spice_tls.rst 4.28 KB
Newer Older
fv3rdugo's avatar
fv3rdugo committed
1
2
3
4
5
Hardening Spice security with TLS
=================================

TLS support allows to encrypt all/some of the channels Spice uses for its communication. A separate port is used for the encrypted channels.

Fernando Verdugo's avatar
Fernando Verdugo committed
6
7
8
9
10
Change libvirtd configuration
-----------------------------

The certificate must be specified in libvirtd configuration file in /etc/libvirt/qemu.conf 

Fernando Verdugo's avatar
Fernando Verdugo committed
11
Uncomment the lines: *spice_listen="0.0.0.0"*, *spice_tls=1*  and *spice_tls_x509_cert_dir="/etc/pki/libvirt-spice"*
Fernando Verdugo's avatar
Fernando Verdugo committed
12
13

::
Fernando Verdugo's avatar
Fernando Verdugo committed
14

Fernando Verdugo's avatar
Fernando Verdugo committed
15
16
17
18
19
20
21
22
    # SPICE is configured to listen on 127.0.0.1 by default.
    # To make it listen on all public interfaces, uncomment
    # this next option.
    #
    # NB, strong recommendation to enable TLS + x509 certificate
    # verification when allowing public access
    #
    spice_listen = "0.0.0.0"
Fernando Verdugo's avatar
Fernando Verdugo committed
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
    # Enable use of TLS encryption on the SPICE server.
    #
    # It is necessary to setup CA and issue a server certificate
    # before enabling this.
    #
    spice_tls = 1
    # Use of TLS requires that x509 certificates be issued. The
    # default it to keep them in /etc/pki/libvirt-spice. This directory
    # must contain
    #
    #  ca-cert.pem - the CA master certificate
    #  server-cert.pem - the server certificate signed with ca-cert.pem
    #  server-key.pem  - the server private key
    #
    # This option allows the certificate directory to be changed.
    #
    spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

Add path in Apparmor 
--------------------

Fernando Verdugo's avatar
Fernando Verdugo committed
44
Add ``/etc/pki/libvirt-spice/** r,`` in ``/etc/apparmor.d/abstractions/libvirt-qemu`` 
Fernando Verdugo's avatar
Fernando Verdugo committed
45
46

::
Fernando Verdugo's avatar
Fernando Verdugo committed
47

Fernando Verdugo's avatar
Fernando Verdugo committed
48
49
50
51
52
53
    # access PKI infrastructure
    /etc/pki/libvirt-vnc/** r,
    /etc/pki/libvirt-spice/** r,

.. note:: Remmember restart the services: ``systemctl restart apparmor.service`` & ``systemctl restart libvirtd.service``

54
55
Create self signed certificate
------------------------------
Fernando Verdugo's avatar
Fernando Verdugo committed
56

Fernando Verdugo's avatar
Fernando Verdugo committed
57
Perform the following script, to generate the cert files for ssl , and then copy ``*.pem`` file into ``/etc/pkil/libvirt-spice`` directory: (`source <http://fedoraproject.org/w/index.php?title=QA:Testcase_Virtualization_Manually_set_spice_listening_port_with_TLS_port_set>`_)
Fernando Verdugo's avatar
Fernando Verdugo committed
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

::
    
    #!/bin/bash

    SERVER_KEY=server-key.pem
    
    # creating a key for our ca
    if [ ! -e ca-key.pem ]; then
        openssl genrsa -des3 -out ca-key.pem 1024
    fi
    # creating a ca
    if [ ! -e ca-cert.pem ]; then
        openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem  -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
    fi
    # create server key
    if [ ! -e $SERVER_KEY ]; then
        openssl genrsa -out $SERVER_KEY 1024
    fi
    # create a certificate signing request (csr)
    if [ ! -e server-key.csr ]; then
        openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
    fi
    # signing our server certificate with this ca
    if [ ! -e server-cert.pem ]; then
        openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    fi
    
    # now create a key that doesn't require a passphrase
    openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
    mv $SERVER_KEY $SERVER_KEY.secure
    mv $SERVER_KEY.insecure $SERVER_KEY
    
    # show the results (no other effect)
    openssl rsa -noout -text -in $SERVER_KEY
    openssl rsa -noout -text -in ca-key.pem
    openssl req -noout -text -in server-key.csr
    openssl x509 -noout -text -in server-cert.pem
    openssl x509 -noout -text -in ca-cert.pem

    # copy *.pem file to /etc/pki/libvirt-spice
    if [[ -d "/etc/pki/libvirt-spice" ]] 
    then    
        cp ./*.pem /etc/pki/libvirt-spice
    else
        mkdir /etc/pki/libvirt-spice
        cp ./*.pem /etc/pki/libvirt-spice
    fi

    # echo --host-subject
    echo "your --host-subject is" \" `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "` \"
 
Fernando Verdugo's avatar
Fernando Verdugo committed
110
111
112
.. warning::
    Whatever method you use to generate the certificate and key files, the Common Name value used for the server and client certificates/keys must each differ from the Common Name value used for the CA certificate. Otherwise, the certificate and key files will not work for servers compiled using OpenSSL.

113
114
115
Disable Spice Password
----------------------
	 Removing SPICE password for all the networks, link to https://ravada.readthedocs.io/en/latest/docs/Disable_spice_password.html