
work in progress

 

To set up an SSL/TLS OpenFlow connection between ONOS and OVS switches using self-signed certificates, there are four main steps to follow:

  1. Generate an SSL key/certificate for ONOS;
  2. Copy the ONOS certificate to the appropriate OVS location so that OVS can accept the certificate from ONOS;
  3. Generate an SSL key/certificate for OVS;
  4. Copy the OVS certificate to the appropriate ONOS location so that ONOS can accept the certificate from OVS.

 

  1. Generating the SSL key/certificate for ONOS: on the host running ONOS, generate the SSL key/certificate as follows:
    1. Use "keytool" to generate a .jks keystore

      sdn@onosCell1:~/wiki$ keytool -genkey -keyalg RSA -alias onos -keystore onos.jks -storepass 222222 -validity 360 -keysize 2048
      What is your first and last name?
        [Unknown]:  sdn rocks
      What is the name of your organizational unit?
        [Unknown]:  config-guide
      What is the name of your organization?
        [Unknown]:  onosproject.org
      What is the name of your City or Locality?
        [Unknown]:  anycity
      What is the name of your State or Province?
        [Unknown]:  anystate
      What is the two-letter country code for this unit?
        [Unknown]:  us
      Is CN=sdn rocks, OU=config-guide, O=onosproject.org, L=anycity, ST=anystate, C=us correct?
        [no]:  yes
      Enter key password for <onos>
      	(RETURN if same as keystore password):
      sdn@onosCell1:~/wiki$ ls
      onos.jks
    2. Convert the .jks keystore (which ONOS uses) to a PEM file (which OVS uses) in a two-step conversion: from .jks to .p12, then to .pem

      sdn@onosCell1:~/wiki$ keytool -importkeystore -srckeystore onos.jks -destkeystore onos.p12 -srcstoretype jks -deststoretype pkcs12
      Enter destination keystore password:
      Re-enter new password:
      Enter source keystore password:
      Entry for alias onos successfully imported.
      Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
      sdn@onosCell1:~/wiki$ ls
      onos.jks  onos.p12
      sdn@onosCell1:~/wiki$ openssl pkcs12 -in onos.p12 -out onos.pem
      Enter Import Password:
      MAC verified OK
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:
      sdn@onosCell1:~/wiki$ ls
      onos.jks  onos.p12  onos.pem
    3. Use the certificate portion of the "onos.pem" file (from "Bag Attributes" to "END CERTIFICATE") to create a new file called "cacert.pem". This is the file to be copied over to OVS; the private key at the top of "onos.pem" is not part of it.

      sdn@onosCell1:~/wiki$ cat onos.pem
      <Private key here>
      Bag Attributes
          friendlyName: onos
          localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
      subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
      issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
      -----BEGIN CERTIFICATE-----
      MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
      .....
      -----END CERTIFICATE-----
       
      sdn@onosCell1:~/wiki$ cat cacert.pem
      Bag Attributes
          friendlyName: onos
          localKeyID: 54 69 6D 65 20 31 34 35 33 32 34 33 35 32 33 34 31 39
      subject=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
      issuer=/C=us/ST=anystate/L=anycity/O=onosproject.org/OU=config-guide/CN=sdn rocks
      -----BEGIN CERTIFICATE-----
      MIIDjTCCAnWgAwIBAgIEbbwHKjANBgkqhkiG9w0BAQsFADB3MQswCQYDVQQGEwJ1
      ...
      -----END CERTIFICATE-----
       
      sdn@onosCell1:~/wiki$ ls
      cacert.pem  onos.jks  onos.p12  onos.pem
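
The certificate extraction in step 3 can be scripted so that the private key is never carried into "cacert.pem" by a copy/paste slip. This is an added example, not part of the original guide; the function names `extract_cert` and `safe_to_copy` and the placeholder PEM bodies are constructed for illustration.

```shell
#!/bin/sh
# Added example: keep only the certificate bag of a PKCS#12-to-PEM dump.
# Function names and the sample PEM content are constructed for illustration.

# Print the certificate bag ("Bag Attributes" .. "END CERTIFICATE") of file $1,
# dropping the private-key block and the attribute lines that precede it.
extract_cert() {
    awk '
        /^Bag Attributes/                { buf = $0 "\n"; inbag = 1; next }
        /^-----BEGIN .*PRIVATE KEY-----/ { buf = ""; inbag = 0; inkey = 1; next }
        /^-----END .*PRIVATE KEY-----/   { inkey = 0; next }
        inkey                            { next }
        /^-----BEGIN CERTIFICATE-----/   { printf "%s", buf; buf = ""; inbag = 0; incert = 1 }
        incert                           { print; if (/^-----END CERTIFICATE-----/) incert = 0; next }
        inbag                            { buf = buf $0 "\n" }
    ' "$1"
}

# Succeed only if file $1 holds a certificate and no private-key block.
# Also usable on a cacert.pem that was assembled by hand.
safe_to_copy() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
    if grep -q -e 'PRIVATE KEY-----' "$1"; then return 1; fi
    return 0
}

# Constructed stand-in for the onos.pem produced by "openssl pkcs12".
workdir=$(mktemp -d)
cat > "$workdir/onos.pem" <<'EOF'
Bag Attributes
    friendlyName: onos
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: onos
subject=/CN=constructed example
issuer=/CN=constructed example
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT
-----END CERTIFICATE-----
EOF

extract_cert "$workdir/onos.pem" > "$workdir/cacert.pem"
safe_to_copy "$workdir/cacert.pem" && echo "cacert.pem: certificate only"
```

Running `safe_to_copy` against "onos.pem" itself fails, which is the case to catch before anything is copied to the switch.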
