ONOS CLI, GUI and REST API are all presently secured by allowing only authenticated access.
The tool comes in two variants to support run-time deployments and dev-time usage. The dev-time variant secures the entire ONOS test cell with one invocation and will use the dev bench user’s public key to enable secure ssh CLI. The run-time variant secures just the instance on which it is invoked and uses the invoking user’s public key to enable secure ssh CLI.
Since the ONOS CLI is secured via key-based authentication, no explicit action is required once the onos-secure-ssh tool has been used.
The login will remain active while the browser is active or until the user logs out by clicking on the logout link on the right-hand side of the GUI masthead. Presently there are no cookies and no mechanism to maintain authentication past a browser restart. This may be added in future releases as we add token-based authentication.
HTTPS & Redirect
By default HTTPS is not enabled, but it can be easily configured and used directly by modifying the etc/org.ops4j.pax.web.cfg file. HTTPS is off by default because it requires setting up a keystore and truststore, and unless one has a key signed by a CA, the self-signed key ends up raising issues with the REST API and puts up entry barriers in the browser. For these reasons, this remains a manual configuration task; see the instructions at https://ops4j1.jira.com/wiki/display/paxweb/SSL+Configuration.
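An added example, not part of the ONOS documentation or code: a shell check that a manually edited etc/org.ops4j.pax.web.cfg really enables HTTPS, points at an existing keystore, and does not leave the keystore password world-readable. The property names are assumed to be the Pax Web keys used before Pax Web 8 (confirm them against the SSL Configuration page for your version); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not ONOS code): audit a Pax Web config file for HTTPS settings.
# Assumption: pre-8.x Pax Web property names; adjust them for your version.
# Usage: audit_paxweb etc/org.ops4j.pax.web.cfg /path/to/onos

# get_prop FILE KEY: print the last value assigned to KEY, skipping comment lines.
get_prop() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# audit_paxweb FILE [BASE]: print findings; return 0 only when nothing FAILs.
# BASE is the directory that a relative keystore path is resolved against.
audit_paxweb() {
    cfg=$1; base=${2:-.}; rc=0
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }
    if [ "$(get_prop "$cfg" org.osgi.service.http.secure.enabled)" != "true" ]; then
        echo "FAIL: HTTPS connector not enabled (the default)"; return 1
    fi
    echo "OK: HTTPS connector enabled"
    ks=$(get_prop "$cfg" org.ops4j.pax.web.ssl.keystore)
    case $ks in
        "") echo "FAIL: no keystore configured"; rc=1 ;;
        /*) ;;                       # absolute path, use as given
        *)  ks=$base/$ks ;;          # relative path, resolve against BASE
    esac
    if [ -n "$ks" ] && [ ! -f "$ks" ]; then
        echo "FAIL: keystore $ks does not exist"; rc=1
    fi
    pw=$(get_prop "$cfg" org.ops4j.pax.web.ssl.password)
    if [ -z "$pw" ]; then
        echo "FAIL: no keystore password configured"; rc=1
    elif [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "FAIL: $cfg holds a keystore password but is world-readable"; rc=1
    fi
    return $rc
}
```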