[ovirt-users] VDSM SSL validity

Punaatua PAINT-KOUI punaatua.pk at gmail.com
Mon Mar 26 19:34:35 UTC 2018


I just tried, it works! Thanks for your help.

Here are the steps that I followed:

Connect to the engine database using psql.

- Use the request as you gave it:
  select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');

- Verify the option by running:
  select * from vdc_options where option_name like '%VdsCer%';

- Restart ovirt-engine.

New hosts would have their certificates with a validity under 2 years. I
tested with an existing host by putting it in maintenance and then reinstalling it.

Thanks!

Those links also helped me:

https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/

https://www.ovirt.org/documentation/internal/database-upgrade-procedure/

2018-03-23 17:52 GMT-10:00 Punaatua PAINT-KOUI <punaatua.pk at gmail.com>:

> 2018-03-22 0:49 GMT-10:00 Yedidyah Bar David <didi at redhat.com>:
>
>> On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose <sabose at redhat.com> wrote:
>> > Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is
>> > present in 4.2?
>>
>> I do not think it ever was exposed to engine-config - I think it's a
>> bug in that page.
>>
>> You should be able to update it with psql, if needed - something like this:
>>
>> select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');
>>
>> I didn't try this myself.
>>
>> To get an sql prompt, you can use engine-psql, which should be available
>> in 4.2.2, or simply copy the script from the patch page:
>>
>> https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f
>>
>> Also, some people claim that the use of certificates for communication
>> between the engine and the hosts is an internal implementation detail,
>> which should not be relevant to PCI DSS requirements. See e.g.:
>>
>> https://ovirt.org/develop/release-management/features/infra/pkireduce/
>>
>> >
>> > On Mon, Mar 19, 2018 at 4:43 AM, Punaatua PAINT-KOUI <punaatua.pk at gmail.com> wrote:
>> >>
>> >> Up
>> >>
>> >> 2018-02-17 2:57 GMT-10:00 Punaatua PAINT-KOUI <punaatua.pk at gmail.com>:
>> >>>
>> >>> Any idea, someone?
>> >>>
>> >>> On 14 Feb 2018 23:19, "Punaatua PAINT-KOUI" <punaatua.pk at gmail.com> wrote:
>> >>>>
>> >>>> Hi,
>> >>>>
>> >>>> I set up a hyperconverged solution with 3 nodes, hosted engine on
>> >>>> glusterfs.
>> >>>> We run this setup in a PCI-DSS environment. According to PCI-DSS
>> >>>> requirements, we are required to reduce the validity of any certificate
>> >>>> under 39 months.
>> >>>>
>> >>>> I saw in this link
>> >>>> https://www.ovirt.org/develop/release-management/features/infra/pki/
>> >>>> that I can use the option VdsCertificateValidityInYears at engine-config.
>> >>>>
>> >>>> I'm running ovirt engine 4.2.1 and I checked when I was on 4.2 how to
>> >>>> edit the option with engine-config --all and engine-config --list, but the
>> >>>> option is not listed.
>> >>>>
>> >>>> Am I missing something?
>> >>>>
>> >>>> I think I can regenerate a VDSM certificate with openssl and the CA conf
>> >>>> in /etc/pki/ovirt-engine on the hosted-engine, but I would rather modify the
>> >>>> option for future hosts that I will add.
>> >>>>
>> >>>> --
>> >>>> -------------------------------------
>> >>>> PAINT-KOUI Punaatua
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> -------------------------------------
>> >> PAINT-KOUI Punaatua
>> >> Licence Pro Réseaux et Télecom IAR
>> >> Université du Sud Toulon Var
>> >> La Garde France
>> >>
>> >>
>> >
>>
>>
>>
>> --
>> Didi
>>
>
>
>
> --
> -------------------------------------
> PAINT-KOUI Punaatua
> Licence Pro Réseaux et Télecom IAR
> Université du Sud Toulon Var
> La Garde France
>



-- 
-------------------------------------
PAINT-KOUI Punaatua
Licence Pro Réseaux et Télecom IAR
Université du Sud Toulon Var
La Garde France
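
A check to run after the reinstall step described above, as an added example that is not part of the original thread: it reads a certificate's notBefore/notAfter dates with openssl and compares the period with the 39-month limit the poster cites. The certificate path is a placeholder supplied by the caller, the function names are hypothetical, and GNU date is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): report a certificate's validity period
# in calendar months and compare it with a maximum. Assumes GNU date.

MAX_MONTHS=${MAX_MONTHS:-39}   # limit cited by the original poster

# validity_months NOT_BEFORE NOT_AFTER
# Prints the period in months, rounded up to the next whole month.
validity_months() {
    s=$(date -u -d "$1" '+%Y %m %d%H%M%S') || return 2
    e=$(date -u -d "$2" '+%Y %m %d%H%M%S') || return 2
    set -- $s $e    # $1 $2 $3 = start year, month, ddHHMMSS; $4 $5 $6 = end
    # ${N#0} strips the zero padding so 08 and 09 are not read as octal.
    months=$(( ($4 - $1) * 12 + (${5#0} - ${2#0}) ))
    # A later day/time within the month means a partial extra month.
    [ "1$6" -gt "1$3" ] && months=$((months + 1))
    echo "$months"
}

# within_limit NOT_BEFORE NOT_AFTER
# Exit status 0 if the period is at most MAX_MONTHS, 1 if it is longer.
within_limit() {
    m=$(validity_months "$1" "$2") || return 2
    echo "validity: $m months (limit: $MAX_MONTHS)"
    [ "$m" -le "$MAX_MONTHS" ]
}

# check_cert PEM_FILE
# Reads both dates from the certificate and applies within_limit.
check_cert() {
    dates=$(openssl x509 -noout -startdate -enddate -in "$1") || return 2
    nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    within_limit "$nb" "$na"
}

# Usage: sh check_validity.sh /path/to/host-certificate.pem   (placeholder path)
if [ "$#" -gt 0 ]; then
    check_cert "$1"
fi
```

Run it against a host certificate before and after the reinstall; a non-zero exit status means the certificate still exceeds the limit or could not be read.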