File: tls.rst

python-os-ken 3.0.1-2
********************
Setup TLS Connection
********************

If you want a secure channel between the controller and your OpenFlow
switches, use a TLS connection. With the setup below the two sides
authenticate each other: the switch verifies the controller's certificate
and the controller verifies the switch's. This document describes how to
set up OS-Ken to connect to Open vSwitch over TLS.


Configuring a Public Key Infrastructure
========================================

If you don't already have a PKI, the ovs-pki script shipped with Open
vSwitch can create one. This section is based on INSTALL.SSL in the Open
vSwitch source tree.

NOTE: Installing Open vSwitch is not covered here; please refer to the
Open vSwitch documentation.


Create a PKI with the ovs-pki script::

    % ovs-pki init
    (Default directory is /usr/local/var/lib/openvswitch/pki)

The PKI directory contains two subdirectories, controllerca and
switchca, each holding that CA's certificate and private key. The
controller CA signs controller certificates and the switch CA signs
switch certificates, so each side is later given the *other* CA's
certificate to verify its peer.


Create a controller private key and certificate, signed by the
controller CA::

    % ovs-pki req+sign ctl controller

ctl-privkey.pem and ctl-cert.pem are written to the current directory.


Create a switch private key and certificate, signed by the switch CA::

    % ovs-pki req+sign sc switch

sc-privkey.pem and sc-cert.pem are written to the current directory.


Testing TLS Connection
======================

Configure ovs-vswitchd with the switch's private key, the switch's
certificate and the CA certificate it should use to verify the
controller (the controller CA), using the ovs-vsctl "set-ssl" command,
e.g.::

    % ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem \
      /etc/openvswitch/sc-cert.pem \
      /usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem
    % ovs-vsctl add-br br0
    % ovs-vsctl set-controller br0 ssl:127.0.0.1:6633

Substitute the correct file names if they differ from the ones used
above. Use absolute file names, since ovs-vswitchd, not your shell,
opens them. Avoid "set-ssl --bootstrap" outside of lab setups: it makes
the switch accept and save whatever CA certificate the first controller
presents, so it does not authenticate that first connection.


Run OS-Ken with the controller's private key and certificate and the
switch CA's certificate::

    % osken-manager --ctl-privkey ctl-privkey.pem \
                  --ctl-cert ctl-cert.pem \
                  --ca-certs /usr/local/var/lib/openvswitch/pki/switchca/cacert.pem \
                  --verbose

Always pass --ca-certs: it is what makes OS-Ken require a certificate
from each connecting switch and verify it against the switch CA. With
only --ctl-privkey and --ctl-cert the channel is encrypted, but any
client that can reach the listening port is accepted as a switch.

You should see output like::

    loading app os_ken.controller.ofp_handler
    instantiating app os_ken.controller.ofp_handler
    BRICK ofp_event
      CONSUMES EventOFPSwitchFeatures
      CONSUMES EventOFPErrorMsg
      CONSUMES EventOFPHello
      CONSUMES EventOFPEchoRequest
    connected socket:<SSLSocket fileno=4 sock=127.0.0.1:6633 peer=127.0.0.1:61302> address:('127.0.0.1', 61302)
    hello ev <os_ken.controller.ofp_event.EventOFPHello object at 0x1047806d0>
    move onto config mode
    switch features ev version: 0x1 msg_type 0x6 xid 0xb0bb34e5 port OFPPhyPort(port_no=65534, hw_addr='\x16\xdc\xa2\xe2}K', name='br0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', config=0, state=0, curr=0, advertised=0, supported=0, peer=0)
    move onto main mode

The "connected socket:<SSLSocket ...>" line confirms the switch came in
over TLS; with a plain "tcp:" controller URL it would be a plain socket.
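If the switch never shows up, the usual causes are a private key that does
not belong to its certificate, or a certificate that does not chain to the
CA certificate the *other* side was given. The following shell function is
an added example, not part of the OS-Ken or Open vSwitch documentation; it
checks one side of the channel with the openssl command-line tool, which it
assumes is installed. The file names in the usage comments are the ones
used in this document, with ovs-pki's default PKI directory.

```shell
#!/bin/sh
# Added example (not OS-Ken or Open vSwitch code). Pre-flight check for one
# side of the TLS channel. Assumes the openssl CLI is installed.
#
#   check_tls_pair PRIVKEY CERT CA_CERT
#
# Exit status 0 if PRIVKEY belongs to CERT and CERT verifies against CA_CERT,
# 1 otherwise, with the reason on stderr.
check_tls_pair() {
    key=$1
    cert=$2
    ca=$3
    for f in "$key" "$cert" "$ca"; do
        if [ ! -r "$f" ]; then
            echo "check_tls_pair: cannot read $f" >&2
            return 1
        fi
    done

    # 1. The private key must correspond to the public key inside the cert.
    #    Both commands print the public key in the same PEM (SubjectPublicKeyInfo)
    #    form, so a plain string comparison is enough.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "check_tls_pair: $key is not a readable private key" >&2
        return 1
    }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "check_tls_pair: $cert is not a readable certificate" >&2
        return 1
    }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "check_tls_pair: $key does not match $cert" >&2
        return 1
    fi

    # 2. The cert must verify against the CA certificate the peer trusts,
    #    or the peer will reject the handshake.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "check_tls_pair: $cert is not signed by the CA in $ca" >&2
        return 1
    fi

    # 3. Print subject, issuer and expiry so a wrong CA or an expired cert
    #    is visible at a glance.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
}

# Usage with this document's file names (paths are assumptions, adjust them):
# ctl-cert.pem is signed by controllerca, which the switch is told to trust
# via set-ssl; sc-cert.pem is signed by switchca, which osken-manager is
# given via --ca-certs.
#
#   check_tls_pair ctl-privkey.pem ctl-cert.pem \
#       /usr/local/var/lib/openvswitch/pki/controllerca/cacert.pem
#   check_tls_pair /etc/openvswitch/sc-privkey.pem \
#       /etc/openvswitch/sc-cert.pem \
#       /usr/local/var/lib/openvswitch/pki/switchca/cacert.pem
```

Run it for both pairs before starting osken-manager: each call pairs a
key and certificate with the CA that the *opposite* side will use to
verify them, which is exactly the relationship the handshake checks.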