From Rohit Yadav <rohit.ya...@shapeblue.com>
Subject Re: secure hosts communications
Date Thu, 31 Jan 2019 10:02:50 GMT
Any old keystore on the KVM hosts (at /etc/cloudstack/agent/cloud.jks) will be removed.


- Rohit

<https://cloudstack.apache.org>



________________________________
From: Ugo Vasi <ugo.vasi@procne.it>
Sent: Thursday, January 31, 2019 2:24:06 PM
To: Rohit Yadav; users@cloudstack.apache.org
Subject: Re: secure hosts communications

Hi Rohit,
sorry to insist with the questions... when the procedure is launched, does
the framework rebuild and "overwrite" the certificate configuration?

On 31/01/19 09:28, Ugo Vasi wrote:
> Hi Rohit,
> this is a freshly installed infrastructure, but we had some hardware
> problems (a mgmt server restart) and now the hosts are in "unsecure"
> state.
>
> Do you have any idea how it could have happened to go to this state?
> I'm analyzing the logs but I do not find much about it.
>
> On 31/01/19 08:38, Rohit Yadav wrote:
>>
>> Hi Ugo,
>>
>>
>> If it's a fresh 4.11.2.0 installation you don't need to do anything;
>> you'll get your KVM hosts secured after you add them.
>>
>>
>> TL;DR - If you're upgrading, you simply need to run the
>> provisionCertificate API against each of your KVM hosts after
>> installation and upgrade. Refer:
>> http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#securing-process
>>
>>
>>
>> - Rohit
>>
>>
>>
>> rohit.yadav@shapeblue.com
>> www.shapeblue.com<http://www.shapeblue.com>
>> @shapeblue
>>
>> ------------------------------------------------------------------------
>> *From:* Ugo Vasi <ugo.vasi@procne.it>
>> *Sent:* Wednesday, January 30, 2019 6:43:00 PM
>> *To:* Rohit Yadav; users@cloudstack.apache.org
>> *Subject:* Re: secure hosts communications
>> Hi Rohit,
>> what I do not understand is if in this ACS version (4.11.2.0) you have
>> to start the procedure manually or it is done during the installation.
>> Did I skip some steps during the installation?
>>
>> Thanks
>>
>> On 30/01/19 13:37, Rohit Yadav wrote:
>> >
>> > Hi Ugo,
>> >
>> >
>> > This will be a one-time procedure, and the KVM host and the VMs do not
>> > need a reboot but the provisionCertificate API will restart the
>> > libvirtd process (just check if that can have any side effects for
>> > your VMs/distro, on most modern distros restarting libvirtd does not
>> > have any side-effects on existing running VMs).
>> >
>> >
>> > - Rohit
>> >
>> >
>> >
>> >
>> >
>> ------------------------------------------------------------------------
>> > *From:* Ugo Vasi <ugo.vasi@procne.it>
>> > *Sent:* Wednesday, January 30, 2019 4:47:09 PM
>> > *To:* users@cloudstack.apache.org; Rohit Yadav
>> > *Subject:* Re: secure hosts communications
>> > Hi Rohit,
>> > I have a 4.11.2.0 ACS infrastructure (Ubuntu 16.04 with KVM hypervisor).
>> > I see that all the hosts are in unsecure state from the UI and so the
>> > live migration doesn't work (we had troubles with the mgmt server).
>> >
>> > I read in the documentation that by launching the provisionCertificate API
>> > (by pressing the appropriate button in the UI) the certificates will be
>> > renewed/regenerated for already connected agents/hosts.
>> >
>> > I do not understand if provisioning should be done manually on each host
>> > or if the procedure should be done only once.
>> >
>> > Does this procedure reboot the host or the instances it contains?
>> >
>> >
>> > Thanks
>> >
>> >
>> >
>> > On 27/11/18 09:49, Rohit Yadav wrote:
>> > > Hi Richard,
>> > >
>> > >
>> > > Please read:
>> > > http://docs.cloudstack.apache.org/en/4.11.2.0/adminguide/hosts.html#security
>> > >
>> > >
>> > > 4.11.2 is out, please consider using it instead of 4.11.1 as it has
>> > > several bugfixes etc.
>> > >
>> > > In short, with all of your KVM hosts up and connected to the mgmt
>> > > server, first change the auth strictness global setting to true, then
>> > > secure the hosts using the provisionCertificate API. In the
>> > > UI, go to your hosts that don't show up as secure and click on the key
>> > > button (a new button) to secure the host, which calls the
>> > > provisionCertificate API as well.
>> > >
>> > >
>> > > - Rohit
>> > >
>> > > <https://cloudstack.apache.org>
>> > >
>> > >
>> > >
>> > > ________________________________
>> > > From: Richard Persaud <richard.persaud@macys.com>
>> > > Sent: Monday, November 26, 2018 8:19:56 PM
>> > > To: users@cloudstack.apache.org
>> > > Subject: RE: secure hosts communications
>> > >
>> > > Thank you, Rohit.
>> > >
>> > > I am using 4.11.1 with a full KVM environment. They are showing
>> > > unsecure with strictness set to true.
>> > >
>> > > What configuration needs to be adjusted to have the KVM hosts show
>> > > secure?
>> > >
>> > > Regards,
>> > >
>> > > Richard Persaud
>> > >
>> > > From: Rohit Yadav <rohit.yadav@shapeblue.com>
>> > > Sent: Saturday, November 24, 2018 2:02 PM
>> > > To: users@cloudstack.apache.org
>> > > Subject: Re: secure hosts communications
>> > >
>> > >
>> > > Richard,
>> > >
>> > >
>> > > Starting 4.11, agent and management servers will use an in-built CA
>> > > framework to secure hosts. Only in the case of KVM hosts may you see an
>> > > insecure state; otherwise all KVM hosts (agents) and SSVM/CPVM agents
>> > > in the Up state will be secured by default. There is an auth
>> > > strictness setting that should be true.
>> > >
>> > >
>> > >
>> > > - Rohit
>> > >
>> > > <https://cloudstack.apache.org>
>> > >
>> > >
>> > >
>> > > ________________________________
>> > > From: Richard Persaud <richard.persaud@macys.com>
>> > > Sent: Saturday, November 24, 2018 4:21:24 AM
>> > > To: users@cloudstack.apache.org
>> > > Subject: secure hosts communications
>> > >
>> > > Hello,
>> > >
>> > > Is there a straightforward way to enable secure communications between
>> > > the management server and the hosts?
>> > >
>> > > I have looked at many documentations but am still unable to get the
>> > > hosts to show a "secure" state.
>> > >
>> > > Regards,
>> > >
>> > > Richard Persaud
>> > >
>> >
>> >
>> > --
>> >
>> > *Ugo Vasi* / System Administrator
>> > ugo.vasi@procne.it
>> >
>> >
>> >
>> >
>> > *Procne S.r.l.*
>> > +39 0432 486 523
>> > via Cotonificio, 45
>> > 33010 Tavagnacco (UD)
>> > www.procne.it
>> >
>> >
>> > The information contained in this communication and its attachments
>> > may be confidential and is, in any case, intended exclusively for the
>> > persons or the Company indicated above. Dissemination, distribution
>> > and/or copying of the transmitted document by anyone other than the
>> > addressee is prohibited both under art. 616 of the Italian Criminal
>> > Code and under Legislative Decree no. 196/2003, the "Personal Data
>> > Protection Code". If you have received this message in error, please
>> > destroy it and immediately inform Procne S.r.l. by writing to the
>> > e-mail address info@procne.it.
>> >
>>
>>
>
>




rohit.yadav@shapeblue.com 
www.shapeblue.com
Amadeus House, Floral Street, London  WC2E 9DPUK
@shapeblue
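The thread's one-time procedure (set the auth strictness global setting to true, then call provisionCertificate against each KVM host) is driven through the CloudStack API, whose requests must be HMAC-SHA1 signed. The following added example, not code from CloudStack or from anyone in the thread, builds those signed requests and shows the matching server-side verification; the setting name `ca.plugin.root.auth.strictness`, the endpoint `mgmt.example`, the API key, secret key and host ids are placeholders assumed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote

API_URL = "http://mgmt.example:8080/client/api"  # placeholder endpoint (assumed)
STRICTNESS_SETTING = "ca.plugin.root.auth.strictness"  # assumed global setting name


def _canonical_query(params):
    # CloudStack canonical form: parameters sorted by name (case-insensitive),
    # values URL-encoded with spaces as %20, joined with '&'.
    items = sorted(params.items(), key=lambda kv: kv[0].lower())
    return "&".join(f"{k}={quote(str(v), safe='*')}" for k, v in items)


def _signature(query, secret_key):
    # HMAC-SHA1 over the lowercased canonical query, base64-encoded.
    mac = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(params, api_key, secret_key):
    """Client side: return the signed query string for one API call."""
    query = _canonical_query(dict(params, apikey=api_key))
    return f"{query}&signature={quote(_signature(query, secret_key), safe='*')}"


def verify_signature(signed_query, secret_key):
    """Server side: drop 'signature', recompute it, compare in constant time."""
    pairs = parse_qsl(signed_query, keep_blank_values=True)
    presented = dict(pairs).get("signature", "")
    params = {k: v for k, v in pairs if k != "signature"}
    expected = _signature(_canonical_query(params), secret_key)
    return hmac.compare_digest(presented, expected)


def securing_requests(host_ids, api_key, secret_key):
    """The sequence from the thread: strictness first, then one call per host."""
    calls = [{"command": "updateConfiguration", "response": "json",
              "name": STRICTNESS_SETTING, "value": "true"}]
    calls += [{"command": "provisionCertificate", "response": "json",
               "hostid": host_id} for host_id in host_ids]
    return [f"{API_URL}?{sign_request(c, api_key, secret_key)}" for c in calls]


if __name__ == "__main__":
    # Constructed placeholder host ids; real ids come from listHosts.
    for url in securing_requests(["HOST-ID-1", "HOST-ID-2"], "APIKEY", "SECRET"):
        print(url)
```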