Chapter 4. Configure Encryption with Transport Layer Security (TLS/SSL)

Shut down all virtual machines

See Shutting Down a Virtual Machine in the Red Hat Virtualization documentation for details: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/virtual_machine_management_guide/chap-administrative_tasks.

Move all storage domains except the hosted engine storage domain into Maintenance mode

See Moving Storage Domains to Maintenance Mode in the Red Hat Virtualization documentation for details: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/sect-storage_tasks.

Move the hosted engine into global maintenance mode

Run the following command on the hypervisor that hosts the hosted engine:

hosted-engine --set-maintenance --mode=global

# hosted-engine --set-maintenance --mode=global

Shut down the hosted engine virtual machine

Run the following command on the hypervisor that hosts the hosted engine:

hosted-engine --vm-shutdown

# hosted-engine --vm-shutdown

Verify that the hosted engine has shut down by running the following command:

hosted-engine --vm-status

 # hosted-engine --vm-status

Stop all high availability services

Run the following command on all hypervisors:

systemctl stop ovirt-ha-agent
systemctl stop ovirt-ha-broker

# systemctl stop ovirt-ha-agent
# systemctl stop ovirt-ha-broker

Unmount the hosted engine storage domain from all hypervisors

hosted-engine --disconnect-storage

# hosted-engine --disconnect-storage

Verify that all volumes are unmounted

On each hypervisor, verify that all gluster volumes are no longer mounted.

mount

# mount

Create a gdeploy configuration file

Use the template file in Section B.1, “Example gdeploy configuration file for setting up TLS/SSL” to create a new configuration file that will set up TLS/SSL on your deployment.

Run gdeploy using your new configuration file

On the first physical machine, run gdeploy using the configuration file you created in the previous step:

gdeploy -c set_up_encryption.conf

# gdeploy -c set_up_encryption.conf

This may take some time to complete.

Verify that no TLS/SSL errors occurred

Check the /var/log/glusterfs/glusterd.log file on each physical machine to ensure that no TLS/SSL related errors occurred, and setup completed successfully.

Start all high availability services

Run the following commands on all hypervisors:

systemctl start ovirt-ha-agent
systemctl start ovirt-ha-broker

# systemctl start ovirt-ha-agent
# systemctl start ovirt-ha-broker

Move the hosted engine out of Global Maintenance mode

hosted-engine --set-maintenance --mode=none

# hosted-engine --set-maintenance --mode=none

The hosted engine starts automatically after a short wait.

Wait for nodes to synchronize

Run the following command on the first hypervisor to check synchronization status. If engine status is listed as unknown stale-data, synchronization requires several more minutes to complete.

The following output indicates completed synchronization.

hosted-engine --vm-status | grep 'Engine status'

# hosted-engine --vm-status | grep 'Engine status'
Engine status   : {"health": "good", "vm": "up", "detail": "up"}
Engine status   : {"reason": "vm not running on this host",
  "health": "bad", "vm": "down", "detail": "unknown"}
Engine status   : {"reason": "vm not running on this host",
  "health": "bad", "vm": "down", "detail": "unknown"}

Activate all storage domains

Activate the master storage domain first, followed by all other storage domains.

For details on activating storage domains, see Activating Storage Domains from Maintenance Mode in the Red Hat Virtualization documentation: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/sect-storage_tasks.

Start all virtual machines

See Starting a Virtual Machine in the Red Hat Virtualization documentation for details: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/virtual_machine_management_guide/sect-starting_the_virtual_machine.

Shut down all virtual machines

See Shutting Down a Virtual Machine in the Red Hat Virtualization documentation for details: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/virtual_machine_management_guide/chap-administrative_tasks.

Move all storage domains except the hosted engine storage domain into Maintenance mode

See Moving Storage Domains to Maintenance Mode in the Red Hat Virtualization documentation for details: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/sect-storage_tasks.

Move the hosted engine into global maintenance mode

Run the following command on the hypervisor that hosts the hosted engine:

hosted-engine --set-maintenance --mode=global

# hosted-engine --set-maintenance --mode=global

Shut down the hosted engine virtual machine

Run the following command on the hypervisor that hosts the hosted engine:

hosted-engine --vm-shutdown

# hosted-engine --vm-shutdown

Verify that the hosted engine has shut down by running the following command:

hosted-engine --vm-status

 # hosted-engine --vm-status

Stop all high availability services

Run the following command on all hypervisors:

systemctl stop ovirt-ha-agent
systemctl stop ovirt-ha-broker

# systemctl stop ovirt-ha-agent
# systemctl stop ovirt-ha-broker

Unmount the hosted engine storage domain from all hypervisors

hosted-engine --disconnect-storage

# hosted-engine --disconnect-storage

Verify that all volumes are unmounted

On each hypervisor, verify that all gluster volumes are no longer mounted.

mount

# mount

Configure Certificate Authority signed encryption

Verify that no TLS/SSL errors occurred

Check the /var/log/glusterfs/glusterd.log file on each physical machine to ensure that no TLS/SSL related errors occurred, and setup completed successfully.

Start all high availability services

Run the following commands on all hypervisors:

systemctl start ovirt-ha-agent
systemctl start ovirt-ha-broker

# systemctl start ovirt-ha-agent
# systemctl start ovirt-ha-broker

Move the hosted engine out of Global Maintenance mode

hosted-engine --set-maintenance --mode=none

# hosted-engine --set-maintenance --mode=none

The hosted engine starts automatically after a short wait.

Wait for nodes to synchronize

Run the following command on the first hypervisor to check synchronization status. If engine status is listed as unknown stale-data, synchronization requires several more minutes to complete.

The following output indicates completed synchronization.

hosted-engine --vm-status | grep 'Engine status'

# hosted-engine --vm-status | grep 'Engine status'
Engine status   : {"health": "good", "vm": "up", "detail": "up"}
Engine status   : {"reason": "vm not running on this host",
  "health": "bad", "vm": "down", "detail": "unknown"}
Engine status   : {"reason": "vm not running on this host",
  "health": "bad", "vm": "down", "detail": "unknown"}

Activate all storage domains

Activate the master storage domain first, followed by all other storage domains.

For details on activating storage domains, see Activating Storage Domains from Maintenance Mode in the Red Hat Virtualization documentation: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/sect-storage_tasks.

Start all virtual machines

See Starting a Virtual Machine in the Red Hat Virtualization documentation for details: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/virtual_machine_management_guide/sect-starting_the_virtual_machine.