[ovirt-users] VDSM SSL validity

Punaatua PAINT-KOUI punaatua.pk at gmail.com
Fri Mar 23 08:27:00 UTC 2018


Thanks, I'll check it out.

On Thu, Mar 22, 2018 at 00:49, Yedidyah Bar David <didi at redhat.com> wrote:

> On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose <sabose at redhat.com> wrote:
> > Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is
> > present in 4.2?
>
> I do not think it ever was exposed to engine-config - I think it's a
> bug in that page.
>
> You should be able to update it with psql, if needed - something like this:
>
> select
> fn_db_update_config_value('VdsCertificateValidityInYears','2','general');
>
> I didn't try this myself.
>
> To get an sql prompt, you can use engine-psql, which should be
> available in 4.2.2,
> or simply copy the script from the patch page:
>
> https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f
>
> Also, some people claim that the use of certificates for communication
> between the engine and the hosts is an internal implementation detail,
> which should not be relevant to PCI DSS requirements. See e.g.:
>
> https://ovirt.org/develop/release-management/features/infra/pkireduce/
>
> >
> > On Mon, Mar 19, 2018 at 4:43 AM, Punaatua PAINT-KOUI <punaatua.pk at gmail.com> wrote:
> >>
> >> Up
> >>
> >> 2018-02-17 2:57 GMT-10:00 Punaatua PAINT-KOUI <punaatua.pk at gmail.com>:
> >>>
> >>> Any idea someone ?
> >>>
> >>> On Feb 14, 2018 at 23:19, "Punaatua PAINT-KOUI" <punaatua.pk at gmail.com> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> I set up a hyperconverged solution with 3 nodes, hosted engine on
> >>>> glusterfs.
> >>>> We run this setup in a PCI-DSS environment. According to PCI-DSS
> >>>> requirements, we are required to reduce the validity of any certificate
> >>>> under 39 months.
> >>>>
> >>>> I saw in this link
> >>>> https://www.ovirt.org/develop/release-management/features/infra/pki/ that I
> >>>> can use the option VdsCertificateValidityInYears at engine-config.
> >>>>
> >>>> I'm running ovirt engine 4.2.1 and I checked when I was on 4.2 how to
> >>>> edit the option with engine-config --all and engine-config --list but the
> >>>> option is not listed.
> >>>>
> >>>> Am I missing something?
> >>>>
> >>>> I think I can regenerate a VDSM certificate with openssl and the CA conf
> >>>> in /etc/pki/ovirt-engine on the hosted-engine but I would rather modify the
> >>>> option for future hosts that I will add.
> >>>>
> >>>> --
> >>>> -------------------------------------
> >>>> PAINT-KOUI Punaatua
> >>
> >>
> >>
> >>
> >> --
> >> -------------------------------------
> >> PAINT-KOUI Punaatua
> >> Licence Pro Réseaux et Télecom IAR
> >> Université du Sud Toulon Var
> >> La Garde France
> >>
> >>
> >
>
>
>
> --
> Didi
>
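
An added example, not part of the thread or of oVirt's own tooling: one way to audit whether a certificate's validity period stays under the 39-month limit mentioned above, using the `notBefore=`/`notAfter=` lines printed by `openssl x509 -noout -startdate -enddate`. The sample outputs are constructed, and treating "under 39 months" as a strict calendar-month limit is an assumption.

```python
import calendar
import subprocess
import sys
from datetime import datetime

LIMIT_MONTHS = 39  # limit quoted in the thread
OPENSSL_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "Mar 23 08:27:00 2018 GMT"


def add_months(start, months):
    """Shift start by whole calendar months, clamping the day to month end."""
    year, month0 = divmod(start.year * 12 + (start.month - 1) + months, 12)
    day = min(start.day, calendar.monthrange(year, month0 + 1)[1])
    return start.replace(year=year, month=month0 + 1, day=day)


def parse_dates(openssl_output):
    """Parse the notBefore=/notAfter= lines printed by openssl x509."""
    fields = dict(line.split("=", 1)
                  for line in openssl_output.splitlines() if "=" in line)
    return (datetime.strptime(fields["notBefore"].strip(), OPENSSL_FMT),
            datetime.strptime(fields["notAfter"].strip(), OPENSSL_FMT))


def is_compliant(not_before, not_after, limit_months=LIMIT_MONTHS):
    """True when the validity period is strictly shorter than the limit."""
    return not_after < add_months(not_before, limit_months)


def check_cert(pem_path):
    """Run openssl on a PEM certificate file and test its validity period."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-startdate", "-enddate", "-in", pem_path],
        check=True, capture_output=True, text=True).stdout
    return is_compliant(*parse_dates(out))


# Constructed openssl output (not taken from a real host): 2-year and 5-year certs.
SAMPLE_2Y = "notBefore=Mar 23 08:27:00 2018 GMT\nnotAfter=Mar 23 08:27:00 2020 GMT\n"
SAMPLE_5Y = "notBefore=Mar 23 08:27:00 2018 GMT\nnotAfter=Mar 23 08:27:00 2023 GMT\n"

if __name__ == "__main__":
    # Usage: pass one or more PEM certificate paths on the command line.
    for path in sys.argv[1:]:
        print(path, "OK" if check_cert(path) else "validity too long")
```

Because the config value is expressed in whole years, any certificate issued with 4 or more years of validity fails this check, while 3 years (36 months) or fewer passes.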