Hi Ugo,

If it's a fresh 4.11.2.0 installation you don't need to do anything; you'll get your KVM hosts secured after you add them.

TL;DR - If you're upgrading, you simply need to run the provisionCertificate API against each of your KVM hosts after installation and upgrade. Refer: http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#securing-process

- Rohit

<https://cloudstack.apache.org>

________________________________
From: Ugo Vasi <ugo.v...@procne.it>
Sent: Wednesday, January 30, 2019 6:43:00 PM
To: Rohit Yadav; users@cloudstack.apache.org
Subject: Re: secure hosts communications

Hi Rohit,
what I do not understand is if in this ACS version (4.11.2.0) you have to start the procedure manually or if it is done during the installation.
Did I skip some steps during the installation?

Thanks

On 30/01/19 13:37, Rohit Yadav wrote:
> Hi Ugo,
>
> This will be a one-time procedure, and the KVM host and the VMs do not
> need a reboot, but the provisionCertificate API will restart the
> libvirtd process (just check if that can have any side effects for
> your VMs/distro; on most modern distros restarting libvirtd does not
> have any side effects on existing running VMs).
>
> - Rohit
>
> rohit.ya...@shapeblue.com
> www.shapeblue.com
> @shapeblue
>
> ------------------------------------------------------------------------
> *From:* Ugo Vasi <ugo.v...@procne.it>
> *Sent:* Wednesday, January 30, 2019 4:47:09 PM
> *To:* users@cloudstack.apache.org; Rohit Yadav
> *Subject:* Re: secure hosts communications
>
> Hi Rohit,
> I have a 4.11.2.0 ACS infrastructure (Ubuntu 16.04 with KVM hypervisor).
> I see that all the hosts are in an unsecure state from the UI and so
> live migration doesn't work (we had troubles with the mgmt server).
>
> I read in the documentation that by launching the provisionCertificate API
> (by pressing the appropriate button in the UI) the certificates will be
> renewed/regenerated for already connected agents/hosts.
>
> I do not understand if provisioning should be done manually on each host
> or if the procedure should be done only once.
>
> Does this procedure reboot the host or the instances that it contains?
>
> Thanks
>
> On 27/11/18 09:49, Rohit Yadav wrote:
> > Hi Richard,
> >
> > Please read:
> > http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#security
> >
> > 4.11.2 is out, please consider using it instead of 4.11.1 as it has
> > several bugfixes etc.
> >
> > In short, with all of your KVM hosts up and connected to the mgmt
> > server, first change the auth strictness global setting to true, then
> > secure the hosts using the provisionCertificate API. In the
> > UI, go to your hosts that don't show up as secure and click on the key
> > button (a new button) to secure the host, which calls the
> > provisionCertificate API as well.
> >
> > - Rohit
> >
> > <https://cloudstack.apache.org>
> >
> > ________________________________
> > From: Richard Persaud <richard.pers...@macys.com>
> > Sent: Monday, November 26, 2018 8:19:56 PM
> > To: users@cloudstack.apache.org
> > Subject: RE: secure hosts communications
> >
> > Thank you, Rohit.
> >
> > I am using 4.11.1 with a full KVM environment. They are showing
> > unsecure with strictness set to true.
> >
> > What configuration needs to be adjusted to have the KVM hosts show
> > secure?
> >
> > Regards,
> >
> > Richard Persaud
> >
> > From: Rohit Yadav <rohit.ya...@shapeblue.com>
> > Sent: Saturday, November 24, 2018 2:02 PM
> > To: users@cloudstack.apache.org
> > Subject: Re: secure hosts communications
> >
> > Richard,
> >
> > Starting 4.11, agent and management servers will use an in-built CA
> > framework to secure hosts. Only in the case of KVM hosts you may see an
> > insecure state; otherwise all KVM hosts (agents) and SSVM/CPVM agents
> > in Up state will by default be secured. There is an auth
> > strictness setting that should be true.
> >
> > - Rohit
> >
> > <https://cloudstack.apache.org>
> >
> > ________________________________
> > From: Richard Persaud <richard.pers...@macys.com>
> > Sent: Saturday, November 24, 2018 4:21:24 AM
> > To: users@cloudstack.apache.org
> > Subject: secure hosts communications
> >
> > Hello,
> >
> > Is there a straightforward way to enable secure communications between
> > the management server and the hosts?
> >
> > I have looked at a lot of documentation but am still unable to get the
> > hosts to show a "secure" state.
> >
> > Regards,
> >
> > Richard Persaud
> >
> > rohit.ya...@shapeblue.com
> > www.shapeblue.com
> > Amadeus House, Floral Street, London WC2E 9DP, UK
> > @shapeblue
>
> --
> *Ugo Vasi* / System Administrator
> ugo.v...@procne.it
>
> *Procne S.r.l.*
> +39 0432 486 523
> via Cotonificio, 45
> 33010 Tavagnacco (UD)
> www.procne.it
>
> The information contained in this communication and its attachments may be
> confidential and is, in any case, intended exclusively for the persons or
> the Company indicated above. Dissemination, distribution and/or copying of
> the transmitted document by anyone other than the recipient is prohibited
> both under art. 616 of the Italian Penal Code (c.p.) and under Legislative
> Decree no. 196/2003, the "Personal Data Protection Code". If you have
> received this message in error, please destroy it and immediately inform
> Procne S.r.l. by writing to the e-mail address i...@procne.it.
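The procedure the thread settles on (list the KVM hosts, then call provisionCertificate on each one that is not yet secured) is easy to script against the management server API. The script below is an added example written for this page; it is not code from the thread or from the CloudStack project. It implements CloudStack's request-signing scheme (parameters URL-encoded, sorted, lower-cased, HMAC-SHA1 with the secret key, base64) and calls the real listHosts and provisionCertificate commands. Assumptions, marked in the code as well: the endpoint path /client/api, that the agent's TLS state is reported under the host's details as "secured", the API key pair "KEY"/"SECRET", and the two sample hosts served by the constructed FakeCloudStack stand-in so the script runs offline. Against a live server pass your own endpoint and keys and omit http_get. Remember from the thread that each provisionCertificate call restarts libvirtd on that host, and that the "auth strictness" setting Rohit refers to is the global setting ca.plugin.root.auth.strictness.

```python
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request


def sign_request(params, api_key, secret_key):
    """Return the signed query string for one CloudStack API call.

    Signing scheme: add apiKey (and response=json), URL-encode each value
    with spaces as %20, sort by parameter name, lower-case the whole
    string, HMAC-SHA1 it with the secret key, base64 the digest and
    append it URL-encoded as the 'signature' parameter.
    """
    full = dict(params)
    full["apiKey"] = api_key
    full.setdefault("response", "json")
    pairs = []
    for key in sorted(full):
        value = urllib.parse.quote_plus(str(full[key])).replace("+", "%20")
        pairs.append(f"{key}={value}")
    query = "&".join(pairs)
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    signature = urllib.parse.quote_plus(base64.b64encode(digest).decode())
    return f"{query}&signature={signature}"


def _http_get(url):
    """Default transport: plain GET, body returned as text."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def api_call(base_url, api_key, secret_key, command, http_get=None, **params):
    """Send one signed API command and return the parsed JSON response."""
    params["command"] = command
    url = base_url + "?" + sign_request(params, api_key, secret_key)
    return json.loads((http_get or _http_get)(url))


def host_is_secured(host):
    """Assumption: the KVM agent's TLS state is exposed as details.secured."""
    return str((host.get("details") or {}).get("secured", "")).lower() == "true"


def secure_kvm_hosts(base_url, api_key, secret_key, http_get=None, dry_run=False):
    """Call provisionCertificate (reconnect=true) on every KVM host that is
    not yet secured; returns the names of the hosts it provisioned."""
    listing = api_call(base_url, api_key, secret_key, "listHosts",
                       http_get=http_get, type="Routing", hypervisor="KVM")
    hosts = listing.get("listhostsresponse", {}).get("host", [])
    provisioned = []
    for host in hosts:
        if host_is_secured(host):
            continue
        if not dry_run:
            # provisionCertificate is asynchronous; the response carries a job id.
            api_call(base_url, api_key, secret_key, "provisionCertificate",
                     http_get=http_get, hostid=host["id"], reconnect="true")
        provisioned.append(host["name"])
    return provisioned


class FakeCloudStack:
    """Constructed stand-in for a management server so the script runs offline.
    It serves two constructed KVM hosts (one secured, one not) and records
    the parameters of every command it receives."""

    def __init__(self):
        self.calls = []

    def __call__(self, url):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        params = {k: v[0] for k, v in query.items()}
        if "signature" not in params or "apiKey" not in params:
            raise ValueError("unsigned request")
        self.calls.append(params)
        if params["command"] == "listHosts":
            return json.dumps({"listhostsresponse": {"count": 2, "host": [
                {"id": "1111-aaaa", "name": "kvm-01", "hypervisor": "KVM",
                 "details": {"secured": "true"}},
                {"id": "2222-bbbb", "name": "kvm-02", "hypervisor": "KVM",
                 "details": {"secured": "false"}}]}})
        if params["command"] == "provisionCertificate":
            return json.dumps({"provisioncertificateresponse": {"jobid": "job-constructed"}})
        raise ValueError("unexpected command " + params["command"])


def demo():
    """Run the procedure against the constructed server; returns (names, calls)."""
    fake = FakeCloudStack()
    names = secure_kvm_hosts("http://mgmt.example/client/api", "KEY", "SECRET", http_get=fake)
    return names, fake.calls


if __name__ == "__main__":
    names, calls = demo()
    print("provisioned:", names)
    print("commands sent:", [c["command"] for c in calls])
```

Run it as-is and it reports that only kvm-02 was provisioned and that exactly two signed commands went out. The dry_run flag lets you list the hosts that would be touched before any libvirtd restart happens.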