- Access to a CA, henceforth known as 'the CA'.
- Server key, server cert signed by the CA.
- Client key, client cert signed by the CA.
Once you have a CA, have a look at the libvirtd help on your server.
xen02:~/pki# libvirtd -h
libvirtd: invalid option -- 'h'

Usage:
  libvirtd [options]

Options:
  -v | --verbose         Verbose messages.
  -d | --daemon          Run as a daemon & write PID file.
  -l | --listen          Listen for TCP/IP connections.
  -t | --timeout <secs>  Exit after timeout period.
  -f | --config <file>   Configuration file.
     | --version         Display version information.
  -p | --pid-file <file> Change name of PID file.

  .......

    TLS:
      CA certificate:     /etc/pki/CA/cacert.pem
      Server certificate: /etc/pki/libvirt/servercert.pem
      Server private key: /etc/pki/libvirt/private/serverkey.pem

  .......

From the output above, it's evident that you will need to copy the CA's certificate to /etc/pki/CA/cacert.pem, generate a server key and a server CSR, then get the CSR to the CA. The CA will then provision you with a server cert, which you can place in the path shown above.
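The three prerequisites listed at the top (a CA, a server key and cert, a client key and cert, all signed by that CA) are easy to get wrong in the details: the CA cert must actually be marked as a CA, the server cert must carry the host name clients dial in its subjectAltName, and the client cert must be a client-auth cert. The POSIX shell script below is an added example, not code from the original post; it builds all three with openssl into an output directory using the same file names as the /etc/pki layout above, then verifies the chain. The organisation name "example.net", the validity periods and the client name are assumed values.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the CA, server and
# client material the post lists as prerequisites with openssl, then verifies
# the chain. Output dir, server FQDN and client name are parameters; the
# organisation "example.net" and validity periods are assumed values.
set -eu

# make_pki OUTDIR SERVER_FQDN CLIENT_NAME
# Writes cacert.pem/cakey.pem, servercert.pem/serverkey.pem and
# clientcert.pem/clientkey.pem into OUTDIR (same names as the post's
# /etc/pki layout, so they can be copied into place afterwards).
make_pki() {
    out=$1; host=$2; client=$3
    mkdir -p "$out"
    chmod 700 "$out"

    # 1. The CA: a self-signed cert explicitly marked as a CA, so that
    #    libvirt/gnutls and openssl accept it as a trust root.
    cat > "$out/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
O = example.net
CN = example.net CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$out/ca.cnf" -keyout "$out/cakey.pem" -out "$out/cacert.pem" 2>/dev/null

    # 2. Server: key + CSR (made on the server), CSR signed by the CA. The SAN
    #    must carry the name clients dial (qemu+tls://xen02.example.net/...).
    issue_cert "$out" server "/O=example.net/CN=$host" \
        "extendedKeyUsage = serverAuth
subjectAltName = DNS:$host"

    # 3. Client: same flow, but the cert is usable for client authentication only.
    issue_cert "$out" client "/O=example.net/CN=$client" \
        "extendedKeyUsage = clientAuth"

    chmod 600 "$out"/*key.pem          # private keys: owner-only
    rm -f "$out"/*.csr "$out"/*.ext "$out/ca.cnf" "$out/cacert.srl"
}

# issue_cert OUTDIR NAME SUBJECT EXTRA_EXTENSIONS
# Generates NAMEkey.pem and a CSR, then signs the CSR with the CA into
# NAMEcert.pem with the leaf-cert extensions plus EXTRA_EXTENSIONS.
issue_cert() {
    out=$1; name=$2; subj=$3; extra=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$out/${name}key.pem" -out "$out/$name.csr" 2>/dev/null
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\n%s\n' \
        "$extra" > "$out/$name.ext"
    openssl x509 -req -sha256 -days 365 -in "$out/$name.csr" \
        -CA "$out/cacert.pem" -CAkey "$out/cakey.pem" -CAcreateserial \
        -extfile "$out/$name.ext" -out "$out/${name}cert.pem" 2>/dev/null
}

# pki_ok OUTDIR SERVER_FQDN
# Returns 0 when both leaf certs chain to cacert.pem, the server cert's SAN
# carries SERVER_FQDN and the client cert is a client-auth cert: the checks a
# TLS peer performs on connect.
pki_ok() {
    openssl verify -CAfile "$1/cacert.pem" "$1/servercert.pem" "$1/clientcert.pem" >/dev/null &&
    openssl x509 -noout -text -in "$1/servercert.pem" | grep -q "DNS:$2" &&
    openssl x509 -noout -text -in "$1/clientcert.pem" | grep -q "TLS Web Client Authentication"
}

# Usage (host name from the post, client name assumed):
#   make_pki ./pki xen02.example.net admin-workstation && pki_ok ./pki xen02.example.net
# Then copy cacert.pem to /etc/pki/CA/, servercert.pem to /etc/pki/libvirt/ and
# serverkey.pem to /etc/pki/libvirt/private/ on the server; the client cert and
# key go to the matching clientcert.pem / private/clientkey.pem paths on the client.
```

Keep cakey.pem off the hypervisor entirely: only cacert.pem is needed there, and a CA key that sits next to the server key lets anyone who reads one mint their own client certs with the other.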
You will need to enable TLS in /etc/libvirt/libvirtd.conf (this setting only has an effect when libvirtd is started with the -l / --listen option shown in the help output above):
listen_tls = 1
You will probably want to enable TLS authentication for VNC as well, and to have VNC listen on interfaces other than localhost; these settings live in /etc/libvirt/qemu.conf:
vnc_listen = "0.0.0.0"
vnc_tls = 1
#Read the documentation for this
vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
vnc_tls_x509_verify = 1
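The two config fragments above interact: listen_tls = 1 is what puts the daemon behind TLS, while a VNC console bound to 0.0.0.0 is only protected when vnc_tls = 1 and only authenticates clients when vnc_tls_x509_verify = 1, which in turn needs the three files in vnc_tls_x509_cert_dir. The POSIX shell checker below is an added example, not code from the original post: it reads those keys out of a libvirtd.conf and a qemu.conf and reports the combinations that leave the daemon or the consoles unencrypted or unauthenticated. The defaults it assumes for absent keys follow libvirt's shipped config comments (listen_tls=1, listen_tcp=0, vnc_listen="127.0.0.1", vnc_tls=0, vnc_tls_x509_verify=0); the sample files it writes are constructed, not the post's.

```shell
#!/bin/sh
# Added example, not code from the original post: reads the TLS settings
# discussed above out of libvirtd.conf and qemu.conf and reports the
# combinations that leave the daemon or VNC consoles unencrypted or
# unauthenticated. Defaults assumed for absent keys follow libvirt's own:
# listen_tls=1, listen_tcp=0, vnc_listen="127.0.0.1", vnc_tls=0,
# vnc_tls_x509_verify=0.

# get_setting FILE KEY: print KEY's value with quotes and comments stripped,
# or nothing when the key is unset or commented out.
get_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # whole-line comment
        {
            line = $0
            sub(/#.*/, "", line)                  # trailing comment (these values never contain "#")
            if (match(line, "^[ \t]*" key "[ \t]*=")) {
                val = substr(line, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                gsub(/^"|"$/, "", val)
                found = val                       # a later assignment overrides an earlier one
            }
        }
        END { if (found != "") print found }
    ' "$1"
}

# check_tls_config LIBVIRTD_CONF QEMU_CONF: one finding per line on stdout;
# exit status 0 only when the configuration matches the hardened settings.
check_tls_config() {
    rc=0
    listen_tls=$(get_setting "$1" listen_tls); listen_tls=${listen_tls:-1}
    listen_tcp=$(get_setting "$1" listen_tcp); listen_tcp=${listen_tcp:-0}
    [ "$listen_tls" = "1" ] || { echo "libvirtd.conf: listen_tls = $listen_tls (TLS listener disabled)"; rc=1; }
    [ "$listen_tcp" = "0" ] || { echo "libvirtd.conf: listen_tcp = $listen_tcp (cleartext TCP listener enabled)"; rc=1; }

    vnc_listen=$(get_setting "$2" vnc_listen); vnc_listen=${vnc_listen:-127.0.0.1}
    vnc_tls=$(get_setting "$2" vnc_tls);       vnc_tls=${vnc_tls:-0}
    vnc_verify=$(get_setting "$2" vnc_tls_x509_verify); vnc_verify=${vnc_verify:-0}
    cert_dir=$(get_setting "$2" vnc_tls_x509_cert_dir)
    case "$vnc_listen" in
        127.0.0.1|::1|localhost) ;;               # loopback only: consoles are not reachable remotely
        *)
            [ "$vnc_tls" = "1" ] || { echo "qemu.conf: vnc_listen = $vnc_listen without vnc_tls = 1 (consoles in cleartext)"; rc=1; }
            [ "$vnc_verify" = "1" ] || { echo "qemu.conf: vnc_tls_x509_verify = $vnc_verify (clients need not present a certificate)"; rc=1; }
            ;;
    esac
    # With VNC TLS on, the cert dir must hold the three files the post's listing shows.
    if [ "$vnc_tls" = "1" ] && [ -n "$cert_dir" ] && [ -d "$cert_dir" ]; then
        for f in ca-cert.pem server-cert.pem server-key.pem; do
            [ -f "$cert_dir/$f" ] || { echo "qemu.conf: $cert_dir/$f missing"; rc=1; }
        done
    fi
    return $rc
}

# write_samples DIR: constructed sample configs (not from the post), one weak
# pair and one pair matching the post's settings, for trying the checker.
write_samples() {
    printf 'listen_tls = 0\nlisten_tcp = 1\n' > "$1/libvirtd-weak.conf"
    printf 'vnc_listen = "0.0.0.0"\n#vnc_tls = 1\n' > "$1/qemu-weak.conf"
    printf 'listen_tls = 1\n' > "$1/libvirtd-good.conf"
    mkdir -p "$1/libvirt-vnc"
    for f in ca-cert.pem server-cert.pem server-key.pem; do : > "$1/libvirt-vnc/$f"; done
    printf 'vnc_listen = "0.0.0.0"\nvnc_tls = 1\n#Read the documentation for this\nvnc_tls_x509_cert_dir = "%s"\nvnc_tls_x509_verify = 1\n' \
        "$1/libvirt-vnc" > "$1/qemu-good.conf"
}

# Usage: write_samples /tmp/x; check_tls_config /tmp/x/libvirtd-weak.conf /tmp/x/qemu-weak.conf
# On a real host: check_tls_config /etc/libvirt/libvirtd.conf /etc/libvirt/qemu.conf
```

The loopback case is deliberately silent: a console bound to 127.0.0.1 is reached through an SSH or TLS tunnel to the host, so VNC-level TLS adds nothing there. The check that matters most is the second one, since vnc_tls = 1 without vnc_tls_x509_verify = 1 encrypts the console but lets any client that trusts the CA open it.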
Here's my PKI directory
$ find /etc/pki/
/etc/pki/
/etc/pki/libvirt-vnc
/etc/pki/libvirt-vnc/ca-cert.pem
/etc/pki/libvirt-vnc/server-key.pem
/etc/pki/libvirt-vnc/server-cert.pem
/etc/pki/libvirt
/etc/pki/libvirt/servercert.pem
/etc/pki/libvirt/private
/etc/pki/libvirt/private/serverkey.pem
/etc/pki/CA
/etc/pki/CA/cacert.pem
To make life easier, you can have VNC and libvirt share the same keys and certs; the file names differ between the two layouts (ca-cert.pem versus cacert.pem, and so on, as the listing shows), so copy or symlink them under both names.
Restart the libvirt service
/etc/init.d/libvirt-bin restart
The client requires a similar PKI setup. The same CA must sign both the server and the client certs, since each side verifies the other's cert against it.
$ find /etc/pki/
/etc/pki/
/etc/pki/CA
/etc/pki/CA/cacert.pem
/etc/pki/libvirt
/etc/pki/libvirt/private
/etc/pki/libvirt/private/clientkey.pem
/etc/pki/libvirt/clientcert.pem
Add a connection in virt-manager that uses TLS, or use the command-line tools with a qemu+tls:// URI:
virt-viewer -c qemu+tls://xen02.example.net/system box2

virsh -c qemu+tls://xen02.example.net/system list
 Id Name                 State
----------------------------------
  7 box1                 running
 10 box2                 running
 11 box3                 running
 13 box4                 running
 14 box5                 running
 15 box6                 running
 16 box7                 running