Red Hat ENTERPRISE LINUX 5 - VIRTUALIZATION GUIDE Manual page 263
Hide thumbs
Also See for ENTERPRISE LINUX 5 - VIRTUALIZATION GUIDE:
- Deployment manual (848 pages) ,
- Manual (126 pages) ,
- Configuration (86 pages)
Table of Contents
Advertisement
based on x509 certificates. In addition the VNC console for each guest virtual machine will be setup to
use TLS with x509 certificate authentication.
This method does not require shell accounts on the remote machines being managed. However, extra
firewall rules are needed to access the management service or VNC console. Certificate revocation
lists can revoke users' access.
Steps to setup TLS/SSL access for virt-manager
The following short guide assuming you are starting from scratch and you do not have any TLS/
SSL certificate knowledge. If you are lucky enough to have a certificate management server you can
probably skip the first steps.
libvirt server setup
For more information on creating certificates, refer to the libvirt website,
remote.html.
Xen VNC Server
The Xen VNC server can have TLS enabled by editing the configuration file, /etc/xen/xend-
config.sxp. Remove the commenting on the (vnc-tls 1) configuration parameter in the
configuration file.
The /etc/xen/vnc directory needs the following 3 files:
• ca-cert.pem - The CA certificate
• server-cert.pem - The Server certificate signed by the CA
• server-key.pem - The server private key
This provides encryption of the data channel. It might be appropriate to require that clients
present their own x509 certificate as a form of authentication. To enable this remove the
commenting on the (vnc-x509-verify 1) parameter.
virt-manager and virsh client setup
The setup for clients is slightly inconsistent at this time. To enable the libvirt management API
over TLS, the CA and client certificates must be placed in /etc/pki. For details on this consult
http://libvirt.org/remote.html
In the virt-manager user interface, use the 'SSL/TLS' transport mechanism option when
connecting to a host.
For virsh, the URI has the following format:
• qemu://hostname.guestname/system for KVM.
• xen://hostname.guestname/ for Xen.
To enable SSL and TLS for VNC, it is necessary to put the certificate authority and client certificates
into $HOME/.pki, that is the following three files:
• CA or ca-cert.pem - The CA certificate.
• libvirt-vnc or clientcert.pem - The client certificate signed by the CA.
• libvirt-vnc or clientkey.pem - The client private key.
Remote management over TLS and SSL
http://libvirt.org/
249
Advertisement
Table of Contents
Troubleshooting
Related Manuals for Red Hat ENTERPRISE LINUX 5 - VIRTUALIZATION GUIDE
Related Products for Red Hat ENTERPRISE LINUX 5 - VIRTUALIZATION GUIDE
- Red Hat CLUSTER FOR ENTERPRISE LINUX 5.0
- Red Hat CLUSTER SUITE FOR ENTERPRISE LINUX 5.1
- Red Hat ENTERPRISE LINUX 5 - DM MULTIPATH
- Red Hat ENTERPRISE LINUX 5.1 DM MULTIPATH
- Red Hat ENTERPRISE LINUX 5.1 - LVM ADMINISTRATION
- Red Hat ENTERPRISE LINUX 5.1 - LINUX ORACLE
- Red Hat ENTERPRISE LINUX 5.3 - RELEASE MANIFEST
- Red Hat ENTERPRISE LINUX 5.5 - S 2010
- Red Hat CLUSTER SUITE FOR ENTERPRISE LINUX 5.2
- Red Hat CLUSTER SUITE FOR ENTERPRISE LINUX 4.5
- Red Hat CLUSTER SUITE FOR ENTERPRISE LINUX 4.7
- Red Hat ENTERPRISE LINUX 3 - SECURITY GUIDE
- Red Hat ENTERPRISE LINUX 3 - USING BINUTILS
- Red Hat ENTERPRISE LINUX 3 - STEP BY STEP GUIDE
- Red Hat ENTERPRISE LINUX 4 - DM MULTIPATH
- Red Hat ENTERPRISE LINUX 4.5.0 -