work in progress
To set up an SSL/TLS OpenFlow connection between onos and OVS switches using self-signed certificates, there are four main steps to follow:
- Generate an SSL key/certificate for onos;
- Copy the onos certificate to the appropriate OVS location so that OVS can accept the certificate from onos;
- Generate an SSL key/certificate for OVS;
- Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from OVS.
Generating the SSL key/certificate for onos: on the host running onos, generate the SSL key/certificate as follows.
Use "keytool" to generate a .jks keystore:
sdn@onosCell1:~/wiki$ keytool -genkey -keyalg RSA -alias onos -keystore onos.jks -storepass 222222 -validity 360 -keysize 2048
What is your first and last name?
  [Unknown]:  sdn rocks
What is the name of your organizational unit?
  [Unknown]:  config-guide
What is the name of your organization?
  [Unknown]:  onosproject.org
What is the name of your City or Locality?
  [Unknown]:  anycity
What is the name of your State or Province?
  [Unknown]:  anystate
What is the two-letter country code for this unit?
  [Unknown]:  us
Is CN=sdn rocks, OU=config-guide, O=onosproject.org, L=anycity, ST=anystate, C=us correct?
  [no]:  yes
Enter key password for <onos>
        (RETURN if same as keystore password):
sdn@onosCell1:~/wiki$ ls
onos.jks
Convert the .jks keystore (which onos uses) to a PEM file (which OVS uses) in two steps: from .jks to .p12, then from .p12 to .pem.
sdn@onosCell1:~/wiki$ keytool -importkeystore -srckeystore onos.jks -destkeystore onos.p12 -srcstoretype jks -deststoretype pkcs12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias onos successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
sdn@onosCell1:~/wiki$ ls
onos.jks  onos.p12
sdn@onosCell1:~/wiki$ openssl pkcs12 -in onos.p12 -out onos.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
sdn@onosCell1:~/wiki$ ls
onos.jks  onos.p12  onos.pem
Use the certificate portion of the "onos.pem" file (from the "Bag Attributes" line through the "-----END CERTIFICATE-----" line) to create a new file called "cacert.pem"; this is the file to be copied over to OVS.
sdn@onosCell1:~/wiki$ cat onos.pem
Bag Attributes
    friendlyName: onos
    localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
-----BEGIN CERTIFICATE-----
MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
czERMA8GA1UECBMIYW55c3RhdGUxEDAOBgNVBAcTB2FueWNpdHkxGDAWBgNVBAoT
D29ub3Nwcm9qZWN0Lm9yZzEVMBMGA1UECxMMY29uZmlnLWd1aWRlMRIwEAYDVQQD
EwlzZG4gcm9ja3MwHhcNMTYwMTE5MjIyMDI5WhcNMTcwMTEzMjIyMDI5WjB3MQsw
CQYDVQQGEwJ1czERMA8GA1UECBMIYW55c3RhdGUxEDAOBgNVBAcTB2FueWNpdHkx
GDAWBgNVBAoTD29ub3Nwcm9qZWN0Lm9yZzEVMBMGA1UECxMMY29uZmlnLWd1aWRl
MRIwEAYDVQQDEwlzZG4gcm9ja3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCLGXBMxunrya4LMvNBh6zIO+5epIiZvPdi9tcSn5QnPSclWOcjwQ4Qtmhp
xCs6FSgVtwv+9WrdZT8luBJNiWH7rJxGwb1R/TbXYQB8ybjbOkhRdSLuc8P3uRsW
x4rcSTaFCxfCg0fOQd0ET+GWOlKcRXEMxIxHiQ/Mjvkl5IOTOu5Y64OrOZDKxREo
ILC+8s/mYbJZOYpG0UYLoqkP99ZrOoTRVkngvnIrWPh0TH0dfRkI6k3lji5Mh+2U
yq1buTM1+dA8ZV512oJI+yVN6tg7uqz2VEdhj9+mab8REo7vq1tOQ4QAxIb1Vtke
oF+i32mcOHFXas0XbM+gKxZHWBd1AgMBAAGjITAfMB0GA1UdDgQWBBREXAhrkVgl
3yaqJhuMuhgp7xEqszANBgkqhkiG9w0BAQsFAAOCAQEAApRFQqh56QIZ9p4cnLpc
i+I0o7l42Nwddzlmv7sdIjOPphk5iXfpy1BsKhXC0rXXcdPqqiM84GJaLgqQuAA5
E4cUPtj/jRDWP58CJ4uA2ICuJRVa5IN0TtImDlohH6a4euP1zO4hAD3leRVPylAN
dW7+/JumX1sPWkl3n1GrE+TQao5riFW87kCAf6Zr8us+d0jWowWBTGLwzCLtBrPh
+xOwVyyp/Gdp0kucwhHr20il/DJnsFh9m4boQp1O4/BwE2wxctyetD0rHcF5PNin
ADLCPSP4kGOdMx/FiR12cBOexXluyb1+h4OEuvG+ojkzOGPkEaZsa42S1x1jzHIT
eA==
-----END CERTIFICATE-----
sdn@onosCell1:~/wiki$ cat cacert.pem
Bag Attributes
    friendlyName: onos
    localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
-----BEGIN CERTIFICATE-----
MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
czERMA8GA1UECBMIYW55c3RhdGUxEDAOBgNVBAcTB2FueWNpdHkxGDAWBgNVBAoT
D29ub3Nwcm9qZWN0Lm9yZzEVMBMGA1UECxMMY29uZmlnLWd1aWRlMRIwEAYDVQQD
EwlzZG4gcm9ja3MwHhcNMTYwMTE5MjIyMDI5WhcNMTcwMTEzMjIyMDI5WjB3MQsw
CQYDVQQGEwJ1czERMA8GA1UECBMIYW55c3RhdGUxEDAOBgNVBAcTB2FueWNpdHkx
GDAWBgNVBAoTD29ub3Nwcm9qZWN0Lm9yZzEVMBMGA1UECxMMY29uZmlnLWd1aWRl
MRIwEAYDVQQDEwlzZG4gcm9ja3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCLGXBMxunrya4LMvNBh6zIO+5epIiZvPdi9tcSn5QnPSclWOcjwQ4Qtmhp
xCs6FSgVtwv+9WrdZT8luBJNiWH7rJxGwb1R/TbXYQB8ybjbOkhRdSLuc8P3uRsW
x4rcSTaFCxfCg0fOQd0ET+GWOlKcRXEMxIxHiQ/Mjvkl5IOTOu5Y64OrOZDKxREo
ILC+8s/mYbJZOYpG0UYLoqkP99ZrOoTRVkngvnIrWPh0TH0dfRkI6k3lji5Mh+2U
yq1buTM1+dA8ZV512oJI+yVN6tg7uqz2VEdhj9+mab8REo7vq1tOQ4QAxIb1Vtke
oF+i32mcOHFXas0XbM+gKxZHWBd1AgMBAAGjITAfMB0GA1UdDgQWBBREXAhrkVgl
3yaqJhuMuhgp7xEqszANBgkqhkiG9w0BAQsFAAOCAQEAApRFQqh56QIZ9p4cnLpc
i+I0o7l42Nwddzlmv7sdIjOPphk5iXfpy1BsKhXC0rXXcdPqqiM84GJaLgqQuAA5
E4cUPtj/jRDWP58CJ4uA2ICuJRVa5IN0TtImDlohH6a4euP1zO4hAD3leRVPylAN
dW7+/JumX1sPWkl3n1GrE+TQao5riFW87kCAf6Zr8us+d0jWowWBTGLwzCLtBrPh
+xOwVyyp/Gdp0kucwhHr20il/DJnsFh9m4boQp1O4/BwE2wxctyetD0rHcF5PNin
ADLCPSP4kGOdMx/FiR12cBOexXluyb1+h4OEuvG+ojkzOGPkEaZsa42S1x1jzHIT
eA==
-----END CERTIFICATE-----
sdn@onosCell1:~/wiki$ ls
cacert.pem  onos.jks  onos.p12  onos.pem
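The onos-side procedure above as a non-interactive script, added here as an example; it is not code from the ONOS wiki or the ONOS project. It keeps the file names, alias and subject fields used above; the password argument and the sample PEM text embedded in the demo are constructed placeholders. What it adds is the one step the walkthrough leaves to hand-editing: the onos.pem written by "openssl pkcs12" contains the passphrase-protected private key as well as the certificate, so extract_cert_only copies the "Bag Attributes" header and the CERTIFICATE block and drops every PRIVATE KEY block, and cert_file_is_safe_to_ship refuses a file that still carries key material before it is copied to the switch. make_onos_keystore needs a JDK (keytool) and openssl; it is defined but not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the ONOS wiki page. File names, alias and
# subject fields follow the walkthrough; passwords and the sample PEM below
# are constructed placeholders.
set -eu

# Non-interactive version of the keytool/openssl steps. Requires a JDK
# (keytool) and openssl; defined here, not run by the demo at the bottom.
# $1 = keystore password (also used as key password, which PKCS#12 requires)
make_onos_keystore() {
    pw="$1"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 \
        -alias onos -keystore onos.jks -storetype JKS \
        -storepass "$pw" -keypass "$pw" \
        -dname "CN=sdn rocks, OU=config-guide, O=onosproject.org, L=anycity, ST=anystate, C=us"
    keytool -importkeystore -srckeystore onos.jks -destkeystore onos.p12 \
        -srcstoretype jks -deststoretype pkcs12 \
        -srcstorepass "$pw" -deststorepass "$pw"
    # Full PEM: certificate AND encrypted private key. Stays on the onos host.
    openssl pkcs12 -in onos.p12 -out onos.pem -passin "pass:$pw" -passout "pass:$pw"
    # Certificate-only PEM (-nokeys): the only file that goes to the switch.
    openssl pkcs12 -in onos.p12 -nokeys -out cacert.pem -passin "pass:$pw"
}

# Split an existing combined PEM ($1) into a certificate-only file ($2):
# keep each "Bag Attributes"/subject/issuer header together with the
# CERTIFICATE block it introduces, drop any PRIVATE KEY block and its header.
extract_cert_only() {
    awk '
        /^-----BEGIN / {
            inblock = 1
            keep = ($0 ~ /BEGIN CERTIFICATE/)
            if (keep) { printf "%s", hdr }   # flush header of a kept block
            hdr = ""
        }
        inblock {
            if (keep) print
            if ($0 ~ /^-----END /) { inblock = 0; keep = 0 }
            next
        }
        { hdr = hdr $0 "\n" }                # buffer header lines for the next block
    ' "$1" > "$2"
}

# 0 when the file holds at least one certificate and no key material at all.
cert_file_is_safe_to_ship() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    ! grep -q 'PRIVATE KEY' "$1"
}

# Demo on a constructed onos.pem (base64 payloads are placeholders, not a
# real certificate or key) in a scratch directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/onos.pem" <<'EOF'
Bag Attributes
    friendlyName: onos
    localKeyID: 00 11 22
subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0VSVCAtIE5PVCBBIFJFQUwgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: onos
    localKeyID: 00 11 22
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgLSBOT1QgQSBSRUFMIEtFWQ==
-----END ENCRYPTED PRIVATE KEY-----
EOF

extract_cert_only "$demo_dir/onos.pem" "$demo_dir/cacert.pem"
if cert_file_is_safe_to_ship "$demo_dir/cacert.pem"; then
    echo "cacert.pem contains only certificate material; OK to copy to OVS"
else
    echo "cacert.pem still contains key material; do not copy it" >&2
    exit 1
fi
```

Using "openssl pkcs12 -nokeys" writes the certificate-only PEM straight from onos.p12 and is the simpler route when you are running the conversion yourself; extract_cert_only covers the case where only the combined onos.pem is at hand. Either way, check the result with cert_file_is_safe_to_ship before it leaves the controller host.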
Use "keytool" to generate a .jks keystore