Re: [ovirt-users] VDSM SSL validity

2018-03-26 Thread Punaatua PAINT-KOUI
I just tried, it works! Thanks for your help.

Here are the steps that I followed:

- connect to the engine database using psql

- use the request as you gave it: select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');

- verify the option by running: select * from vdc_options where option_name like '%VdsCer%';

- restart ovirt-engine

New hosts would have their certificates with the validity under 2 years. I
tested with an existing host by putting it in maintenance and then reinstalling.

Thanks!

Those links also helped me:

https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/

https://www.ovirt.org/documentation/internal/database-upgrade-procedure/




-- 
-
PAINT-KOUI Punaatua
Licence Pro Réseaux et Télecom IAR
Université du Sud Toulon Var
La Garde France
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
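
Added example (not part of the original thread or of oVirt's own tooling): one way to confirm the result described in the message above, by checking that a reinstalled host's certificate is valid for less than the 39 months mentioned in the thread. The function names and the certificate path argument are assumptions; GNU date and openssl are required.

```sh
#!/bin/sh
# Added example, not from the thread. Requires GNU date and openssl.
# Date strings are in the form `openssl x509 -noout -dates` prints.

# under_limit "<notBefore>" "<notAfter>" [months]
# Exit 0 if notAfter is strictly earlier than notBefore + months
# (default 39, the PCI-DSS figure quoted in the thread), 1 if not,
# 2 if a date cannot be parsed.
under_limit() (
    start=$1 end=$2 limit=${3:-39}
    set -- $(date -u -d "$start" '+%Y %m %d %H:%M:%S' 2>/dev/null)
    [ $# -eq 4 ] || exit 2
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null) || exit 2
    # Add the limit to the start month using integer arithmetic.
    total=$(( $1 * 12 + ${2#0} - 1 + limit ))
    y=$(( total / 12 )) m=$(( total % 12 + 1 )) d=${3#0} t=$4
    # Step the day back when the target month is shorter (e.g. the 31st).
    until limit_epoch=$(date -u -d "$(printf '%04d-%02d-%02d %s' \
            "$y" "$m" "$d" "$t")" +%s 2>/dev/null); do
        [ "$d" -gt 28 ] || exit 2
        d=$(( d - 1 ))
    done
    [ "$end_epoch" -lt "$limit_epoch" ]
)

# cert_under_limit <cert.pem> [months]: same check on a PEM certificate.
cert_under_limit() (
    dates=$(openssl x509 -noout -dates -in "$1") || exit 2
    nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    under_limit "$nb" "$na" "${2:-39}"
)

# Usage: sh check.sh <path-to-host-cert.pem> [months]
if [ $# -ge 1 ]; then
    cert_under_limit "$@" && echo "validity under limit" \
        || echo "validity NOT under limit (or unreadable)"
fi
```

A certificate issued before the option was changed keeps its original dates until the host is reinstalled, so run the check against the host's certificate after reinstalling.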


Re: [ovirt-users] VDSM SSL validity

2018-03-23 Thread Punaatua PAINT-KOUI
Thanks, I'll check it out.



Re: [ovirt-users] VDSM SSL validity

2018-03-22 Thread Yedidyah Bar David
On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose  wrote:
> Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is
> present in 4.2?

I do not think it ever was exposed to engine-config - I think it's a
bug in that page.

You should be able to update it with psql, if needed - something like this:

select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');

I didn't try this myself.

To get an sql prompt, you can use engine-psql, which should be
available in 4.2.2,
or simply copy the script from the patch page:

https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f

Also, some people claim that the use of certificates for communication between
the engine and the hosts is an internal implementation detail, which should not
be relevant to PCI DSS requirements. See e.g.:

https://ovirt.org/develop/release-management/features/infra/pkireduce/



-- 
Didi


Re: [ovirt-users] VDSM SSL validity

2018-03-18 Thread Punaatua PAINT-KOUI
Up



-- 
-
PAINT-KOUI Punaatua
Licence Pro Réseaux et Télecom IAR
Université du Sud Toulon Var
La Garde France


Re: [ovirt-users] VDSM SSL validity

2018-02-17 Thread Punaatua PAINT-KOUI
Any idea someone ?

On 14 Feb 2018 23:19, "Punaatua PAINT-KOUI" wrote:

> Hi,
>
> I set up a hyperconverged solution with 3 nodes, hosted engine on
> glusterfs.
> We run this setup in a PCI-DSS environment. According to PCI-DSS
> requirements, we are required to reduce the validity of any certificate
> under 39 months.
>
> I saw in this link
> https://www.ovirt.org/develop/release-management/features/infra/pki/
> that I can use the option VdsCertificateValidityInYears at engine-config.
>
> I'm running ovirt engine 4.2.1 and I checked when I was on 4.2 how to edit
> the option with engine-config --all and engine-config --list but the option
> is not listed.
>
> Am I missing something?
>
> I think I can regenerate a VDSM certificate with openssl and the CA conf
> in /etc/pki/ovirt-engine on the hosted-engine but I would rather modify
> the option for future hosts that I will add.
>
> --
> -
> PAINT-KOUI Punaatua
>