work in progress
To make an SSL/TLS OpenFlow connection between onos and OVS switches using self-signed certificates, there are four main steps to follow:
- Generate SSL key/certificate for onos;
- Copy the onos certificate to the appropriate OVS location so that ovs can accept the certificate from onos;
- Generate SSL key/certificate for OVS;
- Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from ovs.
Generating SSL key/certificate for onos: on the host running onos, generate the SSL key/certificate as follows.
Use "keytool" to generate a .jks keystore. keytool prompts for the subject fields; the answer to "first and last name" becomes the CN of the certificate. Note that a -storepass value given on the command line, as below, is saved in shell history and visible to other users via ps; omit it and keytool prompts for the password instead.
sdn@onosCell1:~/wiki$ keytool -genkey -keyalg RSA -alias onos -keystore onos.jks -storepass 222222 -validity 360 -keysize 2048
What is your first and last name?
  [Unknown]:  sdn rocks
What is the name of your organizational unit?
  [Unknown]:  config-guide
What is the name of your organization?
  [Unknown]:  onosproject.org
What is the name of your City or Locality?
  [Unknown]:  anycity
What is the name of your State or Province?
  [Unknown]:  anystate
What is the two-letter country code for this unit?
  [Unknown]:  us
Is CN=sdn rocks, OU=config-guide, O=onosproject.org, L=anycity, ST=anystate, C=us correct?
  [no]:  yes
Enter key password for <onos>
        (RETURN if same as keystore password):
sdn@onosCell1:~/wiki$ ls
onos.jks
Convert the .jks keystore (which onos uses) to a PEM file (which OVS uses) in two steps: first from .jks to .p12, then from .p12 to .pem.
sdn@onosCell1:~/wiki$ keytool -importkeystore -srckeystore onos.jks -destkeystore onos.p12 -srcstoretype jks -deststoretype pkcs12
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias onos successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
sdn@onosCell1:~/wiki$ ls
onos.jks  onos.p12
sdn@onosCell1:~/wiki$ openssl pkcs12 -in onos.p12 -out onos.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
sdn@onosCell1:~/wiki$ ls
onos.jks  onos.p12  onos.pem
Use the certificate portion of the "onos.pem" file to create a new file, called "cacert.pem"; this is the file to be copied over to OVS. It is the part from the second "Bag Attributes" line (the one followed by the subject= and issuer= lines) to "END CERTIFICATE". The private key block at the top of onos.pem (it has its own "Bag Attributes" header) must not be included: only the certificate is handed to OVS, never the onos private key.
sdn@onosCell1:~/wiki$ cat onos.pem
<Private key here>
Bag Attributes
    friendlyName: onos
    localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
-----BEGIN CERTIFICATE-----
MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
.....
-----END CERTIFICATE-----
sdn@onosCell1:~/wiki$ cat cacert.pem
Bag Attributes
    friendlyName: onos
    localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
-----BEGIN CERTIFICATE-----
MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
...
-----END CERTIFICATE-----
sdn@onosCell1:~/wiki$ ls
cacert.pem  onos.jks  onos.p12  onos.pem
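The same four steps (keystore, PKCS#12, PEM, then cutting the certificate out into cacert.pem) done non-interactively, as an added example that is not code from the ONOS wiki or the ONOS project. It keeps the file names and alias used on this page; the keystore password is read from an environment variable ONOS_KS_PASS (this example's own choice), and build_onos_keystore needs keytool and openssl on the host. The extraction and check functions are plain awk/grep, so they also work on an onos.pem produced by hand as above. The sample bundle written by write_sample_bundle is constructed for the offline demo: its key and certificate bodies are placeholders, not real DER data.

```shell
#!/bin/sh
# Added example; not code from the ONOS wiki or the ONOS project.
# Automates jks -> p12 -> pem and builds cacert.pem from onos.pem without hand
# editing, refusing any result that still carries the onos private key.
# Assumed: file names onos.jks/onos.p12/onos.pem/cacert.pem, alias "onos",
# keystore password in $ONOS_KS_PASS (keytool ":env" modifier, openssl "env:").

# Non-interactive form of the keytool/openssl session on the page. The password
# never appears on the command line, so it is not in shell history or "ps".
# -nokeys exports only the certificate, so cacert.pem is key-free by construction.
build_onos_keystore() {
    [ -n "$ONOS_KS_PASS" ] || { echo "set ONOS_KS_PASS first" >&2; return 1; }
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 360 -alias onos \
        -keystore onos.jks -storepass:env ONOS_KS_PASS -keypass:env ONOS_KS_PASS \
        -dname "CN=sdn rocks, OU=config-guide, O=onosproject.org, L=anycity, ST=anystate, C=us" &&
    keytool -importkeystore -srckeystore onos.jks -destkeystore onos.p12 \
        -srcstoretype jks -deststoretype pkcs12 \
        -srcstorepass:env ONOS_KS_PASS -deststorepass:env ONOS_KS_PASS &&
    openssl pkcs12 -in onos.p12 -nokeys -passin env:ONOS_KS_PASS -out cacert.pem
}

# Portable fallback for an onos.pem already made as on the page: keep only the
# "-----BEGIN CERTIFICATE-----" .. "-----END CERTIFICATE-----" block(s); the Bag
# Attributes lines and the (encrypted) private key block are dropped.
extract_cert_only() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
         keep { print }
         /^-----END CERTIFICATE-----$/ { keep = 0 }' "$1" > "$2"
}

# Number of certificate blocks in a PEM file; a self-signed onos cert gives 1.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# True (exit 0) if the file still carries any PEM private key block.
pem_has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Refuse a cacert.pem that would hand the controller key to the switch.
check_cacert() {
    if pem_has_private_key "$1"; then
        echo "REFUSING $1: it contains a private key; do not copy it to OVS" >&2
        return 1
    fi
    [ "$(count_certs "$1")" -ge 1 ] || { echo "$1: no certificate found" >&2; return 1; }
}

# With OpenSSL present, confirm the file parses and show what OVS will trust.
show_cacert() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

# Constructed stand-in for onos.pem (placeholder bodies, not real DER),
# used only to exercise the portable functions offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: onos
    localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDERPRIVATEKEYBODYNOTREALDATA
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: onos
    localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEBODYNOTREALDATA
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed bundle: the hand-copied cacert.pem step, done mechanically.
WORK=$(mktemp -d)
write_sample_bundle "$WORK/onos.pem"
extract_cert_only "$WORK/onos.pem" "$WORK/cacert.pem"
check_cacert "$WORK/cacert.pem"
echo "cacert.pem: $(count_certs "$WORK/cacert.pem") certificate(s), no private key; ready to copy to OVS"
rm -rf "$WORK"
```

OpenSSL's PEM reader ignores text outside the BEGIN/END lines, so the Bag Attributes lines the page keeps in its cacert.pem are harmless; what matters is that the private key block from the top of onos.pem is not copied, which is exactly what check_cacert rejects. On a real host, run build_onos_keystore in the directory where onos.jks should live and then show_cacert cacert.pem to see the subject, expiry and SHA-256 fingerprint before copying the file to the switch.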