To set up an SSL/TLS-based OVSDB connection between onos and OVS using self-signed certificates, there are five main steps to follow:
- Generate SSL key/certificate for onos;
- Copy the onos certificate to the appropriate OVS location so that OVS can accept the certificate from onos;
- Generate SSL key/certificate for OVS;
- Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from OVS;
- Test the SSL connection.
The following is an example of the detailed configuration steps.
- Generate the SSL key/certificate for onos. On the host running onos, generate the key and certificate as follows.
Use "keytool" to generate a .jks keystore:
```
sdn@onosCell1:~/wiki$ keytool -genkey -keyalg RSA -alias onos -keystore onos.jks -storepass 222222 -validity 360 -keysize 2048
What is your first and last name?
  [Unknown]:  sdn rocks
What is the name of your organizational unit?
  [Unknown]:  config-guide
What is the name of your organization?
  [Unknown]:  onosproject.org
What is the name of your City or Locality?
  [Unknown]:  anycity
What is the name of your State or Province?
  [Unknown]:  anystate
What is the two-letter country code for this unit?
  [Unknown]:  us
Is CN=sdn rocks, OU=config-guide, O=onosproject.org, L=anycity, ST=anystate, C=us correct?
  [no]:  yes

Enter key password for <onos>
        (RETURN if same as keystore password):
sdn@onosCell1:~/wiki$ ls
onos.jks
```
Convert the .jks keystore (which onos uses) to a PEM file (which OVS uses) in two steps: from .jks to .p12, then from .p12 to .pem:
```
sdn@onosCell1:~/wiki$ keytool -importkeystore -srckeystore onos.jks -destkeystore onos.p12 -srcstoretype jks -deststoretype pkcs12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias onos successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
sdn@onosCell1:~/wiki$ ls
onos.jks  onos.p12
```
```
sdn@onosCell1:~/wiki$ openssl pkcs12 -in onos.p12 -out onos.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
sdn@onosCell1:~/wiki$ ls
onos.jks  onos.p12  onos.pem
```
Use the certificate portion of the "onos.pem" file to create a new file called "cacert.pem"; this is the file to be copied over to OVS. The certificate portion runs from "Bag Attributes" to "END CERTIFICATE":
```
sdn@onosCell1:~/wiki$ cat onos.pem
<Private key here>
Bag Attributes
    friendlyName: onos
    localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
-----BEGIN CERTIFICATE-----
MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
.....
-----END CERTIFICATE-----
sdn@onosCell1:~/wiki$ cat cacert.pem
Bag Attributes
    friendlyName: onos
    localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
-----BEGIN CERTIFICATE-----
MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
...
-----END CERTIFICATE-----
sdn@onosCell1:~/wiki$ ls
cacert.pem  onos.jks  onos.p12  onos.pem
```
Note: the intermediate files "onos.p12" and "onos.pem" both contain the onos private key; they are no longer needed and should be discarded. Only "cacert.pem", which holds the certificate alone, leaves the onos host.
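The manual copy-and-paste that produces "cacert.pem" above can be scripted. The following is an added example, not code from the ONOS wiki or project: it keeps only the CERTIFICATE blocks of a PEM file, refuses to emit a file without one, and prints keytool-style SHA1/SHA256 fingerprints of the DER bytes so the file copied to OVS can be cross-checked against "keytool -list" on the onos host. The sample PEM is constructed with placeholder base64 bodies, not a real key or certificate.

```python
# Added example (not from the ONOS wiki): build a certificate-only cacert.pem from
# the onos.pem written by "openssl pkcs12", refusing anything that still carries a
# private key, and print keytool-style fingerprints for cross-checking "keytool -list".
import base64
import hashlib
import re

# One PEM block: -----BEGIN <label>----- body -----END <label>-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed stand-in for onos.pem; the bodies are placeholder base64, not real DER.
SAMPLE_ONOS_PEM = """Bag Attributes
    friendlyName: onos
-----BEGIN ENCRYPTED PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5IGJ5dGVz
-----END ENCRYPTED PRIVATE KEY-----
subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydGlmaWNhdGUgYnl0ZXM=
-----END CERTIFICATE-----
"""

def pem_blocks(text):
    """(label, der_bytes) for every PEM block, in file order."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_BLOCK.finditer(text)]

def contains_private_key(text):
    """True if any block label names a private key (RSA, PKCS#8, encrypted, ...)."""
    return any("PRIVATE KEY" in label for label, _ in pem_blocks(text))

def certificate_only_pem(text):
    """Keep CERTIFICATE blocks verbatim; drop keys and the Bag Attributes text.
    OpenSSL, hence OVS, ignores text outside BEGIN/END markers, so nothing else is
    needed; raising on an empty result stops a key-only input yielding a useless file."""
    kept = [m.group(0) for m in PEM_BLOCK.finditer(text) if m.group(1) == "CERTIFICATE"]
    if not kept:
        raise ValueError("no CERTIFICATE block found")
    return "\n".join(kept) + "\n"

def fingerprint(der, algo="sha1"):
    """Digest of the DER bytes in keytool's colon-separated uppercase form."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    cacert = certificate_only_pem(SAMPLE_ONOS_PEM)
    for label, der in pem_blocks(cacert):
        print(f"{label}: SHA1 {fingerprint(der)}  SHA256 {fingerprint(der, 'sha256')}")
    print(cacert, end="")
```

Run it against the real "onos.pem" by reading the file into `certificate_only_pem` and writing the result to "cacert.pem"; the SHA1 printed for the certificate should equal the fingerprint "keytool -list -keystore onos.jks" shows for the "onos" entry.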
- Copy the onos certificate to the appropriate OVS location so that OVS can accept the certificate from onos:
Copy cacert.pem from your working directory to your OVS installation at "/var/lib/openvswitch/pki/controllerca/cacert.pem". In this case OVS is running on a different host than onosCell1, called "mininet":
```
root@mininet:/var/lib/openvswitch/pki/controllerca# ls -al
total 68
drwxr-xr-x 6 root root 4096 Jan 19 15:39 .
drwxr-xr-x 4 root root 4096 Oct  8  2014 ..
-rw-r--r-- 1 root root 1567 Jan 19 15:39 cacert.pem
........
```
Note: the OVS installation location depends on how OVS was installed. It could be "/var/lib/openvswitch", "/usr/local/var/lib/openvswitch", or elsewhere.
- Generate SSL key/certificate for OVS:
On the "mininet" host:
```
admin@mininet:~$ cd /etc/openvswitch
admin@mininet:/etc/openvswitch$ sudo ovs-pki req+sign sc switch
sc-req.pem Wed Jan 20 13:06:16 PST 2016
        fingerprint 719b77cb8a485f4b86f8fab6da6057298a504131
admin@mininet:/etc/openvswitch$ ls -al
total 56
drwxr-xr-x   2 root root  4096 Jan 20 13:06 .
drwxr-xr-x 124 root root 12288 Jan 20 13:05 ..
...
-rw-r--r--   1 root root  4044 Jan 20 13:06 sc-cert.pem
-rw-------   1 root root  1679 Jan 20 13:06 sc-privkey.pem
-rw-r--r--   1 root root  3601 Jan 20 13:06 sc-req.pem
...
```
The "sc-*.pem" files were newly generated.
Configure OVS to use the new key and certificates:
```
admin@onos-dev:/etc/openvswitch$ sudo ovs-vsctl --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
```
Note: "--bootstrap" tells OVS that, if the CA certificate file does not exist yet, it should accept the certificate presented by the first controller that connects and save it under that path. Because cacert.pem was copied in the previous step, the onos certificate is pinned explicitly here; if the file were missing, whichever peer connected first would be trusted without verification.
- Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from OVS:
Copy "sc-cert.pem" (the OVS certificate just generated in the previous step) to the "onosCell1" host, and import it into the onos.jks store as a trusted certificate:
```
sdn@onosCell1:~/wiki$ ls
cacert.pem  onos.jks  onos.p12  onos.pem  sc-cert.pem
sdn@onosCell1:~/wiki$ keytool -importcert -file sc-cert.pem -keystore onos.jks
Enter keystore password:
Owner: CN=sc id:5a3a05bf-9221-46bf-8b71-b526da64772f, OU=Open vSwitch certifier, O=Open vSwitch, ST=CA, C=US
Issuer: CN=OVS switchca CA Certificate (2015 Nov 24 13:43:42), OU=switchca, O=Open vSwitch, ST=CA, C=US
Serial number: 8
Valid from: Wed Jan 20 13:06:16 PST 2016 until: Sat Jan 17 13:06:16 PST 2026
Certificate fingerprints:
         MD5:  70:CF:BC:62:33:EB:C7:FD:16:49:87:04:9E:07:98:9C
         SHA1: 66:C3:AB:12:CA:88:F5:A9:47:62:24:9F:50:60:87:F7:A9:D7:CF:97
         SHA256: E0:1C:07:45:2F:48:B6:D8:E1:A3:FA:65:7A:8D:9F:82:56:5A:04:4C:97:D4:0C:BC:43:7E:4C:13:80:9B:36:E3
         Signature algorithm name: SHA1withRSA
         Version: 1
Trust this certificate? [no]:  yes
Certificate was added to keystore
sdn@onosCell1:~/wiki$ keytool -list -keystore onos.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

onos, Jan 19, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): CB:77:5D:23:AB:84:A0:39:22:B2:E0:AB:B8:91:1D:3B:10:8C:70:1F
mykey, Jan 20, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 66:C3:AB:12:CA:88:F5:A9:47:62:24:9F:50:60:87:F7:A9:D7:CF:97
```
Enable onos to use OVSDB TLS by configuring "$ONOS_HOME/tools/package/bin/onos-service"; in this case we use "onos-install" to start onos:
```
#!/bin/bash
# -----------------------------------------------------------------------------
# Starts ONOS Apache Karaf container
# -----------------------------------------------------------------------------

# uncomment the following line for performance testing
#export JAVA_OPTS="${JAVA_OPTS:--Xms8G -Xmx8G -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:+PrintGCDetails -XX:+PrintGCTimeStamps}"

# uncomment the following line for Netty TLS encryption
# Do modify the keystore location/password and truststore location/password accordingly
#export JAVA_OPTS="${JAVA_OPTS:--DenableNettyTLS=true -Djavax.net.ssl.keyStore=/home/ubuntu/onos.jks -Djavax.net.ssl.keyStorePassword=222222 -Djavax.net.ssl.trustStore=/home/ubuntu/onos.jks -Djavax.net.ssl.trustStorePassword=222222}"

export JAVA_OPTS="${JAVA_OPTS:--DenableOVSDBTLS=true -Djavax.net.ssl.keyStore=/home/sdn/wiki/onos.jks -Djavax.net.ssl.keyStorePassword=222222 -Djavax.net.ssl.trustStore=/home/sdn/wiki/onos.jks -Djavax.net.ssl.trustStorePassword=222222}"
.....
```
Note: if you run onos as an installed service (e.g. unpacked from a tar.gz), configure "onos-service" under the node's "/opt/onos/bin" directory instead.
- Testing the SSL connection:
Start the Mininet/OVS switches and configure them to use SSL connections:
```
admin@mininet:$ sudo mn --topo linear,3 --controller remote
*** Creating network
*** Adding controller
*** Adding hosts:
h1 h2 h3
*** Adding switches:
s1 s2 s3
*** Adding links:
(h1, s1) (h2, s2) (h3, s3) (s2, s1) (s3, s2)
*** Configuring hosts
h1 h2 h3
*** Starting controller
c0
*** Starting 3 switches
s1 s2 s3 ...
*** Starting CLI:
mininet> sh ovs-vsctl set-controller s1 ssl:192.168.57.101:6653
mininet> sh ovs-vsctl set-controller s2 ssl:192.168.57.101:6653
mininet> sh ovs-vsctl set-controller s3 ssl:192.168.57.101:6653
```
Check the onos log. You should see the following log messages:
```
2018-05-11 19:38:43,918 | INFO | p-app-activation | OvsdbHostProvider | 189 - org.onosproject.onos-providers-ovsdb-host - 1.14.0.SNAPSHOT | Started
2018-05-11 19:38:43,920 | INFO | p-app-activation | ApplicationManager | 130 - org.onosproject.onos-core-net - 1.14.0.SNAPSHOT | Application org.onosproject.ovsdbhostprovider has been activated
2018-05-11 19:38:44,144 | INFO | bControllerImpl) | OvsdbControllerImpl | 186 - org.onosproject.onos-protocols-ovsdb-ctl - 1.14.0.SNAPSHOT | Configured. OVSDB server mode was enabled
2018-05-11 19:38:44,147 | INFO | bControllerImpl) | Controller | 186 - org.onosproject.onos-protocols-ovsdb-ctl - 1.14.0.SNAPSHOT | OVSDB TLS is enabled
```
Some helpful references to consult when configuring:
- https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
- https://floodlight.atlassian.net/wiki/pages/viewpage.action?pageId=5636122