To make an SSL/TLS-based OVSDB connection between ONOS and OVS using self-signed certificates, there are five main steps to follow:

  1. Generate SSL key/certificate for onos;
  2. Copy the onos certificate to the appropriate OVS location so that OVS can accept the certificate from onos;
  3. Generate SSL key/certificate for OVS;
  4. Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from OVS;
  5. Test the SSL connection.

The following is an example of the detailed configuration steps.

  1. Generating the SSL key/certificate for onos. On the host running onos, generate the SSL key/certificate as follows:
    1. Use "keytool" to generate a .jks keystore (a password passed with -storepass is recorded in the shell history; leave the option out and keytool prompts for it instead):

      sdn@onosCell1:~/wiki$ keytool -genkey -keyalg RSA -alias onos -keystore onos.jks -storepass 222222 -validity 360 -keysize 2048
      What is your first and last name?
        [Unknown]:  sdn rocks
      What is the name of your organizational unit?
        [Unknown]:  config-guide
      What is the name of your organization?
        [Unknown]:  onosproject.org
      What is the name of your City or Locality?
        [Unknown]:  anycity
      What is the name of your State or Province?
        [Unknown]:  anystate
      What is the two-letter country code for this unit?
        [Unknown]:  us
      Is CN=sdn rocks, OU=config-guide, O=onosproject.org, L=anycity, ST=anystate, C=us correct?
        [no]:  yes
      Enter key password for <onos>
      	(RETURN if same as keystore password):
      sdn@onosCell1:~/wiki$ ls
      onos.jks
    2. Convert the .jks keystore (which onos uses) to a PEM file (which OVS uses) in two steps: from .jks to .p12, then to .pem:

      sdn@onosCell1:~/wiki$ keytool -importkeystore -srckeystore onos.jks -destkeystore onos.p12 -srcstoretype jks -deststoretype pkcs12
      Enter destination keystore password:
      Re-enter new password:
      Enter source keystore password:
      Entry for alias onos successfully imported.
      Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
      sdn@onosCell1:~/wiki$ ls
      onos.jks  onos.p12
      sdn@onosCell1:~/wiki$ openssl pkcs12 -in onos.p12 -out onos.pem
      Enter Import Password:
      MAC verified OK
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:
      sdn@onosCell1:~/wiki$ ls
      onos.jks  onos.p12  onos.pem
    3. Create a new file, "cacert.pem", containing only the certificate portion of "onos.pem", i.e. the lines from the "Bag Attributes" preceding the certificate through "END CERTIFICATE". This is the file to be copied over to OVS, so it must not include the private key:

      sdn@onosCell1:~/wiki$ cat onos.pem
      <Private key here>
      Bag Attributes
          friendlyName: onos
          localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
      subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
      issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
      -----BEGIN CERTIFICATE-----
      MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
      .....
      -----END CERTIFICATE-----
       
      sdn@onosCell1:~/wiki$ cat cacert.pem
      Bag Attributes
          friendlyName: onos
          localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
      subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
      issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
      -----BEGIN CERTIFICATE-----
      MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
      ...
      -----END CERTIFICATE-----
       
      sdn@onosCell1:~/wiki$ ls
      cacert.pem  onos.jks  onos.p12  onos.pem

      Note: the intermediate files "onos.p12" and "onos.pem" both contain the onos private key; once cacert.pem exists they are no longer needed and should be discarded.

  2. Copy the onos certificate to the appropriate OVS location so that OVS can accept the certificate from onos:
    1. Copy cacert.pem from your working directory to your OVS installation at "/var/lib/openvswitch/pki/controllerca/cacert.pem". In this case, OVS is running on a host called "mininet", separate from onosCell1:

      root@mininet:/var/lib/openvswitch/pki/controllerca# ls -al
      total 68
      drwxr-xr-x 6 root root 4096 Jan 19 15:39 .
      drwxr-xr-x 4 root root 4096 Oct  8  2014 ..
      -rw-r--r-- 1 root root 1567 Jan 19 15:39 cacert.pem
      ........

      Note: the OVS installation location depends on how OVS was installed. It could be "/var/lib/openvswitch", "/usr/local/var/lib/openvswitch", or somewhere else.

  3. Generate SSL key/certificate for OVS:
    1. On the "mininet" host:

      admin@mininet:~$ cd /etc/openvswitch
      admin@mininet:/etc/openvswitch$ sudo ovs-pki req+sign sc switch
      sc-req.pem	Wed Jan 20 13:06:16 PST 2016
      	fingerprint 719b77cb8a485f4b86f8fab6da6057298a504131
       
      admin@mininet:/etc/openvswitch$ ls -al
      total 56
      drwxr-xr-x   2 root root  4096 Jan 20 13:06 .
      drwxr-xr-x 124 root root 12288 Jan 20 13:05 ..
      ...
      -rw-r--r--   1 root root  4044 Jan 20 13:06 sc-cert.pem
      -rw-------   1 root root  1679 Jan 20 13:06 sc-privkey.pem
      -rw-r--r--   1 root root  3601 Jan 20 13:06 sc-req.pem
      ...

      The "sc-*.pem" files are newly generated: "sc-privkey.pem" is the switch's private key, "sc-req.pem" the certificate request, and "sc-cert.pem" the certificate signed by the local ovs-pki switch CA (the issuer that keytool displays in step 4).

    2. Configure OVS to use the new key and certificate, together with the onos certificate it should trust as the controller CA. Because cacert.pem was already copied in step 2, the "--bootstrap" flag is not required here; it only matters when the CA file does not exist yet, in which case OVS accepts and stores whatever CA certificate the first controller to connect presents:

      admin@onos-dev:/etc/openvswitch$ sudo ovs-vsctl --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
  4. Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from OVS:
    1. Copy "sc-cert.pem" (the OVS certificate generated in step 3) to the "onosCell1" host and import it into the onos.jks store as a trusted certificate:

      sdn@onosCell1:~/wiki$ ls
      cacert.pem  onos.jks  onos.p12  onos.pem  sc-cert.pem
       
      sdn@onosCell1:~/wiki$ keytool -importcert -file sc-cert.pem -keystore onos.jks
      Enter keystore password:
      Owner: CN=sc id:5a3a05bf-9221-46bf-8b71-b526da64772f, OU=Open vSwitch certifier, O=Open vSwitch, ST=CA, C=US
      Issuer: CN=OVS switchca CA Certificate (2015 Nov 24 13:43:42), OU=switchca, O=Open vSwitch, ST=CA, C=US
      Serial number: 8
      Valid from: Wed Jan 20 13:06:16 PST 2016 until: Sat Jan 17 13:06:16 PST 2026
      Certificate fingerprints:
      	 MD5:  70:CF:BC:62:33:EB:C7:FD:16:49:87:04:9E:07:98:9C
      	 SHA1: 66:C3:AB:12:CA:88:F5:A9:47:62:24:9F:50:60:87:F7:A9:D7:CF:97
      	 SHA256: E0:1C:07:45:2F:48:B6:D8:E1:A3:FA:65:7A:8D:9F:82:56:5A:04:4C:97:D4:0C:BC:43:7E:4C:13:80:9B:36:E3
      	 Signature algorithm name: SHA1withRSA
      	 Version: 1
      Trust this certificate? [no]:  yes
      Certificate was added to keystore
      
      sdn@onosCell1:~/wiki$ keytool -list -keystore onos.jks
      Enter keystore password:
      Keystore type: JKS
      Keystore provider: SUN
      Your keystore contains 2 entries
      onos, Jan 19, 2016, PrivateKeyEntry,
      Certificate fingerprint (SHA1): CB:77:5D:23:AB:84:A0:39:22:B2:E0:AB:B8:91:1D:3B:10:8C:70:1F
      mykey, Jan 20, 2016, trustedCertEntry,
      Certificate fingerprint (SHA1): 66:C3:AB:12:CA:88:F5:A9:47:62:24:9F:50:60:87:F7:A9:D7:CF:97
    2. Enable OVSDB TLS in onos by configuring "$ONOS_HOME/tools/package/bin/onos-service"; in this case we use "onos-install" to start onos. The onos.jks keystore now holds both the onos key and the trusted OVS certificate, so the same file serves as key store and trust store:

      #!/bin/bash
      # -----------------------------------------------------------------------------
      # Starts ONOS Apache Karaf container
      # -----------------------------------------------------------------------------
      # uncomment the following line for performance testing
      #export JAVA_OPTS="${JAVA_OPTS:--Xms8G -Xmx8G -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:+PrintGCDetails -XX:+PrintGCTimeStamps}"
      # uncomment the following line for Netty TLS encryption
      # Do modify the keystore location/password and truststore location/password accordingly
      #export JAVA_OPTS="${JAVA_OPTS:--DenableNettyTLS=true -Djavax.net.ssl.keyStore=/home/ubuntu/onos.jks -Djavax.net.ssl.keyStorePassword=222222 -Djavax.net.ssl.trustStore=/home/ubuntu/onos.jks -Djavax.net.ssl.trustStorePassword=222222}"
      
      export JAVA_OPTS="${JAVA_OPTS:--DenableOVSDBTLS=true -Djavax.net.ssl.keyStore=/home/sdn/wiki/onos.jks -Djavax.net.ssl.keyStorePassword=222222 -Djavax.net.ssl.trustStore=/home/sdn/wiki/onos.jks -Djavax.net.ssl.trustStorePassword=222222}"
      .....

      Note: to configure SSL on an onos service installed another way, e.g. from a tar.gz, edit "onos-service" under the node's "/opt/onos/bin" directory.

  5. Testing the SSL connection:
    1. Start the Mininet/OVS switches and configure them to connect to the controller over SSL:

      admin@mininet:$ sudo mn --topo linear,3 --controller remote
      *** Creating network
      *** Adding controller
      *** Adding hosts:
      h1 h2 h3
      *** Adding switches:
      s1 s2 s3
      *** Adding links:
      (h1, s1) (h2, s2) (h3, s3) (s2, s1) (s3, s2)
      *** Configuring hosts
      h1 h2 h3
      *** Starting controller
      c0
      *** Starting 3 switches
      s1 s2 s3 ...
      *** Starting CLI:
      mininet> sh ovs-vsctl set-controller s1 ssl:192.168.57.101:6653
      mininet> sh ovs-vsctl set-controller s2 ssl:192.168.57.101:6653
      mininet> sh ovs-vsctl set-controller s3 ssl:192.168.57.101:6653
    2. Check the onos log. You should see the following messages:

      2018-05-11 19:38:43,918 | INFO  | p-app-activation | OvsdbHostProvider                | 189 - org.onosproject.onos-providers-ovsdb-host - 1.14.0.SNAPSHOT | Started
      2018-05-11 19:38:43,920 | INFO  | p-app-activation | ApplicationManager               | 130 - org.onosproject.onos-core-net - 1.14.0.SNAPSHOT | Application org.onosproject.ovsdbhostprovider has been activated
      2018-05-11 19:38:44,144 | INFO  | bControllerImpl) | OvsdbControllerImpl              | 186 - org.onosproject.onos-protocols-ovsdb-ctl - 1.14.0.SNAPSHOT | Configured. OVSDB server mode was enabled
      2018-05-11 19:38:44,147 | INFO  | bControllerImpl) | Controller                       | 186 - org.onosproject.onos-protocols-ovsdb-ctl - 1.14.0.SNAPSHOT | OVSDB TLS is enabled
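The procedure above has two places where it is easy to go wrong silently: the hand-edited PEM file in step 1.3 (which must carry the certificate but never the private key to the OVS host) and the key/certificate/CA triple handed to set-ssl in steps 3 and 4. The following shell script is an added example, not part of this page or of the ONOS or OVS projects. It automates the certificate extraction and adds offline checks that a private key belongs to a certificate, that a certificate verifies against the CA file the peer will trust, that the SHA-1 fingerprint matches what keytool -list prints, and that the certificate will not expire soon. The function names are this example's own; the file names are the ones used on this page.

```shell
#!/bin/sh
# Added helper script, not part of the ONOS or OVS projects. It automates the
# hand-edited part of step 1.3 and adds offline checks for the material
# produced in steps 3 and 4. Function names are this example's own; file
# names follow the page (onos.pem, cacert.pem, sc-cert.pem, sc-privkey.pem).
set -eu

# Step 1.3: write only the certificate block of a PEM bundle to a new file.
# OVS parses the file with OpenSSL, which skips the "Bag Attributes",
# subject= and issuer= lines, so the bare certificate block is enough.
# If the END marker is missing, sed prints to end of file, which could drag
# in a key block that follows the certificate; the second check refuses that.
extract_cert() {            # usage: extract_cert onos.pem cacert.pem
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$2"
    if ! grep -q 'BEGIN CERTIFICATE' "$2"; then
        echo "extract_cert: no certificate block in $1" >&2
        rm -f "$2"
        return 1
    fi
    if grep -q 'PRIVATE KEY' "$2"; then
        echo "extract_cert: $2 would contain a private key, not written" >&2
        rm -f "$2"
        return 1
    fi
}

# Step 3: the private key given to "ovs-vsctl set-ssl" must be the one the
# certificate was issued for. Derive the public key from each and compare;
# this works for RSA and EC keys alike.
key_matches_cert() {        # usage: key_matches_cert sc-privkey.pem sc-cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Steps 2 and 4: does a certificate verify against the CA file the peer will
# trust? The self-signed onos cacert.pem verifies against itself; sc-cert.pem
# verifies against the ovs-pki switch CA that issued it.
cert_chains_to() {          # usage: cert_chains_to cert.pem ca-bundle.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 4.1: SHA-1 fingerprint in the colon-separated upper-case form that
# "keytool -list" prints, so the imported trustedCertEntry can be matched
# against the file that was actually copied from the OVS host.
cert_sha1_fingerprint() {   # usage: cert_sha1_fingerprint sc-cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr 'a-f' 'A-F'
}

# keytool's "-validity 360" above gives the onos certificate under a year;
# succeed only if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {     # usage: cert_valid_for_days cacert.pem 30
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}
```

On the onos host, `extract_cert onos.pem cacert.pem` replaces the manual cut in step 1.3. On the OVS host, run `key_matches_cert /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem` and `cert_chains_to /etc/openvswitch/sc-cert.pem /var/lib/openvswitch/pki/switchca/cacert.pem` before set-ssl (the switchca path is assumed from the default ovs-pki layout, next to the controllerca directory used in step 2). Comparing `cert_sha1_fingerprint sc-cert.pem` with the trustedCertEntry line of `keytool -list` confirms that the certificate imported in step 4.1 is the one the switch actually uses.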
Some helpful references to consult when configuring: