[ovirt-users] VDSM SSL validity
Yedidyah Bar David
didi at redhat.com
Thu Mar 22 10:49:25 UTC 2018
On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose <sabose at redhat.com> wrote:
> Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is
> present in 4.2?
I do not think it ever was exposed to engine-config - I think it's a
bug in that page.
You should be able to update it with psql, if needed - something like this:
select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');
I didn't try this myself.
To get an SQL prompt, you can use engine-psql, which should be available
in 4.2.2, or simply copy the script from the patch page:
https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f
Also, some people claim that the use of certificates for communication between
the engine and the hosts is an internal implementation detail, which should not
be relevant to PCI DSS requirements. See e.g.:
https://ovirt.org/develop/release-management/features/infra/pkireduce/
>
> On Mon, Mar 19, 2018 at 4:43 AM, Punaatua PAINT-KOUI <punaatua.pk at gmail.com>
> wrote:
>>
>> Up
>>
>> 2018-02-17 2:57 GMT-10:00 Punaatua PAINT-KOUI <punaatua.pk at gmail.com>:
>>>
>>> Any idea, someone?
>>>
>>> On 14 Feb 2018 23:19, "Punaatua PAINT-KOUI" <punaatua.pk at gmail.com>
>>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I set up a hyperconverged solution with 3 nodes, hosted engine on
>>>> glusterfs.
>>>> We run this setup in a PCI-DSS environment. According to PCI-DSS
>>>> requirements, we are required to reduce the validity of any certificate
>>>> under 39 months.
>>>>
>>>> I saw in this link
>>>> https://www.ovirt.org/develop/release-management/features/infra/pki/ that I
>>>> can use the option VdsCertificateValidityInYears at engine-config.
>>>>
>>>> I'm running oVirt engine 4.2.1 and I checked when I was on 4.2 how to
>>>> edit the option with engine-config --all and engine-config --list but the
>>>> option is not listed.
>>>>
>>>> Am I missing something?
>>>>
>>>> I think I can regenerate a VDSM certificate with openssl and the CA conf
>>>> in /etc/pki/ovirt-engine on the hosted-engine but I would rather modify the
>>>> option for future hosts that I will add.
>>>>
>>>> --
>>>> -------------------------------------
>>>> PAINT-KOUI Punaatua
>>
>>
>>
>>
>> --
>> -------------------------------------
>> PAINT-KOUI Punaatua
>> Licence Pro Réseaux et Télecom IAR
>> Université du Sud Toulon Var
>> La Garde France
>>
>
--
Didi
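
Added example (not part of the original message and not oVirt code): a Python check that a certificate's lifetime is under the 39 months mentioned in the thread, working from the output of `openssl x509 -noout -dates`. The function names and the two sample date strings are constructed for illustration; PEM certificate paths are passed on the command line.

```python
import subprocess
import sys
from calendar import monthrange
from datetime import datetime

MAX_MONTHS = 39  # limit quoted in the thread for the PCI-DSS environment
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"  # date format printed by `openssl x509 -dates`

def parse_dates(text):
    """Return (not_before, not_after) from `openssl x509 -noout -dates` output."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return (datetime.strptime(fields["notBefore"].strip(), OPENSSL_FMT),
            datetime.strptime(fields["notAfter"].strip(), OPENSSL_FMT))

def add_months(start, months):
    """Calendar-month addition, clamping the day (Jan 31 + 1 month -> Feb 28/29)."""
    index = start.year * 12 + (start.month - 1) + months
    year, month = divmod(index, 12)
    day = min(start.day, monthrange(year, month + 1)[1])
    return start.replace(year=year, month=month + 1, day=day)

def within_limit(not_before, not_after, max_months=MAX_MONTHS):
    """True when the certificate lifetime is strictly under max_months months."""
    return not_after < add_months(not_before, max_months)

def check_cert(path):
    """Run openssl on a PEM certificate and test its lifetime against the limit."""
    out = subprocess.run(["openssl", "x509", "-noout", "-dates", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    return within_limit(*parse_dates(out))

# Constructed sample outputs (not taken from a real host).
SAMPLE_LONG = "notBefore=Mar 22 10:49:25 2018 GMT\nnotAfter=Mar 21 10:49:25 2023 GMT\n"
SAMPLE_SHORT = "notBefore=Mar  2 10:49:25 2018 GMT\nnotAfter=Mar  2 10:49:25 2020 GMT\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, "OK" if check_cert(path) else "validity too long")
```

Changing the configured validity only affects certificates issued afterwards, so a check like this is useful for finding host certificates that were issued earlier and still exceed the limit.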