Have questions? Stuck? Please check our FAQ for some common questions and answers.

Inter-controller communication exchanged at the East/West interface does not provide secure communication by default, allowing observation and modification of inter-controller traffic. TLS can and should be enabled for inter-controller communications to ensure communication within an ONOS cluster is secure. Hostnames, IP addresses, and directories in the following commands should be adjusted for your environment.

Generate a key on each ONOS server

On each ONOS server, generate a new key with an alias unique to that server:

sdn@server:~/onos$ keytool -genkey -keyalg RSA -alias onos-<server hostname>  -keystore apache-karaf-3.0.8/etc/keystore -storepass 222222 -validity 360 -keysize 2048
What is your first and last name?
  [Unknown]:  sdn rocks
What is the name of your organizational unit?
  [Unknown]:  config-guide
What is the name of your organization?
  [Unknown]:  onosproject.org
What is the name of your City or Locality?
  [Unknown]:  anycity
What is the name of your State or Province?
  [Unknown]:  anystate
What is the two-letter country code for this unit?
  [Unknown]:  us
Is CN=sdn rocks, OU=config-guide, O=onosproject.org, L=anycity, ST=anystate, C=us correct?
  [no]:  yes
Enter key password for <onos>
(RETURN if same as keystore password):


Get the certificates

The certificate for the newly generated key on each ONOS instance will now need to be distributed among the other ONOS instances. To do this the key should be converted to a .p12 file and then to a PEM file, as follows:

sdn@server:~/onos$ keytool -importkeystore -srckeystore apache-karaf-3.0.8/etc/keystore -destkeystore onos.p12 -srcstoretype jks -deststoretype pkcs12
sdn@server:~/onos$ openssl pkcs12 -in onos.p12 -out onos.pem
sdn@server:~/onos$ ls
onos.pem ...

The certificate can now be extracted from the PEM file using the following command. The output file for this command should be adjusted to ensure that it is unique for each ONOS server. This will make it easier to manage when transporting certificates between instances.

sdn@server:~/onos$ awk 'split_after == 1 {n++;split_after=0} /-----END ENCRYPTED PRIVATE KEY-----/ {split_after=1} {print > "cacert" n ".pem"}' < onos.pem; mv cacert1.pem cert.pemd
sdn@server:~/onos$ mv cert.pem onos-<hostname>-cert.pem


Copy certificates to each ONOS server

Each ONOS instance in the cluster will need the certificate for every other ONOS instance. The certificates can be copied using the following command. This command should be repeated for each certificate and each instance.

sdn@server:~/onos$ scp ./onos-<hostname>-cert.pem sdn@otherserver:~/onos/


Import the certificate

Each ONOS instance will need the certificates for every other instance in its keystore. The certificates can be imported using the following command:

sdn@server:~/onos$ keytool -importcert -file onos-<hostname>-cert.pem -keystore apache-karaf-3.0.8/etc/keystore
…
Trust this certificate? [no]:  yes
Certificate was added to keystore


Modify the ONOS launch script

The ONOS launch script ‘onos-service’ located in the ‘$ONOS_ROOT/bin/’ directory contains a line to enable TLS for Netty, the communication framework used for inter-controller communication. Uncomment the line and ensure the ‘keystore’ and ‘truststore’ point to the keystore used in the commands above.


export JAVA_OPTS="${JAVA_OPTS:--DenableNettyTLS=true -Djavax.net.ssl.keyStore=/home/sdn/onos/apache-karaf-3.0.8/etc/keystore -Djavax.net.ssl.keyStorePassword=222222 -Djavax.net.ssl.trustStore=/home/sdn/onos/apache-karaf-3.0.8/etc/keystore -Djavax.net.ssl.trustStorePassword=222222}"


Restart ONOS

With the above steps completed, the ONOS service should be restarted to enable secure inter-controller communication.

  • No labels