Summary: setting up an SSL-secured connection between ODL and OVS

ODL, as today's mainstream SDN controller, is used by all the major vendors, yet comprehensive hands-on write-ups of the SSL-secured connection between ODL and OVS are rare both in China and abroad. This article walks through setting up SSL-secured connections between ODL and OVS in practice, covering both the active and the passive connection mode.

For the secure connection between ODL and OVS, with the OVS device as the connection target, the controller connects to OVS in one of two ways: 1. active connection; 2. passive connection. In addition, the SSL connection can be configured in two ways: 1. generate a PEM-format certificate by hand (used by the OVS client) and convert it into the JKS format that ODL (a JDK platform) supports; 2. generate a JKS certificate by hand (used by ODL) and convert it into PEM format (used by OVS). The verification below follows SSL configuration method 2. Whichever of the connection modes above the controller uses, the controller side needs a different, matching set of configuration changes.

The configuration consists of three parts: certificate generation (both the certificate used on the OVS side and the one used on the controller side), configuring the certificate on the OVS device, and configuring the certificate on the ODL controller.

1.1 Generate the self-signed certificate for the ODL side

Use the keytool utility to generate a self-signed keystore odl.jks (containing the private key and the public-key certificate). The -alias and -storepass values must match the controller-side configuration.

_# keytool -genkey -keyalg RSA -alias controller -keystore odl.jks -storepass 111111 -validity 365 -keysize 2048_

Convert odl.jks into an odl.pem file in two steps: odl.jks → odl.p12 → odl.pem (for convenience it is recommended to use the same password as for odl.jks, 111111):

_# keytool -importkeystore -srckeystore odl.jks -destkeystore odl.p12 -srcstoretype jks -deststoretype pkcs12_

_# openssl pkcs12 -in odl.p12 -out odl.pem_

The contents of odl.pem look like this:

_# cat odl.pem_

Bag Attributes

    friendlyName: controller

    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33

Key Attributes: <No Attributes>

-----BEGIN ENCRYPTED PRIVATE KEY-----


-----END ENCRYPTED PRIVATE KEY-----

Bag Attributes

    friendlyName: controller

    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33

subject=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

issuer=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

Next we need to create a new file cacert.pem for OVS to use. Its content is the certificate part of odl.pem, that is, everything from the second "Bag Attributes" to the end:

_# cat cacert.pem_

Bag Attributes

    friendlyName: controller

    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33

subject=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

issuer=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

-----BEGIN CERTIFICATE-----


-----END CERTIFICATE-----

Note: the two intermediate files odl.p12 and odl.pem are no longer needed and, for safety, should be deleted.
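As an added example (not code from the original post), the following POSIX shell script builds cacert.pem from odl.pem automatically instead of copying the certificate part by hand, and checks that what is about to be placed in the OVS controllerca directory carries a certificate and no private key. File names follow the post; the sample bundle inside the script is constructed and holds no real key or certificate.

```shell
#!/bin/sh
# Added example, not code from the original post: build cacert.pem for the OVS
# controllerca directory from the odl.pem bundle that keytool/openssl produced,
# keeping only the certificate block(s) and refusing any file that still holds
# a private key. File names follow the post; the sample bundle below is
# constructed and contains no real key or certificate.

# Print only the CERTIFICATE block(s) of a PEM bundle; Bag Attributes,
# subject/issuer lines and every PRIVATE KEY block are dropped.
extract_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
         keep { print }
         /^-----END CERTIFICATE-----$/ { keep = 0 }' "$1"
}

# A file bound for /var/lib/openvswitch/pki/controllerca must carry at least
# one certificate and no private key of any kind (plain or encrypted).
check_ca_file() {
    if ! grep -q -- '^-----BEGIN CERTIFICATE-----$' "$1"; then
        echo "$1: no certificate block found" >&2
        return 1
    fi
    if grep -q -- '^-----BEGIN .*PRIVATE KEY-----$' "$1"; then
        echo "$1: contains a private key, do not copy it to the switch" >&2
        return 1
    fi
    return 0
}

# Extract the certificate part of "$1" into "$2" and validate the result.
make_cacert() {
    extract_certs "$1" > "$2" && check_ca_file "$2"
}

# Constructed stand-in for odl.pem: same layout as the keytool -> pkcs12 ->
# openssl output in the post, with fake base64 payloads.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: controller
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEtFWSwgTk9UIEEgUkVBTCBLRVk=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: controller
subject=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = controller
issuer=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = controller
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlQsIE5PVCBBIFJFQUwgQ0VSVA==
-----END CERTIFICATE-----
EOF
}

# Demo: the raw bundle is rejected, the extracted file passes.
demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/odl.pem"
check_ca_file "$demo_dir/odl.pem" || echo "odl.pem rejected as expected"
make_cacert "$demo_dir/odl.pem" "$demo_dir/cacert.pem" &&
    echo "cacert.pem ready: $(grep -c '' "$demo_dir/cacert.pem") lines"
```

openssl can write the same certificate-only file straight from odl.p12 with `openssl pkcs12 -in odl.p12 -nokeys -out cacert.pem`; the check_ca_file step is still worth running before anything is copied to the switch.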

1.2 Copy the ODL certificate to the OVS side

Copy cacert.pem to the /var/lib/openvswitch/pki/controllerca directory on the OVS side (the directory may already contain a file named cacert.pem; back it up first). This directory holds the certificates of the certificate authorities that OVS trusts.

Note: if the pki directories do not exist yet, run ovs-pki init to initialize them.

root@root12-virtual-machine:/var/lib/openvswitch/pki/controllerca# cat cacert.pem


1.3 Generate the self-signed certificate for the OVS side and configure SSL on OVS

Go to the /etc/openvswitch directory on the OVS side and use OVS's own PKI to request and sign a certificate, producing the OVS private key file sc-privkey.pem and the public-key certificate sc-cert.pem:

root@root12-virtual-machine:/etc/openvswitch# ovs-pki --dir=/var/lib/openvswitch/pki req+sign sc switch

root@root12-virtual-machine://etc/openvswitch# ll

total 48

drwxr-xr-x   2 root root  4096 1月  14 10:25 ./

drwxr-xr-x 126 root root 12288 1月  16 06:31 ../

-rw-r--r--   1 root root  4082 1月  14 10:25 sc-cert.pem

-rw-------   1 root root  1679 1月  14 10:25 sc-privkey.pem

-rw-r--r--   1 root root  3617 1月  14 10:25 sc-req.pem

root@root12-virtual-machine://etc/openvswitch#

Start the OVS service and use ovs-vsctl set-ssl to configure SSL on the OVS side (the locations of the OVS private key file, the OVS certificate file and the ODL certificate file):

Controller-initiated (active) secure connection (pssl:6640). The controller-side operations differ between the active and the passive connection mode; that part is covered in the follow-up post:

_# ovs-vsctl set-manager pssl:6640_

_# ovs-vsctl set-manager ssl:10.190.23.66:6640_ (controller passive, the OVS device initiates the connection)

Without --bootstrap (Bootstrap: false):

_# ovs-vsctl set-ssl  /etc/openvswitch/sc-privkey.pem  /etc/openvswitch/sc-cert.pem  /var/lib/openvswitch/pki/controllerca/cacert.pem_

With --bootstrap (Bootstrap: true):

_# ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem_

Use ovs-vsctl get-ssl to view the configuration:

_# ovs-vsctl get-ssl_

Private key: /etc/openvswitch/sc-privkey.pem

Certificate: /etc/openvswitch/sc-cert.pem

CA Certificate: /var/lib/openvswitch/pki/controllerca/cacert.pem

Bootstrap: true

1.4 Copy the OVS certificate to the ODL side

Copy sc-cert.pem from the OVS side into the SSL folder on the ODL side, then on the ODL side use keytool -importcert to import sc-cert.pem into the ODL keystore odl.jks:

_# keytool -importcert -file sc-cert.pem -keystore odl.jks_

Enter keystore password:

Owner: CN=sc id:b7e00bac-95d2-43f7-a9f3-e2017cdc1d57, OU=Open vSwitch certifier, O=Open vSwitch, ST=CA, C=US

Issuer: CN=OVS switchca CA Certificate (2022 1� 04 17:11:15), OU=switchca, O=Open vSwitch, ST=CA, C=US

Serial number: 4

Valid from: Fri Jan 14 10:25:58 CST 2022 until: Mon Jan 12 10:25:58 CST 2032

Certificate fingerprints:

         SHA1: B6:E6:5A:94:E3:37:0A:B0:EC:FE:41:CB:2F:FD:67:84:BB:8A:F1:60

         SHA256: 5B:EF:35:AD:A9:AB:29:B8:7C:89:5A:CF:07:72:5B:1F:E7:85:59:1A:44:8E:39:F0:FC:11:E6:46:80:79:8A:F8

Signature algorithm name: SHA512withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 1

Trust this certificate? [no]:  yes

Certificate was added to keystore

Warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore odl.jks -destkeystore odl.jks -deststoretype pkcs12".
root@root12-virtual-machine:/home/root12/dcnv1r2/opendaylight/configuration/ssl# ll

total 16

drwxr-xr-x 2 root root 4096 1月  14 14:53 ./

drwxr-xr-x 5 root root 4096 1月  14 14:49 ../

-rw-r--r-- 1 root root 2224 1月  14 09:55 odl.jks

-rw-r--r-- 1 root root 4082 1月  14 10:25 sc-cert.pem

List the keystore contents with the command below; the keystore now contains both a PrivateKeyEntry and a trustedCertEntry:

_# keytool -list -keystore odl.jks_

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 2 entries

controller, Jan 14, 2022, PrivateKeyEntry,

Certificate fingerprint (SHA-256): CE:55:30:19:B6:B8:7C:D4:C8:5B:63:0D:73:26:E6:74:AD:AF:C8:F5:10:FA:6B:96:ED:B2:5F:83:B9:C7:12:C9

mykey, Jan 17, 2022, trustedCertEntry,

Certificate fingerprint (SHA-256): 5B:EF:35:AD:A9:AB:29:B8:7C:89:5A:CF:07:72:5B:1F:E7:85:59:1A:44:8E:39:F0:FC:11:E6:46:80:79:8A:F8

Warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore odl.jks -destkeystore odl.jks -deststoretype pkcs12".

root@root12-virtual-machine:/home/root12/dcnv1r2/opendaylight/configuration/ssl#

At this point the certificates needed on both the OVS and the ODL side have been generated and the OVS-side SSL configuration is done; next comes the controller-side SSL configuration.

1.5 Controller actively connecting to the OVS device: SSL configuration on the ODL side

For the controller-initiated connection mode described above, configure the OVS side with the following command:

_# ovs-vsctl set-manager pssl:6640_

Once the OVS side is set, the controller side needs the following configuration. Copy the odl.jks keystore created above into the opendaylight/configuration/ssl directory as two files named ctl.jks and truststore.jks (so that the names match what the controller expects and the files are easy to load):

root@ubuntu:~/dcnv1r2/opendaylight/configuration/ssl# ll

总用量 16

drwxr-xr-x 2 root root 4096 1月  26 17:00 ./

drwxr-xr-x 5 root root 4096 1月  26 10:15 ../

-rw-r--r-- 1 root root 3575 1月  20 16:09 ctl.jks

-rw-r--r-- 1 root root 3575 1月  20 16:09 truststore.jks

Then go to the opendaylight/etc/opendaylight/datastore/initial/config directory and edit the OVSDB SSL connection configuration file:

root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# ll

总用量 52

drwxr-xr-x 2 root root  4096 1月  26 16:46 ./

drwxr-xr-x 3 root root  4096 1月  26 10:04 ../

-rw-r--r-- 1 root root 14607 1月  26 10:04 aaa-app-config.xml

-rw-r--r-- 1 root root   856 1月  27 14:12 aaa-cert-config.xml

-rw-r--r-- 1 root root   182 1月  26 10:04 aaa-datastore-config.xml

-rw-r--r-- 1 root root   518 1月  26 10:04 aaa-encrypt-service-config.xml

-rw-r--r-- 1 root root   215 1月  26 10:04 aaa-password-service-config.xml

-rw-r--r-- 1 root root   953 1月  26 16:46 default-openflow-connection-config.xml

-rw-r--r-- 1 root root   941 1月  26 10:04 legacy-openflow-connection-config.xml

-rw-r--r-- 1 root root   130 1月  26 10:04 serviceutils-upgrade-config.xml

------------------------------------------------------------------------------------

root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# cat aaa-cert-config.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<aaa-cert-service-config xmlns="urn:opendaylight:yang:aaa:cert">
  <use-config>true</use-config>
  <use-mdsal>false</use-mdsal>
  <bundle-name>opendaylight</bundle-name>
  <ctlKeystore>
    <name>ctl.jks</name>
    <alias>controller</alias>
    <store-password>111111</store-password>
    <dname>C = CN, ST = Hubei, L = Wuhan, O = sdn, OU = test, CN = JunWu</dname>
    <validity>365</validity>
    <key-alg>RSA</key-alg>
    <sign-alg>SHA1WithRSAEncryption</sign-alg>
    <keysize>1024</keysize>
    <tls-protocols>TLSv1.2</tls-protocols>
    <cipher-suites>
      <suite-name>TLS_RSA_WITH_AES_128_CBC_SHA</suite-name>
    </cipher-suites>
  </ctlKeystore>
  <trustKeystore>
    <name>truststore.jks</name>
    <store-password>111111</store-password>
  </trustKeystore>
</aaa-cert-service-config>

Then go to opendaylight/etc, find the org.opendaylight.ovsdb.library.cfg configuration file and change the use-ssl setting to use-ssl = true.

root@ubuntu:~/dcnv1r2/opendaylight/etc# vi org.opendaylight.ovsdb.library.cfg

[1]+  已停止               vi org.opendaylight.ovsdb.library.cfg

root@ubuntu:~/dcnv1r2/opendaylight/etc# cat org.opendaylight.ovsdb.library.cfg

#********************************************************************************************
#                               Boot Time Configuration                                     *
#                   Config knob changes will require controller restart                     *
#********************************************************************************************
#Ovsdb plugin's (OVS, HwVtep) support both active and passive connections. OVSDB library by
#default listens on all IPs for switch initiated connections. Use following config
#knob for changing this default IP.
ovsdb-listener-ip = 0.0.0.0

#Ovsdb plugin's (OVS, HwVtep) support both active and passive connections. OVSDB library by
#default listens on port 6640 for switch initiated connection. Please use following config
#knob for changing this default port.
ovsdb-listener-port = 6640

#This flag will be enforced across all the connection's (passive and active) if set to true
use-ssl = true

#Set Json Rpc decoder max frame length value. If the OVSDB node contains large configurations
#that can cause connection related issue while reading the configuration from the OVSDB node
#database. Increasing the max frame lenge helps resolve the issue. Please see following bug
#report for more details ( https://bugs.opendaylight.org/show_bug.cgi?id=2732 &
#https://bugs.opendaylight.org/show_bug.cgi?id=2487). Default value set to 100000.
json-rpc-decoder-max-frame-length = 100000

#********************************************************************************************
#                               Run Time Configuration                                      *
#                   Config knob changes doesn't require controller resart                   *
#********************************************************************************************
#Timeout value (in millisecond) after which OVSDB rpc task will be cancelled.Default value is
#set to 1000ms, please uncomment and override the value if requires.Changing the value don't
#require controller restart.
ovsdb-rpc-task-timeout = 1000

Finally, use Postman to call (PUT) http://<controller-IP>:8181/rests/data/network-topology:network-topology/topology=ovsdb%3A1 with the remote-ip and remote-port of the OVS device to be connected; the controller then actively connects to the OVS device over the OVSDB protocol.

{
    "topology": [
        {
            "topology-id": "ovsdb:1",
            "node": [
                {
                    "node-id": "ovsdb://HOST2",
                    "ovsdb:connection-info": {
                        "ovsdb:remote-ip": "10.190.51.111",
                        "ovsdb:remote-port": 6640
                    }
                }
            ]
        }
    ]
}

Check on the OVS side:

root@root12-virtual-machine:~# ovs-vsctl show
1db8fd94-c6ab-41f8-9993-bdc83a14c430
    Manager "pssl:6640"
        is_connected: true

Viewed from the controller's interface:

[Image: ovsdb.jpg, controller-side view of the OVSDB connection]

At this point the OVSDB pssl connection has been verified successfully.

1.6 OpenFlow SSL-secured connection

For the OpenFlow SSL connection, configure the OVS side with the following command:

_# ovs-vsctl set-controller br-int ssl:10.190.23.66:6653_

As in 1.5, go to the opendaylight/etc/opendaylight/datastore/initial/config directory and edit the OpenFlow SSL connection configuration file, specifying the port, transport protocol, certificate paths and so on.


root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# cat default-openflow-connection-config.xml

<switch-connection-config xmlns="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:config">
  <instance-name>openflow-switch-connection-provider-default-impl</instance-name>
  <port>6653</port>
  <transport-protocol>TLS</transport-protocol>
  <group-add-mod-enabled>false</group-add-mod-enabled>
  <channel-outbound-queue-size>1024</channel-outbound-queue-size>
  <tls>
    <keystore>configuration/ssl/ctl.jks</keystore>
    <keystore-type>JKS</keystore-type>
    <keystore-path-type>PATH</keystore-path-type>
    <keystore-password>111111</keystore-password>
    <truststore>configuration/ssl/truststore.jks</truststore>
    <truststore-type>JKS</truststore-type>
    <truststore-path-type>PATH</truststore-path-type>
    <truststore-password>111111</truststore-password>
    <certificate-password>111111</certificate-password>
    <cipher-suites>TLS_RSA_WITH_AES_128_CBC_SHA</cipher-suites>
  </tls>
</switch-connection-config>
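As an added example, not code from the original post or from the ODL project, the shell script below audits the TLS parameters in the aaa-cert-config.xml fragment of 1.5 and the default-openflow-connection-config.xml fragment above: it flags the 1024-bit key size, the SHA-1 signature algorithm and the static-RSA cipher suite TLS_RSA_WITH_AES_128_CBC_SHA, and contrasts them with a hardened set of values (2048, SHA256withRSA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) that this example assumes rather than ones the post or ODL prescribes.

```shell
#!/bin/sh
# Added example, not code from the original post or the ODL project: audit the
# TLS parameters of the aaa-cert-config.xml (1.5) and
# default-openflow-connection-config.xml (1.6) fragments. Flags a key size under
# 2048 bits, a SHA-1 signature algorithm and cipher suites without forward
# secrecy; thresholds and hardened sample values are this example's assumptions.

# Text of the first <tag>value</tag> element (tag in $1) in file $2.
xml_value() {
    sed -n "s/.*<$1>\([^<]*\)<\/$1>.*/\1/p" "$2" | head -n 1
}

# Every cipher suite in the file: <suite-name> entries (aaa-cert-config) and
# an inline <cipher-suites>value</cipher-suites> (openflow connection config).
cipher_suites() {
    sed -n -e 's/.*<suite-name>\([^<]*\)<\/suite-name>.*/\1/p' \
           -e 's/.*<cipher-suites>\([^<]*\)<\/cipher-suites>.*/\1/p' "$1"
}

# Print one finding per line and return 1 if anything was flagged.
audit_tls_config() {
    f="$1"; rc=0
    ks=$(xml_value keysize "$f")
    if [ -n "$ks" ] && [ "$ks" -lt 2048 ]; then
        echo "keysize $ks: below 2048 (keytool in 1.1 generated a 2048-bit key)"
        rc=1
    fi
    case "$(xml_value sign-alg "$f")" in
        *SHA1*|*sha1*) echo "sign-alg: SHA-1 signatures are deprecated"; rc=1 ;;
    esac
    for cs in $(cipher_suites "$f"); do
        case "$cs" in
            *ECDHE*|*_DHE_*) ;;  # ephemeral key exchange gives forward secrecy
            *) echo "cipher suite $cs: static RSA key exchange, no forward secrecy"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed ctlKeystore fragment with the post's values ($1 = weak) or with
# hardened values assumed for this example ($1 = hardened), written to $2.
write_sample_config() {
    if [ "$1" = weak ]; then ks=1024; sa=SHA1WithRSAEncryption; cs=TLS_RSA_WITH_AES_128_CBC_SHA
    else ks=2048; sa=SHA256withRSA; cs=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; fi
    cat > "$2" <<EOF
<ctlKeystore>
  <sign-alg>$sa</sign-alg>
  <keysize>$ks</keysize>
  <tls-protocols>TLSv1.2</tls-protocols>
  <cipher-suites>
    <suite-name>$cs</suite-name>
  </cipher-suites>
</ctlKeystore>
EOF
}

# Demo: the post's values produce three findings, the hardened ones none.
d=$(mktemp -d)
write_sample_config weak "$d/weak.xml"
audit_tls_config "$d/weak.xml" || echo "weak.xml: review before deployment"
write_sample_config hardened "$d/hardened.xml"
audit_tls_config "$d/hardened.xml" && echo "hardened.xml: no findings"
```

Whether ODL regenerates the keystore from these parameters or uses the supplied ctl.jks as-is, keeping the file consistent with the 2048-bit key created in 1.1 avoids surprises, and the cipher-suite lists in both files are what constrain the live TLS session.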

Check the OpenFlow connection. On the OVS side:

root@root12-virtual-machine:~# ovs-vsctl show
1db8fd94-c6ab-41f8-9993-bdc83a14c430
    Manager "pssl:6640"
        is_connected: true
    Bridge br-int
        Controller "ssl:10.190.23.66:6653"
            is_connected: true
        Port br-int
            Interface br-int
                type: internal
        Port "veth2"
            Interface "veth2"
        Port "veth1"
            Interface "veth1"
    ovs_version: "2.9.8"

Viewed from the controller's interface:

[Image: openflow.jpg, controller-side view of the OpenFlow connection]

At this point the OpenFlow SSL-secured connection has been verified successfully.
