<div dir="ltr">

<span>I just tried, it works! Thanks for your help.</span><div><br></div><div>Here are the steps that I followed:</div><div><br></div>
<div>connect to the engine database using psql</div><div><br></div>
<div>- use the request as you gave it: select fn_db_update_config_value(&#39;VdsCertificateValidityInYears&#39;,&#39;2&#39;,&#39;general&#39;);</div><div><br></div>
<div>- verify the option by running: select * from vdc_options where option_name like &#39;%VdsCer%&#39;;</div><div><br></div>
<div>- restart ovirt-engine</div><div><br></div>
<div>New hosts would have their certificates with the validity under 2 years. I tested with an existing host by putting it in maintenance then reinstalling</div><div><br></div>
<div>Thanks!</div><div><br></div>
<div>Those links helped me also:</div><div><br></div>
<div><a href="https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/" target="_blank">https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/</a><br></div><div><br></div>
<div><a href="https://www.ovirt.org/documentation/internal/database-upgrade-procedure/" target="_blank">https://www.ovirt.org/documentation/internal/database-upgrade-procedure/</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-23 17:52 GMT-10:00 Punaatua PAINT-KOUI <span dir="ltr">&lt;<a href="mailto:punaatua.pk@gmail.com" target="_blank">punaatua.pk@gmail.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I just tried, it works! Thanks for your help.<div><br></div><div>Here are the steps that I followed:</div><div><br></div><div>connect to the engine database using psql</div><div><br></div><div>- use the request as you gave it: select fn_db_update_config_value(&#39;VdsCertificateValidityInYears&#39;,&#39;2&#39;,&#39;general&#39;);</div><div><br></div><div>- verify the option by running: select * from vdc_options where option_name like &#39;%VdsCer%&#39;;</div><div><br></div><div>- restart ovirt-engine</div><div><br></div><div>New hosts would have their certificates with the validity under 2 years. 
I tested with an existing host by putting it in maintenance then reinstalling</div><div><br></div><div>Thanks!</div><div><br></div><div>Those links helped me also:</div><div><br></div><div><a href="https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/" target="_blank">https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/</a><br></div><div><br></div><div><a href="https://www.ovirt.org/documentation/internal/database-upgrade-procedure/" target="_blank">https://www.ovirt.org/documentation/internal/database-upgrade-procedure/</a><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-22 0:49 GMT-10:00 Yedidyah Bar David <span dir="ltr">&lt;<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose &lt;<a href="mailto:sabose@redhat.com" target="_blank">sabose@redhat.com</a>&gt; wrote:<br>
&gt; Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is<br>
&gt; present in 4.2?<br>
<br>
I do not think it ever was exposed to engine-config - I think it&#39;s a<br>
bug in that page.<br>
<br>
You should be able to update it with psql, if needed - something like this:<br>
<br>
select fn_db_update_config_value(&#39;VdsCertificateValidityInYears&#39;,&#39;2&#39;,&#39;general&#39;);<br>
<br>
I didn&#39;t try this myself.<br>
<br>
To get an sql prompt, you can use engine-psql, which should be<br>
available in 4.2.2,<br>
or simply copy the script from the patch page:<br>
<br>
<a href="https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f</a><br>
<br>
Also, some people claim that the use of certificates for communication between<br>
the engine and the hosts is an internal implementation detail, which should not<br>
be relevant to PCI DSS requirements. See e.g.:<br>
<br>
<a href="https://ovirt.org/develop/release-management/features/infra/pkireduce/" rel="noreferrer" target="_blank">https://ovirt.org/develop/release-management/features/infra/pkireduce/</a><br>
<br>
&gt;<br>
&gt; On Mon, Mar 19, 2018 at 4:43 AM, Punaatua PAINT-KOUI &lt;<a href="mailto:punaatua.pk@gmail.com" target="_blank">punaatua.pk@gmail.com</a>&gt;<br>
&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; Up<br>
&gt;&gt;<br>
&gt;&gt; 2018-02-17 2:57 GMT-10:00 Punaatua PAINT-KOUI &lt;<a href="mailto:punaatua.pk@gmail.com" target="_blank">punaatua.pk@gmail.com</a>&gt;:<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Any idea someone ?<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; On 14 Feb 2018 23:19, &quot;Punaatua PAINT-KOUI&quot; &lt;<a href="mailto:punaatua.pk@gmail.com" target="_blank">punaatua.pk@gmail.com</a>&gt;<br>
&gt;&gt;&gt; wrote:<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; Hi,<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; I set up a hyperconverged solution with 3 nodes, hosted engine on<br>
&gt;&gt;&gt;&gt; glusterfs.<br>
&gt;&gt;&gt;&gt; We run this setup in a PCI-DSS environment. According to PCI-DSS<br>
&gt;&gt;&gt;&gt; requirements, we are required to reduce the validity of any certificate<br>
&gt;&gt;&gt;&gt; under 39 months.<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; I saw in this link<br>
&gt;&gt;&gt;&gt; <a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" rel="noreferrer" target="_blank">https://www.ovirt.org/develop/release-management/features/infra/pki/</a> that I<br>
&gt;&gt;&gt;&gt; can use the option VdsCertificateValidityInYears at engine-config.<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; I&#39;m running ovirt engine 4.2.1 and I checked when I was on 4.2 how to<br>
&gt;&gt;&gt;&gt; edit the option with engine-config --all and engine-config --list but the<br>
&gt;&gt;&gt;&gt; option is not listed<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; Am I missing something?<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; I think I can regenerate a VDSM certificate with openssl and the CA conf<br>
&gt;&gt;&gt;&gt; in /etc/pki/ovirt-engine on the hosted-engine but I would rather modify the<br>
&gt;&gt;&gt;&gt; option for future hosts that I will add.<br>
&gt;&gt;&gt;&gt;<br>
&gt;&gt;&gt;&gt; --<br>
&gt;&gt;&gt;&gt; ------------------------------<wbr>-------<br>
&gt;&gt;&gt;&gt; PAINT-KOUI Punaatua<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt; --<br>
&gt;&gt; ------------------------------<wbr>-------<br>
&gt;&gt; PAINT-KOUI Punaatua<br>
&gt;&gt; Licence Pro Réseaux et Télecom IAR<br>
&gt;&gt; Université du Sud Toulon Var<br>
&gt;&gt; La Garde France<br>
&gt;&gt;<br>
&gt;&gt; ______________________________<wbr>_________________<br>
&gt;&gt; Users mailing list<br>
&gt;&gt; <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
&gt;&gt; <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br>
&gt;&gt;<br>
&gt;<br>
<span class="m_7786583077080779832HOEnZb"><font color="#888888"><br>
<br><span class="HOEnZb"><font color="#888888">
<br>
--<br>
Didi<br>
</font></span></font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div class="m_7786583077080779832gmail_signature" data-smartmail="gmail_signature">------------------------------<wbr>-------<br>PAINT-KOUI Punaatua<br>Licence Pro Réseaux et Télecom IAR<br>Université du Sud Toulon Var<br>La Garde France<br></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">-------------------------------------<br>PAINT-KOUI Punaatua<br>Licence Pro Réseaux et Télecom IAR<br>Université du Sud Toulon Var<br>La Garde France<br></div>
</div>
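One way to confirm the outcome of the procedure in this thread, as an added example that is not part of the original messages or of oVirt's own tooling: a shell check that reads a certificate's start and end dates with openssl and compares the validity period against a ceiling in months (39 is the figure the original poster cites). The function names and the certificate path passed on the command line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check a certificate's validity period
# against a policy ceiling expressed in months.
# Assumption: the operator passes the certificate path; none is hard-coded.

# validity_months "notBefore=..." "notAfter=..."
# Prints the validity period in whole months, rounded up. The two arguments
# are the lines printed by `openssl x509 -noout -startdate` and `-enddate`.
validity_months() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
            for (i = 1; i != 13; i++) mon[n[i]] = i
        }
        {
            sub(/^not(Before|After)=/, "")   # leaves: Mon DD HH:MM:SS YYYY GMT
            if (!($1 in mon)) { err = 1; exit }
            m[NR] = mon[$1]; d[NR] = $2 + 0; t[NR] = $3; y[NR] = $4 + 0
        }
        END {
            if (err || NR != 2) exit 2
            months = (y[2] - y[1]) * 12 + (m[2] - m[1])
            # Any remainder past the start day and time counts as one more month.
            if (d[2] > d[1]) months++
            else if (d[2] == d[1]) { if (t[2] > t[1]) months++ }
            print months
        }'
}

# check_cert_validity CERT_FILE MAX_MONTHS
# Returns 0 when within the limit, 1 when over it, 2 when parsing fails.
check_cert_validity() {
    nb=$(openssl x509 -in "$1" -noout -startdate) || return 2
    na=$(openssl x509 -in "$1" -noout -enddate) || return 2
    months=$(validity_months "$nb" "$na") || return 2
    echo "$1: valid for $months months (limit $2)"
    [ "$months" -le "$2" ]
}

# Usage: sh check_validity.sh CERT_FILE MAX_MONTHS
if [ "$#" -eq 2 ]; then
    check_cert_validity "$1" "$2"
fi
```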