<div dir="ltr">
I just tried, it works! Thanks for your help.<div><br></div>
<div>Here are the steps that I followed:</div><div><br></div>
<div>- connect to the engine database using psql</div><div><br></div>
<div>- use the request as you gave it: select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');</div><div><br></div>
<div>- verify the option by running select * from vdc_options where option_name like '%VdsCer%';</div><div><br></div>
<div>- restart ovirt-engine</div><div><br></div>
<div>New hosts would have their certificates with the validity under 2 years. I tested with an existing host by putting it in maintenance then reinstalling it.</div><div><br></div>
<div>Thanks!</div><div><br></div>
<div>Those links helped me also:</div><div><br></div>
<div><a href="https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/" target="_blank">https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/</a><br></div><div><br></div>
<div><a href="https://www.ovirt.org/documentation/internal/database-upgrade-procedure/" target="_blank">https://www.ovirt.org/documentation/internal/database-upgrade-procedure/</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-23 17:52 GMT-10:00 Punaatua PAINT-KOUI <span dir="ltr"><<a href="mailto:punaatua.pk@gmail.com" target="_blank">punaatua.pk@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I just tried, it works! Thanks for your help.<div><br></div><div>Here are the steps that I followed:</div><div><br></div><div>- connect to the engine database using psql</div><div><br></div><div>- use the request as you gave it: select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');</div><div><br></div><div>- verify the option by running select * from vdc_options where option_name like '%VdsCer%';</div><div><br></div><div>- restart ovirt-engine</div><div><br></div><div>New hosts would have their certificates with the validity under 2 years. I tested with an existing host by putting it in maintenance then reinstalling it.</div><div><br></div><div>Thanks!</div><div><br></div><div>Those links helped me also:</div><div><br></div><div><a href="https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/" target="_blank">https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/</a><br></div><div><br></div><div><a href="https://www.ovirt.org/documentation/internal/database-upgrade-procedure/" target="_blank">https://www.ovirt.org/documentation/internal/database-upgrade-procedure/</a><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2018-03-22 0:49 GMT-10:00 Yedidyah Bar David <span dir="ltr"><<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose <<a href="mailto:sabose@redhat.com" target="_blank">sabose@redhat.com</a>> wrote:<br>
> Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is<br>
> present in 4.2?<br>
<br>
I do not think it ever was exposed to engine-config - I think it's a<br>
bug in that page.<br>
<br>
You should be able to update it with psql, if needed - something like this:<br>
<br>
select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');<br>
<br>
I didn't try this myself.<br>
<br>
To get an sql prompt, you can use engine-psql, which should be<br>
available in 4.2.2,<br>
or simply copy the script from the patch page:<br>
<br>
<a href="https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f" rel="noreferrer" target="_blank">https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f</a><br>
<br>
Also, some people claim that the use of certificates for communication between<br>
the engine and the hosts is an internal implementation detail, which should not<br>
be relevant to PCI DSS requirements. See e.g.:<br>
<br>
<a href="https://ovirt.org/develop/release-management/features/infra/pkireduce/" rel="noreferrer" target="_blank">https://ovirt.org/develop/release-management/features/infra/pkireduce/</a><br>
<br>
><br>
> On Mon, Mar 19, 2018 at 4:43 AM, Punaatua PAINT-KOUI <<a href="mailto:punaatua.pk@gmail.com" target="_blank">punaatua.pk@gmail.com</a>><br>
> wrote:<br>
>><br>
>> Up<br>
>><br>
>> 2018-02-17 2:57 GMT-10:00 Punaatua PAINT-KOUI <<a href="mailto:punaatua.pk@gmail.com" target="_blank">punaatua.pk@gmail.com</a>>:<br>
>>><br>
>>> Any idea someone ?<br>
>>><br>
>>> On 14 Feb 2018 23:19, "Punaatua PAINT-KOUI" <<a href="mailto:punaatua.pk@gmail.com" target="_blank">punaatua.pk@gmail.com</a>><br>
>>> wrote:<br>
>>>><br>
>>>> Hi,<br>
>>>><br>
>>>> I set up a hyperconverged solution with 3 nodes, hosted engine on<br>
>>>> glusterfs.<br>
>>>> We run this setup in a PCI-DSS environment. According to PCI-DSS<br>
>>>> requirements, we are required to reduce the validity of any certificate<br>
>>>> under 39 months.<br>
>>>><br>
>>>> I saw in this link<br>
>>>> <a href="https://www.ovirt.org/develop/release-management/features/infra/pki/" rel="noreferrer" target="_blank">https://www.ovirt.org/develop/release-management/features/infra/pki/</a> that I<br>
>>>> can use the option VdsCertificateValidityInYears at engine-config.<br>
>>>><br>
>>>> I'm running ovirt engine 4.2.1 and I checked when I was on 4.2 how to<br>
>>>> edit the option with engine-config --all and engine-config --list but the<br>
>>>> option is not listed.<br>
>>>><br>
>>>> Am I missing something?<br>
>>>><br>
>>>> I think I can regenerate a VDSM certificate with openssl and the CA conf<br>
>>>> in /etc/pki/ovirt-engine on the hosted-engine but I would rather modify the<br>
>>>> option for future hosts that I will add.<br>
>>>><br>
>>>> --<br>
>>>> ------------------------------<wbr>-------<br>
>>>> PAINT-KOUI Punaatua<br>
>><br>
>><br>
>><br>
>><br>
>> --<br>
>> ------------------------------<wbr>-------<br>
>> PAINT-KOUI Punaatua<br>
>> Licence Pro Réseaux et Télecom IAR<br>
>> Université du Sud Toulon Var<br>
>> La Garde France<br>
>><br>
>> ______________________________<wbr>_________________<br>
>> Users mailing list<br>
>> <a href="mailto:Users@ovirt.org" target="_blank">Users@ovirt.org</a><br>
>> <a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/mailman<wbr>/listinfo/users</a><br>
>><br>
><br>
<span class="m_7786583077080779832HOEnZb"><font color="#888888"><br>
<br><span class="HOEnZb"><font color="#888888">
<br>
--<br>
Didi<br>
</font></span></font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div class="m_7786583077080779832gmail_signature" data-smartmail="gmail_signature">------------------------------<wbr>-------<br>PAINT-KOUI Punaatua<br>Licence Pro Réseaux et Télecom IAR<br>Université du Sud Toulon Var<br>La Garde France<br></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">-------------------------------------<br>PAINT-KOUI Punaatua<br>Licence Pro Réseaux et Télecom IAR<br>Université du Sud Toulon Var<br>La Garde France<br></div>
</div>
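<div>Added example, not part of the original thread and not oVirt code: a certificate that was already issued keeps its dates after the option is changed (the poster reinstalled an existing host to get a new one), so this Python script flags certificates whose validity is not under the 39 months quoted above, working from the output of openssl x509 -noout -dates. The host names and dates in SAMPLE are constructed, the function names are this example's own, and the certificate path passed to read_dates is supplied by the caller.</div>

```python
import subprocess
from datetime import datetime, timezone

MAX_MONTHS = 39  # the thread asks for validity under 39 months
FMT = "%b %d %H:%M:%S %Y GMT"  # date format of `openssl x509 -noout -dates`

def parse_dates(text):
    """Return (notBefore, notAfter) as UTC datetimes from openssl -dates output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads one-digit days with an extra space; normalise it
            stamp = datetime.strptime(" ".join(value.split()), FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("need both notBefore= and notAfter= lines")
    if found["notAfter"] <= found["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return found["notBefore"], found["notAfter"]

def validity_months(start, end):
    """Calendar months from start to end; a partial month counts as a full one."""
    months = (end.year - start.year) * 12 + end.month - start.month
    if (end.day, end.time()) > (start.day, start.time()):
        months += 1
    return months

def read_dates(cert_path):
    """Run openssl on a PEM certificate file; the path is supplied by the caller."""
    out = subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-dates"],
                         check=True, capture_output=True, text=True)
    return out.stdout

def not_under_limit(dates_by_host, limit=MAX_MONTHS):
    """Return sorted [(host, months)] for certificates not under the limit."""
    months = {h: validity_months(*parse_dates(t)) for h, t in dates_by_host.items()}
    return sorted((h, m) for h, m in months.items() if m >= limit)

# Constructed sample output, not taken from a real deployment
SAMPLE = {
    "host1.example": "notBefore=Mar 24 03:52:00 2018 GMT\nnotAfter=Mar 24 03:52:00 2020 GMT\n",
    "host2.example": "notBefore=Feb  1 10:00:00 2018 GMT\nnotAfter=Feb  1 10:00:00 2023 GMT\n",
}

if __name__ == "__main__":
    for host, months in not_under_limit(SAMPLE):
        print(f"{host}: certificate valid for {months} months, must be under {MAX_MONTHS}")
```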