Due to a ransomware attack, the wiki was reverted to a July 2022 version. . We apologize for the lack of a more recent valid backup.
Overview
ONOS CLI, GUI and REST API are all presently secured by allowing only authenticated access.
...
To enable the secure access, a new tool onos-secure-ssh has been providerprovided. This tool will secure the ONOS CLI so it is no longer accessible using the Apache Karaf client; this client is inherently insecure as it relies on a well-known private key (yes that is an oxymoron). After running the onos-secure-ssh tool, ONOS CLI will be only accessible using direct ssh. The tool also deletes the default users and keys, and allows the user to specify their own user/password combination as follows:
...
The tool comes in two variants to support run-time deployments and dev-time usage. The dev-time variant secures the entire ONOS test cell with one invocation and will use the dev bench user’s public key to enable secure ssh CLI. The run-time variant secures just the instance on which it is invoked and uses the invoking user’s public key to enable secure ssh CLI.
Authentication
Since ONOS CLI is secured via key-based authentication, there is no explicit action required once the onos-secure-ssh tool was used.
...
The login will remain active while the browser is active or until user logs-out by clicking on the logout link in the right-hand side of the GUI mast-head. Presently there are no cookies and no mechanism to maintain authentication past browser restart. This may be added in future releases as we add token-based authentication.
HTTPS & Redirect
By default HTTPS is not enabled, but it can be easily configured and used directly, by modifying the etc/org.ops4j.pax.web.cfg file. The reason for this is that it requires a setup of keystore & truststore and unless one has a key signed by a CA, the self-signed key ends up raising issues with REST API and puts up entry barriers in the browser. For these reason, this remain a manual configuration task; see instructions in https://ops4j1.
jira.com/wiki/display/paxweb/SSL+Configuration.
For the same reasons.For now, neither REST API or nor GUI will presently insist on communicating via HTTPS via mandatory redirect to a confidential channel. , but the mandatory redirect will be highly inconvenient because it forces setup of keystone However, one can force HTTPS-only communication by disabling the HTTP channel by modifying the etc/org.ops4j.pax.web.cfg file. Default version of this file is under source-control in tools/package/etc directory and is included in the corresponding distributable tar.gz, zip, deb & rpm packages.