OLVM : KVM Certificate Renewal
Chanaka Yapa
Jun 14, 2024 7:34:00 PM
Intro
Virtualization has revolutionized the IT industry by enabling organizations to utilize server resources more efficiently. Despite the rise of cloud technology, many companies are hesitant to migrate their workloads to the cloud due to concerns about data sensitivity and business challenges. For these organizations, virtualization remains the most cost-effective solution, offering both capital expenditure (CapEx) savings and a secure environment.
To host critical database workloads securely, it's crucial to ensure that virtualization platforms are fully protected. Oracle Linux Virtualization Manager (OLVM) is a key tool for managing these virtual environments, and maintaining its security certificates is essential for safeguarding the infrastructure. Regular renewal of these certificates is necessary to uphold the security and integrity of the virtualized environment.
In this blog, I will illustrate how we renew all KVM certificates.
This is the main MetaLink note that can be used for renewing the engine and KVM certificates.
OLVM: How to Renew SSL Certificates that are Expired or Nearing Expiration (Doc ID 3006292.1)
How to validate all OLVM certificates.
It's important to validate all the certificates before making any changes. First, navigate to /etc/pki/ovirt-engine/certs/ and run the for loop below, which prints the validity dates of every certificate so you can see when each one expires.
cd /etc/pki/ovirt-engine/certs/
for cert in *.cer; do echo "Certificate: $cert"; openssl x509 -in "$cert" -noout -dates; echo; done
Sample output :
[root@olvm-engine certs]# for cert in *.cer; do echo "Certificate: $cert"; openssl x509 -in "$cert" -noout -dates; echo; done
Certificate: apache.cer
notBefore=Aug 29 18:23:00 2023 GMT
notAfter=Oct 1 18:23:00 2024 GMT
Certificate: engine.cer
notBefore=Aug 29 18:22:59 2023 GMT
notAfter=Oct 1 18:22:59 2024 GMT
Certificate: jboss.cer
notBefore=Aug 29 18:22:59 2023 GMT
notAfter=Oct 1 18:22:59 2024 GMT
Certificate: KVM120.local.ca.cer
notBefore=Sep 11 00:27:21 2023 GMT
notAfter=Sep 12 00:27:21 2028 GMT
Certificate: KVM120.local.ca-ssh.cer
notBefore=Sep 7 20:06:34 2022 GMT
notAfter=Oct 11 20:06:34 2023 GMT
Certificate: KVM121.local.ca.cer
notBefore=Sep 11 00:02:11 2023 GMT
notAfter=Sep 12 00:02:11 2028 GMT
Certificate: KVM121.local.ca-ssh.cer
notBefore=Sep 7 20:43:08 2022 GMT
notAfter=Oct 11 20:43:08 2023 GMT
Certificate: ovirt-provider-ovn.cer
notBefore=Jul 26 13:31:27 2022 GMT
notAfter=Aug 29 13:31:27 2023 GMT
Certificate: ovn-ndb.cer
notBefore=Jul 26 13:31:26 2022 GMT
notAfter=Aug 29 13:31:26 2023 GMT
Certificate: ovn-sdb.cer
notBefore=Jul 26 13:31:27 2022 GMT
notAfter=Aug 29 13:31:27 2023 GMT
Certificate: reports.cer
notBefore=Aug 29 18:23:00 2023 GMT
notAfter=Oct 1 18:23:00 2024 GMT
Certificate: vmconsole-proxy-helper.cer
notBefore=May 8 15:40:04 2024 GMT
notAfter=Jun 11 15:40:04 2025 GMT
Certificate: vmconsole-proxy-host.cer
notBefore=May 8 15:40:04 2024 GMT
notAfter=Jun 11 15:40:04 2025 GMT
Certificate: vmconsole-proxy-user.cer
notBefore=May 8 15:40:04 2024 GMT
notAfter=Jun 11 15:40:04 2025 GMT
Certificate: websocket-proxy.cer
notBefore=Aug 29 18:23:00 2023 GMT
notAfter=Oct 1 18:23:00 2024 GMT
[root@olvm-engine certs]#
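The loop above only prints dates, and several certificates in the sample output are already past their notAfter date. The following is an added example, not part of the original post or of Oracle's script, that classifies each certificate as EXPIRED, EXPIRING or OK. The function names, the 30-day default threshold and the reliance on GNU date are assumptions.

```shell
#!/bin/sh
# Added example: flag engine certificates that are expired or close to expiry.
# Assumes GNU date (as shipped with Oracle Linux) and the openssl CLI.

WARN_DAYS="${WARN_DAYS:-30}"   # assumed default warning window, in days

# classify_enddate "<notAfter=... line>" [now_epoch] [warn_days]
# Takes the line printed by `openssl x509 -noout -enddate` and prints
# EXPIRED, EXPIRING (inside the warning window) or OK.
classify_enddate() {
    local end="${1#notAfter=}"
    local now="${2:-$(date -u +%s)}"
    local warn="${3:-$WARN_DAYS}"
    local end_epoch
    end_epoch="$(date -u -d "$end" +%s 2>/dev/null)" || { echo "UNKNOWN"; return 2; }
    if [ "$end_epoch" -le "$now" ]; then
        echo "EXPIRED"
    elif [ $(( end_epoch - now )) -lt $(( warn * 86400 )) ]; then
        echo "EXPIRING"
    else
        echo "OK"
    fi
}

# scan_cert_dir <dir>
# Prints one status line per *.cer file; returns non-zero if any
# certificate is not OK, so it can be used from cron or a monitoring check.
scan_cert_dir() {
    local dir="$1" rc=0 cert line status
    for cert in "$dir"/*.cer; do
        [ -e "$cert" ] || continue
        line="$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null)" || {
            echo "UNREADABLE ${cert##*/}"; rc=1; continue
        }
        status="$(classify_enddate "$line")"
        printf '%-9s %s  %s\n' "$status" "${line#notAfter=}" "${cert##*/}"
        [ "$status" = "OK" ] || rc=1
    done
    return "$rc"
}

# Run only when a directory is given, e.g.:
#   sh check-certs.sh /etc/pki/ovirt-engine/certs
if [ "$#" -gt 0 ]; then
    scan_cert_dir "$1"
fi
```

The non-zero exit status makes it easy to alert on the result before a certificate lapses instead of discovering it during an outage.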
This is the current certificate validity period published by Oracle.
You no longer need downtime to update KVM certificates, as this process can now be performed while VMs and KVMs are online. Oracle has developed an excellent script that facilitates the validation and renewal of your KVM certificate. I received this script from Oracle support, and they will likely publish it on Oracle support soon.
First, you need to create the script above on the OLVM engine server as OlvmKvmCerts in the KVM root home directory.
KVM server list
To test the script, run it with list-hosts to list the hosts in the OLVM cluster.
[root@engine-olvm-01 ~]# ./OlvmKvmCerts list-hosts
name | host | cluster
--------+---------------- +---------
KVM120 | KVM120.local.ca | ECLIPSYS_DB
KVM121 | KVM121.local.ca | ECLIPSYS_DB
To validate certificates, you can execute OlvmKvmCerts check-host.
As per this example, two certificates' statuses show as warnings.
[root@sofe-olvm-01 ~]# ./OlvmKvmCerts check-host KVM120.local.ca
... Host: KVM120.local.ca
Checking connection to KVM120.local.ca [PASS]
/etc/pki/vdsm/certs/vdsmcert.pem Sep 12 00:27:21 2028 GMT
Validating vdsm against ca [PASS]
Checking vdsm private key [PASS]
Checking vdsm ca permissions [PASS]
Checking vdsm cert permissions [PASS]
Checking vdsm key permissions [PASS]
/etc/pki/vdsm/libvirt-migrate/server-cert.pem Oct 11 20:05:13 2023 GMT
Validating libvirt-migrate against ca [WARN]
Checking libvirt-migrate private key [PASS]
Checking libvirt-migrate ca permissions [PASS]
Checking libvirt-migrate cert permissions [PASS]
Checking libvirt-migrate key permissions [PASS]
/etc/pki/vdsm/libvirt-spice/server-cert.pem Sep 12 00:27:21 2028 GMT
Validating libvirt-spice against ca [PASS]
Checking libvirt-spice private key [PASS]
Checking libvirt-spice ca permissions [PASS]
Checking libvirt-spice cert permissions [PASS]
Checking libvirt-spice key permissions [PASS]
/etc/pki/vdsm/libvirt-vnc/server-cert.pem Sep 12 00:27:21 2028 GMT
Validating libvirt-vnc against ca [PASS]
Checking libvirt-vnc private key [WARN]
Checking libvirt-vnc ca permissions [PASS]
Checking libvirt-vnc cert permissions [PASS]
Checking libvirt-vnc key permissions [PASS]
[root@sofe-olvm-01 ~]#
How to Renew Certificates in KVM
The OlvmKvmCerts script helps you renew all the certificates. Once the renewal is complete, run check-host again to validate all the certificates.
[root@engine-olvm-01 ~]# ./OlvmKvmCerts renew-host KVM120.sofe.ca
... Host: KVM120.sofe.ca
Checking connection to KVM120.local.ca [PASS]
Creating backup for KVM120.local.ca [PASS]
Getting private key of KVM120.local.ca [PASS]
Checking cert subject [PASS]
Generating cert request for KVM120.local.ca [PASS]
Signing the cert for KVM120.local.ca [PASS]
Copying ca cert to KVM120.local.ca [PASS]
Copying vdsm cert to KVM120.local.ca [PASS]
Copying libvirt cert to KVM120.local.ca [PASS]
Copying libvirt-spice cert to KVM120.local.ca [PASS]
Copying libvirt-vnc cert to KVM120.local.ca [PASS]
Checking libvirt-migrate cert subject [PASS]
Generating libvirt-migrate cert [PASS]
Copying qemu-ca cert to KVM120.local.ca [PASS]
Copying libvirt-migrate cert to KVM120.local.ca [PASS]
Restarting services on KVM120.local.ca [PASS]
[root@engine-olvm-01 ~]#
Conclusion
In conclusion, renewing the KVM certificate is essential for maintaining the security and functionality of your virtual environment. Ensuring that your certificate is up-to-date helps protect against vulnerabilities and ensures seamless communication between KVM components. Regularly renewing your KVM certificate should be a key part of your system maintenance strategy to ensure continued reliability and security.