23.2. Remote management over TLS and SSL
You can manage virtual machines using TLS and SSL. TLS and SSL provides greater scalability but is more complicated than ssh (see Section 23.1, “Remote management with SSH”). TLS and SSL is the same technology used by web browsers for secure connections. The
libvirt management connection opens a TCP port for incoming connections, which is securely encrypted and authenticated based on x509 certificates. In addition the VNC console for each guest virtual machine will be setup to use TLS with x509 certificate authentication.
This method does not require shell accounts on the remote machines being managed. However, extra firewall rules are needed to access the management service or VNC console. Certificate revocation lists can revoke users' access.
Steps to setup TLS/SSL access for virt-manager
The following short guide assuming you are starting from scratch and you do not have any TLS/SSL certificate knowledge. If you are lucky enough to have a certificate management server you can probably skip the first steps.
-
libvirtserver setup - For more information on creating certificates, see the libvirt website, http://libvirt.org/remote.html.
- Xen VNC Server
- The Xen VNC server can have TLS enabled by editing the configuration file,
/etc/xen/xend-config.sxp. Remove the commenting on the(vnc-tls 1)configuration parameter in the configuration file.The/etc/xen/vncdirectory needs the following 3 files:This provides encryption of the data channel. It might be appropriate to require that clients present their own x509 certificate as a form of authentication. To enable this remove the commenting on theca-cert.pem- The CA certificateserver-cert.pem- The Server certificate signed by the CAserver-key.pem- The server private key
(vnc-x509-verify 1)parameter. -
virt-managerandvirshclient setup - The setup for clients is slightly inconsistent at this time. To enable the
libvirtmanagement API over TLS, the CA and client certificates must be placed in/etc/pki. For details on this consult http://libvirt.org/remote.htmlIn thevirt-manageruser interface, use the '' transport mechanism option when connecting to a host.Forvirsh, the URI has the following format:qemu://hostname.guestname/systemfor KVM.xen://hostname.guestname/for Xen.
To enable SSL and TLS for VNC, it is necessary to put the certificate authority and client certificates into
$HOME/.pki, that is the following three files:
- CA or
ca-cert.pem- The CA certificate. libvirt-vncorclientcert.pem- The client certificate signed by the CA.libvirt-vncorclientkey.pem- The client private key.
