Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller


Rajendran Ashok <ashok.rajendran@...>
 

Thanks Michal. It worked now after installing odl-l2switch-all.

-
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 5:09 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

It is the l2switch project that installs all needed flow rules onto all connected switches. So you should start the l2switch project (for example odl-l2switch-all), wait till it starts and then connect your devices. After a short while it should install the needed flows and then you can try the pingall command, which should succeed now.

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 24 April 2015 15:25
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I am not able to use my device now and it is not pinging between the two hosts h1 and h2 :(. My task is to establish a TLS connection between controller and switch and do ping tests between the hosts. But I am not able to do it now. Will there be any other problem?

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 4:16 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

One reason that comes to my mind might be that your device doesn't support the version bitmap (which was added in OF v1.3), or it might be a problem related to the reconnect that occurs. But I guess you can use your device as you wish since you don't see more warn / error logs.

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 24 April 2015 15:11
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@...
Cc: openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I checked now with port 8181. Now I got the response as shown below. It showed the node ids and so the device is in the controller datastore. But still we are getting the OFPBRC_BAD_TYPE error reply. Will there be any other reason?


Part of Response:

<node>
<id>openflow:1</id>
<node-connector>
<id>openflow:1:LOCAL</id>
<flow-capable-node-connector-statistics
xmlns="urn:opendaylight:port:statistics">
<transmit-errors>0</transmit-errors>
<bytes>
<received>648</received>
<transmitted>1196</transmitted>
</bytes>


Thanks
Ashok
________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 3:44 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

We need to update the wiki page: please use http://<controller-ip>:8181/restconf/operational/opendaylight-inventory:nodes/ (just change the port from 8080 to 8181) and make sure one of the following features is installed on your karaf container: odl-restconf, odl-restconf-noauth, odl-restconf-all.

But I believe that it works - otherwise you wouldn't see the device in the ODL GUI.

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 24 April 2015 14:34
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I tried checking whether the device is in the controller store, but through restconf I didn't get any response, as in the attached snapshot. But in the controller GUI I am able to find that my switch (openflow:1) is connected to the controller (snapshot attached).


Additionally I am getting the exception below in karaf. Could you check whether this exception is related to my error? Will there be any other reason for the OFPBRC_BAD_TYPE error reply, so that I could check that also?


ERROR:

opendaylight-user@root>Exception in thread "Thread-44" java.util.concurrent.RejectedExecutionException: Task org.opendaylight.openflowplugin.openflow.md.core.HandshakeStepWrapper@596c1ed3 rejected from org.opendaylight.openflowplugin.openflow.md.core.ThreadPoolLoggingExecutor@495bdc82[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0]
at java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(ThreadPoolExecutor.java:2048)
at java.util.concurrent.ThreadPoolExecutor.reject(ThreadPoolExecutor.java:821)
at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1372)
at org.opendaylight.openflowplugin.openflow.md.core.ConnectionConductorImpl.onConnectionReady(ConnectionConductorImpl.java:419)
at org.opendaylight.openflowjava.protocol.impl.connection.ConnectionAdapterImpl$3.run(ConnectionAdapterImpl.java:467)
at java.lang.Thread.run(Thread.java:745)


Thanks
Ashok

______________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Friday, April 24, 2015 2:17 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

I must repeat myself - it looks like your setup works (although I still don't get why there is the 2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message log in your virtual switch).

The best idea would be to test if the device is in the controller datastore. Please follow the steps from this wiki page: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin::End_to_End_Inventory (using the GET http method).
If you see something like <node> in the reply, the controller communicates with your device.

Regards,
Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 23 April 2015 18:16
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for checking my issue. I have attached the full karaf logs that are generated while trying the TLS connection between switch and controller.

Could you please check whether these logs are sufficient?

If not, could you please tell me the commands for collecting karaf logs in verbose mode, so that I could collect logs using that command and send them to you for deeper analysis.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Thursday, April 23, 2015 5:48 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

based on your logs - it looks like your setup works. Let me explain:

2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Not an TLS record exception - please verify TLS configuration.
- signals that you successfully managed to configure the controller (openflowjava) with TLS configuration, but you connected a device which doesn't support TLS (or with no TLS set).

2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Closing connection.
- the device is being disconnected because it doesn't support TLS (and it must when TLS is enabled)

2015-04-23 15:28:06,572 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55747 --> :6633
2015-04-23 15:28:06,573 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
- the device reconnects

2015-04-23 15:28:06,620 | INFO | entLoopGroup-8-7 | ConnectionAdapterImpl | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Hello received / branch
- the device successfully sent a hello message to the controller and it was successfully decoded

2015-04-23 15:28:06,628 | WARN | OFRpc-0 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Group Features
2015-04-23 15:28:06,628 | WARN | OFRpc-1 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Meter Features
- signals further communication - it looks like you connected the device in OF v1.0 mode and that's why it doesn't support meter and group features

2015-04-23T12:28:06.620Z|00932|rconn|INFO|s1<->ssl:127.0.0.1:6633: connected
2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message
- looks like the device successfully connected but for some unknown reason it can't process the Hello message sent from the controller


Do you see any other logs (in the controller console) after those you sent?

Regards,
Michal Polkorab
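Michal's line-by-line reading above, turned into a small triage helper for ovs-vswitchd.log and karaf log lines. This is an added example, not code from the thread or from the OpenDaylight project; the diagnosis tokens and the next-check hints are my own naming, and the sample lines are a fixture built from the log excerpts quoted in this thread.

```shell
#!/bin/sh
# Added triage helper (not from the thread or the OpenDaylight project).
# It maps the TLS-related lines seen in ovs-vswitchd.log and in the ODL
# karaf log to a short diagnosis token, so a log can be summarised before
# a human reads it. Needs only POSIX sh, grep, sort, uniq and awk.

# classify_tls_log_line LINE -> prints one diagnosis token
classify_tls_log_line() {
    case "$1" in
        *"certificate verify failed"*)
            # Switch (OpenSSL client) cannot chain the controller's certificate
            # to the CA file given to "ovs-vsctl set-ssl".
            echo "ovs-untrusted-controller-cert" ;;
        *"wrong version number"*)
            # Switch expected a TLS record but got plain OpenFlow bytes: the
            # controller port is still configured with transport-protocol TCP.
            echo "ovs-controller-port-not-tls" ;;
        *"unexpected SSL connection close"*)
            # Controller dropped the connection mid-handshake; the reason is
            # only visible on the karaf side (e.g. a provider/keystore error).
            echo "ovs-handshake-closed-by-controller" ;;
        *"Not an TLS record exception"*)
            # Controller side of the mirror-image mismatch: plaintext OpenFlow
            # arrived on a TLS-configured port, i.e. the switch used tcp: not ssl:.
            echo "odl-plaintext-on-tls-port" ;;
        *"OFPBRC_BAD_TYPE error reply to OFPT_HELLO"*)
            # TLS is up (the switch logged "connected"); the remaining problem
            # is at the OpenFlow layer, not in the TLS setup.
            echo "ovs-hello-rejected" ;;
        *"Hello received"*)
            echo "odl-handshake-ok" ;;
        *)
            echo "other" ;;
    esac
}

# tls_next_check TOKEN -> prints the first thing to verify for that token
tls_next_check() {
    case "$1" in
        ovs-untrusted-controller-cert)
            echo "compare the CA passed to set-ssl with the CA that signed the controller keystore cert" ;;
        ovs-controller-port-not-tls)
            echo "check <transport-protocol> of the module serving the port the switch targets" ;;
        ovs-handshake-closed-by-controller)
            echo "read karaf.log for keystore/provider exceptions; try log:set DEBUG org.opendaylight.openflowjava" ;;
        odl-plaintext-on-tls-port)
            echo "the switch still has a tcp: controller entry; check ovs-vsctl get-controller" ;;
        ovs-hello-rejected)
            echo "TLS is fine; look at OpenFlow version negotiation instead" ;;
        *) echo "nothing to do" ;;
    esac
}

# triage_tls_log < LOGFILE -> one "token count" line per token, sorted by token
triage_tls_log() {
    while IFS= read -r line; do
        classify_tls_log_line "$line"
    done | grep -v '^other$' | sort | uniq -c | awk '{print $2, $1}'
}

# Constructed fixture: lines quoted from the ovs-vswitchd and karaf logs in this thread.
sample_thread_log() {
    cat <<'EOF'
Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Not an TLS record exception - please verify TLS configuration.
2015-04-23 15:28:06,620 | INFO | entLoopGroup-8-7 | ConnectionAdapterImpl | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Hello received / branch
2015-04-23T12:28:06.620Z|00932|rconn|INFO|s1<->ssl:127.0.0.1:6633: connected
2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message
EOF
}

# Demo run: summarise the fixture and print the first check for each token.
sample_thread_log | triage_tls_log | while read -r token count; do
    echo "$token x$count: $(tls_next_check "$token")"
done
```

To triage a real capture, replace the fixture with `triage_tls_log < /var/log/openvswitch/ovs-vswitchd.log` (or the karaf log); only the token-producing patterns above are recognised.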
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 23 April 2015 15:22
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am getting the following error while establishing a TLS connection between the controller and Open vSwitch. Open vSwitch throws the error "OFPBRC_BAD_TYPE error reply to OFPT_HELLO message" whereas the controller throws the error "Not an TLS record exception - please verify TLS configuration", though I followed all configuration steps as mentioned in the wiki link: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Could anyone help me in resolving this issue?

Note: I have Open vSwitch and the opendaylight controller on the same machine and so I am trying to connect to ssl:127.0.0.1:6633 from the switch.


Error at openvswitch:

2015-04-23T12:28:06.539Z|00920|bridge|INFO|bridge s1: added interface s1 on port 65534
2015-04-23T12:28:06.539Z|00921|bridge|INFO|bridge s1: using datapath ID 0000f644e1d6d148
2015-04-23T12:28:06.539Z|00922|connmgr|INFO|s1: added service controller "punix:/var/run/openvswitch/s1.mgmt"
2015-04-23T12:28:06.544Z|00923|bridge|INFO|bridge s1: using datapath ID 0000000000000001
2015-04-23T12:28:06.554Z|00924|bridge|INFO|bridge s1: added interface s1-eth1 on port 1
2015-04-23T12:28:06.559Z|00925|bridge|INFO|bridge s1: added interface s1-eth2 on port 2
2015-04-23T12:28:06.563Z|00926|connmgr|INFO|s1: added primary controller "tcp:127.0.0.1:6633"
2015-04-23T12:28:06.563Z|00927|rconn|INFO|s1<->tcp:127.0.0.1:6633: connecting...
2015-04-23T12:28:06.568Z|00928|rconn|INFO|s1<->tcp:127.0.0.1:6633: connection failed (Connection reset by peer)
2015-04-23T12:28:06.572Z|00929|connmgr|INFO|s1: added primary controller "ssl:127.0.0.1:6633"
2015-04-23T12:28:06.572Z|00930|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-23T12:28:06.572Z|00931|connmgr|INFO|s1: removed primary controller "tcp:127.0.0.1:6633"
2015-04-23T12:28:06.620Z|00932|rconn|INFO|s1<->ssl:127.0.0.1:6633: connected
2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message


Error at controller:


2015-04-23 15:28:06,385 | INFO | entLoopGroup-8-5 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55745 --> :6633
2015-04-23 15:28:06,385 | INFO | entLoopGroup-8-5 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
2015-04-23 15:28:06,388 | WARN | entLoopGroup-8-5 | SessionManagerOFImpl | 243 - org.opendaylight.openflowplugin - 0.0.6.Helium-SR3 | context for invalidation not found
2015-04-23 15:28:06,564 | INFO | entLoopGroup-8-6 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55746 --> :6633
2015-04-23 15:28:06,564 | INFO | entLoopGroup-8-6 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Not an TLS record exception - please verify TLS configuration.
2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Closing connection.
2015-04-23 15:28:06,568 | WARN | entLoopGroup-8-6 | SessionManagerOFImpl | 243 - org.opendaylight.openflowplugin - 0.0.6.Helium-SR3 | context for invalidation not found
2015-04-23 15:28:06,572 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55747 --> :6633
2015-04-23 15:28:06,573 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
2015-04-23 15:28:06,620 | INFO | entLoopGroup-8-7 | ConnectionAdapterImpl | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Hello received / branch
2015-04-23 15:28:06,628 | WARN | OFRpc-0 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Group Features
2015-04-23 15:28:06,628 | WARN | OFRpc-1 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Meter Features


Thanks
Ashok
________________________________________
From: Rajendran Ashok
Sent: Wednesday, April 22, 2015 8:27 PM
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I tried the same by updating the java.security file but still I am getting the SSL error below while connecting to the controller through TLS. Could you send me your config file so that I could check mine?


Log with error:

2015-04-21T21:55:54.703Z|00231|rconn|INFO|s1<->ssl:127.0.0.1:6633: waiting 4 seconds before reconnect
2015-04-21T21:55:58.700Z|00232|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-21T21:55:58.704Z|00233|stream_ssl|WARN|SSL_connect: unexpected SSL connection close


Note: I have Open vSwitch and the opendaylight controller on the same machine and so I am trying to connect to ssl:127.0.0.1:6633 from the switch.


Steps followed by me:


Step 1:

I commented out this line in the java.security file on the controller host.

"security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"

Step 2:

On my mininet host, that is the Open vSwitch host, I executed the commands below. Then I got the following six files: ctl-cert.pem, ctl-privkey.pem, ctl-req.pem, sc-cert.pem, sc-privkey.pem, sc-req.pem

sudo ovs-pki req+sign sc switch
sudo ovs-pki req+sign ctl controller

Step 3:

Then I prepared the keystore with the command below

sudo openssl pkcs12 -export -in ctl-cert.pem -inkey ctl-privkey.pem \
-out ctl.p12 -name odlserver \
-CAfile /var/lib/openvswitch/pki/controllerca/cacert.pem -caname root -chain

Step 4:

Then, using these 2 files, I created ctl.jks and truststore.jks with the commands below, respectively

keytool -importkeystore \
-deststorepass opendaylight -destkeypass opendaylight -destkeystore ctl.jks \
-srckeystore ctl.p12 -srcstoretype PKCS12 -srcstorepass opendaylight \
-alias odlserver

keytool -importcert -file sc-cert.pem -keystore truststore.jks -storepass opendaylight


Step 5:

Then I copied these 2 files - ctl.jks and truststore.jks - to the path below and modified the config file 42-openflowplugin.xml as follows

etc/opendaylight/karaf/ssl


42-openflowplugin.xml (excerpt; the <module> wrapper and <type> of the first module are restored from the second module so both modules read as complete elements):

<module>
  <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:provider:impl">prefix:openflow-switch-connection-provider-impl</type>
  <name>openflow-switch-connection-provider-default-impl</name>
  <port>6633</port>
  <!-- Possible transport-protocol options: TCP, TLS, UDP -->
  <transport-protocol>TLS</transport-protocol>
  <switch-idle-timeout>15000</switch-idle-timeout>
  <tls>
    <keystore>ssl/ctl.jks</keystore>
    <keystore-type>JKS</keystore-type>
    <keystore-path-type>PATH</keystore-path-type>
    <keystore-password>opendaylight</keystore-password>
    <truststore>ssl/truststore.jks</truststore>
    <truststore-type>JKS</truststore-type>
    <truststore-path-type>PATH</truststore-path-type>
    <truststore-password>opendaylight</truststore-password>
    <certificate-password>opendaylight</certificate-password>
  </tls>
  <!-- Exemplary thread model configuration. Uncomment <threads> tag below to adjust default thread model -->
  <!-- <threads>
    <boss-threads>2</boss-threads>
    <worker-threads>8</worker-threads>
  </threads> -->
</module>
<!-- default OF-switch-connection-provider (port 6653) -->
<module>
  <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:provider:impl">prefix:openflow-switch-connection-provider-impl</type>
  <name>openflow-switch-connection-provider-legacy-impl</name>
  <port>6653</port>
  <!-- Possible transport-protocol options: TCP, TLS, UDP -->
  <transport-protocol>TLS</transport-protocol>
  <switch-idle-timeout>15000</switch-idle-timeout>
  <tls>
    <keystore>ssl/ctl.jks</keystore>
    <keystore-type>JKS</keystore-type>
    <keystore-path-type>PATH</keystore-path-type>
    <keystore-password>opendaylight</keystore-password>
    <truststore>ssl/truststore.jks</truststore>
    <truststore-type>JKS</truststore-type>
    <truststore-path-type>PATH</truststore-path-type>
    <truststore-password>opendaylight</truststore-password>
    <certificate-password>opendaylight</certificate-password>
  </tls>
</module>


Step 6:

Executed the command below to configure Open vSwitch

sudo ovs-vsctl set-ssl \
/etc/openvswitch/sc-privkey.pem \
/etc/openvswitch/sc-cert.pem \
/var/lib/openvswitch/pki/controllerca/cacert.pem

Step 7:

Started mininet by executing the file ssl_switch_tests.py. I wrote the contents below inside the file.

ovs-vsctl set-controller s1 ssl:127.0.0.1:6633


After following all these steps, I got the mentioned SSL error. I have attached ovs-vswitchd.log also. Could you please help me if I am missing any steps or using a wrong config file. It would be helpful for me as I am stuck at this step for a long time.


Thanks
Ashok



________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 5:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

I went through the tutorial and it works fine (for me). But I hit the CKR_DOMAIN_PARAMS_INVALID exception as mentioned here: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support#CKR_DOMAIN_PARAMS_INVALID_exception

So I updated java.security according to the comments and all works fine.
If you don't see the CKR_DOMAIN_PARAMS_INVALID exception please try using "log:set DEBUG org.opendaylight.openflowjava" and report back what you found.

Regards,
Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 13:19
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Michal,

I created my own keys. I used this TLS version - OpenSSL 1.0.1

rajenda3@ws-32:/var/lib/openvswitch/pki/controllerca$ openssl version
OpenSSL 1.0.1 14 Mar 2012


Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, April 21, 2015 1:27 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

what keys do you use? Exemplary keys (from openflowjava) or did you create your own keys? What TLS version do you use?

Michal
________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 21 April 2015 09:59
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am trying to enable a TLS connection between the opendaylight controller and the switch. I followed the steps given in the link below. But when I tried to establish the connection now, it is showing an error saying certificate verification failed and wrong version number, as shown below in ovs-vswitchd.log. I checked the certificate and it is valid. Could you please check why I am facing this error?


link:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support


Error:
Apr 20 12:14:46|03981|rconn|INFO|s1<->ssl:192.168.56.101:6633: continuing to retry connections in the background but suppressing further logging
Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 12:15:10|03983|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Apr 20 15:32:12|04216|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Note:
My controller address: 192.168.56.101, which is a VirtualBox machine, and my switch is on my local machine

Attached full ovs-vswitchd.log along this mail.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Tuesday, March 31, 2015 5:07 PM
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

if you clone openflowjava repository (git clone ssh://<username>@git.opendaylight.org:29418/openflowjava or git clone https://git.opendaylight.org/gerrit/openflowjava), then you will be able to get exemplary TLS keys (located in openflowjava/openflow-protocol-impl/src/main/resources).

Regards,
Michal Polkorab
________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) <mirehak@...>
Sent: 31 March 2015 15:12
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: Re: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

fw to openflowjava-ml

________________________________________
From: Rajendran Ashok [ashok.rajendran@...]
Sent: Tuesday, March 31, 2015 00:54
To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for the reply. I was following the same link for enabling TLS. In this link, it is mentioned to find the files exemplary-*.pem in the path openflowjava/openflow-protocol-impl/src/main/resources. But I am not able to find those files in that path.

Are there any steps to generate these files, or am I missing any configuration? Please help on this.

EXCERPT FROM WIKI LINK:

Exemplary configuration

There is already exemplary code in configuration/initial/42-openflowplugin.xml file and also exemplary keys stored in openflowjava (src/main/resources). This exemplary code is commented, so the default is to use unsecured communication.

If you want to try TLS secured communication with your device, you need to do following steps:

* make sure that <transport-protocol> is set with TLS
* uncomment code in <tls> tags
* find exemplary-* files in openflowjava repository - under openflow-protocol-impl/src/main/resources
* copy exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem files into your device
* configure your device with provided keys (in case of openvswitch please see "Configure openvswitch SSL" part below)
* start communication

Thanks
Ashok


________________________________________
From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) [mirehak@...]
Sent: Monday, March 30, 2015 6:10 PM
To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,
you might find this wiki useful:
https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Regards,
Michal

________________________________________
From: openflowplugin-users-bounces@... [openflowplugin-users-bounces@...] on behalf of Rajendran Ashok [ashok.rajendran@...]
Sent: Monday, March 30, 2015 16:46
To: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...
Subject: Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi,

Thanks for your reply. I am able to find the 42-openflowplugin.xml file in the directory mentioned by you.

But now I am looking for these three files, exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem, to transfer them to my mininet host. But I am not able to find them in the path mentioned in that wiki page - openflowjava/openflow-protocol-impl/src/main/resources

Where can I find these files? Could you also mention where I can find the updated wiki page for Helium with Karaf so that I can follow it (as you mentioned in the mail below that this wiki page is not updated for Helium Karaf)

Thanks
Ashok



________________________________________
From: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) [vrpolak@...]
Sent: Tuesday, March 24, 2015 5:08 PM
To: Rajendran Ashok
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok.

Helium is based on Karaf, but the wiki page
was written before that change was made.

42-openflowplugin.xml under the directory configuration/initial/
The new directory is etc/opendaylight/karaf/
but the file only appears after karaf is started
and an openflow feature is installed.

When you have your version of 42-openflowplugin.xml ready,
you can place it into etc/opendaylight/karaf/
before karaf starts, and your values will be used
instead of those from the default file.

Vratko.

-----Original Message-----
From: openflowplugin-users-bounces@... [mailto:openflowplugin-users-bounces@...] On Behalf Of Rajendran Ashok
Sent: Tuesday, March 24, 2015 3:23 PM
To: openflowplugin-users@...
Subject: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller


Hi All,

I am working on the opendaylight controller for my assignment. I would like to enable a TLS connection between my opendaylight controller and mininet switch. I followed the steps given in the link below. But I am stuck at one point where I am not able to find the xml file 42-openflowplugin.xml under the directory configuration/initial/. Is there any configuration to be done to get this file, or do I need to create this file? Could you please help me on this issue.

https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Note: I downloaded opendaylight controller code from git in stable/Helium branch and built it using maven as mentioned in Wiki.

Thanks
Ashok
_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users
_______________________________________________
openflowjava-dev mailing list
openflowjava-dev@...
https://lists.opendaylight.org/mailman/listinfo/openflowjava-dev
Michal Polkoráb
Software Developer

Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk