Virtualization has revolutionized the IT industry by enabling organizations to utilize server resources more efficiently. Despite the rise of cloud technology, many companies are hesitant to migrate their workloads to the cloud due to concerns about data sensitivity and business challenges. For these organizations, virtualization remains the most cost-effective solution, offering both capital expenditure (CapEx) savings and a secure environment.

 

To host critical database workloads securely, it's crucial to ensure that virtualization platforms are fully protected. Oracle Linux Virtualization Manager (OLVM) is a key tool for managing these virtual environments, and maintaining its security certificates is essential for safeguarding the infrastructure. Regular renewal of these certificates is necessary to uphold the security and integrity of the virtualized environment.

 

In this blog, I will illustrate how we renew all KVM certificates. 

 

This is the main meta link note that can be used for the new engine and KVM certificate.  

 

 

 

 

How to validate all OLVM certificates.

 

It's important to validate all the certificates before making any changes. First, navigate to /etc/pki/ovirt-engine/certs/ and execute the below-mentioned for loop, using this can understand the certificate expiry date.

cd /etc/pki/ovirt-engine/certs/
for cert in *.cer; do echo "Certificate: $cert"; openssl x509 -in "$cert" -noout -dates; echo;  done

 

Sample output :

 

[root@olvm-engine certs]# for cert in *.cer; do echo "Certificate: $cert"; openssl x509 -in "$cert" -noout -dates; echo;  done
Certificate: apache.cer
notBefore=Aug 29 18:23:00 2023 GMT
notAfter=Oct  1 18:23:00 2024 GMT

Certificate: engine.cer
notBefore=Aug 29 18:22:59 2023 GMT
notAfter=Oct  1 18:22:59 2024 GMT

Certificate: jboss.cer
notBefore=Aug 29 18:22:59 2023 GMT
notAfter=Oct  1 18:22:59 2024 GMT

Certificate: KVM120.local.ca.cer
notBefore=Sep 11 00:27:21 2023 GMT
notAfter=Sep 12 00:27:21 2028 GMT

Certificate: KVM120.local.ca-ssh.cer
notBefore=Sep  7 20:06:34 2022 GMT
notAfter=Oct 11 20:06:34 2023 GMT

Certificate: KVM121.local.ca.cer
notBefore=Sep 11 00:02:11 2023 GMT
notAfter=Sep 12 00:02:11 2028 GMT

Certificate: KVM121.local.ca-ssh.cer
notBefore=Sep  7 20:43:08 2022 GMT
notAfter=Oct 11 20:43:08 2023 GMT

Certificate: ovirt-provider-ovn.cer
notBefore=Jul 26 13:31:27 2022 GMT
notAfter=Aug 29 13:31:27 2023 GMT

Certificate: ovn-ndb.cer
notBefore=Jul 26 13:31:26 2022 GMT
notAfter=Aug 29 13:31:26 2023 GMT

Certificate: ovn-sdb.cer
notBefore=Jul 26 13:31:27 2022 GMT
notAfter=Aug 29 13:31:27 2023 GMT

Certificate: reports.cer
notBefore=Aug 29 18:23:00 2023 GMT
notAfter=Oct  1 18:23:00 2024 GMT

Certificate: vmconsole-proxy-helper.cer
notBefore=May  8 15:40:04 2024 GMT
notAfter=Jun 11 15:40:04 2025 GMT

Certificate: vmconsole-proxy-host.cer
notBefore=May  8 15:40:04 2024 GMT
notAfter=Jun 11 15:40:04 2025 GMT

Certificate: vmconsole-proxy-user.cer
notBefore=May  8 15:40:04 2024 GMT
notAfter=Jun 11 15:40:04 2025 GMT

Certificate: websocket-proxy.cer
notBefore=Aug 29 18:23:00 2023 GMT
notAfter=Oct  1 18:23:00 2024 GMT

[root@olvm-engine certs]#

 

This is the current certificate validity period published by Oracle.

 

 

You no longer need downtime to update KVM certificates, as this process can now be performed while VMs and KVMs are online. Oracle has developed an excellent script that facilitates the validation and renewal of your KVM certificate. I received this script from Oracle support, and they will likely publish it on Oracle support soon.

First, you need to create the script above under the OLVM-engine server as OlvmKvmCerts in the KVM root home directory.

KVM server list

To test the script you can list-hosts to validate the hosts in the OLVM cluster.

[root@engine-olvm-01 ~]# ./OlvmKvmCerts list-hosts

  name  |      host       | cluster
--------+---------------- +---------
 KVM120 | KVM120.local.ca | ECLIPSYS_DB
 KVM121 | KVM121.local.ca | ECLIPSYS_DB

[root@sofe-olvm-01 ~]# ./OlvmKvmCerts check-host KVM120.local.ca

... Host: KVM120.local.ca
 Checking connection to KVM120.local.ca                                   [PASS]
 /etc/pki/vdsm/certs/vdsmcert.pem                       Sep 12 00:27:21 2028 GMT
 Validating vdsm against ca                                               [PASS]
 Checking vdsm private key                                                [PASS]
 Checking vdsm ca permissions                                             [PASS]
 Checking vdsm cert permissions                                           [PASS]
 Checking vdsm key permissions                                            [PASS]
 /etc/pki/vdsm/libvirt-migrate/server-cert.pem          Oct 11 20:05:13 2023 GMT
 Validating libvirt-migrate against ca                                    [WARN]
 Checking libvirt-migrate private key                                     [PASS]
 Checking libvirt-migrate ca permissions                                  [PASS]
 Checking libvirt-migrate cert permissions                                [PASS]
 Checking libvirt-migrate key permissions                                 [PASS]
 /etc/pki/vdsm/libvirt-spice/server-cert.pem            Sep 12 00:27:21 2028 GMT
 Validating libvirt-spice against ca                                      [PASS]
 Checking libvirt-spice private key                                       [PASS]
 Checking libvirt-spice ca permissions                                    [PASS]
 Checking libvirt-spice cert permissions                                  [PASS]
 Checking libvirt-spice key permissions                                   [PASS]
 /etc/pki/vdsm/libvirt-vnc/server-cert.pem              Sep 12 00:27:21 2028 GMT
 Validating libvirt-vnc against ca                                        [PASS]
 Checking libvirt-vnc private key                                         [WARN]
 Checking libvirt-vnc ca permissions                                      [PASS]
 Checking libvirt-vnc cert permissions                                    [PASS]
 Checking libvirt-vnc key permissions                                     [PASS]

[root@sofe-olvm-01 ~]#

How to Renew Certificates in KVM

[root@engine-olvm-01 ~]# ./OlvmKvmCerts renew-host KVM120.sofe.ca

... Host: KVM120.sofe.ca
 Checking connection to KVM120.local.ca                                    [PASS]
 Creating backup for KVM120.local.ca                                       [PASS]
 Getting private key of KVM120.local.ca                                    [PASS]
 Checking cert subject                                                     [PASS]
 Generating cert request for KVM120.local.ca                               [PASS]
 Signing the cert for KVM120.local.ca                                      [PASS]
 Copying ca cert to KVM120.local.ca                                        [PASS]
 Copying vdsm cert to KVM120.local.ca                                      [PASS]
 Copying libvirt cert to KVM120.local.ca                                   [PASS]
 Copying libvirt-spice cert to KVM120.local.ca                             [PASS]
 Copying libvirt-vnc cert to KVM120.local.ca                               [PASS]
 Checking libvirt-migrate cert subject                                     [PASS]
 Generating libvirt-migrate cert                                           [PASS]
 Copying qemu-ca cert to KVM120.local.ca                                   [PASS]
 Copying libvirt-migrate cert to KVM120.local.ca                           [PASS]
 Restarting services on KVM120.local.ca                                    [PASS]

[root@engine-olvm-01 ~]#

In conclusion, renewing the KVM certificate is essential for maintaining the security and functionality of your virtual environment. Ensuring that your certificate is up-to-date helps protect against vulnerabilities and ensures seamless communication between KVM components. Regularly renewing your KVM certificate should be a key part of your system maintenance strategy to ensure continued reliability and security.