To set up an SSL/TLS-based OVSDB connection between ONOS and OVS using self-signed certificates, there are five main steps to follow:
- Generate SSL key/certificate for onos;
- Copy the onos certificate to the appropriate OVS location so that OVS can accept the certificate from onos;
- Generate SSL key/certificate for OVS;
- Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from OVS;
- Test the SSL connection.
The following is an example of the detailed configuration steps.
- Generate SSL key/certificate for onos. On the host running onos, generate the SSL key/certificate as follows:
Use "keytool" to generate a .jks keystore:
Convert the .jks keystore (which onos uses) to a PEM file (which OVS uses) in two steps: from .jks to .p12, then from .p12 to .pem:
Use the certificate portion of the "onos.pem" file to create a new file called "cacert.pem" - this is the file to be copied over to OVS. The certificate portion runs from the "Bag Attributes" line through the "END CERTIFICATE" line:
Note: the intermediate files "onos.p12" and "onos.pem" contain the onos private key. They are no longer needed once "cacert.pem" has been created and should be discarded; only "cacert.pem" is copied to OVS.
- Copy the onos certificate to the appropriate OVS location so that OVS can accept the certificate from onos:
Copy cacert.pem from your working directory to your OVS installation at "/var/lib/openvswitch/pki/controllerca/cacert.pem". In this example OVS runs on a host called "mininet", rather than on onosCell1:
Note: the OVS data directory depends on how OVS was installed. It could be "/var/lib/openvswitch", "/usr/local/var/lib/openvswitch", or another location.
- Generate SSL key/certificate for OVS:
On the "mininet" host:
The "sc-*.pem" files are newly generated.
Configure OVS to use the new key and certificate:
- Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from OVS:
Copy "sc-cert.pem" (the OVS certificate just generated in 4a) to the "onosCell1" host, and import it into the onos.jks store as a trusted certificate:
Enable OVSDB TLS in onos by configuring "$ONOS_HOME/tools/package/bin/onos-service" - in this case we use "onos-install" to deploy onos:
Note: if onos was installed another way, e.g. from a tar.gz, configure "onos-service" under the node's "/opt/onos/bin" directory instead.
- Test the SSL connection:
Check the onos log. You should see log messages like the following:
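The steps above as a set of shell functions, added here as an example; this is not code from the ONOS wiki or the ONOS project. The host names, key alias, password, file names and paths are assumptions chosen to match the page's example names (onosCell1, mininet, onos.jks, cacert.pem, sc-*.pem), the `enableOVSDBTLS` system property name is assumed from the "OVSDBTLS" setting the page refers to, and the `pssl:6640` OVSDB manager target is an assumption about how OVS listens for the TLS connection. The sample "onos.pem" export is constructed, not a real key or certificate.

```shell
#!/bin/sh
# Added example (not from the ONOS wiki): ONOS<->OVS certificate exchange as shell
# functions. Names, paths and the password are assumptions matching the page.

need() { command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }; }

# Step 1 (onosCell1): self-signed key pair in a JKS keystore, then export ONLY the
# certificate to PEM. "-nokeys" avoids ever writing the private key to onos.pem.
make_onos_keystore() {   # usage: make_onos_keystore onos.jks password
    need keytool && need openssl || return 1
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias onos -dname "CN=onos" \
        -validity 365 -keystore "$1" -storepass "$2" -keypass "$2"
    keytool -importkeystore -srckeystore "$1" -srcstorepass "$2" -srcalias onos \
        -destkeystore onos.p12 -deststoretype PKCS12 -deststorepass "$2"
    openssl pkcs12 -in onos.p12 -passin "pass:$2" -nokeys -clcerts -out cacert.pem
    rm -f onos.p12                                   # intermediate file, holds the key
}

# If onos.pem was exported with the key included (as on the page), keep only the
# certificate bag: from its "Bag Attributes" line through "END CERTIFICATE".
extract_cert() {         # usage: extract_cert onos.pem > cacert.pem
    awk '
        /^Bag Attributes/                   { buf = ""; keep = 1 }
        keep                                { buf = buf $0 "\n" }
        /PRIVATE KEY-----/                  { keep = 0; buf = "" }   # key bag: drop it
        /-----END CERTIFICATE-----/ && keep { printf "%s", buf; exit }
    ' "$1"
}

# Refuse to hand OVS a file that carries no certificate or still contains a key.
check_cacert() {         # usage: check_cacert cacert.pem ; returns 0 only if safe to copy
    grep -q 'BEGIN CERTIFICATE' "$1" || { echo "$1: no certificate found" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "$1: contains a private key, do not copy to OVS" >&2; return 1
    fi
}

# Steps 3 and 4 (mininet): trust the ONOS certificate, make the switch's own key
# pair, and point OVS at all three files. OVS_PKI dir is install-dependent.
setup_ovs() {            # usage: setup_ovs /var/lib/openvswitch  (cacert.pem already copied here)
    need ovs-pki && need ovs-vsctl || return 1
    pki="${1:-/var/lib/openvswitch}"
    [ -d "$pki/pki" ] || ovs-pki init               # once per host
    ovs-pki req+sign sc switch                      # writes sc-privkey.pem, sc-cert.pem
    ovs-vsctl set-ssl "$PWD/sc-privkey.pem" "$PWD/sc-cert.pem" \
        "$pki/pki/controllerca/cacert.pem"
    ovs-vsctl set-manager pssl:6640                 # assumed TLS listener for ONOS
}

# Step 4b (onosCell1): import sc-cert.pem into onos.jks as a trusted certificate.
trust_ovs_cert() {       # usage: trust_ovs_cert onos.jks password sc-cert.pem
    need keytool || return 1
    keytool -importcert -trustcacerts -noprompt -alias ovs -file "$3" \
        -keystore "$1" -storepass "$2"
}

# JAVA_OPTS value for onos-service; the same store serves as key and trust store.
onos_java_opts() {       # usage: onos_java_opts /path/onos.jks password
    printf '%s' "-DenableOVSDBTLS=true -Djavax.net.ssl.keyStore=$1" \
        " -Djavax.net.ssl.keyStorePassword=$2 -Djavax.net.ssl.trustStore=$1" \
        " -Djavax.net.ssl.trustStorePassword=$2"
}

# Constructed sample of an "openssl pkcs12" export (key bag first, then cert bag);
# the base64 bodies are placeholders, not real key material.
write_sample_export() {  # usage: write_sample_export dir  -> dir/onos.pem
    cat > "$1/onos.pem" <<'EOF'
Bag Attributes
    friendlyName: onos
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-KEY-PLACEHOLDER
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: onos
subject=CN = onos
issuer=CN = onos
-----BEGIN CERTIFICATE-----
CONSTRUCTED-CERT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

On a real host, run `make_onos_keystore onos.jks <password>` and `check_cacert cacert.pem` on onosCell1, copy cacert.pem to the mininet host and run `setup_ovs`, copy sc-cert.pem back and run `trust_ovs_cert`, then set JAVA_OPTS in onos-service to the string `onos_java_opts` prints. `extract_cert` only matters if you already have a full key+certificate export and need the certificate bag out of it.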
Some helpful references to consult when configuring: