[Users] replace engine hostname /pki

Hi,

I'm just curious, is this wiki page still correct for 3.3.2? (It mentions 3.1)

http://www.ovirt.org/How_to_change_engine_host_name

-- 
Regards

Sven Kieske
System administrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Managing director: Robert Meyer
Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad Oeynhausen
General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen

----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de>
To: "Users@ovirt.org List" <Users@ovirt.org>
Sent: Wednesday, January 29, 2014 12:20:58 PM
Subject: [Users] replace engine hostname /pki
Hi,
I'm just curious, is this wiki page still correct for 3.3.2 ? (It mentions 3.1)
It was actually replaced with a utility that does that:

http://www.ovirt.org/Changing_Engine_Hostname

You might want to add a link there. I noticed that there are other such pages and did not bother to fix them all, some in other sites :-(

Best,
-- 
Didi

I updated the wiki page with:

"This procedure is obsoleted by Changing_Engine_Hostname in oVirt 3.3.2"

but I'm not sure this is right: since which version does this script work? 3.3.1? 3.2.3?

On 29.01.2014 11:34, Yedidyah Bar David wrote:
----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de>
To: "Users@ovirt.org List" <Users@ovirt.org>
Sent: Wednesday, January 29, 2014 12:20:58 PM
Subject: [Users] replace engine hostname /pki
Hi,
I'm just curious, is this wiki page still correct for 3.3.2 ? (It mentions 3.1)
It was actually replaced with a utility that does that:
http://www.ovirt.org/Changing_Engine_Hostname
You might want to add a link there. I noticed that there are other such pages and did not bother to fix them all, some in other sites :-(
Best,

----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de>
To: "Yedidyah Bar David" <didi@redhat.com>
Cc: "Users@ovirt.org List" <Users@ovirt.org>
Sent: Wednesday, January 29, 2014 1:15:30 PM
Subject: Re: [Users] replace engine hostname /pki
I updated the wiki page with:
"This procedure is obsoleted by Changing_Engine_Hostname in oVirt 3.3.2"
but I'm not sure this is right, since which version does this script work? 3.3.1? 3.2.3?
3.3.0. Actually since the nightly builds of Aug 8 or so [1].

[1] http://gerrit.ovirt.org/17408

Thanks!
-- 
Didi

Additional question regarding the certificates/PKI:

The wiki page states:

"The bigger concern is with the engine's certificate. Currently, to the best of our knowledge, there is no component that actually checks this trust."

(All three certificates (CA, httpd, engine) are for the Common Name (CN) whose value is the hostname entered during engine-setup, which is supposed to be the hostname of the engine's machine, exist in the DNS (forward and reverse records), and point to an IP address of the engine's machine.)

Is there a list of values that get checked? E.g. the validity dates before and after?

Users might run into trouble in 10 years if this gets checked, because that is the current expiration date.

If _nothing_ gets checked I wonder why the PKI is used at all ;)
(I assume at least the keys get checked)

On 29.01.2014 11:34, Yedidyah Bar David wrote:
It was actually replaced with a utility that does that:
http://www.ovirt.org/Changing_Engine_Hostname
You might want to add a link there. I noticed that there are other such pages and did not bother to fix them all, some in other sites :-(

(Following a discussion with Alon)

----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de>
To: "Yedidyah Bar David" <didi@redhat.com>
Cc: "Users@ovirt.org List" <Users@ovirt.org>
Sent: Wednesday, January 29, 2014 1:24:40 PM
Subject: Re: [Users] replace engine hostname /pki
Additional question regarding the certificates/pki:
the wikipage states:
"The bigger concern is with the engine's certificate. Currently, to the best of our knowledge, there is no component that actually checks this trust."
Well, this is not accurate. The trust path _is_ checked, but against the saved CA cert. On host deploy the host saves the CA cert and so can verify the trust path even if the CA's hostname does not exist any more and cannot be connected to in order to get /ca.crt.

The point was that if there is something (e.g. a SPICE client or web browser) that checks the trust path, this will fail if this client did not have the CA cert, or tries to download it again after the rename.
(All three certificates (CA, httpd, engine) are for the Common Name (CN) whose value is the hostname entered during engine-setup, which is supposed to be the hostname of the engine's machine, exist in the dns (forward and reverse records), and point to an IP address of the engine's machine. )
Is there a list of values that get checked? e.g. the validity dates before and after?
Yes, these are checked.
users might run into trouble in 10 years if this gets checked, because that is the current expiration date.
Indeed. If oVirt systems live for 10 years: 1. we'll be very happy :-), 2. all certificates will need to be reissued. You can verify this today by moving the clock.
if _nothing_ gets checked I wonder why the PKI is used at all ;)
(I assume at least the keys get checked)
Yes.

Alon also added: Revocations are not checked. This means that if someone breaks into your engine, there is no simple way to tell the hosts to not trust the old engine key anymore.

-- 
Didi

----- Original Message -----
From: "Yedidyah Bar David" <didi@redhat.com>
To: "Sven Kieske" <S.Kieske@mittwald.de>
Cc: "Users@ovirt.org List" <Users@ovirt.org>, "Alon Bar-Lev" <alonbl@redhat.com>
Sent: Wednesday, January 29, 2014 3:12:21 PM
Subject: Re: [Users] replace engine hostname /pki
(Following a discussion with Alon)
Hi,

I hope you find this [1] helpful; if not, we should work to make it better.

Thanks,

[1] http://www.ovirt.org/Features/PKI

----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Yedidyah Bar David" <didi@redhat.com>
Cc: "Sven Kieske" <S.Kieske@mittwald.de>, "Users@ovirt.org List" <Users@ovirt.org>
Sent: Wednesday, January 29, 2014 3:23:10 PM
Subject: Re: [Users] replace engine hostname /pki
----- Original Message -----
From: "Yedidyah Bar David" <didi@redhat.com>
To: "Sven Kieske" <S.Kieske@mittwald.de>
Cc: "Users@ovirt.org List" <Users@ovirt.org>, "Alon Bar-Lev" <alonbl@redhat.com>
Sent: Wednesday, January 29, 2014 3:12:21 PM
Subject: Re: [Users] replace engine hostname /pki
(Following a discussion with Alon)
Hi,
I hope you find this[1] helpful, if not we should work to make it better.
Thanks,
Thanks, I didn't know about that page. Added a link to it from the rename page. -- Didi

Thanks for the link, I will work through the page and see if any questions pop up. Also thanks to Yedidyah for the clarification!

On 29.01.2014 14:23, Alon Bar-Lev wrote:
----- Original Message -----
From: "Yedidyah Bar David" <didi@redhat.com>
To: "Sven Kieske" <S.Kieske@mittwald.de>
Cc: "Users@ovirt.org List" <Users@ovirt.org>, "Alon Bar-Lev" <alonbl@redhat.com>
Sent: Wednesday, January 29, 2014 3:12:21 PM
Subject: Re: [Users] replace engine hostname /pki
(Following a discussion with Alon)
Hi,
I hope you find this[1] helpful, if not we should work to make it better.
Thanks,
[1] http://www.ovirt.org/Features/PKI
participants (3)
- Alon Bar-Lev
- Sven Kieske
- Yedidyah Bar David