
Setting up libvirt for TLS (Encryption & Authentication)

Setting up your virtualisation infrastructure for Transport Layer Security (TLS) isn't very difficult. However, it can be a bit involved for someone not already familiar with the details.

These next pages take you through the four main steps involved with setting up TLS for libvirt, from the high level concepts, through to the exact steps with examples.

You should be able to follow through, adapting the examples directly for your own virtualisation infrastructure.


Full list of steps

  1. TLS Concepts in libvirt - this page
  2. Create the Certificate Authority Certificate
  3. Create the Server Certificates
  4. Create the Client Certificates
  5. Configure the libvirt daemon
  6. Further References


The central concept

At its heart, Transport Layer Security is a way of encrypting communication between two computers. The encryption is done using an approach called PKI, which stands for Public Key Infrastructure.

It is fairly simple in concept, always involving one computer, "the client", establishing a connection with a receiving computer, "the server".

Client to Server communication


TLS uses files called Certificates for this communication, with the client computer starting the connection always having a Client Certificate, and the receiving computer always having a Server Certificate.

The initiator has a Client Certificate, the receiver has a Server Certificate


If you have the situation where two computers need to communicate with each other using TLS, then they both need a Client Certificate and a Server Certificate.

If they both need to communicate with each other, they both need both certificates


This is also the example scenario we'll be using in these pages.

Our example scenario

In our example scenario, we have two virtualisation host servers. The first, Host System 1, is named host1. The second, Host System 2, is named host2.

host1 and host2


In our example environment, these host servers will occasionally need to communicate with each other, for example when moving a virtualised guest from host1 to host2, or vice versa. For this to work, each of them needs its own Client Certificate and Server Certificate.

host1 and host2 with both Client and Server certificates


In our example scenario, we also have an administrative desktop used to manage the virtualisation hosts. With it we can connect to either of the virtualisation hosts and perform administrative functions like creating new guests, moving guests between the hosts, and reconfiguring or deleting guests.

This administrative desktop is named admindesktop. It will only ever initiate connections to the virtualisation hosts, never receiving new connections from them. This means it only needs a Client Certificate, and does not need its own Server Certificate.

administration workstation establishes communication to both servers

Private Key files

The PKI approach used in TLS means that for every Certificate file a computer wants to make full use of, it must also hold the matching Private Key file.

host1 with both certificates and their private keys

Private Key files are critically important, and must be kept very secure. Whoever holds a private key can present the matching certificate and claim the identity that certificate names.

For example, Host System 1 has both Client and Server Certificates. These certificates contain information stating they are for the system host1.

Because only Host System 1 has the private key files for these certificates, it is the only one that can say "I am host1".

If an unauthorised person were to obtain one of these key files, they could make their own certificates claiming that one of their systems is host1. This could potentially give them access to your virtualisation servers, which is not what you want.

Signing other Certificates

Possessing both a Certificate and its Private Key gives an additional capability: being able to sign other Certificates. Signing adds a small, cryptographically secure piece of information to the certificate file being signed, indicating that it is authentic.

This is important, because it allows us to establish a web of trust, where we have all of our certificates signed either by each other, or by a central certificate we know to be good.


Certificate Authority

This approach, having one central certificate sign all the others, is regarded as good security practice. It also allows for reasonably simple certificate management compared to the alternatives, and is the approach used in libvirt.

This central Certificate is referred to as a Certificate Authority Certificate. We create one in the very first step of our TLS setup on the next page, then use it to sign every Client and Server Certificate we create.

The CA certificate signs the other certificates
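The two properties described above, a private key belonging to a certificate and a certificate being signed by the CA, can both be checked with OpenSSL. The following script is an added example and is not from the libvirt wiki: it builds a throwaway CA and a host1 server certificate in a temporary directory (constructed names, not real infrastructure) and assumes the openssl and mktemp commands are installed.

```shell
#!/bin/sh
# Added example, not part of the libvirt wiki. Assumes openssl and mktemp.
# For reference, libvirt's default file locations are /etc/pki/CA/cacert.pem,
# /etc/pki/libvirt/servercert.pem and /etc/pki/libvirt/private/serverkey.pem;
# the demo below works only on files in a temporary directory.
set -e

# Prints 1 if CERT was signed by the certificate in CAFILE, else 0.
# Usage: cert_signed_by CERT CAFILE
cert_signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo 1 || echo 0
}

# Prints 1 if KEY is the private key belonging to CERT, else 0. A certificate
# is only usable by whoever holds the key whose public half it carries, so we
# compare the public key embedded in the cert with the one derived from KEY.
# Usage: key_matches_cert CERT KEY
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ] && echo 1 || echo 0
}

# Constructed demo PKI in directory DIR: a self-signed CA, a server certificate
# for host1 signed by that CA, and an unrelated key that matches nothing.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Example libvirt CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=host1" \
        -keyout "$d/serverkey.pem" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 1 -sha256 -out "$d/servercert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/strangerkey.pem" 2>/dev/null
}

# Stand-alone run: build the demo PKI and report the two checks.
tmp=$(mktemp -d)
make_demo_pki "$tmp"
echo "servercert.pem signed by cacert.pem:    $(cert_signed_by "$tmp/servercert.pem" "$tmp/cacert.pem")"
echo "serverkey.pem matches servercert.pem:   $(key_matches_cert "$tmp/servercert.pem" "$tmp/serverkey.pem")"
echo "strangerkey.pem matches servercert.pem: $(key_matches_cert "$tmp/servercert.pem" "$tmp/strangerkey.pem")"
rm -rf "$tmp"
```

Pointing the two functions at the real files under /etc/pki gives a quick sanity check after the certificate steps on the following pages, before restarting the libvirt daemon.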
