7 @@ public void initClient(ConsoleProxyClientParam param) {
         setClientParam(param);
         client = new NoVncClient();
         connectionAlive = true;
+        this.sessionUuid = param.getSessionUuid();
 
         updateFrontEndActivityTime();
         Thread worker = new Thread(new Runnable() {
@@ -192,6 +194,11 @@ public void closeClient() {
         ConsoleProxy.removeViewer(this);
     }
 
+    @Override
+    public String getSessionUuid() {
+        return sessionUuid;
+    }
+
     @Override
     public int getClientId() {
         return this.clientId;
diff --git a/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh b/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh
index 8006f6bb2445..c0e336b5e7cc 100755
--- a/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh
@@ -32,6 +32,11 @@ setup_console_proxy() {
   public_ip=`getPublicIp`
   echo "$public_ip $NAME" >> /etc/hosts
 
+  vncport=`cat /root/vncport`
+  log_it "vncport read: ${vncport}"
+  sed -i 's/8080/${vncport}/' /etc/iptables/rules.v4
+  log_it "vnc port ${vncport} rule applied"
+
   disable_rpfilter
   enable_fwding 0
   enable_irqbalance 0
diff --git a/systemvm/patch-sysvms.sh b/systemvm/patch-sysvms.sh
index c2083369be7d..ea75784a5bf4 100644
--- a/systemvm/patch-sysvms.sh
+++ b/systemvm/patch-sysvms.sh
@@ -90,7 +90,10 @@ restart_services() {
       fi
     done < "$svcfile"
     if [ "$TYPE" == "consoleproxy" ]; then
-      iptables -A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
+      vncport=`cat /root/vncport`
+      echo "vncport read: ${vncport}"
+      sed -i 's/8080/${vncport}/' /etc/iptables/rules.v4
+      echo "vnc port ${vncport} rule applied"
     fi
 }
 
diff --git a/tools/apidoc/gen_toc.py b/tools/apidoc/gen_toc.py
index 7d020a515a5b..441b21f1d920 100644
--- a/tools/apidoc/gen_toc.py
+++ b/tools/apidoc/gen_toc.py
@@ -201,7 +201,8 @@
     'UnmanagedInstance': 'Virtual Machine',
     'Rolling': 'Rolling Maintenance',
     'importVsphereStoragePolicies' : 'vSphere storage policies',
-    'listVsphereStoragePolicies' : 'vSphere storage policies'
+    'listVsphereStoragePolicies' : 'vSphere storage policies',
+    'ConsoleEndpoint': 'Console Endpoint'
 }
 
 
diff --git a/ui/src/components/widgets/Console.vue b/ui/src/components/widgets/Console.vue
index a42843946fe0..81053225bb12 100644
--- a/ui/src/components/widgets/Console.vue
+++ b/ui/src/components/widgets/Console.vue
@@ -17,9 +17,8 @@
 
 <template>
   <a
-    v-if="['vm', 'systemvm', 'router', 'ilbvm'].includes($route.meta.name) && 'listVirtualMachines' in $store.getters.apis"
-    :href="server + '/console?cmd=access&vm=' + resource.id"
-    target="_blank">
+    v-if="['vm', 'systemvm', 'router', 'ilbvm'].includes($route.meta.name) && 'listVirtualMachines' in $store.getters.apis && 'createConsoleEndpoint' in $store.getters.apis"
+    @click="consoleUrl">
     <a-button style="margin-left: 5px" shape="circle" type="dashed" :size="size" :disabled="['Stopped', 'Error', 'Destroyed'].includes(resource.state)" >
       <code-outlined />
     </a-button>
@@ -28,6 +27,7 @@
 
 <script>
 import { SERVER_MANAGER } from '@/store/mutation-types'
+import { api } from '@/api'
 
 export default {
   name: 'Console',
@@ -41,6 +41,19 @@ export default {
       default: 'small'
     }
   },
+  data () {
+    return {
+      url: ''
+    }
+  },
+  methods: {
+    consoleUrl () {
+      api('createConsoleEndpoint', { virtualmachineid: this.resource.id }).then(json => {
+        this.url = (json && json.createconsoleendpointresponse) ? json.createconsoleendpointresponse.consoleendpoint.url : '#/exception/404'
+        window.open(this.url, '_blank')
+      })
+    }
+  },
   computed: {
     server () {
       if (!this.$config.multipleServer) {
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java
new file mode 100644
index 000000000000..b3df0f5a29bb
--- /dev/null
+++ b/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java
@@ -0,0 +1,27 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.utils.consoleproxy;
+
+import org.apache.log4j.Logger;
+
+public class ConsoleAccessUtils {
+
+    public static final Logger s_logger = Logger.getLogger(ConsoleAccessUtils.class.getName());
+
+    public static String CLIENT_SECURITY_HEADER_PARAM_KEY = "client-security-token";
+    public static String CLIENT_INET_ADDRESS_KEY = "client-inet-address";
+}

From b2f71cf8e56b20f98dc825cd67fb487b9cfc33ae Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Mon, 15 Aug 2022 10:34:27 -0300
Subject: [PATCH 02/19] Remove extra logging

---
 server/src/main/java/com/cloud/api/ApiDispatcher.java | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/server/src/main/java/com/cloud/api/ApiDispatcher.java b/server/src/main/java/com/cloud/api/ApiDispatcher.java
index 18121497365d..3880f2aa9d1b 100644
--- a/server/src/main/java/com/cloud/api/ApiDispatcher.java
+++ b/server/src/main/java/com/cloud/api/ApiDispatcher.java
@@ -32,7 +32,6 @@
 import org.apache.cloudstack.api.BaseAsyncCustomIdCmd;
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.BaseCustomIdCmd;
-import org.apache.cloudstack.api.command.user.consoleproxy.CreateConsoleEndpointCmd;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.jobs.AsyncJob;
 import org.apache.cloudstack.framework.jobs.AsyncJobManager;
@@ -159,12 +158,6 @@ public void dispatch(final BaseCmd cmd, final Map<String, String> params, final
             ((BaseAsyncCustomIdCmd)cmd).checkUuid();
         } else if (cmd instanceof BaseCustomIdCmd) {
             ((BaseCustomIdCmd)cmd).checkUuid();
-        } else if (cmd instanceof CreateConsoleEndpointCmd) {
-            Map<String, String> fullUrlParams = ((CreateConsoleEndpointCmd) cmd).getFullUrlParams();
-            s_logger.info("Console URL full params:");
-            for (String key : fullUrlParams.keySet()) {
-                s_logger.info(key + " : " + fullUrlParams.get(key));
-            }
         }
 
         cmd.execute();

From 52433ccc011ed8e1c1732d969dd01c56af77d31a Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Mon, 15 Aug 2022 11:43:24 -0300
Subject: [PATCH 03/19] Fix security hotspot

---
 .../java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
index 1a485625f15d..419dcfdbe8f3 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
@@ -369,13 +369,13 @@ public static String genAccessTicket(String host, String port, String sid, Strin
         String params = "host=" + host + "&port=" + port + "&sid=" + sid + "&tag=" + tag + "&session=" + sessionUuid;
 
         try {
-            Mac mac = Mac.getInstance("HmacSHA1");
+            Mac mac = Mac.getInstance("SHA-512");
 
             long ts = normalizedHashTime.getTime();
             ts = ts / 60000;        // round up to 1 minute
             String secretKey = s_keysMgr.getHashKey();
 
-            SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
+            SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), mac.getAlgorithm());
             mac.init(keySpec);
             mac.update(params.getBytes());
             mac.update(String.valueOf(ts).getBytes());

From 390c7bb15ac013eea7b14ea10a3a5bbd52bf1e5d Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Mon, 15 Aug 2022 12:47:53 -0300
Subject: [PATCH 04/19] Fix sonar cloud code smells

---
 .../consoleproxy/ConsoleAccessManager.java    |  7 +-
 .../info/ConsoleProxyConnectionInfo.java      | 10 ++-
 .../com/cloud/capacity/CapacityManager.java   | 17 ++--
 .../framework/config/ConfigKey.java           |  3 +
 .../wrapper/LibvirtStartCommandWrapper.java   | 29 ++++---
 .../main/java/com/cloud/api/ApiServlet.java   |  3 +-
 .../com/cloud/consoleproxy/AgentHookBase.java |  2 +-
 .../ConsoleAccessManagerImpl.java             | 84 +++++++++----------
 .../consoleproxy/ConsoleProxyManager.java     |  6 +-
 .../consoleproxy/ConsoleProxyManagerImpl.java |  4 +-
 .../cloud/servlet/ConsoleProxyServlet.java    |  2 +-
 .../ConsoleProxyClientStatsCollector.java     | 12 ++-
 .../consoleproxy/ConsoleProxyNoVNCServer.java | 12 +--
 .../consoleproxy/ConsoleAccessUtils.java      |  9 +-
 14 files changed, 109 insertions(+), 91 deletions(-)

diff --git a/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
index 55061088c4c6..69e12d474386 100644
--- a/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
+++ b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
@@ -23,15 +23,16 @@
 
 public interface ConsoleAccessManager extends Manager, Configurable {
 
-    ConfigKey<String> ConsoleProxySchema = new ConfigKey<>("Advanced", String.class,
+
+    ConfigKey<String> ConsoleProxySchema = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, String.class,
             "consoleproxy.schema", "http",
             "The http/https schema to be used by the console proxy URLs", true);
 
-    ConfigKey<Boolean> ConsoleProxyExtraSecurityHeaderEnabled = new ConfigKey<>("Advanced", Boolean.class,
+    ConfigKey<Boolean> ConsoleProxyExtraSecurityHeaderEnabled = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Boolean.class,
             "consoleproxy.extra.security.header.enabled", "false",
             "Enable/disable extra security validation for console proxy using client header", true);
 
-    ConfigKey<String> ConsoleProxyExtraSecurityHeaderName = new ConfigKey<>("Advanced", String.class,
+    ConfigKey<String> ConsoleProxyExtraSecurityHeaderName = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, String.class,
             "consoleproxy.extra.security.header.name", "SECURITY_TOKEN",
             "A client header for extra security validation when using the console proxy", true);
 
diff --git a/core/src/main/java/com/cloud/info/ConsoleProxyConnectionInfo.java b/core/src/main/java/com/cloud/info/ConsoleProxyConnectionInfo.java
index 06a048a21809..0cc9d011ca19 100644
--- a/core/src/main/java/com/cloud/info/ConsoleProxyConnectionInfo.java
+++ b/core/src/main/java/com/cloud/info/ConsoleProxyConnectionInfo.java
@@ -26,8 +26,16 @@ public class ConsoleProxyConnectionInfo {
     public String tag;
     public long createTime;
     public long lastUsedTime;
-    public String sessionUuid;
+    protected String sessionUuid;
 
     public ConsoleProxyConnectionInfo() {
     }
+
+    public String getSessionUuid() {
+        return sessionUuid;
+    }
+
+    public void setSessionUuid(String sessionUuid) {
+        this.sessionUuid = sessionUuid;
+    }
 }
diff --git a/engine/components-api/src/main/java/com/cloud/capacity/CapacityManager.java b/engine/components-api/src/main/java/com/cloud/capacity/CapacityManager.java
index e9a37ae7f462..1128897b2973 100644
--- a/engine/components-api/src/main/java/com/cloud/capacity/CapacityManager.java
+++ b/engine/components-api/src/main/java/com/cloud/capacity/CapacityManager.java
@@ -41,14 +41,11 @@ public interface CapacityManager {
     static final String StorageOverprovisioningFactorCK = "storage.overprovisioning.factor";
     static final String StorageAllocatedCapacityDisableThresholdCK = "pool.storage.allocated.capacity.disablethreshold";
 
-    static final String CATEGORY_ADVANCED = "Advanced";
-    static final String CATEGORY_ALERT = "Alert";
-
     static final ConfigKey<Float> CpuOverprovisioningFactor =
             new ConfigKey<>(
                     Float.class,
                     CpuOverprovisioningFactorCK,
-                    CATEGORY_ADVANCED,
+                    ConfigKey.CATEGORY_ADVANCED,
                     "1.0",
                     "Used for CPU overprovisioning calculation; available CPU will be (actualCpuCapacity * cpu.overprovisioning.factor)",
                     true,
@@ -58,7 +55,7 @@ public interface CapacityManager {
             new ConfigKey<>(
                     Float.class,
                     MemOverprovisioningFactorCK,
-                    CATEGORY_ADVANCED,
+                    ConfigKey.CATEGORY_ADVANCED,
                     "1.0",
                     "Used for memory overprovisioning calculation",
                     true,
@@ -66,7 +63,7 @@ public interface CapacityManager {
                     null);
     static final ConfigKey<Double> StorageCapacityDisableThreshold =
             new ConfigKey<>(
-                    CATEGORY_ALERT,
+                    ConfigKey.CATEGORY_ALERT,
                     Double.class,
                     StorageCapacityDisableThresholdCK,
                     "0.85",
@@ -84,7 +81,7 @@ public interface CapacityManager {
                     ConfigKey.Scope.StoragePool);
     static final ConfigKey<Double> StorageAllocatedCapacityDisableThreshold =
             new ConfigKey<>(
-                    CATEGORY_ALERT,
+                    ConfigKey.CATEGORY_ALERT,
                     Double.class,
                     StorageAllocatedCapacityDisableThresholdCK,
                     "0.85",
@@ -95,7 +92,7 @@ public interface CapacityManager {
             new ConfigKey<>(
                     Boolean.class,
                     "cluster.storage.operations.exclude",
-                    CATEGORY_ADVANCED,
+                    ConfigKey.CATEGORY_ADVANCED,
                     "false",
                     "Exclude cluster from storage operations",
                     true,
@@ -105,7 +102,7 @@ public interface CapacityManager {
             new ConfigKey<>(
                     String.class,
                     "secstorage.nfs.version",
-                    CATEGORY_ADVANCED,
+                    ConfigKey.CATEGORY_ADVANCED,
                     null,
                     "Enforces specific NFS version when mounting Secondary Storage. If NULL default selection is performed",
                     true,
@@ -114,7 +111,7 @@ public interface CapacityManager {
 
     static final ConfigKey<Float> SecondaryStorageCapacityThreshold =
             new ConfigKey<>(
-                    CATEGORY_ADVANCED,
+                    ConfigKey.CATEGORY_ADVANCED,
                     Float.class,
                     "secondary.storage.capacity.threshold",
                     "0.90",
diff --git a/framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java b/framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java
index d22fe1f1cd85..926e65cbd180 100644
--- a/framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java
+++ b/framework/config/src/main/java/org/apache/cloudstack/framework/config/ConfigKey.java
@@ -30,6 +30,9 @@
  */
 public class ConfigKey<T> {
 
+    public static final String CATEGORY_ADVANCED = "Advanced";
+    public static final String CATEGORY_ALERT = "Alert";
+
     public static enum Scope {
         Global, Zone, Cluster, StoragePool, Account, ManagementServer, ImageStore, Domain
     }
diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
index 6b5090bf1546..b3294d03b2a0 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
@@ -51,9 +51,9 @@
 public final class LibvirtStartCommandWrapper extends CommandWrapper<StartCommand, Answer, LibvirtComputingResource> {
 
     private static final Logger s_logger = Logger.getLogger(LibvirtStartCommandWrapper.class);
-    private static final int sshPort = Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT);
-    private static final File pemFile = new File(LibvirtComputingResource.SSHPRVKEYPATH);
-    private static final String vncConfFileLocation = "/root/vncport";
+    private static final int SSH_PORT = Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT);
+    private static final File PEM_FILE = new File(LibvirtComputingResource.SSHPRVKEYPATH);
+    private static final String VNC_CONF_FILE_LOCATION = "/root/vncport";
 
     @Override
     public Answer execute(final StartCommand command, final LibvirtComputingResource libvirtComputingResource) {
@@ -115,14 +115,7 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
                     }
 
                     if (vmSpec.getType() == VirtualMachine.Type.ConsoleProxy && vmSpec.getVncPort() != null) {
-                        String novncPort = vmSpec.getVncPort();
-                        try {
-                            String addCmd = "echo " + novncPort + " > " + vncConfFileLocation;
-                            SshHelper.sshExecute(controlIp, sshPort, "root",
-                                    pemFile, null, addCmd, 20000, 20000, 600000);
-                        } catch (Exception e) {
-                            s_logger.error("Could not set the noVNC port " + novncPort + " to the CPVM", e);
-                        }
+                        configureVncPortOnCpvm(vmSpec.getVncPort(), controlIp);
                     }
 
                     final VirtualRoutingResource virtRouterResource = libvirtComputingResource.getVirtRouterResource();
@@ -135,8 +128,8 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
                     }
 
                     try {
-                        File pemFile = new File(LibvirtComputingResource.SSHPRVKEYPATH);
-                        FileUtil.scpPatchFiles(controlIp, VRScripts.CONFIG_CACHE_LOCATION, Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT), pemFile, LibvirtComputingResource.systemVmPatchFiles, LibvirtComputingResource.BASEPATH);
+                        FileUtil.scpPatchFiles(controlIp, VRScripts.CONFIG_CACHE_LOCATION,Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT),
+                                LibvirtStartCommandWrapper.PEM_FILE, LibvirtComputingResource.systemVmPatchFiles, LibvirtComputingResource.BASEPATH);
                         if (!virtRouterResource.isSystemVMSetup(vmName, controlIp)) {
                             String errMsg = "Failed to patch systemVM";
                             s_logger.error(errMsg);
@@ -177,6 +170,16 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
         }
     }
 
+    private void configureVncPortOnCpvm(String novncPort, String controlIp) {
+        try {
+            String addCmd = "echo " + novncPort + " > " + VNC_CONF_FILE_LOCATION;
+            SshHelper.sshExecute(controlIp, SSH_PORT, "root",
+                    LibvirtStartCommandWrapper.PEM_FILE, null, addCmd, 20000, 20000, 600000);
+        } catch (Exception e) {
+            s_logger.error("Could not set the noVNC port " + novncPort + " to the CPVM", e);
+        }
+    }
+
     private void performAgentStartHook(String vmName, LibvirtComputingResource libvirtComputingResource) {
         try {
             LibvirtKvmAgentHook onStartHook = libvirtComputingResource.getStartHook();
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index f754392c3041..7e1d238b7774 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -46,6 +46,7 @@
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.managed.context.ManagedContext;
 import org.apache.cloudstack.utils.consoleproxy.ConsoleAccessUtils;
+import org.apache.commons.lang3.BooleanUtils;
 import org.apache.log4j.Logger;
 import org.jetbrains.annotations.Nullable;
 import org.springframework.stereotype.Component;
@@ -332,7 +333,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                     InetAddress addr = getClientAddress(req);
                     String clientAddress = addr != null ? addr.getHostAddress() : null;
                     params.put(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY, new String[] {clientAddress});
-                    if (ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderEnabled.value()) {
+                    if (BooleanUtils.isTrue(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderEnabled.value())) {
                         String clientSecurityToken = req.getHeader(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderName.value());
                         params.put(ConsoleAccessUtils.CLIENT_SECURITY_HEADER_PARAM_KEY, new String[] {clientSecurityToken});
                     }
diff --git a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
index c461d5b207b7..8064b8b7114d 100644
--- a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
+++ b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
@@ -71,7 +71,7 @@ public abstract class AgentHookBase implements AgentHook {
     KeysManager _keysMgr;
     ConsoleAccessManager consoleAccessManager;
 
-    public AgentHookBase(VMInstanceDao instanceDao, HostDao hostDao, ConfigurationDao cfgDao, KeystoreManager ksMgr,
+    protected AgentHookBase(VMInstanceDao instanceDao, HostDao hostDao, ConfigurationDao cfgDao, KeystoreManager ksMgr,
                          AgentManager agentMgr, KeysManager keysMgr, ConsoleAccessManager consoleAccessMgr) {
         _instanceDao = instanceDao;
         _hostDao = hostDao;
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
index 419dcfdbe8f3..75bd6cddef98 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
@@ -67,22 +67,22 @@
 public class ConsoleAccessManagerImpl extends ManagerBase implements ConsoleAccessManager {
 
     @Inject
-    private AccountManager _accountMgr;
+    private AccountManager accountManager;
     @Inject
-    private VirtualMachineManager _vmMgr;
+    private VirtualMachineManager virtualMachineManager;
     @Inject
-    private ManagementServer _ms;
+    private ManagementServer managementServer;
     @Inject
-    private EntityManager _entityMgr;
+    private EntityManager entityManager;
     @Inject
-    private UserVmDetailsDao _userVmDetailsDao;
+    private UserVmDetailsDao userVmDetailsDao;
     @Inject
-    private KeysManager _keysMgr;
+    private KeysManager keysManager;
     @Inject
     private AgentManager agentManager;
 
-    private static KeysManager s_keysMgr;
-    private final Gson _gson = new GsonBuilder().create();
+    private static KeysManager secretKeysManager;
+    private final Gson gson = new GsonBuilder().create();
 
     public static final Logger s_logger = Logger.getLogger(ConsoleAccessManagerImpl.class.getName());
 
@@ -90,19 +90,19 @@ public class ConsoleAccessManagerImpl extends ManagerBase implements ConsoleAcce
 
     @Override
     public boolean configure(String name, Map<String, Object> params) throws ConfigurationException {
-        s_keysMgr = _keysMgr;
-        allowedSessions = new HashSet<>();
+        ConsoleAccessManagerImpl.secretKeysManager = keysManager;
+        ConsoleAccessManagerImpl.allowedSessions = new HashSet<>();
         return super.configure(name, params);
     }
 
     @Override
     public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String clientSecurityToken, String clientAddress) {
         try {
-            if (_accountMgr == null || _vmMgr == null || _ms == null) {
+            if (accountManager == null || virtualMachineManager == null || managementServer == null) {
                 return new ConsoleEndpoint(false, null,"Console service is not ready");
             }
 
-            if (_keysMgr.getHashKey() == null) {
+            if (keysManager.getHashKey() == null) {
                 String msg = "Console access denied. Ticket service is not ready yet";
                 s_logger.debug(msg);
                 return new ConsoleEndpoint(false, null, msg);
@@ -116,7 +116,7 @@ public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String clientSecurityT
                 return new ConsoleEndpoint(false, null,"Access denied. Invalid or inconsistent account is found");
             }
 
-            VirtualMachine vm = _entityMgr.findById(VirtualMachine.class, vmId);
+            VirtualMachine vm = entityManager.findById(VirtualMachine.class, vmId);
             if (vm == null) {
                 s_logger.info("Invalid console servlet command parameter: " + vmId);
                 return new ConsoleEndpoint(false, null, "Cannot find VM with ID " + vmId);
@@ -128,8 +128,8 @@ public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String clientSecurityT
 
             String sessionToken = UUID.randomUUID().toString();
             return generateAccessEndpoint(vmId, sessionToken, clientSecurityToken, clientAddress);
-        } catch (Throwable e) {
-            s_logger.error("Unexepected exception in ConsoleProxyServlet", e);
+        } catch (Exception e) {
+            s_logger.error("Unexepected exception in ConsoleAccessManager", e);
             return new ConsoleEndpoint(false, null, "Server Internal Error: " + e.getMessage());
         }
     }
@@ -147,26 +147,24 @@ public void removeSessions(String[] sessionUuids) {
     }
 
     private boolean checkSessionPermision(VirtualMachine vm, Account account) {
-        if (_accountMgr.isRootAdmin(account.getId())) {
+        if (accountManager.isRootAdmin(account.getId())) {
             return true;
         }
 
         switch (vm.getType()) {
             case User:
                 try {
-                    _accountMgr.checkAccess(account, null, true, vm);
+                    accountManager.checkAccess(account, null, true, vm);
                 } catch (PermissionDeniedException ex) {
-                    if (_accountMgr.isNormalUser(account.getId())) {
+                    if (accountManager.isNormalUser(account.getId())) {
                         if (s_logger.isDebugEnabled()) {
                             s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId() + " does not match the account id in session " +
                                     account.getId() + " and caller is a normal user");
                         }
-                    } else if (_accountMgr.isDomainAdmin(account.getId())
-                            || account.getType() == Account.Type.READ_ONLY_ADMIN) {
-                        if(s_logger.isDebugEnabled()) {
-                            s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
-                                    + " does not match the account id in session " + account.getId() + " and the domain-admin caller does not manage the target domain");
-                        }
+                    } else if ((accountManager.isDomainAdmin(account.getId())
+                            || account.getType() == Account.Type.READ_ONLY_ADMIN) && s_logger.isDebugEnabled()) {
+                        s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
+                                + " does not match the account id in session " + account.getId() + " and the domain-admin caller does not manage the target domain");
                     }
                     return false;
                 }
@@ -186,7 +184,7 @@ private boolean checkSessionPermision(VirtualMachine vm, Account account) {
     }
 
     private ConsoleEndpoint generateAccessEndpoint(Long vmId, String sessionToken, String clientSecurityToken, String clientAddress) {
-        VirtualMachine vm = _vmMgr.findById(vmId);
+        VirtualMachine vm = virtualMachineManager.findById(vmId);
         String msg;
         if (vm == null) {
             msg = "VM " + vmId + " does not exist, sending blank response for console access request";
@@ -200,7 +198,7 @@ private ConsoleEndpoint generateAccessEndpoint(Long vmId, String sessionToken, S
             throw new CloudRuntimeException(msg);
         }
 
-        HostVO host = _ms.getHostBy(vm.getHostId());
+        HostVO host = managementServer.getHostBy(vm.getHostId());
         if (host == null) {
             msg = "VM " + vmId + "'s host does not exist, sending blank response for console access request";
             s_logger.warn(msg);
@@ -211,7 +209,7 @@ private ConsoleEndpoint generateAccessEndpoint(Long vmId, String sessionToken, S
             throw new CloudRuntimeException("Console access is not supported for LXC");
         }
 
-        String rootUrl = _ms.getConsoleAccessUrlRoot(vmId);
+        String rootUrl = managementServer.getConsoleAccessUrlRoot(vmId);
         if (rootUrl == null) {
             throw new CloudRuntimeException("Console access will be ready in a few minutes. Please try it again later.");
         }
@@ -223,15 +221,15 @@ private ConsoleEndpoint generateAccessEndpoint(Long vmId, String sessionToken, S
 
     private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMachine vm, HostVO hostVo, String addr,
                                                          String sessionUuid, String clientSecurityToken) {
-        StringBuffer sb = new StringBuffer(rootUrl);
+        StringBuilder sb = new StringBuilder(rootUrl);
         String host = hostVo.getPrivateIpAddress();
 
         Pair<String, Integer> portInfo = null;
         if (hostVo.getHypervisorType() == Hypervisor.HypervisorType.KVM &&
                 (hostVo.getResourceState().equals(ResourceState.ErrorInMaintenance) ||
                         hostVo.getResourceState().equals(ResourceState.ErrorInPrepareForMaintenance))) {
-            UserVmDetailVO detailAddress = _userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KVM_VNC_ADDRESS);
-            UserVmDetailVO detailPort = _userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KVM_VNC_PORT);
+            UserVmDetailVO detailAddress = userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KVM_VNC_ADDRESS);
+            UserVmDetailVO detailPort = userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KVM_VNC_PORT);
             if (detailAddress != null && detailPort != null) {
                 portInfo = new Pair<>(detailAddress.getValue(), Integer.valueOf(detailPort.getValue()));
             } else {
@@ -241,7 +239,7 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         }
 
         if (portInfo == null) {
-            portInfo = _ms.getVncPort(vm);
+            portInfo = managementServer.getVncPort(vm);
         }
 
         if (s_logger.isDebugEnabled())
@@ -252,13 +250,13 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         int port = -1;
         if (portInfo.second() == -9) {
             //for hyperv
-            port = Integer.parseInt(_ms.findDetail(hostVo.getId(), "rdp.server.port").getValue());
+            port = Integer.parseInt(managementServer.findDetail(hostVo.getId(), "rdp.server.port").getValue());
         } else {
             port = portInfo.second();
         }
 
         String sid = vm.getVncPassword();
-        UserVmDetailVO details = _userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KEYBOARD);
+        UserVmDetailVO details = userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KEYBOARD);
 
         String tag = vm.getUuid();
 
@@ -290,8 +288,8 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         if (portInfo.second() == -9) {
             //For Hyperv Clinet Host Address will send Instance id
             param.setHypervHost(host);
-            param.setUsername(_ms.findDetail(hostVo.getId(), "username").getValue());
-            param.setPassword(_ms.findDetail(hostVo.getId(), "password").getValue());
+            param.setUsername(managementServer.findDetail(hostVo.getId(), "username").getValue());
+            param.setPassword(managementServer.findDetail(hostVo.getId(), "password").getValue());
         }
         if (parsedHostInfo.second() != null  && parsedHostInfo.third() != null) {
             param.setClientTunnelUrl(parsedHostInfo.second());
@@ -310,7 +308,7 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
 
         // for console access, we need guest OS type to help implement keyboard
         long guestOs = vm.getGuestOSId();
-        GuestOSVO guestOsVo = _ms.getGuestOs(guestOs);
+        GuestOSVO guestOsVo = managementServer.getGuestOs(guestOs);
         if (guestOsVo.getCategoryId() == 6)
             sb.append("&guest=windows");
 
@@ -323,7 +321,7 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         return new ConsoleEndpoint(true, url);
     }
 
-    static public Ternary<String, String, String> parseHostInfo(String hostInfo) {
+    public static Ternary<String, String, String> parseHostInfo(String hostInfo) {
         String host = null;
         String tunnelUrl = null;
         String tunnelSession = null;
@@ -332,7 +330,7 @@ static public Ternary<String, String, String> parseHostInfo(String hostInfo) {
 
         if (hostInfo != null) {
             if (hostInfo.startsWith("consoleurl")) {
-                String tokens[] = hostInfo.split("&");
+                String[] tokens = hostInfo.split("&");
 
                 if (hostInfo.length() > 19 && hostInfo.indexOf('/', 19) > 19) {
                     host = hostInfo.substring(19, hostInfo.indexOf('/', 19)).trim();
@@ -350,7 +348,7 @@ static public Ternary<String, String, String> parseHostInfo(String hostInfo) {
             host = hostInfo;
         }
 
-        return new Ternary<String, String, String>(host, tunnelUrl, tunnelSession);
+        return new Ternary<>(host, tunnelUrl, tunnelSession);
     }
 
     /**
@@ -373,7 +371,7 @@ public static String genAccessTicket(String host, String port, String sid, Strin
 
             long ts = normalizedHashTime.getTime();
             ts = ts / 60000;        // round up to 1 minute
-            String secretKey = s_keysMgr.getHashKey();
+            String secretKey = secretKeysManager.getHashKey();
 
             SecretKeySpec keySpec = new SecretKeySpec(secretKey.getBytes(), mac.getAlgorithm());
             mac.init(keySpec);
@@ -390,11 +388,11 @@ public static String genAccessTicket(String host, String port, String sid, Strin
     }
 
     private String getEncryptorPassword() {
-        String key = _keysMgr.getEncryptionKey();
-        String iv = _keysMgr.getEncryptionIV();
+        String key = keysManager.getEncryptionKey();
+        String iv = keysManager.getEncryptionIV();
 
         ConsoleProxyPasswordBasedEncryptor.KeyIVPair keyIvPair = new ConsoleProxyPasswordBasedEncryptor.KeyIVPair(key, iv);
-        return _gson.toJson(keyIvPair);
+        return gson.toJson(keyIvPair);
     }
 
     /**
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
index 2308ffae96a9..bae9ee613630 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
@@ -36,13 +36,13 @@ public interface ConsoleProxyManager extends Manager, ConsoleProxyService {
     String ALERT_SUBJECT = "proxy-alert";
     String CERTIFICATE_NAME = "CPVMCertificate";
 
-    ConfigKey<Boolean> NoVncConsoleDefault = new ConfigKey<Boolean>("Advanced", Boolean.class, "novnc.console.default", "true",
+    ConfigKey<Boolean> NoVncConsoleDefault = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Boolean.class, "novnc.console.default", "true",
         "If true, noVNC console will be default console for virtual machines", true);
 
-    ConfigKey<Boolean> NoVncConsoleSourceIpCheckEnabled = new ConfigKey<Boolean>("Advanced", Boolean.class, "novnc.console.sourceip.check.enabled", "false",
+    ConfigKey<Boolean> NoVncConsoleSourceIpCheckEnabled = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Boolean.class, "novnc.console.sourceip.check.enabled", "false",
         "If true, The source IP to access novnc console must be same as the IP in request to management server for console URL. Needs to reconnect CPVM to management server when this changes (via restart CPVM, or management server, or cloud service in CPVM)", false);
 
-    ConfigKey<Integer> NoVncConsolePort = new ConfigKey<>("Advanced", Integer.class, "novnc.console.port",
+    ConfigKey<Integer> NoVncConsolePort = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Integer.class, "novnc.console.port",
             "8080", "The listen port for noVNC console", true);
 
     void setManagementState(ConsoleProxyManagementState state);
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index c230c162cd32..a5f26e0ffd73 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -986,7 +986,7 @@ public void doInTransactionWithoutResult(TransactionStatus status) {
                     }
                 });
             }
-        } catch (Throwable e) {
+        } catch (Exception e) {
             s_logger.error(String.format("Unable to set console proxy management state to [%s] due to [%s].", state, e.getMessage()), e);
         }
     }
@@ -1021,7 +1021,7 @@ public void resumeLastManagementState() {
             if (lastState != state) {
                 configurationDao.update(Config.ConsoleProxyManagementState.key(), Config.ConsoleProxyManagementState.getCategory(), lastState.toString());
             }
-        } catch (Throwable e) {
+        } catch (Exception e) {
             s_logger.error(String.format("Unable to resume last management state due to [%s].", e.getMessage()), e);
         }
     }
diff --git a/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java b/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
index 4389a03ead2e..f7101e1a36e6 100644
--- a/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
+++ b/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java
@@ -179,7 +179,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
             } else {
                 handleAuthRequest(req, resp, vmId);
             }
-        } catch (Throwable e) {
+        } catch (Exception e) {
             s_logger.error("Unexepected exception in ConsoleProxyServlet", e);
             sendResponse(resp, "Server Internal Error");
         }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientStatsCollector.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientStatsCollector.java
index 922c659cf6dd..f82bfdfebb58 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientStatsCollector.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientStatsCollector.java
@@ -74,7 +74,7 @@ private void setConnections(Hashtable<String, ConsoleProxyClient> connMap) {
                 conn.tag = client.getClientTag();
                 conn.createTime = client.getClientCreateTime();
                 conn.lastUsedTime = client.getClientLastFrontEndActivityTime();
-                conn.sessionUuid = client.getSessionUuid();
+                conn.setSessionUuid(client.getSessionUuid());
                 conns.add(conn);
             }
         }
@@ -89,7 +89,15 @@ public static class ConsoleProxyConnection {
         public String tag;
         public long createTime;
         public long lastUsedTime;
-        public String sessionUuid;
+        protected String sessionUuid;
+
+        public String getSessionUuid() {
+            return sessionUuid;
+        }
+
+        public void setSessionUuid(String sessionUuid) {
+            this.sessionUuid = sessionUuid;
+        }
 
         public ConsoleProxyConnection() {
         }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
index 1ee8e537e2dc..3f109d83ca41 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
@@ -34,7 +34,7 @@
 public class ConsoleProxyNoVNCServer {
 
     private static final Logger s_logger = Logger.getLogger(ConsoleProxyNoVNCServer.class);
-    private static int wsPort = 8080;
+    private static int WS_PORT = 8080;
     private static final String vncConfFileLocation = "/root/vncport";
 
     private Server server;
@@ -42,8 +42,8 @@ public class ConsoleProxyNoVNCServer {
     private void init() {
         try {
             String portStr = Files.readString(Path.of(vncConfFileLocation)).trim();
-            wsPort = Integer.parseInt(portStr);
-            s_logger.info("Setting port to: " + wsPort);
+            ConsoleProxyNoVNCServer.WS_PORT = Integer.parseInt(portStr);
+            s_logger.info("Setting port to: " + WS_PORT);
         } catch (Exception e) {
             s_logger.error("Error loading properties from " + vncConfFileLocation, e);
         }
@@ -51,7 +51,7 @@ private void init() {
 
     public ConsoleProxyNoVNCServer() {
         init();
-        this.server = new Server(wsPort);
+        this.server = new Server(WS_PORT);
         ConsoleProxyNoVNCHandler handler = new ConsoleProxyNoVNCHandler();
         this.server.setHandler(handler);
     }
@@ -65,7 +65,7 @@ public ConsoleProxyNoVNCServer(byte[] ksBits, String ksPassword) {
         try {
             final HttpConfiguration httpConfig = new HttpConfiguration();
             httpConfig.setSecureScheme("https");
-            httpConfig.setSecurePort(wsPort);
+            httpConfig.setSecurePort(WS_PORT);
 
             final HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
             httpsConfig.addCustomizer(new SecureRequestCustomizer());
@@ -81,7 +81,7 @@ public ConsoleProxyNoVNCServer(byte[] ksBits, String ksPassword) {
             final ServerConnector sslConnector = new ServerConnector(server,
                 new SslConnectionFactory(sslContextFactory, "http/1.1"),
                 new HttpConnectionFactory(httpsConfig));
-            sslConnector.setPort(wsPort);
+            sslConnector.setPort(WS_PORT);
             server.addConnector(sslConnector);
         } catch (Exception e) {
             s_logger.error("Unable to secure server due to exception ", e);
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java
index b3df0f5a29bb..fb2efe40d1dd 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java
@@ -16,12 +16,11 @@
 // under the License.
 package org.apache.cloudstack.utils.consoleproxy;
 
-import org.apache.log4j.Logger;
-
 public class ConsoleAccessUtils {
 
-    public static final Logger s_logger = Logger.getLogger(ConsoleAccessUtils.class.getName());
+    private ConsoleAccessUtils() {
+    }
 
-    public static String CLIENT_SECURITY_HEADER_PARAM_KEY = "client-security-token";
-    public static String CLIENT_INET_ADDRESS_KEY = "client-inet-address";
+    public static final String CLIENT_SECURITY_HEADER_PARAM_KEY = "client-security-token";
+    public static final String CLIENT_INET_ADDRESS_KEY = "client-inet-address";
 }

From f8e97c936e6d3fa363a3beb77c1d3eeb40e4298a Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Mon, 15 Aug 2022 14:09:12 -0300
Subject: [PATCH 05/19] Refactor API response

---
 .../user/consoleproxy/ConsoleEndpoint.java    | 36 +++++++++
 .../CreateConsoleEndpointCmd.java             | 33 ++++++--
 .../ConsoleEndpointWebsocketResponse.java     | 76 +++++++++++++++++++
 ...ava => CreateConsoleEndpointResponse.java} | 53 ++++---------
 .../consoleproxy/ConsoleAccessManager.java    |  5 --
 .../ConsoleAccessManagerImpl.java             | 10 ++-
 .../com/cloud/server/ManagementServer.java    |  2 +
 .../cloud/server/ManagementServerImpl.java    | 10 +++
 8 files changed, 173 insertions(+), 52 deletions(-)
 create mode 100644 api/src/main/java/org/apache/cloudstack/api/response/ConsoleEndpointWebsocketResponse.java
 rename api/src/main/java/org/apache/cloudstack/api/response/{CreateConsoleUrlResponse.java => CreateConsoleEndpointResponse.java} (69%)

diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java
index cd61c223ed16..4b47a60b27e0 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java
@@ -21,6 +21,10 @@ public class ConsoleEndpoint {
     private boolean result;
     private String details;
     private String url;
+    private String websocketToken;
+    private String websocketPath;
+    private String websocketHost;
+    private String websocketPort;
 
     public ConsoleEndpoint(boolean result, String url) {
         this.result = result;
@@ -55,4 +59,36 @@ public String getDetails() {
     public void setDetails(String details) {
         this.details = details;
     }
+
+    public String getWebsocketToken() {
+        return websocketToken;
+    }
+
+    public void setWebsocketToken(String websocketToken) {
+        this.websocketToken = websocketToken;
+    }
+
+    public String getWebsocketPath() {
+        return websocketPath;
+    }
+
+    public void setWebsocketPath(String websocketPath) {
+        this.websocketPath = websocketPath;
+    }
+
+    public String getWebsocketHost() {
+        return websocketHost;
+    }
+
+    public void setWebsocketHost(String websocketHost) {
+        this.websocketHost = websocketHost;
+    }
+
+    public String getWebsocketPort() {
+        return websocketPort;
+    }
+
+    public void setWebsocketPort(String websocketPort) {
+        this.websocketPort = websocketPort;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
index b84fa4745106..870d4f11d2ca 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
@@ -27,7 +27,8 @@
 import org.apache.cloudstack.api.BaseCmd;
 import org.apache.cloudstack.api.Parameter;
 import org.apache.cloudstack.api.ServerApiException;
-import org.apache.cloudstack.api.response.CreateConsoleUrlResponse;
+import org.apache.cloudstack.api.response.ConsoleEndpointWebsocketResponse;
+import org.apache.cloudstack.api.response.CreateConsoleEndpointResponse;
 import org.apache.cloudstack.api.response.UserVmResponse;
 import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
 import org.apache.cloudstack.context.CallContext;
@@ -39,7 +40,7 @@
 import java.util.Map;
 
 @APICommand(name = CreateConsoleEndpointCmd.APINAME, description = "Create a console endpoint to connect to a VM console",
-        responseObject = CreateConsoleUrlResponse.class, since = "4.18.0",
+        responseObject = CreateConsoleEndpointResponse.class, since = "4.18.0",
         requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
 public class CreateConsoleEndpointCmd extends BaseCmd {
 
@@ -62,18 +63,34 @@ public void execute() throws ResourceUnavailableException, InsufficientCapacityE
         String clientAddress = getClientAddress();
         ConsoleEndpoint endpoint = consoleManager.generateConsoleEndpoint(vmId, clientSecurityToken, clientAddress);
         if (endpoint != null) {
-            CreateConsoleUrlResponse response = new CreateConsoleUrlResponse();
-            response.setResult(endpoint.isResult());
-            response.setDetails(endpoint.getDetails());
-            response.setUrl(endpoint.getUrl());
-            response.setResponseName(getCommandName());
-            response.setObjectName("consoleendpoint");
+            CreateConsoleEndpointResponse response = createResponse(endpoint);
             setResponseObject(response);
         } else {
             throw new ServerApiException(ApiErrorCode.INTERNAL_ERROR, "Unable to generate console endpoint for vm " + vmId);
         }
     }
 
+    private CreateConsoleEndpointResponse createResponse(ConsoleEndpoint endpoint) {
+        CreateConsoleEndpointResponse response = new CreateConsoleEndpointResponse();
+        response.setResult(endpoint.isResult());
+        response.setDetails(endpoint.getDetails());
+        response.setUrl(endpoint.getUrl());
+        response.setWebsocketResponse(createWebsocketResponse(endpoint));
+        response.setResponseName(getCommandName());
+        response.setObjectName("consoleendpoint");
+        return response;
+    }
+
+    private ConsoleEndpointWebsocketResponse createWebsocketResponse(ConsoleEndpoint endpoint) {
+        ConsoleEndpointWebsocketResponse wsResponse = new ConsoleEndpointWebsocketResponse();
+        wsResponse.setHost(endpoint.getWebsocketHost());
+        wsResponse.setPort(endpoint.getWebsocketPort());
+        wsResponse.setPath(endpoint.getWebsocketPath());
+        wsResponse.setToken(endpoint.getWebsocketToken());
+        wsResponse.setObjectName("websocket");
+        return wsResponse;
+    }
+
     private String getParameterBase(String paramKey) {
         Map<String, String> params = getFullUrlParams();
         return MapUtils.isNotEmpty(params) && params.containsKey(paramKey) ? params.get(paramKey) : null;
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/ConsoleEndpointWebsocketResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/ConsoleEndpointWebsocketResponse.java
new file mode 100644
index 000000000000..a453a1237909
--- /dev/null
+++ b/api/src/main/java/org/apache/cloudstack/api/response/ConsoleEndpointWebsocketResponse.java
@@ -0,0 +1,76 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.api.response;
+
+import com.cloud.serializer.Param;
+import com.google.gson.annotations.SerializedName;
+import org.apache.cloudstack.api.ApiConstants;
+import org.apache.cloudstack.api.BaseResponse;
+
+public class ConsoleEndpointWebsocketResponse extends BaseResponse {
+
+    public ConsoleEndpointWebsocketResponse() {
+    }
+
+    @SerializedName(ApiConstants.TOKEN)
+    @Param(description = "the console websocket token")
+    private String token;
+
+    @SerializedName("host")
+    @Param(description = "the console websocket host")
+    private String host;
+
+    @SerializedName(ApiConstants.PORT)
+    @Param(description = "the console websocket port")
+    private String port;
+
+    @SerializedName(ApiConstants.PATH)
+    @Param(description = "the console websocket path")
+    private String path;
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public String getHost() {
+        return host;
+    }
+
+    public void setHost(String host) {
+        this.host = host;
+    }
+
+    public String getPort() {
+        return port;
+    }
+
+    public void setPort(String port) {
+        this.port = port;
+    }
+
+    public String getPath() {
+        return path;
+    }
+
+    public void setPath(String path) {
+        this.path = path;
+    }
+}
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleUrlResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleEndpointResponse.java
similarity index 69%
rename from api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleUrlResponse.java
rename to api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleEndpointResponse.java
index 61b05be7ab39..c60917bbe7a2 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleUrlResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/CreateConsoleEndpointResponse.java
@@ -21,7 +21,10 @@
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.BaseResponse;
 
-public class CreateConsoleUrlResponse extends BaseResponse {
+public class CreateConsoleEndpointResponse extends BaseResponse {
+
+    public CreateConsoleEndpointResponse() {
+    }
 
     @SerializedName(ApiConstants.RESULT)
     @Param(description = "true if the console endpoint is generated properly")
@@ -31,22 +34,14 @@ public class CreateConsoleUrlResponse extends BaseResponse {
     @Param(description = "details in case of an error")
     private String details;
 
-    @SerializedName(ApiConstants.IP_ADDRESS)
-    @Param(description = "the console ip address")
-    private String ipAddress;
-
-    @SerializedName(ApiConstants.PORT)
-    @Param(description = "the console port")
-    private String port;
-
-    @SerializedName(ApiConstants.TOKEN)
-    @Param(description = "the console token")
-    private String token;
-
     @SerializedName(ApiConstants.URL)
     @Param(description = "the console url")
     private String url;
 
+    @SerializedName("websocket")
+    @Param(description = "the console websocket options")
+    private ConsoleEndpointWebsocketResponse websocketResponse;
+
     public Boolean getResult() {
         return result;
     }
@@ -63,30 +58,6 @@ public void setDetails(String details) {
         this.details = details;
     }
 
-    public String getIpAddress() {
-        return ipAddress;
-    }
-
-    public void setIpAddress(String ip) {
-        this.ipAddress = ip;
-    }
-
-    public String getPort() {
-        return port;
-    }
-
-    public void setPort(String port) {
-        this.port = port;
-    }
-
-    public String getToken() {
-        return token;
-    }
-
-    public void setToken(String token) {
-        this.token = token;
-    }
-
     public String getUrl() {
         return url;
     }
@@ -94,4 +65,12 @@ public String getUrl() {
     public void setUrl(String url) {
         this.url = url;
     }
+
+    public ConsoleEndpointWebsocketResponse getWebsocketResponse() {
+        return websocketResponse;
+    }
+
+    public void setWebsocketResponse(ConsoleEndpointWebsocketResponse websocketResponse) {
+        this.websocketResponse = websocketResponse;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
index 69e12d474386..38c71a7b38e4 100644
--- a/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
+++ b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
@@ -23,11 +23,6 @@
 
 public interface ConsoleAccessManager extends Manager, Configurable {
 
-
-    ConfigKey<String> ConsoleProxySchema = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, String.class,
-            "consoleproxy.schema", "http",
-            "The http/https schema to be used by the console proxy URLs", true);
-
     ConfigKey<Boolean> ConsoleProxyExtraSecurityHeaderEnabled = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Boolean.class,
             "consoleproxy.extra.security.header.enabled", "false",
             "Enable/disable extra security validation for console proxy using client header", true);
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
index 75bd6cddef98..26e51f804d13 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
@@ -317,7 +317,13 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         }
         s_logger.debug("Adding allowed session: " + sessionUuid);
         allowedSessions.add(sessionUuid);
-        String url = !sb.toString().startsWith("http") ? ConsoleAccessManager.ConsoleProxySchema.value() + ":" + sb : sb.toString();
+
+        String url = !sb.toString().startsWith("https") ? sb.toString() : "http:" + sb;
+        ConsoleEndpoint consoleEndpoint = new ConsoleEndpoint(true, url);
+        consoleEndpoint.setWebsocketHost(managementServer.getConsoleAccessAddress(vm.getId()));
+        consoleEndpoint.setWebsocketPort(String.valueOf(ConsoleProxyManager.NoVncConsolePort.value()));
+        consoleEndpoint.setWebsocketPath("websockify");
+        consoleEndpoint.setWebsocketToken(token);
         return new ConsoleEndpoint(true, url);
     }
 
@@ -443,7 +449,7 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey[] { ConsoleProxySchema, ConsoleProxyExtraSecurityHeaderName,
+        return new ConfigKey[] { ConsoleProxyExtraSecurityHeaderName,
                 ConsoleProxyExtraSecurityHeaderEnabled };
     }
 }
diff --git a/server/src/main/java/com/cloud/server/ManagementServer.java b/server/src/main/java/com/cloud/server/ManagementServer.java
index 7ecb66503732..6b54702655d6 100644
--- a/server/src/main/java/com/cloud/server/ManagementServer.java
+++ b/server/src/main/java/com/cloud/server/ManagementServer.java
@@ -54,6 +54,8 @@ public interface ManagementServer extends ManagementService, PluggableService {
 
     String getConsoleAccessUrlRoot(long vmId);
 
+    String getConsoleAccessAddress(long vmId);
+
     GuestOSVO getGuestOs(Long guestOsId);
 
     GuestOSHypervisorVO getGuestOsHypervisor(Long guestOsHypervisorId);
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
index 9c7eef4f2bdb..2787762be515 100644
--- a/server/src/main/java/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -2848,6 +2848,16 @@ public String getConsoleAccessUrlRoot(final long vmId) {
         return null;
     }
 
+    @Override
+    public String getConsoleAccessAddress(long vmId) {
+        final VMInstanceVO vm = _vmInstanceDao.findById(vmId);
+        if (vm != null) {
+            final ConsoleProxyInfo proxy = getConsoleProxyForVm(vm.getDataCenterId(), vmId);
+            return proxy != null ? proxy.getProxyAddress() : null;
+        }
+        return null;
+    }
+
     @Override
     public Pair<String, Integer> getVncPort(final VirtualMachine vm) {
         if (vm.getHostId() == null) {

From e2a2153c31be0b109952e9707537350bcac002c8 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Tue, 16 Aug 2022 10:15:20 -0300
Subject: [PATCH 06/19] Minor fix

---
 .../java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
index 26e51f804d13..7bf52882e605 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
@@ -318,13 +318,13 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         s_logger.debug("Adding allowed session: " + sessionUuid);
         allowedSessions.add(sessionUuid);
 
-        String url = !sb.toString().startsWith("https") ? sb.toString() : "http:" + sb;
+        String url = sb.toString().startsWith("https") ? sb.toString() : "http:" + sb;
         ConsoleEndpoint consoleEndpoint = new ConsoleEndpoint(true, url);
         consoleEndpoint.setWebsocketHost(managementServer.getConsoleAccessAddress(vm.getId()));
         consoleEndpoint.setWebsocketPort(String.valueOf(ConsoleProxyManager.NoVncConsolePort.value()));
         consoleEndpoint.setWebsocketPath("websockify");
         consoleEndpoint.setWebsocketToken(token);
-        return new ConsoleEndpoint(true, url);
+        return consoleEndpoint;
     }
 
     public static Ternary<String, String, String> parseHostInfo(String hostInfo) {

From cd8a53748449163e3318fed79e96b8c70cf35625 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Tue, 16 Aug 2022 11:28:33 -0300
Subject: [PATCH 07/19] Refactor and increase timeout on ssh to cpvm

---
 .../wrapper/LibvirtStartCommandWrapper.java   | 33 +++++++++++--------
 1 file changed, 19 insertions(+), 14 deletions(-)

diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
index b3294d03b2a0..6acb11575e15 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
@@ -51,8 +51,6 @@
 public final class LibvirtStartCommandWrapper extends CommandWrapper<StartCommand, Answer, LibvirtComputingResource> {
 
     private static final Logger s_logger = Logger.getLogger(LibvirtStartCommandWrapper.class);
-    private static final int SSH_PORT = Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT);
-    private static final File PEM_FILE = new File(LibvirtComputingResource.SSHPRVKEYPATH);
     private static final String VNC_CONF_FILE_LOCATION = "/root/vncport";
 
     @Override
@@ -114,10 +112,6 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
                         }
                     }
 
-                    if (vmSpec.getType() == VirtualMachine.Type.ConsoleProxy && vmSpec.getVncPort() != null) {
-                        configureVncPortOnCpvm(vmSpec.getVncPort(), controlIp);
-                    }
-
                     final VirtualRoutingResource virtRouterResource = libvirtComputingResource.getVirtRouterResource();
                     // check if the router is up?
                     for (int count = 0; count < 60; count++) {
@@ -127,9 +121,13 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
                         }
                     }
 
+                    if (vmSpec.getType() == VirtualMachine.Type.ConsoleProxy && vmSpec.getVncPort() != null) {
+                        configureVncPortOnCpvm(vmSpec.getVncPort(), controlIp);
+                    }
+
                     try {
-                        FileUtil.scpPatchFiles(controlIp, VRScripts.CONFIG_CACHE_LOCATION,Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT),
-                                LibvirtStartCommandWrapper.PEM_FILE, LibvirtComputingResource.systemVmPatchFiles, LibvirtComputingResource.BASEPATH);
+                        File pemFile = new File(LibvirtComputingResource.SSHPRVKEYPATH);
+                        FileUtil.scpPatchFiles(controlIp, VRScripts.CONFIG_CACHE_LOCATION, Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT), pemFile, LibvirtComputingResource.systemVmPatchFiles, LibvirtComputingResource.BASEPATH);
                         if (!virtRouterResource.isSystemVMSetup(vmName, controlIp)) {
                             String errMsg = "Failed to patch systemVM";
                             s_logger.error(errMsg);
@@ -171,12 +169,19 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
     }
 
     private void configureVncPortOnCpvm(String novncPort, String controlIp) {
-        try {
-            String addCmd = "echo " + novncPort + " > " + VNC_CONF_FILE_LOCATION;
-            SshHelper.sshExecute(controlIp, SSH_PORT, "root",
-                    LibvirtStartCommandWrapper.PEM_FILE, null, addCmd, 20000, 20000, 600000);
-        } catch (Exception e) {
-            s_logger.error("Could not set the noVNC port " + novncPort + " to the CPVM", e);
+        File pemFile = new File(LibvirtComputingResource.SSHPRVKEYPATH);
+        int sshPort = Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT);
+        String addCmd = "echo " + novncPort + " > " + VNC_CONF_FILE_LOCATION;
+        for (int retries = 1; retries <= 3; retries++) {
+            try {
+                SshHelper.sshExecute(controlIp, sshPort, "root", pemFile, null, addCmd);
+                if (s_logger.isDebugEnabled()) {
+                    s_logger.debug(String.format("Set noVNC port: %s to the CPVM", novncPort));
+                }
+                return;
+            } catch (Exception e) {
+                s_logger.error(String.format("Could not set the noVNC port: %s to the CPVM, attempt: %s", novncPort, retries) , e);
+            }
         }
     }
 

From 056f76301afadfe4d02f51b42f864f8b97138057 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Tue, 16 Aug 2022 22:15:05 -0300
Subject: [PATCH 08/19] Add marvin tests and extend permissions

---
 .../CreateConsoleEndpointCmd.java             |   4 +-
 .../smoke/test_console_endpoint.py            | 203 ++++++++++++++++++
 2 files changed, 206 insertions(+), 1 deletion(-)
 create mode 100644 test/integration/smoke/test_console_endpoint.py

diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
index 870d4f11d2ca..319db1debf6e 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
@@ -21,6 +21,7 @@
 import com.cloud.exception.NetworkRuleConflictException;
 import com.cloud.exception.ResourceAllocationException;
 import com.cloud.exception.ResourceUnavailableException;
+import org.apache.cloudstack.acl.RoleType;
 import org.apache.cloudstack.api.APICommand;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.api.ApiErrorCode;
@@ -41,7 +42,8 @@
 
 @APICommand(name = CreateConsoleEndpointCmd.APINAME, description = "Create a console endpoint to connect to a VM console",
         responseObject = CreateConsoleEndpointResponse.class, since = "4.18.0",
-        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false)
+        requestHasSensitiveInfo = false, responseHasSensitiveInfo = false,
+        authorized = {RoleType.Admin, RoleType.ResourceAdmin, RoleType.DomainAdmin, RoleType.User})
 public class CreateConsoleEndpointCmd extends BaseCmd {
 
     public static final String APINAME = "createConsoleEndpoint";
diff --git a/test/integration/smoke/test_console_endpoint.py b/test/integration/smoke/test_console_endpoint.py
new file mode 100644
index 000000000000..baf7cf25ac0c
--- /dev/null
+++ b/test/integration/smoke/test_console_endpoint.py
@@ -0,0 +1,203 @@
+#!/usr/bin/env python
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+from marvin.codes import FAILED
+from marvin.cloudstackTestCase import *
+from marvin.cloudstackAPI import (createConsoleEndpoint, updateConfiguration, listConfigurations, destroySystemVm)
+from marvin.lib.utils import *
+from marvin.lib.base import *
+from marvin.lib.common import (get_domain,
+                               get_zone,
+                               get_template,
+                               list_ssvms)
+from nose.plugins.attrib import attr
+
+class TestConsoleEndpoint(cloudstackTestCase):
+
+    @classmethod
+    def setUpClass(cls):
+        cls.testClient = super(TestConsoleEndpoint, cls).getClsTestClient()
+        cls.apiclient = cls.testClient.getApiClient()
+        cls.domain = get_domain(cls.apiclient)
+        cls.services = cls.testClient.getParsedTestDataConfig()
+        # Get Zone, Domain and templates
+        cls.zone = get_zone(cls.apiclient, cls.testClient.getZoneForTests())
+        cls.hypervisor = cls.testClient.getHypervisorInfo()
+
+        cls.template = get_template(
+            cls.apiclient,
+            cls.zone.id,
+            cls.hypervisor
+        )
+
+        if cls.template == FAILED:
+            assert False, "get_template() failed to return template"
+
+        cls.services["virtual_machine"]["zoneid"] = cls.zone.id
+
+        cls.services["template"] = cls.template.id
+        cls.services["zoneid"] = cls.zone.id
+
+        cls.account = Account.create(
+            cls.apiclient,
+            cls.services["account"],
+            domainid=cls.domain.id
+        )
+        cls.service_offering = ServiceOffering.create(
+            cls.apiclient,
+            cls.services["service_offerings"]["tiny"]
+        )
+        cls.vm1 = VirtualMachine.create(
+            cls.apiclient,
+            cls.services["virtual_machine"],
+            templateid=cls.template.id,
+            accountid=cls.account.name,
+            domainid=cls.account.domainid,
+            serviceofferingid=cls.service_offering.id
+        )
+
+        cls._cleanup = [
+            cls.service_offering,
+            cls.vm1,
+            cls.account
+        ]
+        return
+
+    @classmethod
+    def tearDownClass(cls):
+        try:
+            cleanup_resources(cls.apiclient, cls._cleanup)
+        except Exception as e:
+            raise Exception("Warning: Exception during cleanup : %s" % e)
+
+    def setUp(self):
+        self.apiclient = self.testClient.getApiClient()
+        self.dbclient = self.testClient.getDbConnection()
+        self.cleanup = []
+        return
+
+    def tearDown(self):
+        try:
+            # Clean up, terminate the created instance, volumes and snapshots
+            cleanup_resources(self.apiclient, self.cleanup)
+        except Exception as e:
+            raise Exception("Warning: Exception during cleanup : %s" % e)
+        return
+
+    @attr(tags=["basic", "advanced"], required_hardware="false")
+    def test_console_endpoint_permissions(self):
+        cmd = createConsoleEndpoint.createConsoleEndpointCmd()
+        cmd.virtualmachineid=self.vm1.id
+        endpoint = self.apiclient.createConsoleEndpoint(cmd)
+
+        if not endpoint:
+            self.fail("Failed to get generate VM console endpoint")
+
+        self.assertTrue(endpoint.success)
+        self.assertNotEqual(len(endpoint.url), 0, "VM console endpoint url was empty")
+
+        account2 = Account.create(
+            self.apiclient,
+            self.services["account2"],
+            domainid=self.domain.id
+        )
+        self.cleanup.append(account2)
+        account2_user = account2.user[0]
+        account2ApiClient = self.testClient.getUserApiClient(account2_user.username, self.domain.name)
+
+        endpoint = account2ApiClient.createConsoleEndpoint(cmd)
+        self.assertFalse(endpoint.success)
+        self.assertTrue(endpoint.url is None)
+        return
+
+    def checkForRunningSystemVM(self, ssvm, ssvm_type=None):
+        if not ssvm:
+            return None
+
+        def checkRunningState():
+            if not ssvm_type:
+                response = list_ssvms(
+                    self.apiclient,
+                    id=ssvm.id
+                )
+            else:
+                response = list_ssvms(
+                    self.apiclient,
+                    zoneid=self.zone.id,
+                    systemvmtype=ssvm_type
+                )
+
+            if isinstance(response, list):
+                ssvm_response = response[0]
+                return ssvm_response.state == 'Running', ssvm_response
+            return False, None
+
+        res, ssvm_response = wait_until(3, 300, checkRunningState)
+        if not res:
+            self.fail("Failed to reach systemvm state to Running")
+        return ssvm_response
+
+    def destroy_cpvm(self):
+        list_cpvm_response = list_ssvms(
+            self.apiclient,
+            systemvmtype='consoleproxy',
+            zoneid=self.zone.id
+        )
+        self.assertEqual(isinstance(list_cpvm_response, list), True, "Check list response returns a valid list")
+        cpvm_response = list_cpvm_response[0]
+        self.debug("Destroying CPVM: %s" % cpvm_response.id)
+        cmd = destroySystemVm.destroySystemVmCmd()
+        cmd.id = cpvm_response.id
+        self.apiclient.destroySystemVm(cmd)
+        self.checkForRunningSystemVM(cpvm_response, 'consoleproxy')
+
+    @attr(tags=["basic", "advanced"], required_hardware="false")
+    def test_console_endpoint_change_websocket_traffic(self):
+        cmd = listConfigurations.listConfigurationsCmd()
+        cmd.name = "novnc.console.port"
+        vncport = self.apiclient.listConfigurations(cmd)[0].value
+
+        updateConfigurationCmd = updateConfiguration.updateConfigurationCmd()
+        updateConfigurationCmd.name = "novnc.console.port"
+        updateConfigurationCmd.value = "8099"
+        self.apiclient.updateConfiguration(updateConfigurationCmd)
+
+        self.destroy_cpvm()
+
+        cmd = createConsoleEndpoint.createConsoleEndpointCmd()
+        cmd.virtualmachineid=self.vm1.id
+        endpoint = self.apiclient.createConsoleEndpoint(cmd)
+
+        if not endpoint:
+            self.fail("Failed to get generate VM console endpoint")
+
+        self.assertTrue(endpoint.success)
+        self.assertEqual(endpoint.websocket.port, "8099")
+
+        updateConfigurationCmd.value = vncport
+        self.apiclient.updateConfiguration(updateConfigurationCmd)
+
+        self.destroy_cpvm()
+
+        endpoint = self.apiclient.createConsoleEndpoint(cmd)
+
+        if not endpoint:
+            self.fail("Failed to get generate VM console endpoint")
+
+        self.assertTrue(endpoint.success)
+        self.assertEqual(endpoint.websocket.port, vncport)
\ No newline at end of file

From 3df57b884308a09ca5b74f06f430c9ac832665e4 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Wed, 17 Aug 2022 15:33:22 -0300
Subject: [PATCH 09/19] Add unit tests

---
 .../wrapper/LibvirtStartCommandWrapper.java   |  10 +-
 .../LibvirtComputingResourceTest.java         |   7 ++
 .../LibvirtStartCommandWrapperTest.java       |  59 ++++++++++
 .../main/java/com/cloud/api/ApiServlet.java   |  24 ++--
 .../com/cloud/consoleproxy/AgentHookBase.java |   1 +
 .../ConsoleAccessManagerImpl.java             |   8 +-
 .../spring-server-core-managers-context.xml   |   2 +-
 .../java/com/cloud/api/ApiServletTest.java    |  67 ++++++++++-
 .../ConsoleAccessManagerImplTest.java         | 109 ++++++++++++++++++
 9 files changed, 266 insertions(+), 21 deletions(-)
 create mode 100644 plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapperTest.java
 rename server/src/main/java/{com/cloud => org/apache/cloudstack}/consoleproxy/ConsoleAccessManagerImpl.java (98%)
 create mode 100644 server/src/test/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImplTest.java

diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
index 6acb11575e15..b9e35b7d256d 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
@@ -48,7 +48,7 @@
 import com.cloud.vm.VirtualMachine;
 
 @ResourceWrapper(handles =  StartCommand.class)
-public final class LibvirtStartCommandWrapper extends CommandWrapper<StartCommand, Answer, LibvirtComputingResource> {
+public class LibvirtStartCommandWrapper extends CommandWrapper<StartCommand, Answer, LibvirtComputingResource> {
 
     private static final Logger s_logger = Logger.getLogger(LibvirtStartCommandWrapper.class);
     private static final String VNC_CONF_FILE_LOCATION = "/root/vncport";
@@ -121,12 +121,13 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
                         }
                     }
 
+                    File pemFile = new File(libvirtUtilitiesHelper.retrieveSshPrvKeyPath());
+
                     if (vmSpec.getType() == VirtualMachine.Type.ConsoleProxy && vmSpec.getVncPort() != null) {
-                        configureVncPortOnCpvm(vmSpec.getVncPort(), controlIp);
+                        configureVncPortOnCpvm(vmSpec.getVncPort(), controlIp, pemFile);
                     }
 
                     try {
-                        File pemFile = new File(LibvirtComputingResource.SSHPRVKEYPATH);
                         FileUtil.scpPatchFiles(controlIp, VRScripts.CONFIG_CACHE_LOCATION, Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT), pemFile, LibvirtComputingResource.systemVmPatchFiles, LibvirtComputingResource.BASEPATH);
                         if (!virtRouterResource.isSystemVMSetup(vmName, controlIp)) {
                             String errMsg = "Failed to patch systemVM";
@@ -168,8 +169,7 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
         }
     }
 
-    private void configureVncPortOnCpvm(String novncPort, String controlIp) {
-        File pemFile = new File(LibvirtComputingResource.SSHPRVKEYPATH);
+    protected void configureVncPortOnCpvm(String novncPort, String controlIp, File pemFile) {
         int sshPort = Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT);
         String addCmd = "echo " + novncPort + " > " + VNC_CONF_FILE_LOCATION;
         for (int retries = 1; retries <= 3; retries++) {
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
index 6741c61eb818..33b375709804 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
@@ -27,6 +27,7 @@
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
@@ -5312,6 +5313,9 @@ public void testStartCommand() throws Exception {
         when(libvirtComputingResource.getLibvirtUtilitiesHelper()).thenReturn(libvirtUtilitiesHelper);
         try {
             when(libvirtUtilitiesHelper.getConnectionByType(vmDef.getHvsType())).thenReturn(conn);
+            when(libvirtUtilitiesHelper.retrieveSshPrvKeyPath()).thenReturn(LibvirtComputingResource.SSHPRVKEYPATH);
+            File pemFile = mock(File.class);
+            PowerMockito.whenNew(File.class).withAnyArguments().thenReturn(pemFile);
             when(conn.listDomains()).thenReturn(vms);
             doNothing().when(libvirtComputingResource).createVbd(conn, vmSpec, vmName, vmDef);
         } catch (final LibvirtException e) {
@@ -5389,6 +5393,9 @@ public void testStartCommandIsolationEc2() throws Exception {
         when(libvirtComputingResource.getLibvirtUtilitiesHelper()).thenReturn(libvirtUtilitiesHelper);
         try {
             when(libvirtUtilitiesHelper.getConnectionByType(vmDef.getHvsType())).thenReturn(conn);
+            when(libvirtUtilitiesHelper.retrieveSshPrvKeyPath()).thenReturn(LibvirtComputingResource.SSHPRVKEYPATH);
+            File pemFile = mock(File.class);
+            PowerMockito.whenNew(File.class).withAnyArguments().thenReturn(pemFile);
             when(conn.listDomains()).thenReturn(vms);
             doNothing().when(libvirtComputingResource).createVbd(conn, vmSpec, vmName, vmDef);
         } catch (final LibvirtException e) {
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapperTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapperTest.java
new file mode 100644
index 000000000000..02780e0f5ea5
--- /dev/null
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapperTest.java
@@ -0,0 +1,59 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+package com.cloud.hypervisor.kvm.resource.wrapper;
+
+import com.cloud.hypervisor.kvm.resource.LibvirtComputingResource;
+import com.cloud.utils.Pair;
+import com.cloud.utils.ssh.SshHelper;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.Spy;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+import java.io.File;
+
+@RunWith(PowerMockRunner.class)
+@PrepareForTest(SshHelper.class)
+public class LibvirtStartCommandWrapperTest {
+
+    @Mock
+    private File pemFile;
+
+    @Spy
+    private LibvirtStartCommandWrapper wrapper = new LibvirtStartCommandWrapper();
+
+    private static final String CONTROL_IP = "169.254.106.231";
+    private static final int SSH_PORT = Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT);
+
+    @Test
+    @PrepareForTest(SshHelper.class)
+    public void testConfigureVncPortOnCpvm() throws Exception {
+        PowerMockito.mockStatic(SshHelper.class);
+        PowerMockito.when(SshHelper.sshExecute(Mockito.eq(CONTROL_IP), Mockito.eq(SSH_PORT), Mockito.eq("root"),
+                        Mockito.eq(pemFile), Mockito.nullable(String.class), Mockito.anyString()))
+                .thenReturn(new Pair<>(true, ""));
+        String port = "8081";
+        PowerMockito.mockStatic(SshHelper.class);
+        wrapper.configureVncPortOnCpvm(port, CONTROL_IP, pemFile);
+    }
+}
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index 7e1d238b7774..bd0a406388b6 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -328,16 +328,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                 // Add the HTTP method (GET/POST/PUT/DELETE) as well into the params map.
                 params.put("httpmethod", new String[]{req.getMethod()});
                 setProjectContext(params);
-                if (org.apache.commons.lang3.StringUtils.isNotBlank(command) &&
-                        command.equalsIgnoreCase(CreateConsoleEndpointCmd.APINAME)) {
-                    InetAddress addr = getClientAddress(req);
-                    String clientAddress = addr != null ? addr.getHostAddress() : null;
-                    params.put(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY, new String[] {clientAddress});
-                    if (BooleanUtils.isTrue(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderEnabled.value())) {
-                        String clientSecurityToken = req.getHeader(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderName.value());
-                        params.put(ConsoleAccessUtils.CLIENT_SECURITY_HEADER_PARAM_KEY, new String[] {clientSecurityToken});
-                    }
-                }
+                setExtraHeaderSecurityToConsoleEndpointIfEnabled(command, params, req);
                 final String response = apiServer.handleRequest(params, responseType, auditTrailSb);
                 HttpUtils.writeHttpResponse(resp, response != null ? response : "", HttpServletResponse.SC_OK, responseType, ApiServer.JSONcontentType.value());
             } else {
@@ -370,6 +361,19 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
         }
     }
 
+    protected void setExtraHeaderSecurityToConsoleEndpointIfEnabled(String command, Map<String, Object[]> params, HttpServletRequest req) throws UnknownHostException {
+        if (org.apache.commons.lang3.StringUtils.isNotBlank(command) &&
+                command.equalsIgnoreCase(CreateConsoleEndpointCmd.APINAME)) {
+            InetAddress addr = getClientAddress(req);
+            String clientAddress = addr != null ? addr.getHostAddress() : null;
+            params.put(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY, new String[] {clientAddress});
+            if (BooleanUtils.isTrue(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderEnabled.value())) {
+                String clientSecurityToken = req.getHeader(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderName.value());
+                params.put(ConsoleAccessUtils.CLIENT_SECURITY_HEADER_PARAM_KEY, new String[] {clientSecurityToken});
+            }
+        }
+    }
+
     @Nullable
     private String saveLogString(String stringToLog) {
         return stringToLog == null ? null : stringToLog.replace(LOG_REPLACEMENTS, REPLACEMENT);
diff --git a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
index 8064b8b7114d..619825ecf430 100644
--- a/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
+++ b/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java
@@ -22,6 +22,7 @@
 import java.util.Date;
 
 import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
+import org.apache.cloudstack.consoleproxy.ConsoleAccessManagerImpl;
 import org.apache.cloudstack.framework.config.dao.ConfigurationDao;
 import org.apache.cloudstack.framework.security.keys.KeysManager;
 import org.apache.cloudstack.framework.security.keystore.KeystoreManager;
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
similarity index 98%
rename from server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
rename to server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
index 7bf52882e605..79ec7207dfd0 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
@@ -14,12 +14,13 @@
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
-package com.cloud.consoleproxy;
+package org.apache.cloudstack.consoleproxy;
 
 import com.cloud.agent.AgentManager;
 import com.cloud.agent.api.Answer;
 import com.cloud.agent.api.GetVmVncTicketAnswer;
 import com.cloud.agent.api.GetVmVncTicketCommand;
+import com.cloud.consoleproxy.ConsoleProxyManager;
 import com.cloud.exception.AgentUnavailableException;
 import com.cloud.exception.OperationTimedoutException;
 import com.cloud.exception.PermissionDeniedException;
@@ -45,7 +46,6 @@
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import org.apache.cloudstack.api.command.user.consoleproxy.ConsoleEndpoint;
-import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.security.keys.KeysManager;
@@ -122,7 +122,7 @@ public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String clientSecurityT
                 return new ConsoleEndpoint(false, null, "Cannot find VM with ID " + vmId);
             }
 
-            if (!checkSessionPermision(vm, account)) {
+            if (!checkSessionPermission(vm, account)) {
                 return new ConsoleEndpoint(false, null, "Permission denied");
             }
 
@@ -146,7 +146,7 @@ public void removeSessions(String[] sessionUuids) {
         }
     }
 
-    private boolean checkSessionPermision(VirtualMachine vm, Account account) {
+    protected boolean checkSessionPermission(VirtualMachine vm, Account account) {
         if (accountManager.isRootAdmin(account.getId())) {
             return true;
         }
diff --git a/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml b/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
index e57e94b4d3ad..5e75388547ca 100644
--- a/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
+++ b/server/src/main/resources/META-INF/cloudstack/core/spring-server-core-managers-context.xml
@@ -109,7 +109,7 @@
             value="#{consoleProxyAllocatorsRegistry.registered}" />
     </bean>
 
-    <bean id="consoleAccessManagerImpl" class="com.cloud.consoleproxy.ConsoleAccessManagerImpl" />
+    <bean id="consoleAccessManagerImpl" class="org.apache.cloudstack.consoleproxy.ConsoleAccessManagerImpl" />
 
     <bean id="securityGroupManagerImpl2" class="com.cloud.network.security.SecurityGroupManagerImpl2" />
 
diff --git a/server/src/test/java/com/cloud/api/ApiServletTest.java b/server/src/test/java/com/cloud/api/ApiServletTest.java
index fa582991e6b0..804340c0728d 100644
--- a/server/src/test/java/com/cloud/api/ApiServletTest.java
+++ b/server/src/test/java/com/cloud/api/ApiServletTest.java
@@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.api;
 
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.nullable;
 
 import java.io.IOException;
@@ -23,6 +25,7 @@
 import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
 import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
 import java.net.InetAddress;
 import java.net.URLEncoder;
 import java.net.UnknownHostException;
@@ -37,6 +40,10 @@
 import org.apache.cloudstack.api.auth.APIAuthenticationManager;
 import org.apache.cloudstack.api.auth.APIAuthenticationType;
 import org.apache.cloudstack.api.auth.APIAuthenticator;
+import org.apache.cloudstack.api.command.user.consoleproxy.CreateConsoleEndpointCmd;
+import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
+import org.apache.cloudstack.framework.config.ConfigKey;
+import org.apache.cloudstack.utils.consoleproxy.ConsoleAccessUtils;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -44,14 +51,17 @@
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
-import org.mockito.junit.MockitoJUnitRunner;
 
 import com.cloud.server.ManagementServer;
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.core.classloader.annotations.PrepareForTest;
 
 @RunWith(MockitoJUnitRunner.class)
+@PrepareForTest(ConsoleAccessManager.class)
 public class ApiServletTest {
 
     @Mock
@@ -84,6 +94,15 @@ public class ApiServletTest {
     @Mock
     ManagementServer managementServer;
 
+    @Mock
+    private ConfigKey<Boolean> enableSecurityHeaderSetting;
+
+    @Mock
+    private ConfigKey<String> securityHeaderNameSetting;
+
+    @Mock
+    private HashMap<String, Object[]> params;
+
     StringWriter responseWriter;
 
     ApiServlet servlet;
@@ -273,4 +292,50 @@ public void getClientAddressDefault() throws UnknownHostException {
         Assert.assertEquals(InetAddress.getByName("127.0.0.1"), ApiServlet.getClientAddress(request));
     }
 
+    @Test
+    public void testSetExtraHeaderSecurityToConsoleEndpointIfEnabledNotMatchingCommand() throws UnknownHostException {
+        HashMap<String, Object[]> params = Mockito.mock(HashMap.class);
+        PowerMockito.mockStatic(InetAddress.class);
+        servlet.setExtraHeaderSecurityToConsoleEndpointIfEnabled("login", params, request);
+        Mockito.verify(params, Mockito.never()).put(anyString(), any());
+    }
+
+    private <T extends Object> void replaceConsoleAccessSetting(String settingName, ConfigKey<T> replaceKey) throws Exception {
+        Field field = ConsoleAccessManager.class.getDeclaredField(settingName);
+        field.setAccessible(true);
+        // remove final modifier from field
+        Field modifiersField = Field.class.getDeclaredField("modifiers");
+        modifiersField.setAccessible(true);
+        modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
+        field.set(null, replaceKey);
+    }
+
+    @Test
+    public void testSetExtraHeaderSecurityToConsoleEndpointIfEnabledDisabledSetting() throws Exception {
+        String ip = "127.0.0.1";
+        Mockito.when(request.getHeader("Remote_Addr")).thenReturn(ip);
+        PowerMockito.mockStatic(InetAddress.class);
+        Mockito.when(enableSecurityHeaderSetting.value()).thenReturn(false);
+        replaceConsoleAccessSetting("ConsoleProxyExtraSecurityHeaderEnabled", enableSecurityHeaderSetting);
+        servlet.setExtraHeaderSecurityToConsoleEndpointIfEnabled(CreateConsoleEndpointCmd.APINAME, params, request);
+        Mockito.verify(params).put(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY, new String[] { ip });
+    }
+
+    @Test
+    public void testSetExtraHeaderSecurityToConsoleEndpointIfEnabledEnabledSetting() throws Exception {
+        String ip = "127.0.0.1";
+        String headerName = "HEADER_NAME";
+        String headerValue = "HEADER_VALUE";
+        Mockito.when(request.getHeader("Remote_Addr")).thenReturn(ip);
+        Mockito.when(request.getHeader(headerName)).thenReturn(headerValue);
+        PowerMockito.mockStatic(InetAddress.class);
+        Mockito.when(enableSecurityHeaderSetting.value()).thenReturn(true);
+        replaceConsoleAccessSetting("ConsoleProxyExtraSecurityHeaderEnabled", enableSecurityHeaderSetting);
+        Mockito.when(securityHeaderNameSetting.value()).thenReturn(headerName);
+        replaceConsoleAccessSetting("ConsoleProxyExtraSecurityHeaderName", securityHeaderNameSetting);
+        servlet.setExtraHeaderSecurityToConsoleEndpointIfEnabled(CreateConsoleEndpointCmd.APINAME, params, request);
+        Mockito.verify(params).put(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY, new String[] { ip });
+        Mockito.verify(params).put(ConsoleAccessUtils.CLIENT_SECURITY_HEADER_PARAM_KEY, new String[] { headerValue });
+    }
+
 }
diff --git a/server/src/test/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImplTest.java b/server/src/test/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImplTest.java
new file mode 100644
index 000000000000..df218f49bfd3
--- /dev/null
+++ b/server/src/test/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImplTest.java
@@ -0,0 +1,109 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package org.apache.cloudstack.consoleproxy;
+
+import com.cloud.agent.AgentManager;
+import com.cloud.exception.PermissionDeniedException;
+import com.cloud.server.ManagementServer;
+import com.cloud.user.Account;
+import com.cloud.user.AccountManager;
+import com.cloud.utils.db.EntityManager;
+import com.cloud.vm.VirtualMachine;
+import com.cloud.vm.VirtualMachineManager;
+import com.cloud.vm.dao.UserVmDetailsDao;
+import org.apache.cloudstack.acl.SecurityChecker;
+import org.apache.cloudstack.framework.security.keys.KeysManager;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.mockito.Spy;
+import org.mockito.junit.MockitoJUnitRunner;
+
+import java.util.Arrays;
+import java.util.List;
+
+@RunWith(MockitoJUnitRunner.class)
+public class ConsoleAccessManagerImplTest {
+
+    @Mock
+    private AccountManager accountManager;
+    @Mock
+    private VirtualMachineManager virtualMachineManager;
+    @Mock
+    private ManagementServer managementServer;
+    @Mock
+    private EntityManager entityManager;
+    @Mock
+    private UserVmDetailsDao userVmDetailsDao;
+    @Mock
+    private KeysManager keysManager;
+    @Mock
+    private AgentManager agentManager;
+
+    @Spy
+    @InjectMocks
+    ConsoleAccessManagerImpl consoleAccessManager = new ConsoleAccessManagerImpl();
+
+    @Mock
+    VirtualMachine virtualMachine;
+    @Mock
+    Account account;
+
+    @Test
+    public void testCheckSessionPermissionAdminAccount() {
+        Mockito.when(account.getId()).thenReturn(1L);
+        Mockito.when(accountManager.isRootAdmin(1L)).thenReturn(true);
+        Assert.assertTrue(consoleAccessManager.checkSessionPermission(virtualMachine, account));
+    }
+
+    @Test
+    public void testCheckSessionPermissionUserOwnedVm() {
+        Mockito.when(account.getId()).thenReturn(1L);
+        Mockito.when(accountManager.isRootAdmin(1L)).thenReturn(false);
+        Mockito.when(virtualMachine.getType()).thenReturn(VirtualMachine.Type.User);
+        Mockito.doNothing().when(accountManager).checkAccess(
+                Mockito.eq(account), Mockito.nullable(SecurityChecker.AccessType.class),
+                Mockito.eq(true), Mockito.eq(virtualMachine));
+        Assert.assertTrue(consoleAccessManager.checkSessionPermission(virtualMachine, account));
+    }
+
+    @Test
+    public void testCheckSessionPermissionDifferentUserOwnedVm() {
+        Mockito.when(account.getId()).thenReturn(1L);
+        Mockito.when(accountManager.isRootAdmin(1L)).thenReturn(false);
+        Mockito.when(virtualMachine.getType()).thenReturn(VirtualMachine.Type.User);
+        Mockito.doThrow(PermissionDeniedException.class).when(accountManager).checkAccess(
+                Mockito.eq(account), Mockito.nullable(SecurityChecker.AccessType.class),
+                Mockito.eq(true), Mockito.eq(virtualMachine));
+        Assert.assertFalse(consoleAccessManager.checkSessionPermission(virtualMachine, account));
+    }
+
+    @Test
+    public void testCheckSessionPermissionForUsersOnSystemVms() {
+        Mockito.when(account.getId()).thenReturn(1L);
+        Mockito.when(accountManager.isRootAdmin(1L)).thenReturn(false);
+        List<VirtualMachine.Type> systemVmTypes = Arrays.asList(VirtualMachine.Type.DomainRouter,
+                VirtualMachine.Type.ConsoleProxy, VirtualMachine.Type.SecondaryStorageVm);
+        for (VirtualMachine.Type type : systemVmTypes) {
+            Mockito.when(virtualMachine.getType()).thenReturn(type);
+            Assert.assertFalse(consoleAccessManager.checkSessionPermission(virtualMachine, account));
+        }
+    }
+}

From 835c017bf3577604f87e81113a80fa0ebe135be0 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Thu, 18 Aug 2022 00:29:11 -0300
Subject: [PATCH 10/19] Check vncport file exits on CPVM before attempting to
 add rules

---
 systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh | 11 +++++++----
 systemvm/patch-sysvms.sh                            | 11 +++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh b/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh
index c0e336b5e7cc..8bd45294cfb6 100755
--- a/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh
@@ -32,10 +32,13 @@ setup_console_proxy() {
   public_ip=`getPublicIp`
   echo "$public_ip $NAME" >> /etc/hosts
 
-  vncport=`cat /root/vncport`
-  log_it "vncport read: ${vncport}"
-  sed -i 's/8080/${vncport}/' /etc/iptables/rules.v4
-  log_it "vnc port ${vncport} rule applied"
+  if [ -f /root/vncport ]
+  then
+    vncport=`cat /root/vncport`
+    log_it "vncport read: ${vncport}"
+    sed -i 's/8080/${vncport}/' /etc/iptables/rules.v4
+    log_it "vnc port ${vncport} rule applied"
+  fi
 
   disable_rpfilter
   enable_fwding 0
diff --git a/systemvm/patch-sysvms.sh b/systemvm/patch-sysvms.sh
index ea75784a5bf4..554218c98781 100644
--- a/systemvm/patch-sysvms.sh
+++ b/systemvm/patch-sysvms.sh
@@ -90,10 +90,13 @@ restart_services() {
       fi
     done < "$svcfile"
     if [ "$TYPE" == "consoleproxy" ]; then
-      vncport=`cat /root/vncport`
-      echo "vncport read: ${vncport}"
-      sed -i 's/8080/${vncport}/' /etc/iptables/rules.v4
-      echo "vnc port ${vncport} rule applied"
+      vncport=8080
+      if [ -f /root/vncport ]
+      then
+        vncport=`cat /root/vncport`
+        log_it "vncport read: ${vncport}"
+      fi
+      iptables -A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport $vncport -j ACCEPT
     fi
 }
 

From 92d6be651d92e8a99f76e8bec419bc08d5fe2f07 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Fri, 26 Aug 2022 09:13:23 -0300
Subject: [PATCH 11/19] Change how vncport is read on cpvm

---
 .../wrapper/LibvirtStartCommandWrapper.java   | 22 -------
 .../LibvirtStartCommandWrapperTest.java       | 59 -------------------
 .../consoleproxy/ConsoleProxyManagerImpl.java |  3 +
 systemvm/debian/opt/cloud/bin/setup/common.sh |  3 +
 .../opt/cloud/bin/setup/consoleproxy.sh       | 11 ++--
 5 files changed, 10 insertions(+), 88 deletions(-)
 delete mode 100644 plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapperTest.java

diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
index b9e35b7d256d..38c8c3c3c9b8 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
@@ -24,7 +24,6 @@
 
 import com.cloud.agent.resource.virtualnetwork.VRScripts;
 import com.cloud.utils.FileUtil;
-import com.cloud.utils.ssh.SshHelper;
 import org.apache.log4j.Logger;
 import org.libvirt.Connect;
 import org.libvirt.DomainInfo.DomainState;
@@ -51,7 +50,6 @@
 public class LibvirtStartCommandWrapper extends CommandWrapper<StartCommand, Answer, LibvirtComputingResource> {
 
     private static final Logger s_logger = Logger.getLogger(LibvirtStartCommandWrapper.class);
-    private static final String VNC_CONF_FILE_LOCATION = "/root/vncport";
 
     @Override
     public Answer execute(final StartCommand command, final LibvirtComputingResource libvirtComputingResource) {
@@ -123,10 +121,6 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
 
                     File pemFile = new File(libvirtUtilitiesHelper.retrieveSshPrvKeyPath());
 
-                    if (vmSpec.getType() == VirtualMachine.Type.ConsoleProxy && vmSpec.getVncPort() != null) {
-                        configureVncPortOnCpvm(vmSpec.getVncPort(), controlIp, pemFile);
-                    }
-
                     try {
                         FileUtil.scpPatchFiles(controlIp, VRScripts.CONFIG_CACHE_LOCATION, Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT), pemFile, LibvirtComputingResource.systemVmPatchFiles, LibvirtComputingResource.BASEPATH);
                         if (!virtRouterResource.isSystemVMSetup(vmName, controlIp)) {
@@ -169,22 +163,6 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
         }
     }
 
-    protected void configureVncPortOnCpvm(String novncPort, String controlIp, File pemFile) {
-        int sshPort = Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT);
-        String addCmd = "echo " + novncPort + " > " + VNC_CONF_FILE_LOCATION;
-        for (int retries = 1; retries <= 3; retries++) {
-            try {
-                SshHelper.sshExecute(controlIp, sshPort, "root", pemFile, null, addCmd);
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug(String.format("Set noVNC port: %s to the CPVM", novncPort));
-                }
-                return;
-            } catch (Exception e) {
-                s_logger.error(String.format("Could not set the noVNC port: %s to the CPVM, attempt: %s", novncPort, retries) , e);
-            }
-        }
-    }
-
     private void performAgentStartHook(String vmName, LibvirtComputingResource libvirtComputingResource) {
         try {
             LibvirtKvmAgentHook onStartHook = libvirtComputingResource.getStartHook();
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapperTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapperTest.java
deleted file mode 100644
index 02780e0f5ea5..000000000000
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapperTest.java
+++ /dev/null
@@ -1,59 +0,0 @@
-//
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements.  See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership.  The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License.  You may obtain a copy of the License at
-//
-//   http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied.  See the License for the
-// specific language governing permissions and limitations
-// under the License.
-//
-package com.cloud.hypervisor.kvm.resource.wrapper;
-
-import com.cloud.hypervisor.kvm.resource.LibvirtComputingResource;
-import com.cloud.utils.Pair;
-import com.cloud.utils.ssh.SshHelper;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.mockito.Mock;
-import org.mockito.Mockito;
-import org.mockito.Spy;
-import org.powermock.api.mockito.PowerMockito;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-import org.powermock.modules.junit4.PowerMockRunner;
-
-import java.io.File;
-
-@RunWith(PowerMockRunner.class)
-@PrepareForTest(SshHelper.class)
-public class LibvirtStartCommandWrapperTest {
-
-    @Mock
-    private File pemFile;
-
-    @Spy
-    private LibvirtStartCommandWrapper wrapper = new LibvirtStartCommandWrapper();
-
-    private static final String CONTROL_IP = "169.254.106.231";
-    private static final int SSH_PORT = Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT);
-
-    @Test
-    @PrepareForTest(SshHelper.class)
-    public void testConfigureVncPortOnCpvm() throws Exception {
-        PowerMockito.mockStatic(SshHelper.class);
-        PowerMockito.when(SshHelper.sshExecute(Mockito.eq(CONTROL_IP), Mockito.eq(SSH_PORT), Mockito.eq("root"),
-                        Mockito.eq(pemFile), Mockito.nullable(String.class), Mockito.anyString()))
-                .thenReturn(new Pair<>(true, ""));
-        String port = "8081";
-        PowerMockito.mockStatic(SshHelper.class);
-        wrapper.configureVncPortOnCpvm(port, CONTROL_IP, pemFile);
-    }
-}
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index a5f26e0ffd73..f05b40ce8ccb 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -1293,6 +1293,9 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
         if (dc.getDns2() != null) {
             buf.append(" dns2=").append(dc.getDns2());
         }
+        if (VirtualMachine.Type.ConsoleProxy == profile.getVirtualMachine().getType()) {
+            buf.append(" vncport=").append(ConsoleProxyManager.NoVncConsolePort.value());
+        }
         buf.append(" keystore_password=").append(VirtualMachineGuru.getEncodedString(PasswordGenerator.generateRandomPassword(16)));
         String bootArgs = buf.toString();
         if (s_logger.isDebugEnabled()) {
diff --git a/systemvm/debian/opt/cloud/bin/setup/common.sh b/systemvm/debian/opt/cloud/bin/setup/common.sh
index e908519c459c..c8b333e50888 100755
--- a/systemvm/debian/opt/cloud/bin/setup/common.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/common.sh
@@ -885,6 +885,9 @@ parse_cmd_line() {
         useHttpsToUpload)
           export USEHTTPS=$VALUE
           ;;
+        vncport)
+          export VNCPORT=$VALUE
+          ;;
       esac
   done
   echo -e "\n\t}\n}" >> ${CHEF_TMP_FILE}
diff --git a/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh b/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh
index 8bd45294cfb6..aa414c4117d0 100755
--- a/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh
+++ b/systemvm/debian/opt/cloud/bin/setup/consoleproxy.sh
@@ -32,13 +32,10 @@ setup_console_proxy() {
   public_ip=`getPublicIp`
   echo "$public_ip $NAME" >> /etc/hosts
 
-  if [ -f /root/vncport ]
-  then
-    vncport=`cat /root/vncport`
-    log_it "vncport read: ${vncport}"
-    sed -i 's/8080/${vncport}/' /etc/iptables/rules.v4
-    log_it "vnc port ${vncport} rule applied"
-  fi
+  log_it "Applying iptables rule for VNC port ${VNCPORT}"
+  sed -i 's/8080/${VNCPORT}/' /etc/iptables/rules.v4
+  echo "${VNCPORT}" > /root/vncport
+  log_it "Creating VNC port ${VNCPORT} file for VNC server configuration"
 
   disable_rpfilter
   enable_fwding 0

From 2e85bdc9967a34807c02769edac7df4f5fdfa5c7 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Sun, 28 Aug 2022 23:44:15 -0300
Subject: [PATCH 12/19] Extra validation refactor

---
 .../consoleproxy/ConsoleProxyResource.java    | 19 +++++-
 .../user/consoleproxy/ConsoleEndpoint.java    |  9 +++
 .../CreateConsoleEndpointCmd.java             | 14 ++--
 .../ConsoleEndpointWebsocketResponse.java     | 12 ++++
 .../consoleproxy/ConsoleAccessManager.java    | 12 ++--
 .../api/proxy/AllowConsoleAccessCommand.java  | 44 +++++++++++++
 .../java/com/cloud/info/ConsoleProxyInfo.java |  9 +++
 .../main/java/com/cloud/api/ApiServlet.java   | 10 +--
 .../consoleproxy/ConsoleProxyManagerImpl.java |  7 +-
 .../com/cloud/server/ManagementServer.java    |  2 +
 .../cloud/server/ManagementServerImpl.java    | 24 +++++++
 .../servlet/ConsoleProxyClientParam.java      | 29 +++++----
 .../ConsoleAccessManagerImpl.java             | 38 +++++++----
 .../java/com/cloud/api/ApiServletTest.java    | 65 -------------------
 .../com/cloud/consoleproxy/ConsoleProxy.java  | 35 +++++++---
 .../consoleproxy/ConsoleProxyClientParam.java | 25 ++++---
 .../ConsoleProxyHttpHandlerHelper.java        | 13 ++--
 .../ConsoleProxyNoVNCHandler.java             | 11 ++--
 .../ConsoleProxyHttpHandlerHelperTest.java    | 51 +++++++++++++++
 systemvm/agent/noVNC/app/ui.js                |  9 ++-
 systemvm/agent/noVNC/vnc.html                 |  4 ++
 ui/src/components/widgets/Console.vue         | 56 ++++++++++++++--
 .../consoleproxy/ConsoleAccessUtils.java      |  1 -
 23 files changed, 349 insertions(+), 150 deletions(-)
 create mode 100644 core/src/main/java/com/cloud/agent/api/proxy/AllowConsoleAccessCommand.java
 create mode 100644 services/console-proxy/server/src/test/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelperTest.java

diff --git a/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java b/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java
index 3f5372af9aa6..5b04f5751e3d 100644
--- a/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java
+++ b/agent/src/main/java/com/cloud/agent/resource/consoleproxy/ConsoleProxyResource.java
@@ -32,6 +32,7 @@
 
 import javax.naming.ConfigurationException;
 
+import com.cloud.agent.api.proxy.AllowConsoleAccessCommand;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
 import org.apache.log4j.Logger;
 
@@ -105,12 +106,28 @@ public Answer executeRequest(final Command cmd) {
         } else if (cmd instanceof CheckHealthCommand) {
             return new CheckHealthAnswer((CheckHealthCommand)cmd, true);
         } else if (cmd instanceof StartConsoleProxyAgentHttpHandlerCommand) {
-            return execute((StartConsoleProxyAgentHttpHandlerCommand)cmd);
+            return execute((StartConsoleProxyAgentHttpHandlerCommand) cmd);
+        } else if (cmd instanceof AllowConsoleAccessCommand) {
+            return execute((AllowConsoleAccessCommand) cmd);
         } else {
             return Answer.createUnsupportedCommandAnswer(cmd);
         }
     }
 
+    private Answer execute(AllowConsoleAccessCommand cmd) {
+        String sessionUuid = cmd.getSessionUuid();
+        try {
+            Class<?> consoleProxyClazz = Class.forName("com.cloud.consoleproxy.ConsoleProxy");
+            Method methodSetup = consoleProxyClazz.getMethod("addAllowedSession", String.class);
+            methodSetup.invoke(null, sessionUuid);
+            return new Answer(cmd);
+        } catch (SecurityException | NoSuchMethodException | ClassNotFoundException | InvocationTargetException | IllegalAccessException e) {
+            String errorMsg = "Unable to add allowed session due to: " + e.getMessage();
+            s_logger.error(errorMsg, e);
+            return new Answer(cmd, false, errorMsg);
+        }
+    }
+
     private Answer execute(StartConsoleProxyAgentHttpHandlerCommand cmd) {
         s_logger.info("Invoke launchConsoleProxy() in responding to StartConsoleProxyAgentHttpHandlerCommand");
         launchConsoleProxy(cmd.getKeystoreBits(), cmd.getKeystorePassword(), cmd.getEncryptorPassword(), cmd.isSourceIpCheckEnabled());
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java
index 4b47a60b27e0..84922dc3272f 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/ConsoleEndpoint.java
@@ -25,6 +25,7 @@ public class ConsoleEndpoint {
     private String websocketPath;
     private String websocketHost;
     private String websocketPort;
+    private String websocketExtra;
 
     public ConsoleEndpoint(boolean result, String url) {
         this.result = result;
@@ -91,4 +92,12 @@ public String getWebsocketPort() {
     public void setWebsocketPort(String websocketPort) {
         this.websocketPort = websocketPort;
     }
+
+    public String getWebsocketExtra() {
+        return websocketExtra;
+    }
+
+    public void setWebsocketExtra(String websocketExtra) {
+        this.websocketExtra = websocketExtra;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
index 319db1debf6e..35e34268cfd5 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
@@ -59,11 +59,16 @@ public class CreateConsoleEndpointCmd extends BaseCmd {
             description = "ID of the VM")
     private Long vmId;
 
+    @Parameter(name = ApiConstants.TOKEN,
+            type = CommandType.STRING,
+            required = false,
+            description = "(optional) extra security token, valid when the extra validation is enabled")
+    private String extraSecurityToken;
+
     @Override
     public void execute() throws ResourceUnavailableException, InsufficientCapacityException, ServerApiException, ConcurrentOperationException, ResourceAllocationException, NetworkRuleConflictException {
-        String clientSecurityToken = getClientSecurityToken();
         String clientAddress = getClientAddress();
-        ConsoleEndpoint endpoint = consoleManager.generateConsoleEndpoint(vmId, clientSecurityToken, clientAddress);
+        ConsoleEndpoint endpoint = consoleManager.generateConsoleEndpoint(vmId, extraSecurityToken, clientAddress);
         if (endpoint != null) {
             CreateConsoleEndpointResponse response = createResponse(endpoint);
             setResponseObject(response);
@@ -89,6 +94,7 @@ private ConsoleEndpointWebsocketResponse createWebsocketResponse(ConsoleEndpoint
         wsResponse.setPort(endpoint.getWebsocketPort());
         wsResponse.setPath(endpoint.getWebsocketPath());
         wsResponse.setToken(endpoint.getWebsocketToken());
+        wsResponse.setExtra(endpoint.getWebsocketExtra());
         wsResponse.setObjectName("websocket");
         return wsResponse;
     }
@@ -102,10 +108,6 @@ private String getClientAddress() {
         return getParameterBase(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY);
     }
 
-    private String getClientSecurityToken() {
-        return getParameterBase(ConsoleAccessUtils.CLIENT_SECURITY_HEADER_PARAM_KEY);
-    }
-
     @Override
     public String getCommandName() {
         return APINAME.toLowerCase() + BaseCmd.RESPONSE_SUFFIX;
diff --git a/api/src/main/java/org/apache/cloudstack/api/response/ConsoleEndpointWebsocketResponse.java b/api/src/main/java/org/apache/cloudstack/api/response/ConsoleEndpointWebsocketResponse.java
index a453a1237909..d98b52d08636 100644
--- a/api/src/main/java/org/apache/cloudstack/api/response/ConsoleEndpointWebsocketResponse.java
+++ b/api/src/main/java/org/apache/cloudstack/api/response/ConsoleEndpointWebsocketResponse.java
@@ -42,6 +42,10 @@ public ConsoleEndpointWebsocketResponse() {
     @Param(description = "the console websocket path")
     private String path;
 
+    @SerializedName("extra")
+    @Param(description = "the console websocket extra field for validation (if enabled)")
+    private String extra;
+
     public String getToken() {
         return token;
     }
@@ -73,4 +77,12 @@ public String getPath() {
     public void setPath(String path) {
         this.path = path;
     }
+
+    public String getExtra() {
+        return extra;
+    }
+
+    public void setExtra(String extra) {
+        this.extra = extra;
+    }
 }
diff --git a/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
index 38c71a7b38e4..80c6b30f5e28 100644
--- a/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
+++ b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
@@ -23,15 +23,11 @@
 
 public interface ConsoleAccessManager extends Manager, Configurable {
 
-    ConfigKey<Boolean> ConsoleProxyExtraSecurityHeaderEnabled = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Boolean.class,
-            "consoleproxy.extra.security.header.enabled", "false",
-            "Enable/disable extra security validation for console proxy using client header", true);
+    ConfigKey<Boolean> ConsoleProxyExtraSecurityValidationEnabled = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Boolean.class,
+            "consoleproxy.extra.security.validation.enabled", "false",
+            "Enable/disable extra security validation for console proxy using an extra token", true);
 
-    ConfigKey<String> ConsoleProxyExtraSecurityHeaderName = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, String.class,
-            "consoleproxy.extra.security.header.name", "SECURITY_TOKEN",
-            "A client header for extra security validation when using the console proxy", true);
-
-    ConsoleEndpoint generateConsoleEndpoint(Long vmId, String clientSecurityToken, String clientAddress);
+    ConsoleEndpoint generateConsoleEndpoint(Long vmId, String extraSecurityToken, String clientAddress);
 
     boolean isSessionAllowed(String sessionUuid);
 
diff --git a/core/src/main/java/com/cloud/agent/api/proxy/AllowConsoleAccessCommand.java b/core/src/main/java/com/cloud/agent/api/proxy/AllowConsoleAccessCommand.java
new file mode 100644
index 000000000000..782dc3ab9350
--- /dev/null
+++ b/core/src/main/java/com/cloud/agent/api/proxy/AllowConsoleAccessCommand.java
@@ -0,0 +1,44 @@
+//
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+//
+package com.cloud.agent.api.proxy;
+
+public class AllowConsoleAccessCommand extends ProxyCommand {
+
+    private String sessionUuid;
+
+    public AllowConsoleAccessCommand() {
+    }
+
+    public AllowConsoleAccessCommand(String sessionUuid) {
+        this.sessionUuid = sessionUuid;
+    }
+
+    @Override
+    public boolean executeInSequence() {
+        return false;
+    }
+
+    public String getSessionUuid() {
+        return sessionUuid;
+    }
+
+    public void setSessionUuid(String sessionUuid) {
+        this.sessionUuid = sessionUuid;
+    }
+}
diff --git a/core/src/main/java/com/cloud/info/ConsoleProxyInfo.java b/core/src/main/java/com/cloud/info/ConsoleProxyInfo.java
index f92b93a39796..1e5ad11b49dd 100644
--- a/core/src/main/java/com/cloud/info/ConsoleProxyInfo.java
+++ b/core/src/main/java/com/cloud/info/ConsoleProxyInfo.java
@@ -28,6 +28,7 @@ public class ConsoleProxyInfo {
     private int proxyPort;
     private String proxyImageUrl;
     private int proxyUrlPort = 8000;
+    private String proxyName;
 
     public ConsoleProxyInfo(int proxyUrlPort) {
         this.proxyUrlPort = proxyUrlPort;
@@ -100,4 +101,12 @@ public boolean isSslEnabled() {
     public void setSslEnabled(boolean sslEnabled) {
         this.sslEnabled = sslEnabled;
     }
+
+    public String getProxyName() {
+        return proxyName;
+    }
+
+    public void setProxyName(String proxyName) {
+        this.proxyName = proxyName;
+    }
 }
diff --git a/server/src/main/java/com/cloud/api/ApiServlet.java b/server/src/main/java/com/cloud/api/ApiServlet.java
index bd0a406388b6..1ab12d326af0 100644
--- a/server/src/main/java/com/cloud/api/ApiServlet.java
+++ b/server/src/main/java/com/cloud/api/ApiServlet.java
@@ -42,11 +42,9 @@
 import org.apache.cloudstack.api.auth.APIAuthenticationType;
 import org.apache.cloudstack.api.auth.APIAuthenticator;
 import org.apache.cloudstack.api.command.user.consoleproxy.CreateConsoleEndpointCmd;
-import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.managed.context.ManagedContext;
 import org.apache.cloudstack.utils.consoleproxy.ConsoleAccessUtils;
-import org.apache.commons.lang3.BooleanUtils;
 import org.apache.log4j.Logger;
 import org.jetbrains.annotations.Nullable;
 import org.springframework.stereotype.Component;
@@ -328,7 +326,7 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
                 // Add the HTTP method (GET/POST/PUT/DELETE) as well into the params map.
                 params.put("httpmethod", new String[]{req.getMethod()});
                 setProjectContext(params);
-                setExtraHeaderSecurityToConsoleEndpointIfEnabled(command, params, req);
+                setClientAddressForConsoleEndpointAccess(command, params, req);
                 final String response = apiServer.handleRequest(params, responseType, auditTrailSb);
                 HttpUtils.writeHttpResponse(resp, response != null ? response : "", HttpServletResponse.SC_OK, responseType, ApiServer.JSONcontentType.value());
             } else {
@@ -361,16 +359,12 @@ void processRequestInContext(final HttpServletRequest req, final HttpServletResp
         }
     }
 
-    protected void setExtraHeaderSecurityToConsoleEndpointIfEnabled(String command, Map<String, Object[]> params, HttpServletRequest req) throws UnknownHostException {
+    protected void setClientAddressForConsoleEndpointAccess(String command, Map<String, Object[]> params, HttpServletRequest req) throws UnknownHostException {
         if (org.apache.commons.lang3.StringUtils.isNotBlank(command) &&
                 command.equalsIgnoreCase(CreateConsoleEndpointCmd.APINAME)) {
             InetAddress addr = getClientAddress(req);
             String clientAddress = addr != null ? addr.getHostAddress() : null;
             params.put(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY, new String[] {clientAddress});
-            if (BooleanUtils.isTrue(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderEnabled.value())) {
-                String clientSecurityToken = req.getHeader(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderName.value());
-                params.put(ConsoleAccessUtils.CLIENT_SECURITY_HEADER_PARAM_KEY, new String[] {clientSecurityToken});
-            }
         }
     }
 
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index f05b40ce8ccb..77b3a5cae88f 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -344,11 +344,14 @@ public ConsoleProxyInfo assignProxy(final long dataCenterId, final long vmId) {
             s_logger.warn(String.format("SSL is enabled for console proxy [%s] but no server certificate found in database.", proxy.toString()));
         }
 
+        ConsoleProxyInfo info;
         if (staticPublicIp == null) {
-            return new ConsoleProxyInfo(proxy.isSslEnabled(), proxy.getPublicIpAddress(), consoleProxyPort, proxy.getPort(), consoleProxyUrlDomain);
+            info = new ConsoleProxyInfo(proxy.isSslEnabled(), proxy.getPublicIpAddress(), consoleProxyPort, proxy.getPort(), consoleProxyUrlDomain);
         } else {
-            return new ConsoleProxyInfo(proxy.isSslEnabled(), staticPublicIp, consoleProxyPort, staticPort, consoleProxyUrlDomain);
+            info = new ConsoleProxyInfo(proxy.isSslEnabled(), staticPublicIp, consoleProxyPort, staticPort, consoleProxyUrlDomain);
         }
+        info.setProxyName(proxy.getHostName());
+        return  info;
     }
 
     public ConsoleProxyVO doAssignProxy(long dataCenterId, long vmId) {
diff --git a/server/src/main/java/com/cloud/server/ManagementServer.java b/server/src/main/java/com/cloud/server/ManagementServer.java
index 6b54702655d6..611ba9b4200f 100644
--- a/server/src/main/java/com/cloud/server/ManagementServer.java
+++ b/server/src/main/java/com/cloud/server/ManagementServer.java
@@ -52,6 +52,8 @@ public interface ManagementServer extends ManagementService, PluggableService {
 
     DetailVO findDetail(long hostId, String name);
 
+    Pair<Boolean, String> setConsoleAccessForVm(long vmId, String sessionUuid);
+
     String getConsoleAccessUrlRoot(long vmId);
 
     String getConsoleAccessAddress(long vmId);
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
index 2787762be515..6574b0d08841 100644
--- a/server/src/main/java/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -47,6 +47,7 @@
 import com.cloud.agent.api.Command;
 import com.cloud.agent.api.PatchSystemVmAnswer;
 import com.cloud.agent.api.PatchSystemVmCommand;
+import com.cloud.agent.api.proxy.AllowConsoleAccessCommand;
 import com.cloud.agent.api.routing.NetworkElementCommand;
 import com.cloud.agent.manager.Commands;
 import com.cloud.dc.DomainVlanMapVO;
@@ -2848,6 +2849,29 @@ public String getConsoleAccessUrlRoot(final long vmId) {
         return null;
     }
 
+    @Override
+    public Pair<Boolean, String> setConsoleAccessForVm(long vmId, String sessionUuid) {
+        final VMInstanceVO vm = _vmInstanceDao.findById(vmId);
+        if (vm == null) {
+            return new Pair<>(false, "Cannot find a VM with id = " + vmId);
+        }
+        final ConsoleProxyInfo proxy = getConsoleProxyForVm(vm.getDataCenterId(), vmId);
+        if (proxy == null) {
+            return new Pair<>(false, "Cannot find a console proxy for the VM " + vmId);
+        }
+        AllowConsoleAccessCommand cmd = new AllowConsoleAccessCommand(sessionUuid);
+        HostVO hostVO = _hostDao.findByTypeNameAndZoneId(vm.getDataCenterId(), proxy.getProxyName(), Type.ConsoleProxy);
+        Answer answer = null;
+        try {
+            answer = _agentMgr.send(hostVO.getId(), cmd);
+        } catch (AgentUnavailableException | OperationTimedoutException e) {
+            String errorMsg = "Could not send allow session command to CPVM: " + e.getMessage();
+            s_logger.error(errorMsg, e);
+            return new Pair<>(false, errorMsg);
+        }
+        return new Pair<>(answer != null && answer.getResult(), answer != null ? answer.getDetails() : "null answer");
+    }
+
     @Override
     public String getConsoleAccessAddress(long vmId) {
         final VMInstanceVO vm = _vmInstanceDao.findById(vmId);
diff --git a/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java b/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
index 51ab3b8c2f0c..fed6318a0543 100644
--- a/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
+++ b/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
@@ -37,8 +37,13 @@ public class ConsoleProxyClientParam {
     private String websocketUrl;
 
     private String sessionUuid;
-    private String clientSecurityHeader;
-    private String clientSecurityToken;
+
+    // The server-side generated value for extra console endpoint validation
+    private String extraSecurityToken;
+
+    // The extra parameter received in the console URL, must be compared against the server-side generated value
+    // for extra validation (if has been enabled)
+    private String clientProvidedExtraSecurityToken;
 
     public ConsoleProxyClientParam() {
         clientHostPort = 0;
@@ -168,23 +173,23 @@ public String getSessionUuid() {
         return sessionUuid;
     }
 
-    public String getClientSecurityHeader() {
-        return clientSecurityHeader;
+    public String getExtraSecurityToken() {
+        return extraSecurityToken;
     }
 
-    public void setClientSecurityHeader(String clientSecurityHeader) {
-        this.clientSecurityHeader = clientSecurityHeader;
+    public void setExtraSecurityToken(String extraSecurityToken) {
+        this.extraSecurityToken = extraSecurityToken;
     }
 
-    public void setSessionUuid(String sessionUuid) {
-        this.sessionUuid = sessionUuid;
+    public String getClientProvidedExtraSecurityToken() {
+        return clientProvidedExtraSecurityToken;
     }
 
-    public String getClientSecurityToken() {
-        return clientSecurityToken;
+    public void setClientProvidedExtraSecurityToken(String clientProvidedExtraSecurityToken) {
+        this.clientProvidedExtraSecurityToken = clientProvidedExtraSecurityToken;
     }
 
-    public void setClientSecurityToken(String clientSecurityToken) {
-        this.clientSecurityToken = clientSecurityToken;
+    public void setSessionUuid(String sessionUuid) {
+        this.sessionUuid = sessionUuid;
     }
 }
diff --git a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
index 79ec7207dfd0..f3f0ff1227b0 100644
--- a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
@@ -50,6 +50,7 @@
 import org.apache.cloudstack.framework.config.ConfigKey;
 import org.apache.cloudstack.framework.security.keys.KeysManager;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
 
@@ -96,7 +97,7 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
     }
 
     @Override
-    public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String clientSecurityToken, String clientAddress) {
+    public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String extraSecurityToken, String clientAddress) {
         try {
             if (accountManager == null || virtualMachineManager == null || managementServer == null) {
                 return new ConsoleEndpoint(false, null,"Console service is not ready");
@@ -126,8 +127,15 @@ public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String clientSecurityT
                 return new ConsoleEndpoint(false, null, "Permission denied");
             }
 
-            String sessionToken = UUID.randomUUID().toString();
-            return generateAccessEndpoint(vmId, sessionToken, clientSecurityToken, clientAddress);
+            if (BooleanUtils.isTrue(ConsoleAccessManager.ConsoleProxyExtraSecurityValidationEnabled.value()) &&
+                StringUtils.isBlank(extraSecurityToken)) {
+                String errorMsg = "Extra security validation is enabled but the extra token is missing";
+                s_logger.error(errorMsg);
+                return new ConsoleEndpoint(false, errorMsg);
+            }
+
+            String sessionUuid = UUID.randomUUID().toString();
+            return generateAccessEndpoint(vmId, sessionUuid, extraSecurityToken, clientAddress);
         } catch (Exception e) {
             s_logger.error("Unexepected exception in ConsoleAccessManager", e);
             return new ConsoleEndpoint(false, null, "Server Internal Error: " + e.getMessage());
@@ -183,7 +191,7 @@ protected boolean checkSessionPermission(VirtualMachine vm, Account account) {
         return true;
     }
 
-    private ConsoleEndpoint generateAccessEndpoint(Long vmId, String sessionToken, String clientSecurityToken, String clientAddress) {
+    private ConsoleEndpoint generateAccessEndpoint(Long vmId, String sessionUuid, String extraSecurityToken, String clientAddress) {
         VirtualMachine vm = virtualMachineManager.findById(vmId);
         String msg;
         if (vm == null) {
@@ -214,13 +222,13 @@ private ConsoleEndpoint generateAccessEndpoint(Long vmId, String sessionToken, S
             throw new CloudRuntimeException("Console access will be ready in a few minutes. Please try it again later.");
         }
 
-        ConsoleEndpoint consoleEndpoint = composeConsoleAccessEndpoint(rootUrl, vm, host, clientAddress, sessionToken, clientSecurityToken);
+        ConsoleEndpoint consoleEndpoint = composeConsoleAccessEndpoint(rootUrl, vm, host, clientAddress, sessionUuid, extraSecurityToken);
         s_logger.debug("The console URL is: " + consoleEndpoint.getUrl());
         return consoleEndpoint;
     }
 
     private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMachine vm, HostVO hostVo, String addr,
-                                                         String sessionUuid, String clientSecurityToken) {
+                                                         String sessionUuid, String extraSecurityToken) {
         StringBuilder sb = new StringBuilder(rootUrl);
         String host = hostVo.getPrivateIpAddress();
 
@@ -271,10 +279,9 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         param.setSessionUuid(sessionUuid);
         param.setSourceIP(addr);
 
-        if (StringUtils.isNotBlank(clientSecurityToken)) {
-            param.setClientSecurityHeader(ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderName.value());
-            param.setClientSecurityToken(clientSecurityToken);
-            s_logger.debug("Added security token " + clientSecurityToken + " for header " + ConsoleAccessManager.ConsoleProxyExtraSecurityHeaderName.value());
+        if (StringUtils.isNotBlank(extraSecurityToken)) {
+            param.setExtraSecurityToken(extraSecurityToken);
+            s_logger.debug("Added security token for client validation");
         }
 
         if (requiresVncOverWebSocketConnection(vm, hostVo)) {
@@ -306,6 +313,10 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
                     .append("&token=" + token);
         }
 
+        if (StringUtils.isNotBlank(param.getExtraSecurityToken())) {
+            sb.append("&extra=" + param.getExtraSecurityToken());
+        }
+
         // for console access, we need guest OS type to help implement keyboard
         long guestOs = vm.getGuestOSId();
         GuestOSVO guestOsVo = managementServer.getGuestOs(guestOs);
@@ -317,6 +328,7 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         }
         s_logger.debug("Adding allowed session: " + sessionUuid);
         allowedSessions.add(sessionUuid);
+        managementServer.setConsoleAccessForVm(vm.getId(), sessionUuid);
 
         String url = sb.toString().startsWith("https") ? sb.toString() : "http:" + sb;
         ConsoleEndpoint consoleEndpoint = new ConsoleEndpoint(true, url);
@@ -324,6 +336,9 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         consoleEndpoint.setWebsocketPort(String.valueOf(ConsoleProxyManager.NoVncConsolePort.value()));
         consoleEndpoint.setWebsocketPath("websockify");
         consoleEndpoint.setWebsocketToken(token);
+        if (StringUtils.isNotBlank(param.getExtraSecurityToken())) {
+            consoleEndpoint.setWebsocketExtra(param.getExtraSecurityToken());
+        }
         return consoleEndpoint;
     }
 
@@ -449,7 +464,6 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey[] { ConsoleProxyExtraSecurityHeaderName,
-                ConsoleProxyExtraSecurityHeaderEnabled };
+        return new ConfigKey[] { ConsoleProxyExtraSecurityValidationEnabled };
     }
 }
diff --git a/server/src/test/java/com/cloud/api/ApiServletTest.java b/server/src/test/java/com/cloud/api/ApiServletTest.java
index 804340c0728d..fa467e877f01 100644
--- a/server/src/test/java/com/cloud/api/ApiServletTest.java
+++ b/server/src/test/java/com/cloud/api/ApiServletTest.java
@@ -16,8 +16,6 @@
 // under the License.
 package com.cloud.api;
 
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.nullable;
 
 import java.io.IOException;
@@ -25,7 +23,6 @@
 import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
 import java.lang.reflect.Field;
-import java.lang.reflect.Modifier;
 import java.net.InetAddress;
 import java.net.URLEncoder;
 import java.net.UnknownHostException;
@@ -40,10 +37,6 @@
 import org.apache.cloudstack.api.auth.APIAuthenticationManager;
 import org.apache.cloudstack.api.auth.APIAuthenticationType;
 import org.apache.cloudstack.api.auth.APIAuthenticator;
-import org.apache.cloudstack.api.command.user.consoleproxy.CreateConsoleEndpointCmd;
-import org.apache.cloudstack.consoleproxy.ConsoleAccessManager;
-import org.apache.cloudstack.framework.config.ConfigKey;
-import org.apache.cloudstack.utils.consoleproxy.ConsoleAccessUtils;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
@@ -57,11 +50,8 @@
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
 import org.mockito.junit.MockitoJUnitRunner;
-import org.powermock.api.mockito.PowerMockito;
-import org.powermock.core.classloader.annotations.PrepareForTest;
 
 @RunWith(MockitoJUnitRunner.class)
-@PrepareForTest(ConsoleAccessManager.class)
 public class ApiServletTest {
 
     @Mock
@@ -94,15 +84,6 @@ public class ApiServletTest {
     @Mock
     ManagementServer managementServer;
 
-    @Mock
-    private ConfigKey<Boolean> enableSecurityHeaderSetting;
-
-    @Mock
-    private ConfigKey<String> securityHeaderNameSetting;
-
-    @Mock
-    private HashMap<String, Object[]> params;
-
     StringWriter responseWriter;
 
     ApiServlet servlet;
@@ -292,50 +273,4 @@ public void getClientAddressDefault() throws UnknownHostException {
         Assert.assertEquals(InetAddress.getByName("127.0.0.1"), ApiServlet.getClientAddress(request));
     }
 
-    @Test
-    public void testSetExtraHeaderSecurityToConsoleEndpointIfEnabledNotMatchingCommand() throws UnknownHostException {
-        HashMap<String, Object[]> params = Mockito.mock(HashMap.class);
-        PowerMockito.mockStatic(InetAddress.class);
-        servlet.setExtraHeaderSecurityToConsoleEndpointIfEnabled("login", params, request);
-        Mockito.verify(params, Mockito.never()).put(anyString(), any());
-    }
-
-    private <T extends Object> void replaceConsoleAccessSetting(String settingName, ConfigKey<T> replaceKey) throws Exception {
-        Field field = ConsoleAccessManager.class.getDeclaredField(settingName);
-        field.setAccessible(true);
-        // remove final modifier from field
-        Field modifiersField = Field.class.getDeclaredField("modifiers");
-        modifiersField.setAccessible(true);
-        modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
-        field.set(null, replaceKey);
-    }
-
-    @Test
-    public void testSetExtraHeaderSecurityToConsoleEndpointIfEnabledDisabledSetting() throws Exception {
-        String ip = "127.0.0.1";
-        Mockito.when(request.getHeader("Remote_Addr")).thenReturn(ip);
-        PowerMockito.mockStatic(InetAddress.class);
-        Mockito.when(enableSecurityHeaderSetting.value()).thenReturn(false);
-        replaceConsoleAccessSetting("ConsoleProxyExtraSecurityHeaderEnabled", enableSecurityHeaderSetting);
-        servlet.setExtraHeaderSecurityToConsoleEndpointIfEnabled(CreateConsoleEndpointCmd.APINAME, params, request);
-        Mockito.verify(params).put(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY, new String[] { ip });
-    }
-
-    @Test
-    public void testSetExtraHeaderSecurityToConsoleEndpointIfEnabledEnabledSetting() throws Exception {
-        String ip = "127.0.0.1";
-        String headerName = "HEADER_NAME";
-        String headerValue = "HEADER_VALUE";
-        Mockito.when(request.getHeader("Remote_Addr")).thenReturn(ip);
-        Mockito.when(request.getHeader(headerName)).thenReturn(headerValue);
-        PowerMockito.mockStatic(InetAddress.class);
-        Mockito.when(enableSecurityHeaderSetting.value()).thenReturn(true);
-        replaceConsoleAccessSetting("ConsoleProxyExtraSecurityHeaderEnabled", enableSecurityHeaderSetting);
-        Mockito.when(securityHeaderNameSetting.value()).thenReturn(headerName);
-        replaceConsoleAccessSetting("ConsoleProxyExtraSecurityHeaderName", securityHeaderNameSetting);
-        servlet.setExtraHeaderSecurityToConsoleEndpointIfEnabled(CreateConsoleEndpointCmd.APINAME, params, request);
-        Mockito.verify(params).put(ConsoleAccessUtils.CLIENT_INET_ADDRESS_KEY, new String[] { ip });
-        Mockito.verify(params).put(ConsoleAccessUtils.CLIENT_SECURITY_HEADER_PARAM_KEY, new String[] { headerValue });
-    }
-
 }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
index 770e32f63d96..5f81e8857e91 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
@@ -26,9 +26,11 @@
 import java.net.InetSocketAddress;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.util.HashSet;
 import java.util.Hashtable;
 import java.util.Map;
 import java.util.Properties;
+import java.util.Set;
 import java.util.concurrent.Executor;
 
 import org.apache.commons.lang3.ArrayUtils;
@@ -77,6 +79,12 @@ public class ConsoleProxy {
     static String encryptorPassword = "Dummy";
     static final String[] skipProperties = new String[]{"certificate", "cacertificate", "keystore_password", "privatekey"};
 
+    static Set<String> allowedSessions = new HashSet<>();
+
+    public static void addAllowedSession(String sessionUuid) {
+        allowedSessions.add(sessionUuid);
+    }
+
     private static void configLog4j() {
         final ClassLoader loader = Thread.currentThread().getContextClassLoader();
         URL configUrl = loader.getResource("/conf/log4j-cloud.xml");
@@ -179,20 +187,29 @@ public static ConsoleProxyAuthenticationResult authenticateConsoleAccess(Console
         authResult.setHost(param.getClientHostAddress());
         authResult.setPort(param.getClientHostPort());
 
-        if (session != null && param.getClientSecurityToken() != null) {
-            String clientSecurityHeader = param.getClientSecurityHeader();
-            String headerValue = session.getUpgradeRequest().getHeader(clientSecurityHeader);
-            if (!param.getClientSecurityToken().equals(headerValue)) {
-                s_logger.error("Security token found but not matching the expected value for this session");
-                if (s_logger.isDebugEnabled()) {
-                    s_logger.debug(String.format("Expected value for header %s was %s but found %s",
-                            clientSecurityHeader, param.getClientSecurityToken(), headerValue));
-                }
+        if (org.apache.commons.lang3.StringUtils.isNotBlank(param.getExtraSecurityToken())) {
+            String extraToken = param.getExtraSecurityToken();
+            String clientProvidedToken = param.getClientProvidedExtraSecurityToken();
+            s_logger.debug(String.format("Extra security validation for the console access, provided %s " +
+                    "to validate against %s", clientProvidedToken, extraToken));
+
+            if (!extraToken.equals(clientProvidedToken)) {
+                s_logger.error("The provided extra token does not match the expected value for this console endpoint");
                 authResult.setSuccess(false);
                 return authResult;
             }
         }
 
+        String sessionUuid = param.getSessionUuid();
+        if (allowedSessions.contains(sessionUuid)) {
+            s_logger.debug("Acquiring the session " + sessionUuid + " not available for future use");
+            allowedSessions.remove(sessionUuid);
+        } else {
+            s_logger.info("Session " + sessionUuid + " has already been used, cannot connect");
+            authResult.setSuccess(false);
+            return authResult;
+        }
+
         String websocketUrl = param.getWebsocketUrl();
         if (StringUtils.isNotBlank(websocketUrl)) {
             return authResult;
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
index 198fd05f60fb..018ca3853329 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
@@ -41,8 +41,13 @@ public class ConsoleProxyClientParam {
     private String sourceIP;
 
     private String sessionUuid;
-    private String clientSecurityHeader;
-    private String clientSecurityToken;
+
+    // The server-side generated value for extra console endpoint validation
+    private String extraSecurityToken;
+
+    // The extra parameter received in the console URL, must be compared against the server-side generated value
+    // for extra validation (if has been enabled)
+    private String clientProvidedExtraSecurityToken;
 
     public ConsoleProxyClientParam() {
         clientHostPort = 0;
@@ -175,19 +180,19 @@ public void setSessionUuid(String sessionUuid) {
         this.sessionUuid = sessionUuid;
     }
 
-    public String getClientSecurityHeader() {
-        return clientSecurityHeader;
+    public String getExtraSecurityToken() {
+        return extraSecurityToken;
     }
 
-    public void setClientSecurityHeader(String clientSecurityHeader) {
-        this.clientSecurityHeader = clientSecurityHeader;
+    public void setExtraSecurityToken(String extraSecurityToken) {
+        this.extraSecurityToken = extraSecurityToken;
     }
 
-    public String getClientSecurityToken() {
-        return clientSecurityToken;
+    public String getClientProvidedExtraSecurityToken() {
+        return clientProvidedExtraSecurityToken;
     }
 
-    public void setClientSecurityToken(String clientSecurityToken) {
-        this.clientSecurityToken = clientSecurityToken;
+    public void setClientProvidedExtraSecurityToken(String clientProvidedExtraSecurityToken) {
+        this.clientProvidedExtraSecurityToken = clientProvidedExtraSecurityToken;
     }
 }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java
index 2d4a6c1e1a6a..d51a46680e70 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java
@@ -51,7 +51,6 @@ public static Map<String, String> getQueryMap(String query) {
 
             ConsoleProxyClientParam param = encryptor.decryptObject(ConsoleProxyClientParam.class, map.get("token"));
 
-            // make sure we get information from token only
             guardUserInput(map);
             if (param != null) {
                 if (param.getClientHostAddress() != null) {
@@ -99,11 +98,8 @@ public static Map<String, String> getQueryMap(String query) {
                 if (param.getSessionUuid() != null) {
                     map.put("sessionUuid", param.getSessionUuid());
                 }
-                if (param.getClientSecurityHeader() != null) {
-                    map.put("clientSecurityHeader", param.getClientSecurityHeader());
-                }
-                if (param.getClientSecurityToken() != null) {
-                    map.put("clientSecurityToken", param.getClientSecurityToken());
+                if (param.getExtraSecurityToken() != null) {
+                    map.put("extraSecurityToken", param.getExtraSecurityToken());
                 }
             } else {
                 s_logger.error("Unable to decode token");
@@ -113,6 +109,11 @@ public static Map<String, String> getQueryMap(String query) {
             guardUserInput(map);
         }
 
+        if (map.containsKey("extra")) {
+            s_logger.debug(String.format("Found extra parameter: %s for client security validation check " +
+                    "on the VNC server", map.get("extra")));
+        }
+
         return map;
     }
 
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
index 1b96b14f6717..72f019bd3d12 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java
@@ -71,7 +71,6 @@ public void handle(String target, Request baseRequest, HttpServletRequest reques
 
     @OnWebSocketConnect
     public void onConnect(final Session session) throws IOException, InterruptedException {
-
         String queries = session.getUpgradeRequest().getQueryString();
         Map<String, String> queryMap = ConsoleProxyHttpHandlerHelper.getQueryMap(queries);
 
@@ -90,8 +89,6 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
         String sourceIP = queryMap.get("sourceIP");
         String websocketUrl = queryMap.get("websocketUrl");
         String sessionUuid = queryMap.get("sessionUuid");
-        String clientSecurityToken = queryMap.get("clientSecurityToken");
-        String clientSecurityHeader = queryMap.get("clientSecurityHeader");
 
         if (tag == null)
             tag = "";
@@ -137,8 +134,12 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
             param.setPassword(password);
             param.setWebsocketUrl(websocketUrl);
             param.setSessionUuid(sessionUuid);
-            param.setClientSecurityHeader(clientSecurityHeader);
-            param.setClientSecurityToken(clientSecurityToken);
+            if (queryMap.containsKey("extraSecurityToken")) {
+                param.setExtraSecurityToken(queryMap.get("extraSecurityToken"));
+            }
+            if (queryMap.containsKey("extra")) {
+                param.setClientProvidedExtraSecurityToken(queryMap.get("extra"));
+            }
             viewer = ConsoleProxy.getNoVncViewer(param, ajaxSessionIdStr, session);
         } catch (Exception e) {
             s_logger.warn("Failed to create viewer due to " + e.getMessage(), e);
diff --git a/services/console-proxy/server/src/test/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelperTest.java b/services/console-proxy/server/src/test/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelperTest.java
new file mode 100644
index 000000000000..690b0c19a9e9
--- /dev/null
+++ b/services/console-proxy/server/src/test/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelperTest.java
@@ -0,0 +1,51 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+package com.cloud.consoleproxy;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.powermock.api.mockito.PowerMockito;
+import org.powermock.core.classloader.annotations.PrepareForTest;
+import org.powermock.modules.junit4.PowerMockRunner;
+
+import java.util.Map;
+
+@RunWith(PowerMockRunner.class)
+public class ConsoleProxyHttpHandlerHelperTest {
+
+    @Mock
+    ConsoleProxyPasswordBasedEncryptor encryptor;
+
+    @Test
+    @PrepareForTest({ConsoleProxy.class, ConsoleProxyHttpHandlerHelper.class})
+    public void testQueryMapExtraParameter() throws Exception {
+        PowerMockito.mockStatic(ConsoleProxy.class);
+        PowerMockito.when(ConsoleProxy.getEncryptorPassword()).thenReturn("password");
+        PowerMockito.whenNew(ConsoleProxyPasswordBasedEncryptor.class).withArguments(Mockito.anyString()).thenReturn(encryptor);
+        Mockito.when(encryptor.decryptObject(Mockito.eq(ConsoleProxyClientParam.class), Mockito.anyString())).thenReturn(null);
+
+        String extraValidationToken = "test-token";
+        String query = String.format("token=SOME_TOKEN&extra=%s", extraValidationToken);
+
+        Map<String, String> queryMap = ConsoleProxyHttpHandlerHelper.getQueryMap(query);
+        Assert.assertTrue(queryMap.containsKey("extra"));
+        Assert.assertEquals(extraValidationToken, queryMap.get("extra"));
+    }
+}
diff --git a/systemvm/agent/noVNC/app/ui.js b/systemvm/agent/noVNC/app/ui.js
index 1c6a00799c3f..824a2f29f63f 100644
--- a/systemvm/agent/noVNC/app/ui.js
+++ b/systemvm/agent/noVNC/app/ui.js
@@ -157,6 +157,8 @@ const UI = {
             }
         }
 
+        console.log(window.location)
+        UI.initSetting('extra', window.location.extra)
         /* Populate the controls if defaults are provided in the URL */
         UI.initSetting('host', window.location.hostname);
         UI.initSetting('port', port);
@@ -997,7 +999,8 @@ const UI = {
         const host = UI.getSetting('host');
         const port = UI.getSetting('port');
         const path = UI.getSetting('path');
-        const token = UI.getSetting('token')
+        const token = UI.getSetting('token');
+        const extra = UI.getSetting('extra');
 
         if (typeof password === 'undefined') {
             password = WebUtil.getConfigVar('password');
@@ -1031,6 +1034,10 @@ const UI = {
         url += '/' + path;
         url += '?token=' + token;
 
+        if (extra) {
+            url += '&extra=' + extra
+        }
+
         UI.rfb = new RFB(document.getElementById('noVNC_container'), url,
                          { shared: UI.getSetting('shared'),
                            repeaterID: UI.getSetting('repeaterID'),
diff --git a/systemvm/agent/noVNC/vnc.html b/systemvm/agent/noVNC/vnc.html
index 6f1b7998fe44..060dc736aa87 100644
--- a/systemvm/agent/noVNC/vnc.html
+++ b/systemvm/agent/noVNC/vnc.html
@@ -234,6 +234,10 @@ <h1 class="noVNC_logo" translate="no" style="display: none;"><span>no</span><br>
                                             <label for="noVNC_setting_token">Token:</label>
                                             <input id="noVNC_setting_token" type="text">
                                         </li>
+                                        <li>
+                                            <label for="noVNC_setting_extra">Extra:</label>
+                                            <input id="noVNC_setting_extra" type="text">
+                                        </li>
                                     </ul></div>
                                 </li>
                                 <li><hr></li>
diff --git a/ui/src/components/widgets/Console.vue b/ui/src/components/widgets/Console.vue
index 81053225bb12..aae42eac4309 100644
--- a/ui/src/components/widgets/Console.vue
+++ b/ui/src/components/widgets/Console.vue
@@ -18,16 +18,28 @@
 <template>
   <a
     v-if="['vm', 'systemvm', 'router', 'ilbvm'].includes($route.meta.name) && 'listVirtualMachines' in $store.getters.apis && 'createConsoleEndpoint' in $store.getters.apis"
-    @click="consoleUrl">
+    @click="consoleAccessCheck">
     <a-button style="margin-left: 5px" shape="circle" type="dashed" :size="size" :disabled="['Stopped', 'Error', 'Destroyed'].includes(resource.state)" >
       <code-outlined />
     </a-button>
+    <a-modal :visible="tokenModalVisible" title="Extra validation token requested" @ok="handleSubmit" @cancel="() => tokenModalVisible = false">
+      <div class="form-layout" v-ctrl-enter="handleSubmit">
+        <a-form :form="form" layout="horizontal" @submit="handleSubmit">
+          <p>The admin has enabled the extra validation for the console access. Please specify a security token:</p>
+          <a-form-item>
+            <tooltip-label slot="label" title="Token" tooltip="Extra security token"/>
+            <a-input v-decorator="['token', { initialValue: '', rules: [{ required: true, message: 'Please provide a token' }] }]"/>
+          </a-form-item>
+        </a-form>
+      </div>
+    </a-modal>
   </a>
 </template>
 
 <script>
 import { SERVER_MANAGER } from '@/store/mutation-types'
 import { api } from '@/api'
+import TooltipLabel from '@/components/widgets/TooltipLabel'
 
 export default {
   name: 'Console',
@@ -43,15 +55,51 @@ export default {
   },
   data () {
     return {
-      url: ''
+      url: '',
+      tokenModalVisible: false,
+      tokenValidationEnabled: false
     }
   },
+  components: {
+    TooltipLabel
+  },
+  beforeCreate () {
+    this.form = this.$form.createForm(this)
+  },
+  mounted () {
+    this.verifyExtraValidationEnabled()
+  },
   methods: {
-    consoleUrl () {
-      api('createConsoleEndpoint', { virtualmachineid: this.resource.id }).then(json => {
+    verifyExtraValidationEnabled () {
+      api('listConfigurations', { name: 'consoleproxy.extra.security.validation.enabled' }).then(json => {
+        this.tokenValidationEnabled = json.listconfigurationsresponse.configuration !== null && json.listconfigurationsresponse.configuration[0].value === 'true'
+      })
+    },
+    consoleAccessCheck () {
+      if (this.tokenValidationEnabled) {
+        this.tokenModalVisible = true
+      } else {
+        this.consoleUrl()
+      }
+    },
+    consoleUrl (token) {
+      const params = {}
+      if (token) {
+        params.extra = token
+      }
+      params.virtualmachineid = this.resource.id
+      api('createConsoleEndpoint', params).then(json => {
         this.url = (json && json.createconsoleendpointresponse) ? json.createconsoleendpointresponse.consoleendpoint.url : '#/exception/404'
         window.open(this.url, '_blank')
       })
+    },
+    handleSubmit (e) {
+      e.preventDefault()
+      this.form.validateFieldsAndScroll((err, values) => {
+        if (err) return
+        this.tokenModalVisible = false
+        this.consoleUrl(values.token)
+      })
     }
   },
   computed: {
diff --git a/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java b/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java
index fb2efe40d1dd..2c407d290d5a 100644
--- a/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java
+++ b/utils/src/main/java/org/apache/cloudstack/utils/consoleproxy/ConsoleAccessUtils.java
@@ -21,6 +21,5 @@ public class ConsoleAccessUtils {
     private ConsoleAccessUtils() {
     }
 
-    public static final String CLIENT_SECURITY_HEADER_PARAM_KEY = "client-security-token";
     public static final String CLIENT_INET_ADDRESS_KEY = "client-inet-address";
 }

From 02ce0cd5bf68d88049c67fef803a99c1d88a9b56 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Sun, 28 Aug 2022 23:52:37 -0300
Subject: [PATCH 13/19] Fix wrong token API param on UI

---
 ui/src/components/widgets/Console.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/src/components/widgets/Console.vue b/ui/src/components/widgets/Console.vue
index aae42eac4309..3012adfc4ce8 100644
--- a/ui/src/components/widgets/Console.vue
+++ b/ui/src/components/widgets/Console.vue
@@ -85,7 +85,7 @@ export default {
     consoleUrl (token) {
       const params = {}
       if (token) {
-        params.extra = token
+        params.token = token
       }
       params.virtualmachineid = this.resource.id
       api('createConsoleEndpoint', params).then(json => {

From 44bb753a27b3aa5070683e377eac3a123ca0cd91 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Mon, 29 Aug 2022 23:47:51 -0300
Subject: [PATCH 14/19] Refactor vnc port selection to 8080 or 8443

---
 .../cloud/agent/api/to/VirtualMachineTO.java  |  9 --
 .../AgentBasedConsoleProxyManager.java        |  5 ++
 .../consoleproxy/ConsoleProxyManager.java     |  5 +-
 .../consoleproxy/ConsoleProxyManagerImpl.java |  9 +-
 .../cloud/hypervisor/HypervisorGuruBase.java  | 10 ---
 .../cloud/server/ManagementServerImpl.java    |  5 +-
 .../ConsoleAccessManagerImpl.java             |  7 +-
 .../com/cloud/consoleproxy/ConsoleProxy.java  |  7 +-
 .../consoleproxy/ConsoleProxyNoVNCServer.java | 23 +++---
 .../smoke/test_console_endpoint.py            | 82 +------------------
 10 files changed, 40 insertions(+), 122 deletions(-)

diff --git a/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java b/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java
index d612fb624858..5fc248343ecc 100644
--- a/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java
+++ b/api/src/main/java/com/cloud/agent/api/to/VirtualMachineTO.java
@@ -59,7 +59,6 @@ public class VirtualMachineTO {
     boolean enableDynamicallyScaleVm;
     String vncPassword;
     String vncAddr;
-    String vncPort;
     Map<String, String> params;
     String uuid;
     String bootType;
@@ -284,14 +283,6 @@ public void setVncAddr(String vncAddr) {
         this.vncAddr = vncAddr;
     }
 
-    public String getVncPort() {
-        return vncPort;
-    }
-
-    public void setVncPort(String vncPort) {
-        this.vncPort = vncPort;
-    }
-
     public Map<String, String> getDetails() {
         return params;
     }
diff --git a/server/src/main/java/com/cloud/consoleproxy/AgentBasedConsoleProxyManager.java b/server/src/main/java/com/cloud/consoleproxy/AgentBasedConsoleProxyManager.java
index f7594e8d0401..a71c692aab11 100644
--- a/server/src/main/java/com/cloud/consoleproxy/AgentBasedConsoleProxyManager.java
+++ b/server/src/main/java/com/cloud/consoleproxy/AgentBasedConsoleProxyManager.java
@@ -187,6 +187,11 @@ public boolean destroyProxy(long proxyVmId) {
         return false;
     }
 
+    @Override
+    public int getVncPort() {
+        return _consoleProxyPort;
+    }
+
     @Override
     public boolean rebootProxy(long proxyVmId) {
         return false;
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
index bae9ee613630..6280495fb1a9 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManager.java
@@ -42,9 +42,6 @@ public interface ConsoleProxyManager extends Manager, ConsoleProxyService {
     ConfigKey<Boolean> NoVncConsoleSourceIpCheckEnabled = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Boolean.class, "novnc.console.sourceip.check.enabled", "false",
         "If true, The source IP to access novnc console must be same as the IP in request to management server for console URL. Needs to reconnect CPVM to management server when this changes (via restart CPVM, or management server, or cloud service in CPVM)", false);
 
-    ConfigKey<Integer> NoVncConsolePort = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Integer.class, "novnc.console.port",
-            "8080", "The listen port for noVNC console", true);
-
     void setManagementState(ConsoleProxyManagementState state);
 
     ConsoleProxyManagementState getManagementState();
@@ -59,4 +56,6 @@ public interface ConsoleProxyManager extends Manager, ConsoleProxyService {
 
     boolean destroyProxy(long proxyVmId);
 
+    int getVncPort();
+
 }
diff --git a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
index 77b3a5cae88f..e0c48956a63a 100644
--- a/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
+++ b/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyManagerImpl.java
@@ -1103,6 +1103,11 @@ public boolean destroyProxy(long vmId) {
         }
     }
 
+    @Override
+    public int getVncPort() {
+        return sslEnabled && _ksDao.findByName(ConsoleProxyManager.CERTIFICATE_NAME) != null ? 8443 : 8080;
+    }
+
     private String getAllocProxyLockName() {
         return "consoleproxy.alloc";
     }
@@ -1297,7 +1302,7 @@ public boolean finalizeVirtualMachineProfile(VirtualMachineProfile profile, Depl
             buf.append(" dns2=").append(dc.getDns2());
         }
         if (VirtualMachine.Type.ConsoleProxy == profile.getVirtualMachine().getType()) {
-            buf.append(" vncport=").append(ConsoleProxyManager.NoVncConsolePort.value());
+            buf.append(" vncport=").append(getVncPort());
         }
         buf.append(" keystore_password=").append(VirtualMachineGuru.getEncodedString(PasswordGenerator.generateRandomPassword(16)));
         String bootArgs = buf.toString();
@@ -1608,7 +1613,7 @@ public String getConfigComponentName() {
 
     @Override
     public ConfigKey<?>[] getConfigKeys() {
-        return new ConfigKey<?>[] { NoVncConsoleDefault, NoVncConsoleSourceIpCheckEnabled, NoVncConsolePort };
+        return new ConfigKey<?>[] { NoVncConsoleDefault, NoVncConsoleSourceIpCheckEnabled };
     }
 
     protected ConsoleProxyStatus parseJsonToConsoleProxyStatus(String json) throws JsonParseException {
diff --git a/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java b/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java
index 93b37381ffcd..20b7a2b67d6b 100644
--- a/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java
+++ b/server/src/main/java/com/cloud/hypervisor/HypervisorGuruBase.java
@@ -22,7 +22,6 @@
 
 import javax.inject.Inject;
 
-import com.cloud.consoleproxy.ConsoleProxyManager;
 import org.apache.cloudstack.api.ApiConstants;
 import org.apache.cloudstack.backup.Backup;
 import org.apache.cloudstack.engine.orchestration.service.NetworkOrchestrationService;
@@ -284,15 +283,6 @@ protected VirtualMachineTO toVirtualMachineTO(VirtualMachineProfile vmProfile) {
         to.setConfigDriveLocation(vmProfile.getConfigDriveLocation());
         to.setState(vm.getState());
 
-        if (vmInstance.getType() == VirtualMachine.Type.ConsoleProxy) {
-            try {
-                String vncPort = String.valueOf(ConsoleProxyManager.NoVncConsolePort.value());
-                to.setVncPort(vncPort);
-            } catch (Exception e) {
-                s_logger.error("Could not parse the noVNC port set on " + ConsoleProxyManager.NoVncConsolePort.key(), e);
-            }
-        }
-
         return to;
     }
 
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
index 6574b0d08841..0f5c48c4d324 100644
--- a/server/src/main/java/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -2861,7 +2861,10 @@ public Pair<Boolean, String> setConsoleAccessForVm(long vmId, String sessionUuid
         }
         AllowConsoleAccessCommand cmd = new AllowConsoleAccessCommand(sessionUuid);
         HostVO hostVO = _hostDao.findByTypeNameAndZoneId(vm.getDataCenterId(), proxy.getProxyName(), Type.ConsoleProxy);
-        Answer answer = null;
+        if (hostVO == null) {
+            return new Pair<>(false, "Cannot find a console proxy agent for CPVM with name " + proxy.getProxyName());
+        }
+        Answer answer;
         try {
             answer = _agentMgr.send(hostVO.getId(), cmd);
         } catch (AgentUnavailableException | OperationTimedoutException e) {
diff --git a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
index f3f0ff1227b0..78900121db04 100644
--- a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
@@ -81,6 +81,8 @@ public class ConsoleAccessManagerImpl extends ManagerBase implements ConsoleAcce
     private KeysManager keysManager;
     @Inject
     private AgentManager agentManager;
+    @Inject
+    private ConsoleProxyManager consoleProxyManager;
 
     private static KeysManager secretKeysManager;
     private final Gson gson = new GsonBuilder().create();
@@ -304,12 +306,13 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         }
 
         String token = encryptor.encryptObject(ConsoleProxyClientParam.class, param);
+        int vncPort = consoleProxyManager.getVncPort();
         if (param.getHypervHost() != null || !ConsoleProxyManager.NoVncConsoleDefault.value()) {
             sb.append("/ajax?token=" + token);
         } else {
             sb.append("/resource/noVNC/vnc.html")
                     .append("?autoconnect=true")
-                    .append("&port=" + ConsoleProxyManager.NoVncConsolePort.value())
+                    .append("&port=" + vncPort)
                     .append("&token=" + token);
         }
 
@@ -333,7 +336,7 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         String url = sb.toString().startsWith("https") ? sb.toString() : "http:" + sb;
         ConsoleEndpoint consoleEndpoint = new ConsoleEndpoint(true, url);
         consoleEndpoint.setWebsocketHost(managementServer.getConsoleAccessAddress(vm.getId()));
-        consoleEndpoint.setWebsocketPort(String.valueOf(ConsoleProxyManager.NoVncConsolePort.value()));
+        consoleEndpoint.setWebsocketPort(String.valueOf(vncPort));
         consoleEndpoint.setWebsocketPath("websockify");
         consoleEndpoint.setWebsocketToken(token);
         if (StringUtils.isNotBlank(param.getExtraSecurityToken())) {
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
index 5f81e8857e91..3d64705f8b61 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
@@ -404,9 +404,10 @@ private static void startupHttpMain() {
     }
 
     private static ConsoleProxyNoVNCServer getNoVNCServer() {
-        if (httpListenPort == 443)
-            return new ConsoleProxyNoVNCServer(ksBits, ksPassword);
-        return new ConsoleProxyNoVNCServer();
+        int vncPort = ConsoleProxyNoVNCServer.getVNCPort();
+        return vncPort == ConsoleProxyNoVNCServer.WSS_PORT ?
+                new ConsoleProxyNoVNCServer(ksBits, ksPassword) :
+                new ConsoleProxyNoVNCServer();
     }
 
     private static void startupHttpCmdPort() {
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
index 3f109d83ca41..025e4c985871 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
@@ -17,6 +17,7 @@
 package com.cloud.consoleproxy;
 
 import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.KeyStore;
@@ -34,30 +35,30 @@
 public class ConsoleProxyNoVNCServer {
 
     private static final Logger s_logger = Logger.getLogger(ConsoleProxyNoVNCServer.class);
-    private static int WS_PORT = 8080;
+    public static final int WS_PORT = 8080;
+    public static final int WSS_PORT = 8443;
     private static final String vncConfFileLocation = "/root/vncport";
 
     private Server server;
 
-    private void init() {
+    public static int getVNCPort() {
+        String portStr;
         try {
-            String portStr = Files.readString(Path.of(vncConfFileLocation)).trim();
-            ConsoleProxyNoVNCServer.WS_PORT = Integer.parseInt(portStr);
-            s_logger.info("Setting port to: " + WS_PORT);
-        } catch (Exception e) {
-            s_logger.error("Error loading properties from " + vncConfFileLocation, e);
+            portStr = Files.readString(Path.of(vncConfFileLocation)).trim();
+        } catch (IOException e) {
+            s_logger.error("Cannot read the VNC port from the file " + vncConfFileLocation + " setting it to 8080", e);
+            return WS_PORT;
         }
+        return Integer.parseInt(portStr);
     }
 
     public ConsoleProxyNoVNCServer() {
-        init();
         this.server = new Server(WS_PORT);
         ConsoleProxyNoVNCHandler handler = new ConsoleProxyNoVNCHandler();
         this.server.setHandler(handler);
     }
 
     public ConsoleProxyNoVNCServer(byte[] ksBits, String ksPassword) {
-        init();
         this.server = new Server();
         ConsoleProxyNoVNCHandler handler = new ConsoleProxyNoVNCHandler();
         this.server.setHandler(handler);
@@ -65,7 +66,7 @@ public ConsoleProxyNoVNCServer(byte[] ksBits, String ksPassword) {
         try {
             final HttpConfiguration httpConfig = new HttpConfiguration();
             httpConfig.setSecureScheme("https");
-            httpConfig.setSecurePort(WS_PORT);
+            httpConfig.setSecurePort(WSS_PORT);
 
             final HttpConfiguration httpsConfig = new HttpConfiguration(httpConfig);
             httpsConfig.addCustomizer(new SecureRequestCustomizer());
@@ -81,7 +82,7 @@ public ConsoleProxyNoVNCServer(byte[] ksBits, String ksPassword) {
             final ServerConnector sslConnector = new ServerConnector(server,
                 new SslConnectionFactory(sslContextFactory, "http/1.1"),
                 new HttpConnectionFactory(httpsConfig));
-            sslConnector.setPort(WS_PORT);
+            sslConnector.setPort(WSS_PORT);
             server.addConnector(sslConnector);
         } catch (Exception e) {
             s_logger.error("Unable to secure server due to exception ", e);
diff --git a/test/integration/smoke/test_console_endpoint.py b/test/integration/smoke/test_console_endpoint.py
index baf7cf25ac0c..84b893e57012 100644
--- a/test/integration/smoke/test_console_endpoint.py
+++ b/test/integration/smoke/test_console_endpoint.py
@@ -16,15 +16,12 @@
 # specific language governing permissions and limitations
 # under the License.
 
-from marvin.codes import FAILED
 from marvin.cloudstackTestCase import *
-from marvin.cloudstackAPI import (createConsoleEndpoint, updateConfiguration, listConfigurations, destroySystemVm)
 from marvin.lib.utils import *
 from marvin.lib.base import *
 from marvin.lib.common import (get_domain,
                                get_zone,
-                               get_template,
-                               list_ssvms)
+                               get_template)
 from nose.plugins.attrib import attr
 
 class TestConsoleEndpoint(cloudstackTestCase):
@@ -124,80 +121,3 @@ def test_console_endpoint_permissions(self):
         self.assertFalse(endpoint.success)
         self.assertTrue(endpoint.url is None)
         return
-
-    def checkForRunningSystemVM(self, ssvm, ssvm_type=None):
-        if not ssvm:
-            return None
-
-        def checkRunningState():
-            if not ssvm_type:
-                response = list_ssvms(
-                    self.apiclient,
-                    id=ssvm.id
-                )
-            else:
-                response = list_ssvms(
-                    self.apiclient,
-                    zoneid=self.zone.id,
-                    systemvmtype=ssvm_type
-                )
-
-            if isinstance(response, list):
-                ssvm_response = response[0]
-                return ssvm_response.state == 'Running', ssvm_response
-            return False, None
-
-        res, ssvm_response = wait_until(3, 300, checkRunningState)
-        if not res:
-            self.fail("Failed to reach systemvm state to Running")
-        return ssvm_response
-
-    def destroy_cpvm(self):
-        list_cpvm_response = list_ssvms(
-            self.apiclient,
-            systemvmtype='consoleproxy',
-            zoneid=self.zone.id
-        )
-        self.assertEqual(isinstance(list_cpvm_response, list), True, "Check list response returns a valid list")
-        cpvm_response = list_cpvm_response[0]
-        self.debug("Destroying CPVM: %s" % cpvm_response.id)
-        cmd = destroySystemVm.destroySystemVmCmd()
-        cmd.id = cpvm_response.id
-        self.apiclient.destroySystemVm(cmd)
-        self.checkForRunningSystemVM(cpvm_response, 'consoleproxy')
-
-    @attr(tags=["basic", "advanced"], required_hardware="false")
-    def test_console_endpoint_change_websocket_traffic(self):
-        cmd = listConfigurations.listConfigurationsCmd()
-        cmd.name = "novnc.console.port"
-        vncport = self.apiclient.listConfigurations(cmd)[0].value
-
-        updateConfigurationCmd = updateConfiguration.updateConfigurationCmd()
-        updateConfigurationCmd.name = "novnc.console.port"
-        updateConfigurationCmd.value = "8099"
-        self.apiclient.updateConfiguration(updateConfigurationCmd)
-
-        self.destroy_cpvm()
-
-        cmd = createConsoleEndpoint.createConsoleEndpointCmd()
-        cmd.virtualmachineid=self.vm1.id
-        endpoint = self.apiclient.createConsoleEndpoint(cmd)
-
-        if not endpoint:
-            self.fail("Failed to get generate VM console endpoint")
-
-        self.assertTrue(endpoint.success)
-        self.assertEqual(endpoint.websocket.port, "8099")
-
-        updateConfigurationCmd.value = vncport
-        self.apiclient.updateConfiguration(updateConfigurationCmd)
-
-        self.destroy_cpvm()
-
-        endpoint = self.apiclient.createConsoleEndpoint(cmd)
-
-        if not endpoint:
-            self.fail("Failed to get generate VM console endpoint")
-
-        self.assertTrue(endpoint.success)
-        self.assertEqual(endpoint.websocket.port, vncport)
\ No newline at end of file

From f9faa03225147934846a6a7878030a3426446488 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Tue, 30 Aug 2022 09:42:43 -0300
Subject: [PATCH 15/19] Do not display the input token modal and improve error
 message on console

---
 systemvm/agent/noVNC/app/ui.js        |  4 +--
 ui/package.json                       |  1 +
 ui/src/components/widgets/Console.vue | 36 ++++-----------------------
 3 files changed, 7 insertions(+), 34 deletions(-)

diff --git a/systemvm/agent/noVNC/app/ui.js b/systemvm/agent/noVNC/app/ui.js
index 824a2f29f63f..f503f55c6c9f 100644
--- a/systemvm/agent/noVNC/app/ui.js
+++ b/systemvm/agent/noVNC/app/ui.js
@@ -157,7 +157,6 @@ const UI = {
             }
         }
 
-        console.log(window.location)
         UI.initSetting('extra', window.location.extra)
         /* Populate the controls if defaults are provided in the URL */
         UI.initSetting('host', window.location.hostname);
@@ -1123,14 +1122,13 @@ const UI = {
         UI.connected = false;
 
         UI.rfb = undefined;
-
         if (!e.detail.clean) {
             UI.updateVisualState('disconnected');
             if (wasConnected) {
                 UI.showStatus(_("Something went wrong, connection is closed"),
                               'error');
             } else {
-                UI.showStatus(_("Failed to connect to server"), 'error');
+                UI.showStatus(_("Failed to connect to server / access token has expired"), 'error');
             }
         } else if (UI.getSetting('reconnect', false) === true && !UI.inhibitReconnect) {
             UI.updateVisualState('reconnecting');
diff --git a/ui/package.json b/ui/package.json
index 42d33a402f8d..174502905af2 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -58,6 +58,7 @@
     "vue-router": "^4.0.14",
     "vue-web-storage": "^6.1.0",
     "vue3-clipboard": "^1.0.0",
+    "vue-uuid": "^3.0.0",
     "vuedraggable": "^4.0.3",
     "vuex": "^4.0.0-0"
   },
diff --git a/ui/src/components/widgets/Console.vue b/ui/src/components/widgets/Console.vue
index 3012adfc4ce8..5cc14a6f8d15 100644
--- a/ui/src/components/widgets/Console.vue
+++ b/ui/src/components/widgets/Console.vue
@@ -18,21 +18,10 @@
 <template>
   <a
     v-if="['vm', 'systemvm', 'router', 'ilbvm'].includes($route.meta.name) && 'listVirtualMachines' in $store.getters.apis && 'createConsoleEndpoint' in $store.getters.apis"
-    @click="consoleAccessCheck">
+    @click="consoleUrl">
     <a-button style="margin-left: 5px" shape="circle" type="dashed" :size="size" :disabled="['Stopped', 'Error', 'Destroyed'].includes(resource.state)" >
       <code-outlined />
     </a-button>
-    <a-modal :visible="tokenModalVisible" title="Extra validation token requested" @ok="handleSubmit" @cancel="() => tokenModalVisible = false">
-      <div class="form-layout" v-ctrl-enter="handleSubmit">
-        <a-form :form="form" layout="horizontal" @submit="handleSubmit">
-          <p>The admin has enabled the extra validation for the console access. Please specify a security token:</p>
-          <a-form-item>
-            <tooltip-label slot="label" title="Token" tooltip="Extra security token"/>
-            <a-input v-decorator="['token', { initialValue: '', rules: [{ required: true, message: 'Please provide a token' }] }]"/>
-          </a-form-item>
-        </a-form>
-      </div>
-    </a-modal>
   </a>
 </template>
 
@@ -40,6 +29,7 @@
 import { SERVER_MANAGER } from '@/store/mutation-types'
 import { api } from '@/api'
 import TooltipLabel from '@/components/widgets/TooltipLabel'
+import { uuid } from 'vue-uuid'
 
 export default {
   name: 'Console',
@@ -56,7 +46,6 @@ export default {
   data () {
     return {
       url: '',
-      tokenModalVisible: false,
       tokenValidationEnabled: false
     }
   },
@@ -75,31 +64,16 @@ export default {
         this.tokenValidationEnabled = json.listconfigurationsresponse.configuration !== null && json.listconfigurationsresponse.configuration[0].value === 'true'
       })
     },
-    consoleAccessCheck () {
-      if (this.tokenValidationEnabled) {
-        this.tokenModalVisible = true
-      } else {
-        this.consoleUrl()
-      }
-    },
-    consoleUrl (token) {
+    consoleUrl () {
       const params = {}
-      if (token) {
-        params.token = token
+      if (this.tokenValidationEnabled) {
+        params.token = uuid.v4()
       }
       params.virtualmachineid = this.resource.id
       api('createConsoleEndpoint', params).then(json => {
         this.url = (json && json.createconsoleendpointresponse) ? json.createconsoleendpointresponse.consoleendpoint.url : '#/exception/404'
         window.open(this.url, '_blank')
       })
-    },
-    handleSubmit (e) {
-      e.preventDefault()
-      this.form.validateFieldsAndScroll((err, values) => {
-        if (err) return
-        this.tokenModalVisible = false
-        this.consoleUrl(values.token)
-      })
     }
   },
   computed: {

From 6c4271c0da64b04859526fd6a2c6ca0e3fd63a01 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Wed, 31 Aug 2022 13:12:43 -0300
Subject: [PATCH 16/19] Refactor and cleanup

---
 .../wrapper/LibvirtStartCommandWrapper.java   |  5 +-
 .../LibvirtComputingResourceTest.java         |  7 --
 .../ConsoleAccessManagerImpl.java             | 97 +++++++++++--------
 .../com/cloud/consoleproxy/ConsoleProxy.java  | 17 ++--
 .../consoleproxy/ConsoleProxyNoVNCServer.java |  6 +-
 5 files changed, 70 insertions(+), 62 deletions(-)

diff --git a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
index 38c8c3c3c9b8..7b69993f2e5e 100644
--- a/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
+++ b/plugins/hypervisors/kvm/src/main/java/com/cloud/hypervisor/kvm/resource/wrapper/LibvirtStartCommandWrapper.java
@@ -47,7 +47,7 @@
 import com.cloud.vm.VirtualMachine;
 
 @ResourceWrapper(handles =  StartCommand.class)
-public class LibvirtStartCommandWrapper extends CommandWrapper<StartCommand, Answer, LibvirtComputingResource> {
+public final class LibvirtStartCommandWrapper extends CommandWrapper<StartCommand, Answer, LibvirtComputingResource> {
 
     private static final Logger s_logger = Logger.getLogger(LibvirtStartCommandWrapper.class);
 
@@ -119,9 +119,8 @@ public Answer execute(final StartCommand command, final LibvirtComputingResource
                         }
                     }
 
-                    File pemFile = new File(libvirtUtilitiesHelper.retrieveSshPrvKeyPath());
-
                     try {
+                        File pemFile = new File(LibvirtComputingResource.SSHPRVKEYPATH);
                         FileUtil.scpPatchFiles(controlIp, VRScripts.CONFIG_CACHE_LOCATION, Integer.parseInt(LibvirtComputingResource.DEFAULTDOMRSSHPORT), pemFile, LibvirtComputingResource.systemVmPatchFiles, LibvirtComputingResource.BASEPATH);
                         if (!virtRouterResource.isSystemVMSetup(vmName, controlIp)) {
                             String errMsg = "Failed to patch systemVM";
diff --git a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
index 33b375709804..6741c61eb818 100644
--- a/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
+++ b/plugins/hypervisors/kvm/src/test/java/com/cloud/hypervisor/kvm/resource/LibvirtComputingResourceTest.java
@@ -27,7 +27,6 @@
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.doNothing;
 import static org.mockito.Mockito.doThrow;
-import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
@@ -5313,9 +5312,6 @@ public void testStartCommand() throws Exception {
         when(libvirtComputingResource.getLibvirtUtilitiesHelper()).thenReturn(libvirtUtilitiesHelper);
         try {
             when(libvirtUtilitiesHelper.getConnectionByType(vmDef.getHvsType())).thenReturn(conn);
-            when(libvirtUtilitiesHelper.retrieveSshPrvKeyPath()).thenReturn(LibvirtComputingResource.SSHPRVKEYPATH);
-            File pemFile = mock(File.class);
-            PowerMockito.whenNew(File.class).withAnyArguments().thenReturn(pemFile);
             when(conn.listDomains()).thenReturn(vms);
             doNothing().when(libvirtComputingResource).createVbd(conn, vmSpec, vmName, vmDef);
         } catch (final LibvirtException e) {
@@ -5393,9 +5389,6 @@ public void testStartCommandIsolationEc2() throws Exception {
         when(libvirtComputingResource.getLibvirtUtilitiesHelper()).thenReturn(libvirtUtilitiesHelper);
         try {
             when(libvirtUtilitiesHelper.getConnectionByType(vmDef.getHvsType())).thenReturn(conn);
-            when(libvirtUtilitiesHelper.retrieveSshPrvKeyPath()).thenReturn(LibvirtComputingResource.SSHPRVKEYPATH);
-            File pemFile = mock(File.class);
-            PowerMockito.whenNew(File.class).withAnyArguments().thenReturn(pemFile);
             when(conn.listDomains()).thenReturn(vms);
             doNothing().when(libvirtComputingResource).createVbd(conn, vmSpec, vmName, vmDef);
         } catch (final LibvirtException e) {
diff --git a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
index 78900121db04..91ca97381d93 100644
--- a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
@@ -231,7 +231,6 @@ private ConsoleEndpoint generateAccessEndpoint(Long vmId, String sessionUuid, St
 
     private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMachine vm, HostVO hostVo, String addr,
                                                          String sessionUuid, String extraSecurityToken) {
-        StringBuilder sb = new StringBuilder(rootUrl);
         String host = hostVo.getPrivateIpAddress();
 
         Pair<String, Integer> portInfo = null;
@@ -272,6 +271,62 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
 
         String ticket = genAccessTicket(parsedHostInfo.first(), String.valueOf(port), sid, tag, sessionUuid);
         ConsoleProxyPasswordBasedEncryptor encryptor = new ConsoleProxyPasswordBasedEncryptor(getEncryptorPassword());
+        ConsoleProxyClientParam param = generateConsoleProxyClientParam(parsedHostInfo, port, sid, tag, ticket,
+                sessionUuid, addr, extraSecurityToken, vm, hostVo, details, portInfo, host);
+        String token = encryptor.encryptObject(ConsoleProxyClientParam.class, param);
+        int vncPort = consoleProxyManager.getVncPort();
+
+        String url = generateConsoleAccessUrl(rootUrl, param, token, vncPort, vm);
+
+        s_logger.debug("Adding allowed session: " + sessionUuid);
+        allowedSessions.add(sessionUuid);
+        managementServer.setConsoleAccessForVm(vm.getId(), sessionUuid);
+
+        ConsoleEndpoint consoleEndpoint = new ConsoleEndpoint(true, url);
+        consoleEndpoint.setWebsocketHost(managementServer.getConsoleAccessAddress(vm.getId()));
+        consoleEndpoint.setWebsocketPort(String.valueOf(vncPort));
+        consoleEndpoint.setWebsocketPath("websockify");
+        consoleEndpoint.setWebsocketToken(token);
+        if (StringUtils.isNotBlank(param.getExtraSecurityToken())) {
+            consoleEndpoint.setWebsocketExtra(param.getExtraSecurityToken());
+        }
+        return consoleEndpoint;
+    }
+
+    private String generateConsoleAccessUrl(String rootUrl, ConsoleProxyClientParam param, String token, int vncPort,
+                                            VirtualMachine vm) {
+        StringBuilder sb = new StringBuilder(rootUrl);
+        if (param.getHypervHost() != null || !ConsoleProxyManager.NoVncConsoleDefault.value()) {
+            sb.append("/ajax?token=" + token);
+        } else {
+            sb.append("/resource/noVNC/vnc.html")
+                    .append("?autoconnect=true")
+                    .append("&port=" + vncPort)
+                    .append("&token=" + token);
+        }
+
+        if (StringUtils.isNotBlank(param.getExtraSecurityToken())) {
+            sb.append("&extra=" + param.getExtraSecurityToken());
+        }
+
+        // for console access, we need guest OS type to help implement keyboard
+        long guestOs = vm.getGuestOSId();
+        GuestOSVO guestOsVo = managementServer.getGuestOs(guestOs);
+        if (guestOsVo.getCategoryId() == 6)
+            sb.append("&guest=windows");
+
+        if (s_logger.isDebugEnabled()) {
+            s_logger.debug("Compose console url: " + sb);
+        }
+        return sb.toString().startsWith("https") ? sb.toString() : "http:" + sb;
+    }
+
+    private ConsoleProxyClientParam generateConsoleProxyClientParam(Ternary<String, String, String> parsedHostInfo,
+                                                                    int port, String sid, String tag, String ticket,
+                                                                    String sessionUuid, String addr,
+                                                                    String extraSecurityToken, VirtualMachine vm,
+                                                                    HostVO hostVo, UserVmDetailVO details,
+                                                                    Pair<String, Integer> portInfo, String host) {
         ConsoleProxyClientParam param = new ConsoleProxyClientParam();
         param.setClientHostAddress(parsedHostInfo.first());
         param.setClientHostPort(port);
@@ -304,45 +359,7 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
             param.setClientTunnelUrl(parsedHostInfo.second());
             param.setClientTunnelSession(parsedHostInfo.third());
         }
-
-        String token = encryptor.encryptObject(ConsoleProxyClientParam.class, param);
-        int vncPort = consoleProxyManager.getVncPort();
-        if (param.getHypervHost() != null || !ConsoleProxyManager.NoVncConsoleDefault.value()) {
-            sb.append("/ajax?token=" + token);
-        } else {
-            sb.append("/resource/noVNC/vnc.html")
-                    .append("?autoconnect=true")
-                    .append("&port=" + vncPort)
-                    .append("&token=" + token);
-        }
-
-        if (StringUtils.isNotBlank(param.getExtraSecurityToken())) {
-            sb.append("&extra=" + param.getExtraSecurityToken());
-        }
-
-        // for console access, we need guest OS type to help implement keyboard
-        long guestOs = vm.getGuestOSId();
-        GuestOSVO guestOsVo = managementServer.getGuestOs(guestOs);
-        if (guestOsVo.getCategoryId() == 6)
-            sb.append("&guest=windows");
-
-        if (s_logger.isDebugEnabled()) {
-            s_logger.debug("Compose console url: " + sb);
-        }
-        s_logger.debug("Adding allowed session: " + sessionUuid);
-        allowedSessions.add(sessionUuid);
-        managementServer.setConsoleAccessForVm(vm.getId(), sessionUuid);
-
-        String url = sb.toString().startsWith("https") ? sb.toString() : "http:" + sb;
-        ConsoleEndpoint consoleEndpoint = new ConsoleEndpoint(true, url);
-        consoleEndpoint.setWebsocketHost(managementServer.getConsoleAccessAddress(vm.getId()));
-        consoleEndpoint.setWebsocketPort(String.valueOf(vncPort));
-        consoleEndpoint.setWebsocketPath("websockify");
-        consoleEndpoint.setWebsocketToken(token);
-        if (StringUtils.isNotBlank(param.getExtraSecurityToken())) {
-            consoleEndpoint.setWebsocketExtra(param.getExtraSecurityToken());
-        }
-        return consoleEndpoint;
+        return param;
     }
 
     public static Ternary<String, String, String> parseHostInfo(String hostInfo) {
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
index 3d64705f8b61..c2b54e991909 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxy.java
@@ -178,8 +178,7 @@ public static ConsoleProxyServerFactory getHttpServerFactory() {
         }
     }
 
-    public static ConsoleProxyAuthenticationResult authenticateConsoleAccess(ConsoleProxyClientParam param,
-                                                                             boolean reauthentication, Session session) {
+    public static ConsoleProxyAuthenticationResult authenticateConsoleAccess(ConsoleProxyClientParam param, boolean reauthentication) {
 
         ConsoleProxyAuthenticationResult authResult = new ConsoleProxyAuthenticationResult();
         authResult.setSuccess(true);
@@ -490,7 +489,7 @@ public static ConsoleProxyClient getAjaxVncViewer(ConsoleProxyClientParam param,
         synchronized (connectionMap) {
             ConsoleProxyClient viewer = connectionMap.get(clientKey);
             if (viewer == null || viewer.getClass() == ConsoleProxyNoVncClient.class) {
-                authenticationExternally(param, null);
+                authenticationExternally(param);
                 viewer = getClient(param);
                 viewer.initClient(param);
 
@@ -511,7 +510,7 @@ public static ConsoleProxyClient getAjaxVncViewer(ConsoleProxyClientParam param,
 
                 if (!viewer.isFrontEndAlive()) {
 
-                    authenticationExternally(param, null);
+                    authenticationExternally(param);
                     viewer.initClient(param);
                     reportLoadChange = true;
                 }
@@ -553,8 +552,8 @@ public static ConsoleProxyClientStatsCollector getStatsCollector() {
         }
     }
 
-    public static void authenticationExternally(ConsoleProxyClientParam param, Session session) throws AuthenticationException {
-        ConsoleProxyAuthenticationResult authResult = authenticateConsoleAccess(param, false, session);
+    public static void authenticationExternally(ConsoleProxyClientParam param) throws AuthenticationException {
+        ConsoleProxyAuthenticationResult authResult = authenticateConsoleAccess(param, false);
 
         if (authResult == null || !authResult.isSuccess()) {
             s_logger.warn("External authenticator failed authentication request for vm " + param.getClientTag() + " with sid " + param.getClientHostPassword());
@@ -564,7 +563,7 @@ public static void authenticationExternally(ConsoleProxyClientParam param, Sessi
     }
 
     public static ConsoleProxyAuthenticationResult reAuthenticationExternally(ConsoleProxyClientParam param) {
-        return authenticateConsoleAccess(param, true, null);
+        return authenticateConsoleAccess(param, true);
     }
 
     public static String getEncryptorPassword() {
@@ -593,7 +592,7 @@ public static ConsoleProxyNoVncClient getNoVncViewer(ConsoleProxyClientParam par
         synchronized (connectionMap) {
             ConsoleProxyClient viewer = connectionMap.get(clientKey);
             if (viewer == null || viewer.getClass() != ConsoleProxyNoVncClient.class) {
-                authenticationExternally(param, session);
+                authenticationExternally(param);
                 viewer = new ConsoleProxyNoVncClient(session);
                 viewer.initClient(param);
 
@@ -605,7 +604,7 @@ public static ConsoleProxyNoVncClient getNoVncViewer(ConsoleProxyClientParam par
                     throw new AuthenticationException("Cannot use the existing viewer " + viewer + ": bad sid");
 
                 try {
-                    authenticationExternally(param, session);
+                    authenticationExternally(param);
                 } catch (Exception e) {
                     s_logger.error("Authentication failed for param: " + param);
                     return null;
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
index 025e4c985871..a8e300429ae5 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCServer.java
@@ -37,16 +37,16 @@ public class ConsoleProxyNoVNCServer {
     private static final Logger s_logger = Logger.getLogger(ConsoleProxyNoVNCServer.class);
     public static final int WS_PORT = 8080;
     public static final int WSS_PORT = 8443;
-    private static final String vncConfFileLocation = "/root/vncport";
+    private static final String VNC_CONF_FILE_LOCATION = "/root/vncport";
 
     private Server server;
 
     public static int getVNCPort() {
         String portStr;
         try {
-            portStr = Files.readString(Path.of(vncConfFileLocation)).trim();
+            portStr = Files.readString(Path.of(VNC_CONF_FILE_LOCATION)).trim();
         } catch (IOException e) {
-            s_logger.error("Cannot read the VNC port from the file " + vncConfFileLocation + " setting it to 8080", e);
+            s_logger.error("Cannot read the VNC port from the file " + VNC_CONF_FILE_LOCATION + " setting it to 8080", e);
             return WS_PORT;
         }
         return Integer.parseInt(portStr);

From 4e04a9ef2a5664f94dfdfd311871bd6a33e2aacf Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Thu, 1 Sep 2022 10:46:29 -0300
Subject: [PATCH 17/19] Improve error message and prevent opening blank popup
 when errors

---
 ui/src/components/widgets/Console.vue | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ui/src/components/widgets/Console.vue b/ui/src/components/widgets/Console.vue
index 5cc14a6f8d15..9c91072217a0 100644
--- a/ui/src/components/widgets/Console.vue
+++ b/ui/src/components/widgets/Console.vue
@@ -72,7 +72,16 @@ export default {
       params.virtualmachineid = this.resource.id
       api('createConsoleEndpoint', params).then(json => {
         this.url = (json && json.createconsoleendpointresponse) ? json.createconsoleendpointresponse.consoleendpoint.url : '#/exception/404'
-        window.open(this.url, '_blank')
+        if (json.createconsoleendpointresponse.consoleendpoint.success) {
+          window.open(this.url, '_blank')
+        } else {
+          this.$notification.error({
+            message: this.$t('error.execute.api.failed') + ' ' + 'createConsoleEndpoint',
+            description: json.createconsoleendpointresponse.consoleendpoint.details
+          })
+        }
+      }).catch(error => {
+        this.$notifyError(error)
       })
     }
   },

From 998f23f4000dcfcb3c6e6750f80528ba48f45a09 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Fri, 2 Sep 2022 08:20:29 -0300
Subject: [PATCH 18/19] Fix logging exception due to algorithm

---
 .../cloudstack/consoleproxy/ConsoleAccessManagerImpl.java       | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
index 91ca97381d93..4272aabe3563 100644
--- a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
@@ -408,7 +408,7 @@ public static String genAccessTicket(String host, String port, String sid, Strin
         String params = "host=" + host + "&port=" + port + "&sid=" + sid + "&tag=" + tag + "&session=" + sessionUuid;
 
         try {
-            Mac mac = Mac.getInstance("SHA-512");
+            Mac mac = Mac.getInstance("HmacSHA512");
 
             long ts = normalizedHashTime.getTime();
             ts = ts / 60000;        // round up to 1 minute

From 42e449769d5a9d9d3716f90d3da32d877573a9f5 Mon Sep 17 00:00:00 2001
From: nvazquez <nicovazquez90@gmail.com>
Date: Tue, 13 Sep 2022 00:42:05 -0300
Subject: [PATCH 19/19] Address review comments

---
 .../consoleproxy/CreateConsoleEndpointCmd.java  |  2 +-
 .../consoleproxy/ConsoleAccessManager.java      |  2 +-
 .../com/cloud/server/ManagementServerImpl.java  |  9 ++++++++-
 .../cloud/servlet/ConsoleProxyClientParam.java  | 10 +++++++---
 .../consoleproxy/ConsoleAccessManagerImpl.java  | 17 +++++++++++------
 .../consoleproxy/ConsoleProxyClientParam.java   | 10 +++++++---
 6 files changed, 35 insertions(+), 15 deletions(-)

diff --git a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
index 35e34268cfd5..37b9871ceae8 100644
--- a/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
+++ b/api/src/main/java/org/apache/cloudstack/api/command/user/consoleproxy/CreateConsoleEndpointCmd.java
@@ -101,7 +101,7 @@ private ConsoleEndpointWebsocketResponse createWebsocketResponse(ConsoleEndpoint
 
     private String getParameterBase(String paramKey) {
         Map<String, String> params = getFullUrlParams();
-        return MapUtils.isNotEmpty(params) && params.containsKey(paramKey) ? params.get(paramKey) : null;
+        return MapUtils.isNotEmpty(params) ? params.get(paramKey) : null;
     }
 
     private String getClientAddress() {
diff --git a/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
index 80c6b30f5e28..ac503c9ef6d7 100644
--- a/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
+++ b/api/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManager.java
@@ -25,7 +25,7 @@ public interface ConsoleAccessManager extends Manager, Configurable {
 
     ConfigKey<Boolean> ConsoleProxyExtraSecurityValidationEnabled = new ConfigKey<>(ConfigKey.CATEGORY_ADVANCED, Boolean.class,
             "consoleproxy.extra.security.validation.enabled", "false",
-            "Enable/disable extra security validation for console proxy using an extra token", true);
+            "Enable/disable extra security validation for console proxy using an extra token.", true);
 
     ConsoleEndpoint generateConsoleEndpoint(Long vmId, String extraSecurityToken, String clientAddress);
 
diff --git a/server/src/main/java/com/cloud/server/ManagementServerImpl.java b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
index 0f5c48c4d324..9f1b5fe78fa1 100644
--- a/server/src/main/java/com/cloud/server/ManagementServerImpl.java
+++ b/server/src/main/java/com/cloud/server/ManagementServerImpl.java
@@ -2872,7 +2872,14 @@ public Pair<Boolean, String> setConsoleAccessForVm(long vmId, String sessionUuid
             s_logger.error(errorMsg, e);
             return new Pair<>(false, errorMsg);
         }
-        return new Pair<>(answer != null && answer.getResult(), answer != null ? answer.getDetails() : "null answer");
+        boolean result = false;
+        String details = "null answer";
+
+        if (answer != null) {
+            result = answer.getResult();
+            details = answer.getDetails();
+        }
+        return new Pair<>(result, details);
     }
 
     @Override
diff --git a/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java b/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
index fed6318a0543..7f0fb0ba7f7f 100644
--- a/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
+++ b/server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java
@@ -38,11 +38,15 @@ public class ConsoleProxyClientParam {
 
     private String sessionUuid;
 
-    // The server-side generated value for extra console endpoint validation
+    /**
+     * The server-side generated value for extra console endpoint validation
+     */
     private String extraSecurityToken;
 
-    // The extra parameter received in the console URL, must be compared against the server-side generated value
-    // for extra validation (if has been enabled)
+    /**
+     * The extra parameter received in the console URL, must be compared against the server-side generated value
+     * for extra validation (if has been enabled)
+     */
     private String clientProvidedExtraSecurityToken;
 
     public ConsoleProxyClientParam() {
diff --git a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
index 4272aabe3563..f6dd2e061580 100644
--- a/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
+++ b/server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java
@@ -51,6 +51,7 @@
 import org.apache.cloudstack.framework.security.keys.KeysManager;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.lang3.BooleanUtils;
+import org.apache.commons.lang3.ObjectUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.log4j.Logger;
 
@@ -101,8 +102,8 @@ public boolean configure(String name, Map<String, Object> params) throws Configu
     @Override
     public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String extraSecurityToken, String clientAddress) {
         try {
-            if (accountManager == null || virtualMachineManager == null || managementServer == null) {
-                return new ConsoleEndpoint(false, null,"Console service is not ready");
+            if (ObjectUtils.anyNull(accountManager, virtualMachineManager, managementServer)) {
+                return new ConsoleEndpoint(false, null, "Console service is not ready");
             }
 
             if (keysManager.getHashKey() == null) {
@@ -139,7 +140,9 @@ public ConsoleEndpoint generateConsoleEndpoint(Long vmId, String extraSecurityTo
             String sessionUuid = UUID.randomUUID().toString();
             return generateAccessEndpoint(vmId, sessionUuid, extraSecurityToken, clientAddress);
         } catch (Exception e) {
-            s_logger.error("Unexepected exception in ConsoleAccessManager", e);
+            String errorMsg = String.format("Unexepected exception in ConsoleAccessManager - vmId: %s, clientAddress: %s",
+                    vmId, clientAddress);
+            s_logger.error(errorMsg, e);
             return new ConsoleEndpoint(false, null, "Server Internal Error: " + e.getMessage());
         }
     }
@@ -168,13 +171,15 @@ protected boolean checkSessionPermission(VirtualMachine vm, Account account) {
                 } catch (PermissionDeniedException ex) {
                     if (accountManager.isNormalUser(account.getId())) {
                         if (s_logger.isDebugEnabled()) {
-                            s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId() + " does not match the account id in session " +
+                            s_logger.debug("VM access is denied for VM ID " + vm.getUuid() + ". VM owner account " +
+                                    vm.getAccountId() + " does not match the account id in session " +
                                     account.getId() + " and caller is a normal user");
                         }
                     } else if ((accountManager.isDomainAdmin(account.getId())
                             || account.getType() == Account.Type.READ_ONLY_ADMIN) && s_logger.isDebugEnabled()) {
-                        s_logger.debug("VM access is denied. VM owner account " + vm.getAccountId()
-                                + " does not match the account id in session " + account.getId() + " and the domain-admin caller does not manage the target domain");
+                        s_logger.debug("VM access is denied for VM ID " + vm.getUuid() + ". VM owner account " +
+                                vm.getAccountId() + " does not match the account id in session " +
+                                account.getId() + " and the domain-admin caller does not manage the target domain");
                     }
                     return false;
                 }
diff --git a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
index 018ca3853329..b27532edd371 100644
--- a/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
+++ b/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java
@@ -42,11 +42,15 @@ public class ConsoleProxyClientParam {
 
     private String sessionUuid;
 
-    // The server-side generated value for extra console endpoint validation
+    /**
+     * The server-side generated value for extra console endpoint validation
+     */
     private String extraSecurityToken;
 
-    // The extra parameter received in the console URL, must be compared against the server-side generated value
-    // for extra validation (if has been enabled)
+    /**
+     * The extra parameter received in the console URL, must be compared against the server-side generated value
+     * for extra validation (if has been enabled)
+     */
     private String clientProvidedExtraSecurityToken;
 
     public ConsoleProxyClientParam() {