Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller


Rajendran Ashok <ashok.rajendran@...>
 

Hi Michal,

I tried the same by updating the java.security file, but I am still getting the SSL error below while connecting to the controller through TLS. Could you send me your config file so that I can check mine?


Log with error:

2015-04-21T21:55:54.703Z|00231|rconn|INFO|s1<->ssl:127.0.0.1:6633: waiting 4 seconds before reconnect
2015-04-21T21:55:58.700Z|00232|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-21T21:55:58.704Z|00233|stream_ssl|WARN|SSL_connect: unexpected SSL connection close


Note: I have openvswitch and the opendaylight controller on the same machine, so I am trying to connect to ssl:127.0.0.1:6633 from the switch.


Steps I followed:


Step 1:

I commented out this line in the java.security file on the controller host.

"security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"

Step 2:

On my mininet host (that is, the openvswitch host), I executed the commands below. I then got the following six files: ctl-cert.pem, ctl-privkey.pem, ctl-req.pem, sc-cert.pem, sc-privkey.pem, sc-req.pem

sudo ovs-pki req+sign sc switch
sudo ovs-pki req+sign ctl controller

Step 3:

Then I prepared the keystore with the command below:

sudo openssl pkcs12 -export -in ctl-cert.pem -inkey ctl-privkey.pem \
-out ctl.p12 -name odlserver \
-CAfile /var/lib/openvswitch/pki/controllerca/cacert.pem -caname root -chain

Step 4:

Then, using these 2 files, I created ctl.jks and truststore.jks with the commands below, respectively:

keytool -importkeystore \
-deststorepass opendaylight -destkeypass opendaylight -destkeystore ctl.jks \
-srckeystore ctl.p12 -srcstoretype PKCS12 -srcstorepass opendaylight \
-alias odlserver

keytool -importcert -file sc-cert.pem -keystore truststore.jks -storepass opendaylight


Step 5:

Then I copied these 2 files, ctl.jks and truststore.jks, into the path below and modified the config file 42-openflowplugin.xml as shown:

etc/opendaylight/karaf/ssl


42-openflowplugin.xml:


<module>
<type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:provider:impl">prefix:openflow-switch-connection-provider-impl</type>
<name>openflow-switch-connection-provider-default-impl</name>
<port>6633</port>
<!-- Possible transport-protocol options: TCP, TLS, UDP -->
<transport-protocol>TLS</transport-protocol>
<switch-idle-timeout>15000</switch-idle-timeout>
<tls>
<keystore>ssl/ctl.jks</keystore>
<keystore-type>JKS</keystore-type>
<keystore-path-type>PATH</keystore-path-type>
<keystore-password>opendaylight</keystore-password>
<truststore>ssl/truststore.jks</truststore>
<truststore-type>JKS</truststore-type>
<truststore-path-type>PATH</truststore-path-type>
<truststore-password>opendaylight</truststore-password>
<certificate-password>opendaylight</certificate-password>
</tls>
<!-- Exemplary thread model configuration. Uncomment <threads> tag below to adjust default thread model -->
<!-- <threads>
<boss-threads>2</boss-threads>
<worker-threads>8</worker-threads>
</threads> -->
</module>
<!-- default OF-switch-connection-provider (port 6653) -->
<module>
<type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:provider:impl">prefix:openflow-switch-connection-provider-impl</type>
<name>openflow-switch-connection-provider-legacy-impl</name>
<port>6653</port>
<!-- Possible transport-protocol options: TCP, TLS, UDP -->
<transport-protocol>TLS</transport-protocol>
<switch-idle-timeout>15000</switch-idle-timeout>
<tls>
<keystore>ssl/ctl.jks</keystore>
<keystore-type>JKS</keystore-type>
<keystore-path-type>PATH</keystore-path-type>
<keystore-password>opendaylight</keystore-password>
<truststore>ssl/truststore.jks</truststore>
<truststore-type>JKS</truststore-type>
<truststore-path-type>PATH</truststore-path-type>
<truststore-password>opendaylight</truststore-password>
<certificate-password>opendaylight</certificate-password>
</tls>
</module>


Step 6:

I executed the command below to configure openvswitch:

sudo ovs-vsctl set-ssl \
/etc/openvswitch/sc-privkey.pem \
/etc/openvswitch/sc-cert.pem \
/var/lib/openvswitch/pki/controllerca/cacert.pem

Step 7:

I started mininet by executing the file ssl_switch_tests.py, in which I wrote the following:

ovs-vsctl set-controller s1 ssl:127.0.0.1:6633


After following all these steps, I got the SSL error mentioned above. I have also attached ovs-vswitchd.log. Could you please help me if I am missing any steps or using the wrong config file? It would be very helpful, as I have been stuck at this step for a long time.


Thanks
Ashok
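
As an added example (not code from this thread, from OpenDaylight or from Open vSwitch), the script below collects the steps in the message above into one file: generate the ovs-pki certificates, verify each leaf against the CA the other side will be handed, build ctl.jks and truststore.jks, configure the switch, probe the controller port with openssl s_client independently of ovs-vswitchd, and classify the SSL_connect errors ovs-vswitchd logs. It assumes the /var/lib/openvswitch/pki layout, the "opendaylight" password and "odlserver" alias from the posted config, and that ovs-pki, openssl and keytool are on PATH; the error-to-cause mapping is the usual reading of those OpenSSL strings, not something stated in the thread. It also imports the switch CA certificate into the truststore rather than one switch certificate, which generalizes to any number of switches.

```shell
#!/bin/sh
# Added example, not OpenDaylight or Open vSwitch project code.
# Assumptions: the Debian/Ubuntu ovs-pki layout used in the thread
# (/var/lib/openvswitch/pki), the store password and "odlserver" alias from
# the posted 42-openflowplugin.xml, and ovs-pki/openssl/keytool on PATH.
set -eu
PKI_DIR=${PKI_DIR:-/var/lib/openvswitch/pki}
STOREPASS=${STOREPASS:-opendaylight}   # placeholder matching the thread; use a real secret
ALIAS=${ALIAS:-odlserver}

# ovs-pki signs ctl-* with controllerca and sc-* with switchca (six files in $PWD).
make_certs() {
    ovs-pki req+sign ctl controller
    ovs-pki req+sign sc switch
}

# Check each leaf against the CA the *other* side will be handed, before keytool hides
# the chain: the switch verifies ctl-cert.pem with controllerca/cacert.pem, and the
# controller verifies sc-cert.pem with whatever ends up in truststore.jks.
verify_chains() {
    openssl verify -CAfile "$PKI_DIR/controllerca/cacert.pem" ctl-cert.pem
    openssl verify -CAfile "$PKI_DIR/switchca/cacert.pem" sc-cert.pem
}

# Controller identity: PEM -> PKCS#12 -> JKS. Truststore: the switch CA rather than one
# switch leaf, so every switch signed by switchca is accepted, not just s1's.
build_stores() {
    openssl pkcs12 -export -in ctl-cert.pem -inkey ctl-privkey.pem -out ctl.p12 \
        -name "$ALIAS" -CAfile "$PKI_DIR/controllerca/cacert.pem" -caname root -chain \
        -passout "pass:$STOREPASS"
    rm -f ctl.jks truststore.jks
    keytool -importkeystore -srckeystore ctl.p12 -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -alias "$ALIAS" -destkeystore ctl.jks \
        -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    keytool -importcert -noprompt -alias switchca -file "$PKI_DIR/switchca/cacert.pem" \
        -keystore truststore.jks -storepass "$STOREPASS"
    # Both stores must hold what the <tls> block in 42-openflowplugin.xml references.
    keytool -list -keystore ctl.jks -storepass "$STOREPASS" | grep -i "$ALIAS"
    keytool -list -keystore truststore.jks -storepass "$STOREPASS" | grep -i switchca
}

# Point the switch at the files ovs-vswitchd will present and trust (thread's step 6).
configure_switch() {
    ovs-vsctl set-ssl "$PWD/sc-privkey.pem" "$PWD/sc-cert.pem" \
        "$PKI_DIR/controllerca/cacert.pem"
}

# Handshake as the switch would, without ovs-vswitchd in the way. A completed handshake
# with "Verify return code: 0 (ok)" means the controller side is configured correctly.
probe_controller() {
    openssl s_client -connect "$1" -CAfile "$PKI_DIR/controllerca/cacert.pem" \
        -cert sc-cert.pem -key sc-privkey.pem </dev/null
}

# Map the SSL_connect strings ovs-vswitchd logs to the usual cause:
#   trust-mismatch : switch could not verify the controller cert against its CA file
#   not-tls        : the peer answered with a non-TLS record (port not in TLS mode)
#   server-aborted : controller dropped the handshake (its keystore/truststore/password)
#   unknown-ca     : controller rejected the switch cert (truststore lacks its CA)
classify_ssl_error() {
    case "$1" in
        *"certificate verify failed"*)       echo trust-mismatch ;;
        *"wrong version number"*)            echo not-tls ;;
        *"unexpected SSL connection close"*) echo server-aborted ;;
        *"alert unknown ca"*)                echo unknown-ca ;;
        *)                                   echo unknown ;;
    esac
}

# Summarise SSL_connect failures in an ovs-vswitchd log (file in $1, or stdin).
diagnose_log() {
    { if [ $# -gt 0 ]; then cat "$1"; else cat; fi; } \
        | grep 'stream_ssl|WARN|SSL_connect' \
        | while IFS= read -r line; do classify_ssl_error "$line"; done \
        | sort | uniq -c
}

# Log lines copied from the thread's two excerpts, for a stand-alone run.
SAMPLE_LOG='Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2015-04-21T21:55:58.700Z|00232|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-21T21:55:58.704Z|00233|stream_ssl|WARN|SSL_connect: unexpected SSL connection close'

case "${1:-}" in
    certs)    make_certs ;;
    verify)   verify_chains ;;
    build)    build_stores ;;
    switch)   configure_switch ;;
    probe)    probe_controller "${2:-127.0.0.1:6633}" ;;
    diagnose) diagnose_log "${2:-/var/log/openvswitch/ovs-vswitchd.log}" ;;
    sample)   printf '%s\n' "$SAMPLE_LOG" | diagnose_log ;;
esac
```

Run the subcommands in order from a scratch directory on the switch host: `certs`, `verify`, `build` (then copy ctl.jks and truststore.jks to etc/opendaylight/karaf/ssl on the controller), `switch`, and `probe 127.0.0.1:6633` once karaf is up. `verify` fails before any keystore is built if a leaf was signed by the wrong CA, and `probe` separates a controller-side failure from an ovs-vswitchd configuration one. `sample` runs the classifier over the thread's own log lines and needs no tools installed.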



________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 5:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

I went through the tutorial and it works fine (for me). But I hit the CKR_DOMAIN_PARAMS_INVALID exception as mentioned here: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support#CKR_DOMAIN_PARAMS_INVALID_exception

So I updated java.security according to the comments, and everything works fine.
If you don't see the CKR_DOMAIN_PARAMS_INVALID exception, please try "log:set DEBUG org.opendaylight.openflowjava" and report back what you find.

Regards,
Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 13:19
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I created my own keys. I used this TLS version: OpenSSL 1.0.1

rajenda3@ws-32:/var/lib/openvswitch/pki/controllerca$ openssl version
OpenSSL 1.0.1 14 Mar 2012


Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 1:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

What keys do you use? The exemplary keys (from openflowjava), or did you create your own keys? What TLS version do you use?

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 09:59
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am trying to enable a TLS connection between the opendaylight controller and the switch. I followed the steps given in the link below. But when I try to establish the connection now, it shows errors saying certificate verification failed and wrong version number, as shown below from ovs-vswitchd.log. I checked the certificate and it is valid. Could you please check why I am facing this error?


link:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support


Error:
Apr 20 12:14:46|03981|rconn|INFO|s1<->ssl:192.168.56.101:6633: continuing to retry connections in the background but suppressing further logging
Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 12:15:10|03983|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Apr 20 15:32:12|04216|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Note:
My controller address: 192.168.56.101, which is a VirtualBox machine; my switch is on my local machine

Attached full ovs-vswitchd.log along this mail.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, March 31, 2015 5:07 PM
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

if you clone openflowjava repository (git clone ssh://<username>@git.opendaylight.org:29418/openflowjava or git clone https://git.opendaylight.org/gerrit/openflowjava), then you will be able to get exemplary TLS keys (located in openflowjava/openflow-protocol-impl/src/main/resources).

Regards,
Michal Polkorab
________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) <mirehak@...>
Sent: 31 March 2015 15:12
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: Re: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

fw to openflowjava-ml

________________________________________
From: Rajendran Ashok [ashok.rajendran@...]
Sent: Tuesday, March 31, 2015 00:54
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for the reply. I was following the same link for enabling TLS. That link says to find the files exemplary-*.pem in the path openflowjava/openflow-protocol-impl/src/main/resources. But I am not able to find those files in that path.

Are there any steps to generate these files, or am I missing some configuration? Please help with this.

EXCERPT FROM WIKI LINK:

Exemplary configuration

There is already exemplary code in configuration/initial/42-openflowplugin.xml file and also exemplary keys stored in openflowjava (src/main/resources). This exemplary code is commented, so the default is to use unsecured communication.

If you want to try TLS secured communication with your device, you need to do following steps:

* make sure that <transport-protocol> is set with TLS
* uncomment code in <tls> tags
* find exemplary-* files in openflowjava repository - under openflow-protocol-impl/src/main/resources
* copy exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem files into your device
* configure your device with provided keys (in case of openvswitch please see "Configure openvswitch SSL" part below)
* start communication

Thanks
Ashok


________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) [mirehak@...]
Sent: Monday, March 30, 2015 6:10 PM
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,
you might find this wiki useful:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Regards,
Michal

________________________________________
From: openflowplugin-users-bounces@... [openflowplugin-users-bounces@...] on behalf of Rajendran Ashok [ashok.rajendran@...]
Sent: Monday, March 30, 2015 16:46
To: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi,

Thanks for your reply. I am able to find the 42-openflowplugin.xml file in the directory you mentioned.

But now I am looking for these three files, exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem, to transfer them to my mininet host. But I am not able to find them in the path mentioned on that wiki page: openflowjava/openflow-protocol-impl/src/main/resources

Where can I find these files? Could you also mention where I can find the updated wiki page for Helium with Karaf so that I can follow it (as you mentioned in the mail below that this wiki page is not updated for Helium/Karaf)?

Thanks
Ashok



________________________________________
From: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) [vrpolak@...]
Sent: Tuesday, March 24, 2015 5:08 PM
To: Rajendran Ashok
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok.

Helium is based on Karaf, but the wiki page
was written before that change was made.

42-openflowplugin.xml is no longer under the directory configuration/initial/.
The new directory is etc/opendaylight/karaf/,
but the file only appears after karaf is started
and an openflow feature is installed.

When you have your version of 42-openflowplugin.xml ready,
you can place it into etc/opendaylight/karaf/
before karaf starts, and your values will be used
instead of those from the default file.

Vratko.

-----Original Message-----
From: openflowplugin-users-bounces@... [mailto:openflowplugin-users-bounces@...] On Behalf Of Rajendran Ashok
Sent: Tuesday, March 24, 2015 3:23 PM
To: openflowplugin-users@...
Subject: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller


Hi All,

I am working on the opendaylight controller for my assignment. I would like to enable a TLS connection between my opendaylight controller and mininet switch. I followed the steps given in the link below. But I am stuck at one point: I am not able to find the xml file 42-openflowplugin.xml under the directory configuration/initial/. Is there any configuration to be done to get this file, or do I need to create it? Could you please help me with this issue.

https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Note: I downloaded the opendaylight controller code from git on the stable/Helium branch and built it using maven as mentioned in the wiki.

Thanks
Ashok
_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users
_______________________________________________
openflowjava-dev mailing list
openflowjava-dev@...
https://lists.opendaylight.org/mailman/listinfo/openflowjava-dev
Michal Polkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk