<div dir="auto">Thanks, I'll check it out. </div><br><div class="gmail_quote"><div dir="ltr">On Thu, 22 Mar 2018 00:49, Yedidyah Bar David <<a href="mailto:didi@redhat.com">didi@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose <<a href="mailto:sabose@redhat.com" target="_blank" rel="noreferrer">sabose@redhat.com</a>> wrote:<br>
> Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is<br>
> present in 4.2?<br>
<br>
I do not think it ever was exposed to engine-config - I think it's a<br>
bug in that page.<br>
<br>
You should be able to update it with psql, if needed - something like this:<br>
<br>
select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');<br>
<br>
I didn't try this myself.<br>
<br>
To get an sql prompt, you can use engine-psql, which should be<br>
available in 4.2.2,<br>
or simply copy the script from the patch page:<br>
<br>
<a href="https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f" rel="noreferrer noreferrer" target="_blank">https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f</a><br>
<br>
Also, some people claim that the use of certificates for communication between<br>
the engine and the hosts is an internal implementation detail, which should not<br>
be relevant to PCI DSS requirements. See e.g.:<br>
<br>
<a href="https://ovirt.org/develop/release-management/features/infra/pkireduce/" rel="noreferrer noreferrer" target="_blank">https://ovirt.org/develop/release-management/features/infra/pkireduce/</a><br>
<br>
><br>
> On Mon, Mar 19, 2018 at 4:43 AM, Punaatua PAINT-KOUI <<a href="mailto:punaatua.pk@gmail.com" target="_blank" rel="noreferrer">punaatua.pk@gmail.com</a>><br>
> wrote:<br>
>><br>
>> Up<br>
>><br>
>> 2018-02-17 2:57 GMT-10:00 Punaatua PAINT-KOUI <<a href="mailto:punaatua.pk@gmail.com" target="_blank" rel="noreferrer">punaatua.pk@gmail.com</a>>:<br>
>>><br>
>>> Any idea, someone?<br>
>>><br>
>>> On 14 Feb 2018 23:19, "Punaatua PAINT-KOUI" <<a href="mailto:punaatua.pk@gmail.com" target="_blank" rel="noreferrer">punaatua.pk@gmail.com</a>><br>
>>> wrote:<br>
>>>><br>
>>>> Hi,<br>
>>>><br>
>>>> I set up a hyperconverged solution with 3 nodes, hosted engine on<br>
>>>> glusterfs.<br>
>>>> We run this setup in a PCI-DSS environment. According to PCI-DSS<br>
>>>> requirements, we are required to reduce the validity of any certificate<br>
>>>> under 39 months.<br>
>>>><br>
>>>> I saw in this link<br>
>>>> <a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" rel="noreferrer noreferrer" target="_blank">https://www.ovirt.org/develop/release-management/features/infra/pki/</a> that I<br>
>>>> can use the option VdsCertificateValidityInYears at engine-config.<br>
>>>><br>
>>>> I'm running oVirt engine 4.2.1 and I checked when I was on 4.2 how to<br>
>>>> edit the option with engine-config --all and engine-config --list but the<br>
>>>> option is not listed.<br>
>>>><br>
>>>> Am I missing something?<br>
>>>><br>
>>>> I think I can regenerate a VDSM certificate with openssl and the CA conf<br>
>>>> in /etc/pki/ovirt-engine on the hosted-engine but I would rather modify the<br>
>>>> option for future hosts that I will add.<br>
>>>><br>
>>>> --<br>
>>>> -------------------------------------<br>
>>>> PAINT-KOUI Punaatua<br>
>><br>
>><br>
>><br>
>><br>
>> --<br>
>> -------------------------------------<br>
>> PAINT-KOUI Punaatua<br>
>> Licence Pro Réseaux et Télecom IAR<br>
>> Université du Sud Toulon Var<br>
>> La Garde France<br>
>><br>
>><br>
><br>
<br>
<br>
<br>
--<br>
Didi<br>
</blockquote></div>
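Added example, not part of the original thread and not oVirt code: a check that a certificate's lifetime stays under the 39-month limit mentioned in the thread, for use after changing the validity setting and issuing a new host certificate. It assumes the input is the two-line output of `openssl x509 -noout -dates -in <cert>`; the function names are hypothetical and the sample dates in the test are constructed.

```python
import calendar
from datetime import datetime

# openssl prints e.g. "notBefore=Mar 22 00:49:00 2018 GMT"; the GMT suffix is
# stripped before parsing. %b expects English month names (C locale).
OPENSSL_FMT = "%b %d %H:%M:%S %Y"


def parse_dates(text):
    """Parse `openssl x509 -noout -dates` output into (not_before, not_after)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            if not value.endswith(" GMT"):
                raise ValueError(f"unexpected time zone in {line!r}")
            fields[key] = datetime.strptime(value[:-4].strip(), OPENSSL_FMT)
    if len(fields) != 2:
        raise ValueError("need both notBefore and notAfter lines")
    if fields["notAfter"] <= fields["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return fields["notBefore"], fields["notAfter"]


def add_months(moment, months):
    """Shift by whole calendar months, clamping the day (Jan 31 + 1 month -> Feb 28/29)."""
    index = moment.year * 12 + (moment.month - 1) + months
    year, month0 = divmod(index, 12)
    month = month0 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def validity_ok(text, max_months=39):
    """True when the certificate lifetime is strictly under max_months.

    The default of 39 is the limit stated in the thread (an assumption here,
    not read from any standard or from oVirt).
    """
    not_before, not_after = parse_dates(text)
    return not_after < add_months(not_before, max_months)
```

A lifetime of exactly 39 calendar months is reported as non-compliant, since the thread asks for validity under 39 months.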