Old keystore if any on the KVM hosts (at /etc/cloudstack/agent/cloud.jks) will be removed.

- Rohit
<https://cloudstack.apache.org>

________________________________
From: Ugo Vasi <ugo.v...@procne.it>
Sent: Thursday, January 31, 2019 2:24:06 PM
To: Rohit Yadav; users@cloudstack.apache.org
Subject: Re: secure hosts communications

Hi Rohit,
sorry if I insist with the questions... by launching the procedure, does the framework rebuild and "overwrite" the configuration of the certificates?

On 31/01/19 09:28, Ugo Vasi wrote:
> Hi Rohit,
> this is a freshly installed infrastructure, but we had some hardware problems (a mgmt server restart) and now the hosts are in "unsecure" state.
>
> Do you have any idea how it could have happened to go to this state? I'm analyzing the logs but I do not find much about it.
>
> On 31/01/19 08:38, Rohit Yadav wrote:
>> Hi Ugo,
>>
>> If it's a fresh 4.11.2.0 installation you don't need to do anything; you'll get your KVM hosts secured after you add them.
>>
>> TL;DR - If you're upgrading, you simply need to run the provisionCertificate API against each of your KVM hosts after installation and upgrade. Refer: http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#securing-process
>>
>> - Rohit
>>
>> rohit.ya...@shapeblue.com
>> www.shapeblue.com
>> @shapeblue
>>
>> ------------------------------------------------------------------------
>> From: Ugo Vasi <ugo.v...@procne.it>
>> Sent: Wednesday, January 30, 2019 6:43:00 PM
>> To: Rohit Yadav; users@cloudstack.apache.org
>> Subject: Re: secure hosts communications
>>
>> Hi Rohit,
>> what I do not understand is whether in this ACS version (4.11.2.0) you have to start the procedure manually or it is done during the installation. Did I skip some steps during the installation?
>>
>> Thanks
>>
>> On 30/01/19 13:37, Rohit Yadav wrote:
>>> Hi Ugo,
>>>
>>> This will be a one-time procedure, and the KVM host and the VMs do not need a reboot, but the provisionCertificate API will restart the libvirtd process (just check if that can have any side effects for your VMs/distro; on most modern distros restarting libvirtd does not have any side-effects on existing running VMs).
>>>
>>> - Rohit
>>>
>>> ------------------------------------------------------------------------
>>> From: Ugo Vasi <ugo.v...@procne.it>
>>> Sent: Wednesday, January 30, 2019 4:47:09 PM
>>> To: users@cloudstack.apache.org; Rohit Yadav
>>> Subject: Re: secure hosts communications
>>>
>>> Hi Rohit,
>>> I have a 4.11.2.0 ACS infrastructure (Ubuntu 16.04 with KVM hypervisor). I see that all the hosts are in unsecure state from the UI and so live migration doesn't work (we had troubles with the mgmt server).
>>>
>>> I read in the documentation that by launching the provisionCertificate API (by pressing the appropriate button in the UI) the certificates will be renewed/regenerated for already connected agents/hosts.
>>>
>>> I do not understand if provisioning should be done manually on each host or if the procedure should be done only once.
>>>
>>> Does this procedure reboot the host or the instances that it contains?
>>>
>>> Thanks
>>>
>>> On 27/11/18 09:49, Rohit Yadav wrote:
>>>> Hi Richard,
>>>>
>>>> Please read: http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#security
>>>>
>>>> 4.11.2 is out, please consider using it instead of 4.11.1 as it has several bugfixes etc.
>>>>
>>>> In short, with all of your KVM hosts up and connected to the mgmt server, first change the auth strictness global setting to true, then using the API secure the hosts using the provisionCertificate API. In the UI, go to your hosts that don't show up as secure and click on the key button (a new button) to secure the host, which calls the provisionCertificate API as well.
>>>>
>>>> - Rohit
>>>>
>>>> <https://cloudstack.apache.org>
>>>>
>>>> ________________________________
>>>> From: Richard Persaud <richard.pers...@macys.com>
>>>> Sent: Monday, November 26, 2018 8:19:56 PM
>>>> To: users@cloudstack.apache.org
>>>> Subject: RE: secure hosts communications
>>>>
>>>> Thank you, Rohit.
>>>>
>>>> I am using 4.11.1 with a full KVM environment. They are showing unsecure with strictness set to true.
>>>>
>>>> What configuration needs to be adjusted to have the KVM hosts show secure?
>>>>
>>>> Regards,
>>>>
>>>> Richard Persaud
>>>>
>>>> From: Rohit Yadav <rohit.ya...@shapeblue.com>
>>>> Sent: Saturday, November 24, 2018 2:02 PM
>>>> To: users@cloudstack.apache.org
>>>> Subject: Re: secure hosts communications
>>>>
>>>> Richard,
>>>>
>>>> Starting 4.11, agent and management servers will use an in-built CA framework to secure hosts. Only in case of KVM hosts you may see an insecure state; otherwise all KVM hosts (agents) and SSVM/CPVM agents will, by default, in Up state be secured. There is an auth strictness setting that should be true.
>>>>
>>>> - Rohit
>>>>
>>>> <https://cloudstack.apache.org>
>>>>
>>>> ________________________________
>>>> From: Richard Persaud <richard.pers...@macys.com>
>>>> Sent: Saturday, November 24, 2018 4:21:24 AM
>>>> To: users@cloudstack.apache.org
>>>> Subject: secure hosts communications
>>>>
>>>> Hello,
>>>>
>>>> Is there a straightforward way to enable secure communications between the management server and the hosts?
>>>>
>>>> I have looked at many documentations but am still unable to get the hosts to show a "secure" state.
>>>>
>>>> Regards,
>>>>
>>>> Richard Persaud
>>>>
>>>> rohit.ya...@shapeblue.com
>>>> www.shapeblue.com
>>>> Amadeus House, Floral Street, London WC2E 9DPUK
>>>> @shapeblue
>>>
>>> --
>>>
>>> Ugo Vasi / System Administrator
>>> ugo.v...@procne.it
>>>
>>> Procne S.r.l.
>>> +39 0432 486 523
>>> via Cotonificio, 45
>>> 33010 Tavagnacco (UD)
>>> www.procne.it
>>>
>>> The information contained in this communication and its attachments may be confidential and is, in any case, intended exclusively for the persons or the Company indicated above. The dissemination, distribution and/or copying of the transmitted document by anyone other than the addressee is prohibited both under art. 616 of the Italian Criminal Code and under Legislative Decree no. 196/2003, "Personal Data Protection Code". If you have received this message in error, please destroy it and immediately inform Procne S.r.l. by writing to the e-mail address i...@procne.it.
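The procedure Rohit describes in the 27 November message (set the auth strictness global setting to true, then call provisionCertificate against each Up KVM host that does not show as secure, and note that the call is asynchronous and restarts libvirtd on the host) as an added example that is not part of this thread or of the CloudStack project. It talks to the management server's API directly over HTTP, signing each request with the standard CloudStack HMAC-SHA1 API signature, so it needs nothing beyond the Python standard library. Assumptions, all outside what the thread states: the global setting name `ca.plugin.root.auth.strictness`, the `secured` key in each host's `details` as the field behind the UI's secure state, the `CS_*` environment variable names, and the `SAMPLE_HOSTS` list, which is constructed rather than captured from a real deployment.

```python
"""Secure KVM hosts through the CloudStack CA framework (added example,
not code from the thread or from the CloudStack project). Sets the auth
strictness setting, then provisions a certificate on every Up KVM host
that is not reported as secured, using signed CloudStack API calls."""
import base64
import functools
import hashlib
import hmac
import json
import os
import time
import urllib.parse
import urllib.request

# Global setting name (assumed; the thread only calls it "auth strictness").
AUTH_STRICTNESS = "ca.plugin.root.auth.strictness"


def hash_string(params):
    """Canonical string the CloudStack API signs: parameters sorted by
    name (case-insensitively), values percent-encoded, all lower-cased."""
    items = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={urllib.parse.quote_plus(str(v))}" for k, v in items).lower()


def sign(params, secret_key):
    """Base64 HMAC-SHA1 over the canonical string (URL-encoding happens later)."""
    mac = hmac.new(secret_key.encode(), hash_string(params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_url(endpoint, api_key, secret_key, command, **params):
    """Signed GET URL for one API call; 'signature' itself is never signed."""
    query = {"command": command, "apiKey": api_key, "response": "json", **params}
    query["signature"] = sign(query, secret_key)
    return endpoint + "?" + urllib.parse.urlencode(query)


def call_api(endpoint, api_key, secret_key, command, **params):
    """Perform the call and unwrap the '<command>response' JSON envelope."""
    url = build_url(endpoint, api_key, secret_key, command, **params)
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)[command.lower() + "response"]


def unsecured_kvm_hosts(hosts):
    """IDs of KVM hosts whose 'secured' detail is not "true".
    The 'secured' key in host details is an assumption about the listHosts
    payload; compare with your own listHosts output before relying on it."""
    ids = []
    for h in hosts:
        if h.get("hypervisor", "").lower() != "kvm":
            continue
        details = h.get("details") or {}
        if str(details.get("secured", "")).lower() != "true":
            ids.append(h["id"])
    return ids


def wait_for_job(api, job_id, timeout=300, poll=5):
    """provisionCertificate is asynchronous: poll queryAsyncJobResult until
    jobstatus is 1 (finished) or 2 (failed)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        job = api("queryAsyncJobResult", jobid=job_id)
        if job.get("jobstatus") == 1:
            return job
        if job.get("jobstatus") == 2:
            raise RuntimeError(f"job {job_id} failed: {job.get('jobresult')}")
        time.sleep(poll)
    raise TimeoutError(f"job {job_id} did not finish within {timeout}s")


def secure_all_kvm_hosts(api):
    """Run the whole procedure one host at a time (each call restarts that
    host's libvirtd). 'api' is a callable (command, **params) -> response."""
    api("updateConfiguration", name=AUTH_STRICTNESS, value="true")
    hosts = api("listHosts", type="Routing", state="Up").get("host", [])
    provisioned = []
    for host_id in unsecured_kvm_hosts(hosts):
        job_id = api("provisionCertificate", hostid=host_id)["jobid"]
        wait_for_job(api, job_id)
        provisioned.append(host_id)
    return provisioned


# Constructed sample of a listHosts 'host' list (not captured from a real system).
SAMPLE_HOSTS = [
    {"id": "h1", "name": "kvm-01", "hypervisor": "KVM", "state": "Up", "details": {"secured": "true"}},
    {"id": "h2", "name": "kvm-02", "hypervisor": "KVM", "state": "Up", "details": {"secured": "false"}},
    {"id": "h3", "name": "kvm-03", "hypervisor": "KVM", "state": "Up", "details": {}},
    {"id": "h4", "name": "xen-01", "hypervisor": "XenServer", "state": "Up", "details": {"secured": "false"}},
]

if __name__ == "__main__":
    # Environment variable names are this example's choice, not CloudStack's.
    api = functools.partial(call_api, os.environ["CS_ENDPOINT"],
                            os.environ["CS_API_KEY"], os.environ["CS_SECRET_KEY"])
    print("provisioned:", secure_all_kvm_hosts(api))
```

Hosts are processed serially because, as the thread says, each provisionCertificate call restarts libvirtd on that host; doing them all at once would restart libvirtd cluster-wide in the same moment. Once a job finishes, the agent's keystore at /etc/cloudstack/agent/cloud.jks on that host is the newly provisioned one (the old one is removed, per the first message), and the host should flip to the secure state in the UI on its next reconnect.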