Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller
Rajendran Ashok <ashok.rajendran@...>
Hi Michal,

I tried the same by updating the java.security file, but I am still getting the SSL error below while connecting to the controller through TLS. Could you send me your config file so that I can check mine?

Log with error:

2015-04-21T21:55:54.703Z|00231|rconn|INFO|s1<->ssl:127.0.0.1:6633: waiting 4 seconds before reconnect
2015-04-21T21:55:58.700Z|00232|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-21T21:55:58.704Z|00233|stream_ssl|WARN|SSL_connect: unexpected SSL connection close

Note: I have openvswitch and the opendaylight controller on the same machine, so I am trying to connect to ssl:127.0.0.1:6633 from the switch.

Steps followed by me:

Step 1: I commented out this line in the java.security file on the controller host.

    "security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"

Step 2: On my mininet host, that is the openvswitch host, I executed the commands below. Then I got the following six files: ctl-cert.pem, ctl-privkey.pem, ctl-req.pem, sc-cert.pem, sc-privkey.pem, sc-req.pem

    sudo ovs-pki req+sign sc switch
    sudo ovs-pki req+sign ctl controller

Step 3: Then I prepared the keystore with the command below

    sudo openssl pkcs12 -export -in ctl-cert.pem -inkey ctl-privkey.pem \
        -out ctl.p12 -name odlserver \
        -CAfile /var/lib/openvswitch/pki/controllerca/cacert.pem -caname root -chain

Step 4: Then, using these 2 files, created ctl.jks and truststore.jks with the commands below respectively

    keytool -importkeystore \
        -deststorepass opendaylight -destkeypass opendaylight -destkeystore ctl.jks \
        -srckeystore ctl.p12 -srcstoretype PKCS12 -srcstorepass opendaylight \
        -alias odlserver

    keytool -importcert -file sc-cert.pem -keystore truststore.jks -storepass opendaylight

Step 5: Then copied these 2 files, ctl.jks and truststore.jks, into the path below and modified the config file 42-openflowplugin.xml as below

    etc/opendaylight/karaf/ssl

42-openflowplugin.xml:

        <name>openflow-switch-connection-provider-default-impl</name>
        <port>6633</port>
        <!-- Possible transport-protocol options: TCP, TLS, UDP -->
        <transport-protocol>TLS</transport-protocol>
        <switch-idle-timeout>15000</switch-idle-timeout>
        <tls>
            <keystore>ssl/ctl.jks</keystore>
            <keystore-type>JKS</keystore-type>
            <keystore-path-type>PATH</keystore-path-type>
            <keystore-password>opendaylight</keystore-password>
            <truststore>ssl/truststore.jks</truststore>
            <truststore-type>JKS</truststore-type>
            <truststore-path-type>PATH</truststore-path-type>
            <truststore-password>opendaylight</truststore-password>
            <certificate-password>opendaylight</certificate-password>
        </tls>
        <!-- Exemplary thread model configuration. Uncomment <threads> tag below to adjust default thread model -->
        <!--
        <threads>
            <boss-threads>2</boss-threads>
            <worker-threads>8</worker-threads>
        </threads>
        -->
    </module>
    <!-- default OF-switch-connection-provider (port 6653) -->
    <module>
        <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:provider:impl">prefix:openflow-switch-connection-provider-impl</type>
        <name>openflow-switch-connection-provider-legacy-impl</name>
        <port>6653</port>
        <!-- Possible transport-protocol options: TCP, TLS, UDP -->
        <transport-protocol>TLS</transport-protocol>
        <switch-idle-timeout>15000</switch-idle-timeout>
        <tls>
            <keystore>ssl/ctl.jks</keystore>
            <keystore-type>JKS</keystore-type>
            <keystore-path-type>PATH</keystore-path-type>
            <keystore-password>opendaylight</keystore-password>
            <truststore>ssl/truststore.jks</truststore>
            <truststore-type>JKS</truststore-type>
            <truststore-path-type>PATH</truststore-path-type>
            <truststore-password>opendaylight</truststore-password>
            <certificate-password>opendaylight</certificate-password>
        </tls>

Step 6: Executed the command below to configure openvswitch

    sudo ovs-vsctl set-ssl \
        /etc/openvswitch/sc-privkey.pem \
        /etc/openvswitch/sc-cert.pem \
        /var/lib/openvswitch/pki/controllerca/cacert.pem

Step 7: Started mininet by executing the file ssl_switch_tests.py. I wrote the contents below inside the file.

    ovs-vsctl set-controller s1 ssl:127.0.0.1:6633

After following all these steps, I got the mentioned SSL error. I have attached ovs-vswitchd.log also. Could you please help me if I am missing any steps or using a wrong config file? It would be helpful for me, as I have been stuck at this step for a long time.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 5:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

I went through the tutorial and it works fine (for me). But I hit the CKR_DOMAIN_PARAMS_INVALID exception as mentioned here:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support#CKR_DOMAIN_PARAMS_INVALID_exception

So I updated the java.security according to the comments and all works fine. If you don't see the CKR_DOMAIN_PARAMS_INVALID exception, please try using "log:set DEBUG org.opendaylight.openflowjava" and report back what you found.

Regards,
Michal

________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 13:19
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I created my own keys. I used this TLS version - OpenSSL 1.0.1

    rajenda3@ws-32:/var/lib/openvswitch/pki/controllerca$ openssl version
    OpenSSL 1.0.1 14 Mar 2012

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 1:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

what keys do you use? Exemplary keys (from openflowjava) or did you create your own keys? What TLS version do you use?

Michal

________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 09:59
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am trying to enable a TLS connection between the opendaylight controller and the switch. I followed the steps given in the link below. But when I tried to establish the connection now, it is showing an error saying certificate verification failed and wrong version number, as shown below in ovs-vswitchd.log. I checked the certificate and it is valid. Could you please check why I am facing this error?

link: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Error:

Apr 20 12:14:46|03981|rconn|INFO|s1<->ssl:192.168.56.101:6633: continuing to retry connections in the background but suppressing further logging
Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 12:15:10|03983|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Apr 20 15:32:12|04216|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Note: My controller address is 192.168.56.101, which is a VirtualBox machine, and my switch is on my local machine.

Attached the full ovs-vswitchd.log along with this mail.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, March 31, 2015 5:07 PM
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

if you clone the openflowjava repository (git clone ssh://<username>@git.opendaylight.org:29418/openflowjava or git clone https://git.opendaylight.org/gerrit/openflowjava), then you will be able to get the exemplary TLS keys (located in openflowjava/openflow-protocol-impl/src/main/resources).

Regards,
Michal Polkorab

________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) <mirehak@...>
Sent: 31 March 2015 15:12
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: Re: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

fw to openflowjava-ml

________________________________________
From: Rajendran Ashok [ashok.rajendran@...]
Sent: Tuesday, March 31, 2015 00:54
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for the reply. I was following the same link for enabling TLS. In this link, it is mentioned to find the files exemplary-*.pem in this path: openflowjava/openflow-protocol-impl/src/main/resources. But I am not able to find those files in that path. Are there any steps to generate these files, or am I missing any configuration? Please help on this.

EXCERPT FROM WIKI LINK:

Exemplary configuration

There is already exemplary code in configuration/initial/42-openflowplugin.xml file and also exemplary keys stored in openflowjava (src/main/resources). This exemplary code is commented, so the default is to use unsecured communication.

If you want to try TLS secured communication with your device, you need to do following steps:
* make sure that <transport-protocol> is set with TLS
* uncomment code in <tls> tags
* find exemplary-* files in openflowjava repository - under openflow-protocol-impl/src/main/resources
* copy exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem files into your device
* configure your device with provided keys (in case of openvswitch please see "Configure openvswitch SSL" part below)
* start communication

Thanks
Ashok

________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) [mirehak@...]
Sent: Monday, March 30, 2015 6:10 PM
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

you might find this wiki useful:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Regards,
Michal

________________________________________
From: openflowplugin-users-bounces@... [openflowplugin-users-bounces@...] on behalf of Rajendran Ashok [ashok.rajendran@...]
Sent: Monday, March 30, 2015 16:46
To: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi,

Thanks for your reply. I am able to find the 42-openflowplugin.xml file in the directory mentioned by you. But now I am looking for these three files, exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem, to transfer them to my mininet host. But I am not able to find them in the path mentioned on that wiki page - openflowjava/openflow-protocol-impl/src/main/resources

Where can I find these files?

Could you also mention where I can find the updated wiki page for Helium with Karaf so that I can follow it (as you mentioned in the mail below that this wiki page is not updated for Helium Karaf)?

Thanks
Ashok

________________________________________
From: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) [vrpolak@...]
Sent: Tuesday, March 24, 2015 5:08 PM
To: Rajendran Ashok
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok.

Helium is based on Karaf, but the wiki page was written before that change was made.

> 42-openflowplugin.xml under the directory configuration/initial/

The new directory is etc/opendaylight/karaf/ but the file only appears after karaf is started and an openflow feature is installed. When you have your version of 42-openflowplugin.xml ready, you can place it into etc/opendaylight/karaf/ before karaf starts, and your values will be used instead of those from the default file.

Vratko.

-----Original Message-----
From: openflowplugin-users-bounces@... [mailto:openflowplugin-users-bounces@...] On Behalf Of Rajendran Ashok
Sent: Tuesday, March 24, 2015 3:23 PM
To: openflowplugin-users@...
Subject: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am working on the opendaylight controller for my assignment. I would like to enable a TLS connection between my opendaylight controller and mininet switch. I followed the steps given in the link below. But I am stuck at one point where I am not able to find the xml file - 42-openflowplugin.xml under the directory configuration/initial/. Is there any configuration to be done to get this file, or do I need to create this file? Could you please help me with this issue.

https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Note: I downloaded the opendaylight controller code from git in the stable/Helium branch and built it using maven as mentioned in the Wiki.

Thanks
Ashok

_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users

_______________________________________________
openflowjava-dev mailing list
openflowjava-dev@...
https://lists.opendaylight.org/mailman/listinfo/openflowjava-dev

Michal Polkoráb
Software Developer
Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
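The three stream_ssl failures quoted in this thread (certificate verify failed, wrong version number, unexpected SSL connection close) each point at a different part of the switch/controller setup, and the ovs-vswitchd log is the first thing to read when the OpenFlow TLS handshake does not come up. The following is an added example, not code from the thread or from the Open vSwitch or OpenDaylight projects: it parses ovs-vswitchd log lines in the format quoted above (both the ISO and the "Apr 20 12:14:46" timestamp styles), extracts the controller target from the rconn lines, and maps each SSL_connect failure to the side of the connection to inspect. The sample lines are constructed from the ones quoted in the thread, and the cause hints are this example's own reading of the OpenSSL error strings, not something the thread itself states.

```python
"""Triage OpenFlow-over-TLS handshake failures from ovs-vswitchd log lines.

Added example (not from the thread or the OVS/OpenDaylight projects).
SAMPLE_LOG is constructed from the lines quoted in the thread; the hints in
SSL_CAUSES are this example's interpretation of the OpenSSL errors (assumption).
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Apr 20 12:14:46|03981|rconn|INFO|s1<->ssl:192.168.56.101:6633: continuing to retry connections in the background but suppressing further logging
Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2015-04-21T21:55:54.703Z|00231|rconn|INFO|s1<->ssl:127.0.0.1:6633: waiting 4 seconds before reconnect
2015-04-21T21:55:58.700Z|00232|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-21T21:55:58.704Z|00233|stream_ssl|WARN|SSL_connect: unexpected SSL connection close
"""

# ovs-vswitchd format: <timestamp>|<seq>|<module>|<level>|<message>.
# The timestamp may contain spaces, so match everything up to the first '|'.
LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<seq>\d+)\|(?P<module>[^|]+)\|(?P<level>[^|]+)\|(?P<msg>.*)$"
)
# rconn lines name the target as "s1<->ssl:<ip>:<port>".
PEER_RE = re.compile(r"<->(?P<peer>ssl:[^:\s]+:\d+)")

# (substring of the SSL_connect message, short code, where to look). Assumption.
SSL_CAUSES = [
    ("certificate verify failed", "controller_cert_untrusted",
     "the switch (TLS client) could not validate the controller certificate "
     "against the CA file given as the third argument of 'ovs-vsctl set-ssl'; "
     "check that this CA signed the certificate in the controller keystore"),
    ("wrong version number", "peer_not_speaking_tls",
     "the reply was not a TLS record; the listener on that port is most likely "
     "still <transport-protocol>TCP</transport-protocol> or is not the OpenFlow "
     "listener at all"),
    ("unexpected SSL connection close", "controller_closed_handshake",
     "the controller aborted the handshake, so the reason is only visible on the "
     "controller side (e.g. 'log:set DEBUG org.opendaylight.openflowjava'); "
     "typically the switch certificate is not accepted by the truststore or the "
     "keystore could not be loaded"),
]


def parse_line(line):
    """Return the fields of one ovs-vswitchd log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Map an SSL_connect message to (code, hint)."""
    for needle, code, hint in SSL_CAUSES:
        if needle in msg:
            return code, hint
    return "unknown_ssl_error", "unrecognised SSL_connect failure; inspect the full line"


def triage(log_text):
    """Collect controller targets and classified TLS failures from a log excerpt."""
    peers = set()
    failures = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pm = PEER_RE.search(rec["msg"])
        if pm:
            peers.add(pm.group("peer"))
        if rec["module"] == "stream_ssl" and rec["msg"].startswith("SSL_connect"):
            code, hint = classify(rec["msg"])
            failures.append({"ts": rec["ts"], "code": code, "hint": hint})
    counts = Counter(f["code"] for f in failures)
    return {"peers": sorted(peers), "failures": failures, "counts": dict(counts)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("controller targets:", ", ".join(report["peers"]))
    for code, n in report["counts"].items():
        print(f"{n}x {code}")
    for f in report["failures"]:
        print(f"  {f['ts']}  {f['code']}: {f['hint']}")
```

Run it as-is to see the report for the constructed sample, or feed it the contents of a real ovs-vswitchd.log via `triage(open(path).read())`. Only the switch side is visible in this log; for the "unexpected SSL connection close" case the switch has done nothing wrong yet, which is why the thread points at enabling DEBUG logging in org.opendaylight.openflowjava on the controller.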