
Hi,

I set up a hyperconverged solution with 3 nodes, hosted engine on GlusterFS. We run this setup in a PCI-DSS environment. According to PCI-DSS requirements, we are required to reduce the validity of any certificate to under 39 months.

I saw in this link https://www.ovirt.org/develop/release-management/features/infra/pki/ that I can use the option VdsCertificateValidityInYears at engine-config.

I'm running oVirt engine 4.2.1, and I checked when I was on 4.2 how to edit the option with engine-config --all and engine-config --list, but the option is not listed.

Am I missing something?

I think I can regenerate a VDSM certificate with openssl and the CA conf in /etc/pki/ovirt-engine on the hosted engine, but I would rather modify the option for future hosts that I will add.

-- 
-------------------------------------
PAINT-KOUI Punaatua

Any idea, someone?

On 14 Feb 2018 23:19, "Punaatua PAINT-KOUI" <punaatua.pk@gmail.com> wrote:

Up

On 2018-02-17 2:57 GMT-10:00, Punaatua PAINT-KOUI <punaatua.pk@gmail.com> wrote:
-- 
-------------------------------------
PAINT-KOUI Punaatua
Licence Pro Réseaux et Télécom IAR
Université du Sud Toulon Var
La Garde, France

Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is present in 4.2?

On Mon, Mar 19, 2018 at 4:43 AM, Punaatua PAINT-KOUI <punaatua.pk@gmail.com> wrote:
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users

On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose <sabose@redhat.com> wrote:
Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is present in 4.2?
I do not think it ever was exposed to engine-config - I think it's a bug in that page.

You should be able to update it with psql, if needed - something like this:

select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');

I didn't try this myself.

To get an SQL prompt, you can use engine-psql, which should be available in 4.2.2, or simply copy the script from the patch page:
https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f

Also, some people claim that the use of certificates for communication between the engine and the hosts is an internal implementation detail, which should not be relevant to PCI DSS requirements. See e.g.:
https://ovirt.org/develop/release-management/features/infra/pkireduce/
-- Didi
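Lowering VdsCertificateValidityInYears only affects certificates the engine CA issues from then on; hosts enrolled before the change keep whatever lifetime they were given. The check a PCI-DSS reviewer would want alongside the config change is therefore an audit of the certificates already on the engine. The script below is an added example written for this page, not oVirt's code or anything posted in the thread. It assumes the engine keeps host certificates under /etc/pki/ovirt-engine/certs/*.cer (an assumption about the PKI layout, not confirmed here), that openssl is on PATH, and the sample openssl output, the 39-month cap and all function names are constructed for the example.

```python
"""Audit certificate lifetimes against a maximum validity in months.

Added example for this thread, not oVirt's own code. Host (VDSM) certificates
already issued by the engine CA are not changed by lowering
VdsCertificateValidityInYears, so a PCI-DSS review also has to find existing
certificates that exceed the 39-month cap.

Assumptions (not stated on the page): host certificates live under
/etc/pki/ovirt-engine/certs/*.cer, `openssl` is on PATH, and the dates are
read from `openssl x509 -noout -dates`.
"""
import glob
import subprocess
from datetime import datetime

MAX_MONTHS = 39                                   # cap quoted in the thread
CERT_GLOB = "/etc/pki/ovirt-engine/certs/*.cer"   # assumed engine PKI layout


def parse_openssl_date(text):
    """Parse one openssl date value, e.g. 'Feb  5 10:19:00 2018 GMT'.

    openssl pads single-digit days with two spaces; collapsing whitespace
    keeps strptime happy regardless of the padding.
    """
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y %Z")


def parse_openssl_dates(output):
    """Turn the 'notBefore=...' / 'notAfter=...' lines into two datetimes."""
    fields = {}
    for line in output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return parse_openssl_date(fields["notBefore"]), parse_openssl_date(fields["notAfter"])


def validity_months(not_before, not_after):
    """Whole calendar months from not_before to not_after (rounded down)."""
    months = (not_after.year - not_before.year) * 12 + (not_after.month - not_before.month)
    # A partial final month does not count: compare the day/time within the month.
    if (not_after.day, not_after.hour, not_after.minute, not_after.second) < (
        not_before.day, not_before.hour, not_before.minute, not_before.second
    ):
        months -= 1
    return months


def exceeds_limit(not_before, not_after, max_months=MAX_MONTHS):
    """True when the certificate lifetime is longer than the cap."""
    return validity_months(not_before, not_after) > max_months


def openssl_dates(path):
    """Read notBefore/notAfter from a PEM certificate file via openssl."""
    result = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", path],
        check=True, capture_output=True, text=True,
    )
    return parse_openssl_dates(result.stdout)


def audit(paths=None, max_months=MAX_MONTHS):
    """Return {path: months} for every certificate whose lifetime exceeds the cap."""
    if paths is None:
        paths = glob.glob(CERT_GLOB)
    offenders = {}
    for path in sorted(paths):
        not_before, not_after = openssl_dates(path)
        months = validity_months(not_before, not_after)
        if months > max_months:
            offenders[path] = months
    return offenders


# Constructed sample output of `openssl x509 -noout -dates` for a five-year
# certificate and for a three-year one (not taken from any real host).
SAMPLE_FIVE_YEARS = "notBefore=Feb 14 10:19:00 2018 GMT\nnotAfter=Feb 14 10:19:00 2023 GMT\n"
SAMPLE_THREE_YEARS = "notBefore=Feb 14 10:19:00 2018 GMT\nnotAfter=Feb 14 10:19:00 2021 GMT\n"


if __name__ == "__main__":
    for label, sample in (("5y", SAMPLE_FIVE_YEARS), ("3y", SAMPLE_THREE_YEARS)):
        start, end = parse_openssl_dates(sample)
        print(label, validity_months(start, end), "months, over cap:", exceeds_limit(start, end))
    for path, months in audit().items():
        print(f"{path}: {months} months > {MAX_MONTHS}")
```

Run it on the engine host as a user that can read the certificate directory; any path it prints is a host whose certificate was issued under the old lifetime and needs re-enrollment (or the manual openssl regeneration mentioned in the question) regardless of what the database option is set to afterwards. Since VdsCertificateValidityInYears is an integer number of years, 3 is the largest value that stays under a 39-month cap.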

Thanks, I'll check it out.

On Thu, 22 Mar 2018 00:49, Yedidyah Bar David <didi@redhat.com> wrote:
participants (3)
- Punaatua PAINT-KOUI
- Sahina Bose
- Yedidyah Bar David