Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Red Hat Enterprise Linux 9 Essentials Book now available.

Purchase a copy of Red Hat Enterprise Linux 9 (RHEL 9) Essentials

Red Hat Enterprise Linux 9 Essentials Print and eBook (PDF) editions contain 34 chapters and 298 pages

Preview Book

17.2. Remote management over TLS and SSL

You can manage virtual machines using TLS and SSL. TLS and SSL provides greater scalability but is more complicated than ssh (see Section 17.1, “Remote management with ssh”. TLS and SSL is the same technology used by web browsers for secure connections. The libvirt management connection opens a TCP port for incoming connections, which is securely encrypted and authenticated based on x509 certificates. In addition the VNC console for each guest virtual machine will be setup to use TLS with x509 certificate authentication.
This method does not require users to have shell accounts on the remote machines being managed. However, extra firewall rules are needed to access the management service or VNC console. Certificate revocation lists can be used to revoke access to users.
Steps to setup TLS/SSL access for virt-manager
The following short guide assuming you are starting from scratch and you do not have any TLS/SSL certificate knowledge. If you are lucky enough to have a certificate management server you can probably skip the first steps.
libvirt server setup
For more information on creating certificates, refer to the libvirt website,
The Red Hat Virtualization VNC Server
The Red Hat Virtualization VNC server can have TLS enabled by editing the configuration file, /etc/xen/xend-config.sxp. Remove the commenting on the (vnc-tls 1) configuration parameter in the configuration file.
The /etc/xen/vnc directory needs the following 3 files:
  • ca-cert.pem - The CA certificate
  • server-cert.pem - The Server certificate signed by the CA
  • server-key.pem - The server private key
This provides encryption of the data channel. It might be appropriate to require that clients present their own x509 certificate as a form of authentication. To enable this remove the commenting on the (vnc-x509-verify 1) parameter.
virt-manager and virsh client setup
The setup for clients is slightly inconsistent at this time. To enable the libvirt management API over TLS, the CA and client certificates must be placed in /etc/pki. For details on this consult
In the virt-manager user interface, use the ' SSL/TLS ' transport mechanism option when connecting to a host.
For virsh, the qemu://hostname.domainname/system or xen://hostname.domainname/ URIs should be used.
To enable SSL and TLS for VNC, it is necessary to put the certificate authority and client certificates into $HOME/.pki, that is the following three files:
  • CA or ca-cert.pem - The CA certificate.
  • libvirt-vnc or clientcert.pem - The client certificate signed by the CA.
  • libvirt-vnc or clientkey.pem - The client private key.

  Published under the terms of the GNU General Public License Design by Interspire