Inter-controller communication exchanged at the East/West interface is neither encrypted nor authenticated by default, so inter-controller traffic can be observed and modified by anyone with access to the network path. TLS can and should be enabled for inter-controller communication to ensure that communication within an ONOS cluster is secure. Hostnames, IP addresses, and directories in the following commands should be adjusted for your environment.
Generate a key on each ONOS server
On each ONOS server, generate a new key with an alias unique to that server:
Get the certificates
The certificate for the newly generated key on each ONOS instance now needs to be distributed to the other ONOS instances. To do this, the key entry should be converted to a .p12 file and then to a PEM file, as follows:
The certificate can now be extracted from the PEM file using the following command. The output file name for this command should be adjusted so that it is unique for each ONOS server (for example, by including the server's hostname); this makes the certificates easier to manage when transporting them between instances.
Copy certificates to each ONOS server
Each ONOS instance in the cluster needs the certificate of every other ONOS instance. The certificates can be copied using the following command, which should be repeated for each certificate and each instance.
Import the certificate
Each ONOS instance needs the certificates of every other instance in its keystore, which also serves as its truststore. The certificates can be imported using the following command:
Modify the ONOS launch script
The ONOS launch script ‘onos-service’, located in the ‘$ONOS_ROOT/bin/’ directory, contains a commented-out line that enables TLS for Netty, the communication framework used for inter-controller communication. Uncomment the line and ensure that the ‘keystore’ and ‘truststore’ settings point to the keystore used in the commands above.
With the above steps completed, restart the ONOS service on each node to enable secure inter-controller communication.
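The key generation, certificate export and certificate import steps described above, as a runnable POSIX shell script (an added example, not code from the ONOS project or this page). The aliases onos1/onos2, the working directory and the store password are placeholders; it assumes keytool and openssl are on the PATH and that the same file is used as keystore and truststore, as the text above does.

```shell
#!/bin/sh
# Added example: per-node ONOS keystore preparation for Netty TLS (placeholders throughout).
set -eu

WORKDIR="${WORKDIR:-/tmp/onos-tls-example}"   # placeholder working directory
STOREPASS="${STOREPASS:-changeit}"            # placeholder; use a real secret in production

# Step "Generate a key": one key pair per node, alias unique to that node.
gen_node_key() {
  alias="$1"; store="$2"
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$alias, O=ONOS" -keystore "$store" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1
}

# Step "Get the certificates": keystore entry -> .p12 -> PEM -> bare certificate.
# -nokeys keeps the private key out of the PEM: peers only need the certificate,
# so the private key never has to leave the node that generated it.
export_node_cert() {
  alias="$1"; store="$2"; out="$3"
  keytool -importkeystore -srckeystore "$store" -srcstorepass "$STOREPASS" -srcalias "$alias" \
    -destkeystore "$WORKDIR/$alias.p12" -deststoretype PKCS12 \
    -deststorepass "$STOREPASS" -noprompt >/dev/null 2>&1
  # OpenSSL 3 needs -legacy for PKCS#12 files written with older RC2/3DES defaults.
  openssl pkcs12 -in "$WORKDIR/$alias.p12" -passin "pass:$STOREPASS" -nokeys \
    -out "$WORKDIR/$alias.pem" 2>/dev/null \
  || openssl pkcs12 -legacy -in "$WORKDIR/$alias.p12" -passin "pass:$STOREPASS" -nokeys \
    -out "$WORKDIR/$alias.pem"
  openssl x509 -in "$WORKDIR/$alias.pem" -out "$out"   # output name unique per node
}

# Step "Import the certificate": after copying (scp) a peer's certificate here,
# add it to this node's keystore, which doubles as the truststore.
import_peer_cert() {
  alias="$1"; certfile="$2"; store="$3"
  keytool -importcert -alias "$alias" -file "$certfile" -keystore "$store" \
    -storepass "$STOREPASS" -noprompt >/dev/null 2>&1
}

# Check before restarting ONOS: does the store hold an entry for every alias given?
# keytool -list exits non-zero when an alias is missing.
store_trusts() {
  store="$1"; shift
  for a in "$@"; do
    keytool -list -keystore "$store" -storepass "$STOREPASS" -alias "$a" >/dev/null 2>&1 || return 1
  done
}
```

Run store_trusts on every node with the full list of cluster aliases before restarting; a node that is missing a peer's certificate will reject that peer's TLS connection.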