Installation guide

TLS/SSL access for virt-manager
The libvirt Wiki contains complete details on how to configure TLS/SSL access: http://wiki.libvirt.org/page/TLSSetup
To enable SSL and TLS for VNC, refer to the libvirt Wiki: http://wiki.libvirt.org/page/VNCTLSSetup. It is necessary to place the Certificate Authority Certificate, Client Certificate, and Client Certificate Private Key in the following locations:
The Certificate Authority Certificate should be placed in /etc/pki/CA/cacert.pem.
The Client Certificate, signed by the CA, should be placed in either of:
/etc/pki/libvirt-vnc/clientcert.pem for system wide use, or
$HOME/.pki/libvirt-vnc/clientcert.pem for an individual user.
The Private Key for the Client Certificate should be placed in either of:
/etc/pki/libvirt-vnc/private/clientkey.pem for system wide use, or
$HOME/.pki/libvirt-vnc/private/clientkey.pem for an individual user.
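As an added example (not from the guide or from libvirt itself), the following POSIX shell script turns the file locations above into a check: it confirms that the CA certificate, client certificate and private key exist at the listed paths and that the private key is not group- or world-readable. The permission rule is this script's own assumption, not a requirement stated in the guide, and GNU stat on Linux is assumed.

```shell
#!/bin/sh
# Added example, not from the guide: audit the VNC TLS client certificate
# layout described above. Assumes Linux with GNU stat (-c '%a'); the rule
# that the private key must not be group/world readable is this script's
# own policy assumption, not a libvirt requirement stated in the guide.

# audit_vnc_tls_dir CA_FILE CERT_DIR
#   CA_FILE  - the CA certificate (the guide's /etc/pki/CA/cacert.pem)
#   CERT_DIR - a directory laid out as the guide describes:
#              CERT_DIR/clientcert.pem and CERT_DIR/private/clientkey.pem
# Prints one line per finding and returns the number of problems found,
# so 0 means the layout is complete and the key permissions are tight.
audit_vnc_tls_dir() {
    audit_ca="$1"
    audit_dir="$2"
    audit_problems=0

    if [ ! -r "$audit_ca" ]; then
        echo "MISSING: CA certificate $audit_ca"
        audit_problems=$((audit_problems + 1))
    fi
    for audit_f in "$audit_dir/clientcert.pem" "$audit_dir/private/clientkey.pem"; do
        if [ ! -f "$audit_f" ]; then
            echo "MISSING: $audit_f"
            audit_problems=$((audit_problems + 1))
        fi
    done

    audit_key="$audit_dir/private/clientkey.pem"
    if [ -f "$audit_key" ]; then
        audit_mode=$(stat -c '%a' "$audit_key")
        # Octal mode ANDed with 077: any group/other bit set is a finding.
        if [ $(( 0$audit_mode & 077 )) -ne 0 ]; then
            echo "WEAK PERMISSIONS: $audit_key is mode $audit_mode (group/other can read it)"
            audit_problems=$((audit_problems + 1))
        fi
    fi
    return "$audit_problems"
}

# Walk both locations the guide lists: system-wide first, then the
# current user's $HOME/.pki/libvirt-vnc.
for audit_loc in /etc/pki/libvirt-vnc "${HOME:-/root}/.pki/libvirt-vnc"; do
    echo "== $audit_loc"
    audit_vnc_tls_dir /etc/pki/CA/cacert.pem "$audit_loc" || echo "   $? problem(s)"
done
```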
19.3. Transport modes
For remote management, libvirt supports the following transport modes:
Transport Layer Security (TLS)
Transport Layer Security TLS 1.0 (SSL 3.1) authenticated and encrypted TCP/IP socket, usually
listening on a public port number. To use this you will need to generate client and server certificates.
The standard port is 16514.
UNIX sockets
Unix domain sockets are only accessible on the local machine. Sockets are not encrypted, and use UNIX permissions or SELinux for authentication. The standard socket names are /var/run/libvirt/libvirt-sock and /var/run/libvirt/libvirt-sock-ro (for read-only connections).
SSH
Transported over a Secure Shell protocol (SSH) connection. Requires Netcat (the nc package) installed. The libvirt daemon (libvirtd) must be running on the remote machine. Port 22 must be open for SSH access. You should use some sort of ssh key management (for example, the ssh-agent utility) or you will be prompted for a password.
ext
The ext parameter is used for any external program which can make a connection to the remote
machine by means outside the scope of libvirt. This parameter is unsupported.
tcp
Unencrypted TCP/IP socket. Not recommended for production use; it is normally disabled, but an administrator can enable it for testing or for use over a trusted network. The default port is 16509.
The default transport, if no other is specified, is tls.