On Thu, Jul 24, 2008 at 11:13:28AM +0100, Geoff Wiener wrote: > Hi! > > > > This is my first post to either of these list, I have been lurking, > (sorry to cross post but I don't know if this is a virt-manager or > libvirt question). So first off thank you to everyone for all your > efforts. I think libvirt and virt-manager are excellent! I've built > a pair of server s in the lab with a Xen stack and have been attempting > to get virt-manager 0.5.4 to communicate with, first libvirt 0.4.2 and > then libvirt 0.4.4 using TLS across the network in a "client / server" > configuration unsuccessfully. All the machines are on the same subnet > (192.168.4.x/24). I can make Virt-Manager communicate with Libvirt > over TCP without authentication so now that I know the installation > works I want to further secure it using TLS. > > /usr/local/etc/libvirt/libvirtd.conf > > > > Listen_tcp = 1 > > auth_unix_ro = "none" > > auth_unix_rw="none" > > auth_tcp="none" That's all fine. > I followed the configuration notes at: http://libvirt.org/remote.html with a couple of exceptions: > > 1. I already have a linux based CA that I use with OpenVPN so I used that CA root certificate and just generated client and server cert / key pairs for my client and server (I tested with just one server) That's fine - any CA will do the job. > 2. I reverted back to the default libvirtd.conf to setup for TLS and > noticed that the default paths for the certificate locations were not in > line with the documentation on the web page but there were commented sections > as follows that matched the documentation, so I uncommented them: > > key_file = "/etc/pki/libvirt/private/serverkey.pem" > cert_file = "/etc/pki/libvirt/servercert.pem" > ca_file = "/etc/pki/CA/cacert.pem" No need to uncomment any of these - its fine to use the the default settings built-in to libvirt > > #crl_file = "/etc/pki/CA/crl.pem" > Note: I did not uncomment the CRL_FILE path as I do not want to use a CRL at this time Ok, no problem there. > 3. On the server I execute "libvirtd -listen -verbose" (libvirtd output) attached > > 4. virt-manager 0.5.4 (as root) , File, Open Connection > Hypervisor: Xen > > Connection: Remote SSL/TLS with x509 certificate > > Hostname: vxen-01.aenigmacorp.com (I have a host entry for this machine) > > > > The virt-manager console reports "unable to open a connection to the libvirt > management daemon". Verify that the "libvirtd" daemon has been started. Then, > in details there is a lot of info (see virt-manager output) I'd recommend getting it working using virsh as a client first - this gives clearer diagnostics. Once virsh is working, then virt-manager should just work too, although it has an extra step required for VNC access. > That about sums it up. I have not read any instructions that ask me to copy > the CA root certificate to the client, is that required? And if so where would > I put it. Yes, the CA certificate needs to be on all machines - in the same location as for the server - /etc/pki/CA/cacert.pem. The client server needs to be in the loication /etc/pki/libvirt/clientcert.pem There are some additional docs on the virt-manager wiki about the VNC setup steps too http://virt-manager.org/page/RemoteTLS Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list