Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller


Rajendran Ashok <ashok.rajendran@...>
 

Hi Michal,

I created my own keys. I used this TLS version - OpenSSL 1.0.1

rajenda3@ws-32:/var/lib/openvswitch/pki/controllerca$ openssl version
OpenSSL 1.0.1 14 Mar 2012


Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 1:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

What keys do you use? Exemplary keys (from openflowjava), or did you create your own keys? What TLS version do you use?

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 09:59
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am trying to enable a TLS connection between the OpenDaylight controller and the switch. I followed the steps given in the link below. But when I try to establish the connection now, it shows errors saying certificate verification failed and wrong version number, as shown below from ovs-vswitchd.log. I checked the certificate and it is valid. Could you please check why I am facing this error?


link:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support


Error:
Apr 20 12:14:46|03981|rconn|INFO|s1<->ssl:192.168.56.101:6633: continuing to retry connections in the background but suppressing further logging
Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 12:15:10|03983|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Apr 20 15:32:12|04216|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Note:
My controller address: 192.168.56.101, which is a VirtualBox machine, and my switch is on my local machine.

Attached the full ovs-vswitchd.log along with this mail.

Thanks
Ashok
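
Added example (not part of the original thread, and not OpenDaylight or Open vSwitch code): a small Python parser for the stream_ssl lines quoted in the message above that decodes the packed OpenSSL 1.0.x error codes and groups the failures by reason. The hint strings are general descriptions of the two reason texts and are assumptions, not a diagnosis from the thread; all function and variable names are illustrative.

```python
import re

# Log lines copied from the ovs-vswitchd.log excerpt quoted in the message above.
SAMPLE_LOG = """\
Apr 20 12:14:46|03981|rconn|INFO|s1<->ssl:192.168.56.101:6633: continuing to retry connections in the background but suppressing further logging
Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 12:15:10|03983|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Apr 20 15:32:12|04216|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

# Assumption: general meaning of each reason text, not a diagnosis of this thread.
HINTS = {
    "certificate verify failed": "the switch could not validate the peer certificate against its configured CA certificate",
    "wrong version number": "the bytes received were not a TLS record of an expected version (e.g. peer not speaking TLS on that port)",
}

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<seq>\d+)\|stream_ssl\|(?P<level>\w+)\|(?P<call>\w+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)$"
)

def unpack_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (library, function, reason) numbers."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_ssl_errors(text):
    """Return one dict per stream_ssl error line; all other log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({**m.groupdict(), "numbers": unpack_error(m["code"])})
    return events

def summarize(events):
    """Group events by reason text with a count, first/last timestamp and a hint."""
    summary = {}
    for e in events:
        hint = HINTS.get(e["reason"], "no hint recorded for this reason")
        s = summary.setdefault(e["reason"], {"count": 0, "first": e["ts"], "hint": hint})
        s["count"] += 1
        s["last"] = e["ts"]
    return summary

if __name__ == "__main__":
    for reason, s in summarize(parse_ssl_errors(SAMPLE_LOG)).items():
        print(f"{reason}: {s['count']}x, {s['first']} .. {s['last']}\n  -> {s['hint']}")
```

Grouping by reason with timestamps makes it visible that the two failure types occur in separate time windows, which is worth correlating with configuration changes made on the controller or switch between those times.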

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, March 31, 2015 5:07 PM
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

if you clone openflowjava repository (git clone ssh://<username>@git.opendaylight.org:29418/openflowjava or git clone https://git.opendaylight.org/gerrit/openflowjava), then you will be able to get exemplary TLS keys (located in openflowjava/openflow-protocol-impl/src/main/resources).

Regards,
Michal Polkorab
________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) <mirehak@...>
Sent: 31 March 2015 15:12
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: Re: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

fw to openflowjava-ml

________________________________________
From: Rajendran Ashok [ashok.rajendran@...]
Sent: Tuesday, March 31, 2015 00:54
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for the reply. I was following the same link for enabling TLS. The link says to find the files exemplary-*.pem in this path: openflowjava/openflow-protocol-impl/src/main/resources. But I am not able to find those files in that path.

Are there any steps to generate these files, or am I missing any configuration? Please help with this.

EXCERPT FROM WIKI LINK:

Exemplary configuration

There is already exemplary code in configuration/initial/42-openflowplugin.xml file and also exemplary keys stored in openflowjava (src/main/resources). This exemplary code is commented, so the default is to use unsecured communication.

If you want to try TLS secured communication with your device, you need to do following steps:

* make sure that <transport-protocol> is set with TLS
* uncomment code in <tls> tags
* find exemplary-* files in openflowjava repository - under openflow-protocol-impl/src/main/resources
* copy exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem files into your device
* configure your device with provided keys (in case of openvswitch please see "Configure openvswitch SSL" part below)
* start communication

Thanks
Ashok


________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) [mirehak@...]
Sent: Monday, March 30, 2015 6:10 PM
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,
you might find this wiki useful:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Regards,
Michal

________________________________________
From: openflowplugin-users-bounces@... [openflowplugin-users-bounces@...] on behalf of Rajendran Ashok [ashok.rajendran@...]
Sent: Monday, March 30, 2015 16:46
To: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi,

Thanks for your reply. I am able to find the 42-openflowplugin.xml file in the directory you mentioned.

But now I am looking for these three files, exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem, to transfer them to my mininet host. But I am not able to find them in the path mentioned in that wiki page - openflowjava/openflow-protocol-impl/src/main/resources

Where can I find these files? Could you also mention where I can find the updated wiki page for Helium with Karaf so that I can follow it? (As you mentioned in the mail below, this wiki page is not updated for Helium Karaf.)

Thanks
Ashok



________________________________________
From: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) [vrpolak@...]
Sent: Tuesday, March 24, 2015 5:08 PM
To: Rajendran Ashok
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok.

Helium is based on Karaf, but the wiki page
was written before that change was made.

42-openflowplugin.xml under the directory configuration/initial/
The new directory is etc/opendaylight/karaf/
but the file only appears after karaf is started
and an openflow feature is installed.

When you have your version of 42-openflowplugin.xml ready,
you can place it into etc/opendaylight/karaf/
before karaf starts, and your values will be used
instead of those from the default file.

Vratko.

-----Original Message-----
From: openflowplugin-users-bounces@... [mailto:openflowplugin-users-bounces@...] On Behalf Of Rajendran Ashok
Sent: Tuesday, March 24, 2015 3:23 PM
To: openflowplugin-users@...
Subject: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller


Hi All,

I am working on the OpenDaylight controller for my assignment. I would like to enable a TLS connection between my OpenDaylight controller and mininet switch. I followed the steps given in the link below. But I am stuck at one point where I am not able to find the xml file 42-openflowplugin.xml under the directory configuration/initial/. Is there any configuration to be done to get this file, or do I need to create this file? Could you please help me with this issue?

https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Note: I downloaded opendaylight controller code from git in stable/Helium branch and built it using maven as mentioned in Wiki.

Thanks
Ashok
_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users
_______________________________________________
openflowjava-dev mailing list
openflowjava-dev@...
https://lists.opendaylight.org/mailman/listinfo/openflowjava-dev
Michal Polkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
