Configure OVS Connection Using SSL with Self-signed Certificates
- Tracy Yang
Owned by Tracy Yang
Nov 13, 2023
5 min read
Loading data...
To make a SSL/TLS Openflow connection between onos and OVS switches using self-signed certificates, there are five main steps to follow:
- Generate SSL key/certificate for onos;
- Test the SSL connection.
- Copy the onos certificate to the appropriate OVS location so that OVS can accept the certificate from onos;
- Generate SSL key/certificate for OVS;
- Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from OVS;
The following is an example of the detailed configuration steps.
Step 1. Generating SSL key/certificate for onos. On the host running onos, we generate the SSL key/certificate as the following:
a). Create a folder named “ssl”, in this folder we use "keytool" to generate a .jks keystone:
root@devel:/opt/onos# cd ssl root@devel:/opt/onos/ssl# keytool -genkey -keyalg RSA -alias onos -keystore onos.jks -storepass 111111 -validity 365 -keysize 2048 What is your first and last name? [Unknown]: Ai Haoyu What is the name of your organizational unit? [Unknown]: FNLab-BUPT What is the name of your organization? [Unknown]: BUPT What is the name of your City or Locality? [Unknown]: Beijing What is the name of your State or Province? [Unknown]: Beijing What is the two-letter country code for this unit? [Unknown]: CN Is CN=Ai Haoyu, OU=FNLab-BUPT, O=BUPT, L=Beijing, ST=Beijing, C=CN correct? [no]: yes Enter key password for <onos> (RETURN if same as keystore password): Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore onos.jks -destkeystore onos.jks -deststoretype pkcs12". root@devel:/opt/onos/ssl# ls onos.jks
b). Covert the .jks keystore (which onos uses) to PEM file (which OVS uses) in a 2-step conversions: from .jks to .p12, then to .pem:
root@devel:/opt/onos/ssl# keytool -importkeystore -srckeystore onos.jks -destkeystore onos.p12 -srcstoretype jks -deststoretype pkcs12 Importing keystore onos.jks to onos.p12... Enter destination keystore password: Re-enter new password: Enter source keystore password: Entry for alias onos successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled root@devel:/opt/onos/ssl# ls onos.jks onos.p12 root@devel:/opt/onos/ssl# openssl pkcs12 -in onos.p12 -out onos.pem Enter Import Password: Enter PEM pass phrase: Verifying - Enter PEM pass phrase: root@devel:/opt/onos/ssl# ls onos.jks onos.p12 onos.pem
c). Use the certificate portion of the "onos.pem" file to create a new file, called "cacert.pem" - this is the file to be copied over to OVS - it is from "Bag Attributes" to "END CERTIFICATE":
root@devel:/opt/onos/ssl# cat onos.pem <Private key here> Bag Attributes friendlyName: onos localKeyID: 54 69 6D 65 20 31 35 33 39 33 32 37 38 34 32 31 39 39 subject=/C=CN/ST=Beijing/L=Beijing/O=BUPT/OU=FNLab-BUPT/CN=Ai Haoyu issuer=/C=CN/ST=Beijing/L=Beijing/O=BUPT/OU=FNLab-BUPT/CN=Ai Haoyu -----BEGIN CERTIFICATE----- MIIDbzCCAlegAwIBAgIEOtHFEDANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJD TjEQMA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChME ...... -----END CERTIFICATE----- root@devel:/opt/onos/ssl# sudo vi ./cacert.pem Bag Attributes friendlyName: onos localKeyID: 54 69 6D 65 20 31 35 33 39 33 32 37 38 34 32 31 39 39 subject=/C=CN/ST=Beijing/L=Beijing/O=BUPT/OU=FNLab-BUPT/CN=Ai Haoyu issuer=/C=CN/ST=Beijing/L=Beijing/O=BUPT/OU=FNLab-BUPT/CN=Ai Haoyu -----BEGIN CERTIFICATE----- MIIDbzCCAlegAwIBAgIEOtHFEDANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJD TjEQMA4GA1UECBMHQmVpamluZzEQMA4GA1UEBxMHQmVpamluZzENMAsGA1UEChME ....... -----END CERTIFICATE-----
Note:
The intermediate key/cert, "onos.p12", and onos.pem, are no longer used and should be discarded.
Step 2. Copy the onos certificate to the appropriate OVS location so that OVS can accept the certificate from onos:
a). In the case of PicaOS, firstly we need to install openssl module, then create controllerca directory and switchca directory, and generate key and certificate for the OVS switch in switchca directory:
admin@PICOS-OVS:~$ sudo apt-get install openssl Reading package lists... Done Building dependency tree Reading state information... Done openssl is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 60 not upgraded. admin@PICOS-OVS:~$ sudo su root@PICOS-OVS:/home/admin# ovs-pki init --force Creating controllerca... Creating switchca... root@PICOS-OVS:~$ cd /ovs/var/lib/openvswitch/pki/switchca root@PICOS-OVS:/ovs/var/lib/openvswitch/pki/switchca# ovs-pki req+sign sc switch sc-req.pem Mon Oct 15 16:01:11 UTC 2018 fingerprint 0d336057404dab9bc7dc158b7f4a7007ced6efd4 root@PICOS-OVS:/ovs/var/lib/openvswitch/pki/switchca# ls -lat total 76 drwxr-xr-x 6 root root 4096 Oct 15 16:01 . ..... -rw-r--r-- 1 root root 4002 Oct 15 16:01 sc-cert.pem -rw-r--r-- 1 root root 3565 Oct 15 16:01 sc-req.pem -rw------- 1 root root 1675 Oct 15 16:01 sc-privkey.pem -rw-r--r-- 1 root root 4028 Oct 15 15:56 cacert.pem .... drwxr-xr-x 4 root root 4096 Oct 15 15:56 ..
a). Copy cacert.pem from your ONOS working directory(/opt/ssl) to this directory your OVS machine: "/ovs/var/lib/openvswitch/pki/controllerca/cacert.pem", you can replace or backup the original cacert.pem file.
root@PICOS-OVS:/etc# mkdir ovsbackup root@PICOS-OVS:/etc# cd ovsbackup/ root@PICOS-OVS:/etc/ovsbackup# cd /ovs/var/lib/openvswitch/pki/controllerca root@PICOS-OVS:/ovs/var/lib/openvswitch/pki/controllerca# ls ca.cnf cacert.pem careq.pem certs crl crlnumber index.txt index.txt.attr index.txt.old newcerts private serial serial.old root@PICOS-OVS:/ovs/var/lib/openvswitch/pki/controllerca# mv cacert.pem /etc/ovsbackup/ root@PICOS-OVS:/ovs/var/lib/openvswitch/pki/controllerca# ls ca.cnf careq.pem certs crl crlnumber index.txt index.txt.attr index.txt.old newcerts private serial serial.old root@PICOS-OVS:/ovs/var/lib/openvswitch/pki/controllerca# scp pica8@10.10.50.243:/opt/ssl/cacert.pem . The authenticity of host '10.10.50.243 (10.10.50.243)' can't be established. ECDSA key fingerprint is a3:a4:a2:ab:a9:bd:81:02:16:7a:9b:8d:f9:07:e3:90. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.10.50.243' (ECDSA) to the list of known hosts. pica8@10.10.50.243's password: cacert.pem 100% 1499 1.5KB/s 00:00 root@PICOS-OVS:/ovs/var/lib/openvswitch/pki/controllerca# ls ca.cnf cacert.pem careq.pem certs crl crlnumber index.txt index.txt.attr index.txt.old newcerts private serial serial.old
c). Make OVS to use the new keys:
root@PICOS-OVS:/ovs/var/lib/openvswitch/pki/switchca# ovs-vsctl set-ssl /ovs/var/lib/openvswitch/pki/switchca/sc-privkey.pem /ovs/var/lib/openvswitch/pki/switchca/sc-cert.pem /ovs/var/lib/openvswitch/pki/controllerca/cacert.pem
Step 3. Copy the OVS certificate to the appropriate onos location so that onos can accept the certificate from OVS:
a). Copy "sc-cert.pem" (the OVS public key just generated in 2.1) to the ONOS host, and import it to onos.jks store with trust:
root@pica8:/opt/ssl# scp admin@10.10.51.140:/ovs/var/lib/openvswitch/pki/switchca/sc-cert.pem . The authenticity of host '10.10.51.140 (10.10.51.140)' can't be established. ECDSA key fingerprint is SHA256:3hI1TnyjNj2k7QgjCRS5xR/2wh5yxKijgwMHIuCsm0s. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.10.51.140' (ECDSA) to the list of known hosts. admin@10.10.51.140's password: sc-cert.pem 100% 4002 3.9KB/s 00:00 root@pica8:/opt/ssl# ls cacert.pem onos.jks onos.p12 onos.pem sc-cert.pem root@pica8:/opt/ssl# keytool -importcert -file sc-cert.pem -keystore onos.jks Enter keystore password: Owner: CN=sc id:2018 Oct 15 16:01:09, OU=Open vSwitch certifier, O=Open vSwitch, ST=CA, C=US Issuer: CN=OVS switchca CA Certificate (2018 Oct 15 15:56:46), OU=switchca, O=Open vSwitch, ST=CA, C=US Serial number: 2 Valid from: Tue Oct 16 00:01:11 CST 2018 until: Fri Oct 13 00:01:11 CST 2028 Certificate fingerprints: MD5: AA:53:F9:43:D4:77:07:38:87:25:DC:3D:8A:0A:19:A6 SHA1: 45:19:64:D8:E1:A7:2A:18:CC:15:25:10:9A:C8:AE:BC:FD:53:AB:CC SHA256: 75:BE:13:3D:DB:8E:DC:39:D1:73:01:A8:A3:04:00:9B:D1:7B:98:84:49:85:2A:B9:5C:E9:1D:B6:F6:45:C5:E0 Signature algorithm name: MD5withRSA (weak) Subject Public Key Algorithm: 2048-bit RSA key Version: 1 Warning: The input uses the MD5withRSA signature algorithm which is considered a security risk. Trust this certificate? [no]: yes Certificate was added to keystore Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore onos.jks -destkeystore onos.jks -deststoretype pkcs12". root@pica8:/opt/ssl# keytool -list -keystore onos.jks Enter keystore password: Keystore type: jks Keystore provider: SUN Your keystore contains 2 entries onos, Oct 15, 2018, PrivateKeyEntry, Certificate fingerprint (SHA1): F9:D6:36:06:B8:5A:AE:0C:50:CE:B8:E3:DF:16:0F:9B:5C:8B:2E:7C mykey, Oct 15, 2018, trustedCertEntry, Certificate fingerprint (SHA1): 45:19:64:D8:E1:A7:2A:18:CC:15:25:10:9A:C8:AE:BC:FD:53:AB:CC
b). In the ONOS host, make sure these applications are activated:
onos> apps -s ...... * 21 org.onosproject.hostprovider 1.13.3 Host Location Provider * 22 org.onosproject.lldpprovider 1.13.3 LLDP Link Provider * 23 org.onosproject.optical-model 1.13.3 Optical Network Model * 24 org.onosproject.openflow-base 1.13.3 OpenFlow Base Provider * 25 org.onosproject.openflow 1.13.3 OpenFlow Provider Suite ...... * 37 org.onosproject.drivers 1.13.3 Default Drivers ......
c). Enable ONOS to use OFTLS by configuring "$ONOS_HOME/bin/onos-service":
root@pica8:/opt/onos/bin# vi onos-service
#!/bin/bash
# -----------------------------------------------------------------------------
# Starts ONOS Apache Karaf container
# -----------------------------------------------------------------------------
# uncomment the following line for performance testing
# export JAVA_OPTS="${JAVA_OPTS:--Xms16G -Xmx16G -XX:+UseConcMarkSweepGC -XX:+CMSIncrementalMode -XX:+PrintGCDetails -XX:+PrintGCTimeStamps}"
# uncomment the following line for Netty TLS encryption
# Do modify the keystore location/password and truststore location/password accordingly
#export JAVA_OPTS="${JAVA_OPTS:--DenableNettyTLS=true -Djavax.net.ssl.keyStore=/home/ubuntu/onos.jks -Djavax.net.ssl.keyStorePassword=222222 -Djavax.net.ssl.trustStore=/home/ubuntu/onos.jks -Djavax.net.ssl.trustStorePassword=222222}"
export JAVA_OPTS="${JAVA_OPTS:--DenableOFTLS=true -Djavax.net.ssl.keyStore=/opt/ssl/onos.jks -Djavax.net.ssl.keyStorePassword=111111 -Djavax.net.ssl.trustStore=/opt/ssl/onos.jks -Djavax.net.ssl.trustStorePassword=111111}"
export JAVA_OPTS="${JAVA_OPTS:--Dds.lock.timeout.milliseconds=10000}"
set -e # exit on error
set -u # exit on undefined variable
................
"onos-service" 57L, 2308C written
c). Restart the ONOS controller.
Step 4. Testing the SSL connection:
a). On the OVS machine, we create a new bridge named br0, and set it connect to the controller by ssl:
admin@PICOS-OVS:/$ ovs-vsctl add-br br0 - set bridge br0 datapath_type=pica8 admin@PICOS-OVS:/$ ovs-vsctl show 5187ffd7-d781-48dc-82a6-37692344a877 Bridge "br0" Port "br0" Interface "br0" type: internal admin@PICOS-OVS:/$ ovs-vsctl set-controller br0 ssl:10.10.50.243:6653
b). Check the OVS machine log, You should see the following log messages:
admin@PICOS-OVS:~$ tail -f /tmp/log/messages Oct 15 2018 17:39:54 Xorplus daemon.notice : 17:39:54.742|ovs|00879|rconn|INFO|br0<->ssl:10.10.50.243:6653: connected Oct 15 2018 17:40:06 Xorplus daemon.notice : 17:40:06.390|ovs|00880|connmgr|INFO|br0<->ssl:10.10.50.243:6653: 3 flow_mods 10 s ago (3 adds)
c). Check the device on ONOS host, you can see the OVS machine in the list:
onos> devices id=of:1c480030ab283b4f, available=true, local-status=connected 25m15s ago, role=MASTER, type=SWITCH, mfr=Pica8, Inc, hw=ag5648, sw=PicOS, serial=A566F6DG17AB00011, chassis=1c480030ab283b4f, driver=default, channelId=10.10.51.140:36024, managementAddress=10.10.51.140, protocol=OF_14
We can see the SSL connection is successful.
Copyright © 2024 Pica8 Inc. All Rights Reserved.