Installation guide

ManualsBrandsRed Hat ManualsComputer equipmentENTERPRISE LINUX 5 - VIRTUALIZATION GUIDE

241

242

243

244

245

246

247

248

249

250

the same technology used by web browsers for secure connections. The libvirt management

connection opens a TCP port for incoming connections, which is securely encrypted and

authenticated based on x509 certificates. In addition the VNC console for each guest virtual machine

will be setup to use TLS with x509 certificate authentication.

This method does not require shell accounts on the remote machines being managed. However, extra

firewall rules are needed to access the management service or VNC console. Certificate revocation

lists can revoke users' access.

St ep s t o set u p T LS/SSL access f o r virt - man ag er

The following short guide assuming you are starting from scratch and you do not have any TLS/SSL

certificate knowledge. If you are lucky enough to have a certificate management server you can

probably skip the first steps.

libvirt server set up

For more information on creating certificates, see the lib virt website,

http://libvirt.org/remote.html.

Xen VNC Server

The Xen VNC server can have TLS enabled by editing the configuration file,

/etc/xen/xend-config.sxp. Remove the commenting on the (vnc-tls 1)

configuration parameter in the configuration file.

The /etc/xen/vnc directory needs the following 3 files:

ca-cert.pem - The CA certificate

server-cert.pem - The Server certificate signed by the CA

server-key.pem - The server private key

This provides encryption of the data channel. It might be appropriate to require that clients

present their own x509 certificate as a form of authentication. To enable this remove the

commenting on the (vnc-x509-verify 1) parameter.

virt-manager an d virsh clien t set up

The setup for clients is slightly inconsistent at this time. To enable the libvirt

management API over TLS, the CA and client certificates must be placed in /etc/pki. For

details on this consult http://libvirt.org/remote.html

In the virt-manager user interface, use the 'SSL/TLS' transport mechanism option when

connecting to a host.

For virsh, the URI has the following format:

qemu://hostname.guestname/system for KVM.

xen://hostname.guestname/ for Xen.

To enable SSL and TLS for VNC, it is necessary to put the certificate authority and client certificates

into $HOME/.pki, that is the following three files:

CA or ca-cert.pem - The CA certificate.

libvirt-vnc or clientcert.pem - The client certificate signed by the CA.

⁠Chapt er 2 3. Remot e management of guest s

24 3