Re: [ovirt-users] VDSM SSL validity
I just tried, it works! Thanks for your help.

Here are the steps that I followed:

- connect to the engine database using psql
- use the request as you gave it:
  select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');
- verify the option by running:
  select * from vdc_options where option_name like '%VdsCer%';
- restart ovirt-engine

New hosts would have their certificates with the validity under 2 years. I
tested with an existing host by putting it in maintenance then reinstalling it.

Thanks!

Those links helped me also:

https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/
https://www.ovirt.org/documentation/internal/database-upgrade-procedure/

2018-03-23 17:52 GMT-10:00 Punaatua PAINT-KOUI:

> I just tried, it works! Thanks for your help.
>
> Here are the steps that I followed:
>
> - connect to the engine database using psql
> - use the request as you gave it:
>   select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');
> - verify the option by running:
>   select * from vdc_options where option_name like '%VdsCer%';
> - restart ovirt-engine
>
> New hosts would have their certificates with the validity under 2 years. I
> tested with an existing host by putting it in maintenance then reinstalling it.
>
> Thanks!
>
> Those links helped me also:
>
> https://www.ovirt.org/develop/developer-guide/db-issues/dbupgrade/
> https://www.ovirt.org/documentation/internal/database-upgrade-procedure/
>
> 2018-03-22 0:49 GMT-10:00 Yedidyah Bar David:
>
>> On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose wrote:
>> > Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is
>> > present in 4.2?
>>
>> I do not think it ever was exposed to engine-config - I think it's a
>> bug in that page.
>>
>> You should be able to update it with psql, if needed - something like this:
>>
>> select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');
>>
>> I didn't try this myself.
>>
>> To get an sql prompt, you can use engine-psql, which should be
>> available in 4.2.2, or simply copy the script from the patch page:
>>
>> https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f
>>
>> Also, some people claim that the use of certificates for communication
>> between the engine and the hosts is an internal implementation detail,
>> which should not be relevant to PCI DSS requirements. See e.g.:
>>
>> https://ovirt.org/develop/release-management/features/infra/pkireduce/
>>
>> > On Mon, Mar 19, 2018 at 4:43 AM, Punaatua PAINT-KOUI <punaatua...@gmail.com> wrote:
>> >>
>> >> Up
>> >>
>> >> 2018-02-17 2:57 GMT-10:00 Punaatua PAINT-KOUI:
>> >>>
>> >>> Any idea someone ?
>> >>>
>> >>> On 14 Feb 2018 at 23:19, "Punaatua PAINT-KOUI" wrote:
>> >>>>
>> >>>> Hi,
>> >>>>
>> >>>> I set up a hyperconverged solution with 3 nodes, hosted engine on glusterfs.
>> >>>> We run this setup in a PCI-DSS environment. According to PCI-DSS
>> >>>> requirements, we are required to reduce the validity of any certificate
>> >>>> under 39 months.
>> >>>>
>> >>>> I saw in this link
>> >>>> https://www.ovirt.org/develop/release-management/features/infra/pki/
>> >>>> that I can use the option VdsCertificateValidityInYears at engine-config.
>> >>>>
>> >>>> I'm running ovirt engine 4.2.1 and I checked when I was on 4.2 how to
>> >>>> edit the option with engine-config --all and engine-config --list but
>> >>>> the option is not listed.
>> >>>>
>> >>>> Am I missing something ?
>> >>>>
>> >>>> I think I can regenerate a VDSM certificate with openssl and the CA conf
>> >>>> in /etc/pki/ovirt-engine on the hosted-engine but I would rather modify
>> >>>> the option for future hosts that I will add.
>>
>> --
>> Didi

--
PAINT-KOUI Punaatua
Licence Pro Réseaux et Télecom IAR
Université du Sud Toulon Var
La Garde France
___
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
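A check for the result of the steps above, as an added example that is not part of the original messages or of oVirt: it parses the output of `openssl x509 -noout -dates` for a reissued host certificate and tests the validity window against the 39-month limit mentioned in the thread. The sample outputs are constructed, and the function names are hypothetical.

```python
import calendar
from datetime import datetime, timezone

MAX_MONTHS = 39  # limit quoted in the thread for the PCI-DSS environment

# Constructed samples of `openssl x509 -noout -dates` output (not from a real host).
SAMPLE_2Y = "notBefore=Mar 23 03:52:10 2018 GMT\nnotAfter=Mar 23 03:52:10 2020 GMT\n"
SAMPLE_5Y = "notBefore=Feb 14 09:19:00 2018 GMT\nnotAfter=Feb 14 09:19:00 2023 GMT\n"


def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl's -dates output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # OpenSSL pads single-digit days with an extra space ("Mar  3 ...")
            stamp = " ".join(value.split())
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected notBefore= and notAfter= lines")
    if found["notAfter"] <= found["notBefore"]:
        raise ValueError("notAfter is not later than notBefore")
    return found["notBefore"], found["notAfter"]


def add_months(moment, months):
    """Shift a datetime by whole calendar months, clamping to the month's last day."""
    years, month_index = divmod(moment.month - 1 + months, 12)
    year, month = moment.year + years, month_index + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def check_validity(text, max_months=MAX_MONTHS):
    """Report the validity window and whether it stays under max_months."""
    not_before, not_after = parse_dates(text)
    limit = add_months(not_before, max_months)
    return {
        "days": (not_after - not_before).days,
        "must_expire_before": limit,
        "compliant": not_after < limit,  # "under" the limit, so exactly 39 months fails
    }


if __name__ == "__main__":
    for name, sample in (("2-year", SAMPLE_2Y), ("5-year", SAMPLE_5Y)):
        print(name, check_validity(sample))
```
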
Re: [ovirt-users] VDSM SSL validity
Thanks, I'll check it out.
Re: [ovirt-users] VDSM SSL validity
On Thu, Mar 22, 2018 at 11:58 AM, Sahina Bose wrote:
> Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is
> present in 4.2?

I do not think it ever was exposed to engine-config - I think it's a
bug in that page.

You should be able to update it with psql, if needed - something like this:

select fn_db_update_config_value('VdsCertificateValidityInYears','2','general');

I didn't try this myself.

To get an sql prompt, you can use engine-psql, which should be
available in 4.2.2, or simply copy the script from the patch page:

https://gerrit.ovirt.org/#/q/I4d9737ea72df0d7e654776a1085901284a523b7f

Also, some people claim that the use of certificates for communication
between the engine and the hosts is an internal implementation detail,
which should not be relevant to PCI DSS requirements. See e.g.:

https://ovirt.org/develop/release-management/features/infra/pkireduce/

--
Didi
Re: [ovirt-users] VDSM SSL validity
Didi, Sandro - Do you know if this option VdsCertificateValidityInYears is present in 4.2?
Re: [ovirt-users] VDSM SSL validity
Up

--
PAINT-KOUI Punaatua
Licence Pro Réseaux et Télecom IAR
Université du Sud Toulon Var
La Garde France
Re: [ovirt-users] VDSM SSL validity
Any idea someone ?

On 14 Feb 2018 at 23:19, "Punaatua PAINT-KOUI" wrote:

> Hi,
>
> I set up a hyperconverged solution with 3 nodes, hosted engine on glusterfs.
> We run this setup in a PCI-DSS environment. According to PCI-DSS
> requirements, we are required to reduce the validity of any certificate
> under 39 months.
>
> I saw in this link
> https://www.ovirt.org/develop/release-management/features/infra/pki/
> that I can use the option VdsCertificateValidityInYears at engine-config.
>
> I'm running ovirt engine 4.2.1 and I checked when I was on 4.2 how to edit
> the option with engine-config --all and engine-config --list but the option
> is not listed.
>
> Am I missing something ?
>
> I think I can regenerate a VDSM certificate with openssl and the CA conf
> in /etc/pki/ovirt-engine on the hosted-engine but I would rather modify
> the option for future hosts that I will add.
>
> --
> PAINT-KOUI Punaatua