Per-user: $HOME/.pki/vinagre/private/clientkey.pem.System wide: /etc/pki/vinagre/private/clientkey.pem.System wide: /etc/pki/vinagre/clientcert.pem.Verify things are correct by connecting to a virtualized guest using one of the VNC clients known to work. The VNC TLS setting is only recognised at guest start time, so if you have guests running from before you made these changes, you'll need to restart them for it to be effective.Ħ. If you're using Virt Manager or Virt Viewer, you also need to enable a setting in /etc/sysconfig/libvirtd on the host server.ĥ. $ sudo chmod 440 /etc/pki/libvirt/servercert.pem \ģ. If you used soft links as in the example above, one way to achieve this is: You mush ensure it can read the TLS certificate files. $ sudo ln -s /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-vnc/server-key.pemīy default on RHEL 6 and Fedora 13+ (older is untested), QEMU processes are launched using qemu: qemu ownership. $ sudo ln -s /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-vnc/server-cert.pem $ sudo ln -s /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem Soft links to the certificates and keys for the main libvirt configuration can be used: Private Key for the Server Certificate: /etc/pki/libvirt-vnc/server-key.pem.Server Certificate: /etc/pki/libvirt-vnc/server-cert.pem.Certificate Authority Certificate: /etc/pki/libvirt-vnc/ca-cert.pem.The QEMU process needs read access to a TLS Certificate Authority Certificate, a Server Certificate signed by it, and the private key for the Server Certificate. Place the TLS Server Certificate and matching private key files where your QEMU user can access them. You can give a specific IP address instead if required.Ĭ) Enable use of X509 certificates for authenticationĢ. You need to enable some settings in /etc/libvirt/nf on the host server.Ī) Instruct QEMU virtual machines to listen for incoming connectionsĠ.0.0.0 instructs QEMU to listen on all network interfaces. (please note these are Fedora 13 & RHEL 6 specific paths, other distributions may vary)ġ. Use good unix security (groups, permissions, acls, roles, etc) to manage access to the certificate + private key.Ĭhanges to be made on the virtualisation host server So, if you have permissions allowing wide read access (ie 644) to those files on a client system, any user with login access to that client system can then perform admin commands on your virtualisation servers. Any user with read access to a client certificate + private key can use it to authenticate to your (configured) virtualisation servers. Per-user location: $HOME/.pki/CA/cacrl.pemīe careful when using system wide client certificates.System wide location: /etc/pki/CA/cacrl.pem.This can be either in a system wide path, or in a per-user location: In addition, all of the working VNC clients can accept an optional Certificate Revocation List (CRL) file.
#TIGERVNC TLS INSTALL#
The paths to install the files at are listed below. The steps to follow are listed on the previously mentioned TLS Setup page The private key for this Client Certificate fileĬreating these files isn't too difficult.A "Client" Certificate file, signed with the above Certificate Authority Certificate.A Certificate Authority "Certificate" file.Once the host servers are set up for TLS (and verified), the client set up is fairly straightforward. The steps for doing this are fully documented on the TLS Setup page TLS should be set up on the servers firstīefore using TLS to connect to virtual machines, their host servers must be configured for TLS. The per-user paths will likely be the same regardless of distribution. The paths given are from Fedora 13 & RHEL 6, so any system paths may be different on other Linux distributions. This page gives the instructions for setting up VNC to communicate over TLS. 7.2.2 You receive an error about not being able to send a monitor command.7.2.1 Was the QEMU virtual machine started with TLS + X509 enabled?.7.2 Items to check if things don't work.7 VNC clients known to NOT work with TLS (yet).6.4.3 Private key for the Client Certificate.
6.2.2.3 Private key for the VNC Client Certificate.6.2.2.1 VNC Certificate Authority Certificate.6.2 Virtual Machine Manager (virt-manager).6.1.3 Private key for the Client Certificate.6.1.1 Certificate Authority Certificate.5 Changes to be made on the virtualisation host server.2 TLS should be set up on the servers first.
0 kommentar(er)
