Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller
Michal Polkorab
That is great news! Now you can test whatever you want.
Thank you for your patience Ashok. Michal ________________________________________ From: Rajendran Ashok <ashok.rajendran@...> Sent: 26 April 2015 13:09 To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@... Cc: openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Thanks Michal. It worked now after installing odl-l2switch-all. - Ashok ________________________________________ From: Michal Polkoráb [michal.polkorab@...] Sent: Friday, April 24, 2015 5:09 PM To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@... Cc: openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller It is l2switch project that installs all needed flow rules onto all connected switches. So you should start the l2switch project (for example odl-l2switch-all), wait till it starts and then connect your devices. After a short while it should install needed flows and then you can try pingall command - which should succeed now. Michal ________________________________________ From: Rajendran Ashok <ashok.rajendran@...> Sent: 24 April 2015 15:25 To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@... Cc: openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Michal, I am not able to use my device now and it is not pinging between two hosts h1 and h2 :(. My task is to establish a TLS connection between controller and switch and do ping tests between the hosts. But I am not able to do it now. 
Will there be any other problem ? Thanks Ashok ________________________________________ From: Michal Polkoráb [michal.polkorab@...] Sent: Friday, April 24, 2015 4:16 PM To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@... Cc: openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Ashok, one reason that comes to my mind might be that your device doesn't support version bitmap (which is added in OF v1.3) or it might be a problem related to the reconnect that occurs. But I guess you can use your device as you wish since you don't see more warn / error logs. Michal ________________________________________ From: Rajendran Ashok <ashok.rajendran@...> Sent: 24 April 2015 15:11 To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco); openflowplugin-users@... Cc: openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Michal, I checked now with port 8181. Now I got the response as shown below. It showed the node id's and so the device is in controller datastore. But still we are getting OFPBRC_BAD_TYPE error reply. Will there be any other reason ? Part of Response: <node> <id>openflow:1</id> <node-connector> <id>openflow:1:LOCAL</id> <flow-capable-node-connector-statistics xmlns="urn:opendaylight:port:statistics"> <transmit-errors>0</transmit-errors> <bytes> <received>648</received> <transmitted>1196</transmitted> </bytes> Thanks Ashok ________________________________________ From: Michal Polkoráb [michal.polkorab@...] 
Sent: Friday, April 24, 2015 3:44 PM To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller We need to update the wiki page: please use the http://<controller-ip>:8181/restconf/operational/opendaylight-inventory:nodes/ (just change the port from 8080 to 8181) and make sure one of the next features is installed on you karaf container: odl-restconf, odl-restconf-noauth, odl-restconf-all. But I believe that it works - otherwise you wouldn't see the device in the ODL GUI. Michal ________________________________________ From: Rajendran Ashok <ashok.rajendran@...> Sent: 24 April 2015 14:34 To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Michal, I tried checking whether the device is in controller store but through the restconf I didnt get any response as attached snapshot. But in the controller gui I am able to find that my switch (openflow:1) is connected to controller (Attached the snapshot). Additionally I am getting below exception in karaf. Could you check whether this exception is related to my error?. Will there be any other reason for these OFPBRC_BAD_TYPE error reply so that I could check that also? 
ERROR: opendaylight-user@root>Exception in thread "Thread-44" java.util.concurrent.RejectedExecutionException: Task org.opendaylight.openflowplugin.openflow.md.core.HandshakeStepWrapper@596c1ed3 rejected from org.opendaylight.openflowplugin.openflow.md.core.ThreadPoolLoggingExecutor@495bdc82[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 0] at java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(ThreadPoolExecutor.java:2048) at java.util.concurrent.ThreadPoolExecutor.reject(ThreadPoolExecutor.java:821) at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1372) at org.opendaylight.openflowplugin.openflow.md.core.ConnectionConductorImpl.onConnectionReady(ConnectionConductorImpl.java:419) at org.opendaylight.openflowjava.protocol.impl.connection.ConnectionAdapterImpl$3.run(ConnectionAdapterImpl.java:467) at java.lang.Thread.run(Thread.java:745) Thanks Ashok ______________________________________ From: Michal Polkoráb [michal.polkorab@...] Sent: Friday, April 24, 2015 2:17 PM To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@...; openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Ashok, I must repeat myself - it looks that your setup works (although I still don't get why there is 2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message log in your virtual switch). The best idea would be to test if the device is in controller datastore. Please follow the step from this wiki page: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin::End_to_End_Inventory (using GET http method). If you see something like <node> in the reply, controller communicates with your device. 
Regards,
Michal

________________________________________
From: Rajendran Ashok <ashok.rajendran@...>
Sent: 23 April 2015 18:16
To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Thanks Michal for checking my issue. I have attached full karaf logs that is generated while trying TLS connection between switch and controller. Could you please check these logs are sufficient? If not, could you please tell the commands for collecting karaf logs in verbose mode, so that I could collect logs using that command and send you for deeper analysis.

Thanks
Ashok

________________________________________
From: Michal Polkoráb [michal.polkorab@...]
Sent: Thursday, April 23, 2015 5:48 PM
To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco)
Cc: openflowplugin-users@...; openflowjava-dev
Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok,

based on your logs - it looks like your setup works. Let me explain:

2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Not an TLS record exception - please verify TLS configuration.
- signals that you successfully managed to configure controller (openflowjava) with TLS configuration, but you connected device which doesn't support TLS (or with no TLS set).

2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Closing connection.
- device is being disconnected because it doesn't support TLS (and it must when TLS is enabled)

2015-04-23 15:28:06,572 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55747 --> :6633
2015-04-23 15:28:06,573 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline
- device reconnects

2015-04-23 15:28:06,620 | INFO | entLoopGroup-8-7 | ConnectionAdapterImpl | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Hello received / branch
- device successfully sent hello message to the controller and it was successfully decoded

2015-04-23 15:28:06,628 | WARN | OFRpc-0 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Group Features
2015-04-23 15:28:06,628 | WARN | OFRpc-1 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Meter Features
- signals further communication - it looks like you connected device in OF v1.0 mode and that's why it doesn't support meter and group features

2015-04-23T12:28:06.620Z|00932|rconn|INFO|s1<->ssl:127.0.0.1:6633: connected
2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message
- looks like the device successfully connected but for some unknown reason it can't process Hello message sent from controller

Do you see any other logs (in controller console) after those you sent?

Regards, Michal Polkorab ________________________________________ From: Rajendran Ashok <ashok.rajendran@...> Sent: 23 April 2015 15:22 To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@...; openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi All, I am getting following error while establishing a TLS connection between controller and openvswitch. Open switch throws error as "OFPBRC_BAD_TYPE error reply to OFPT_HELLO message" whereas controller throws error as "Not an TLS record exception - please verify TLS configuration" though I followed all configuration steps as mentioned in the Wiki link. https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support Could anyone help me in resolving this issue? Note: I have openvswitch and opendaylight controller in same machine and so I am trying to connect ssl:127.0.0.1:6633 from switch. Error at openvswitch: 2015-04-23T12:28:06.539Z|00920|bridge|INFO|bridge s1: added interface s1 on port 65534 2015-04-23T12:28:06.539Z|00921|bridge|INFO|bridge s1: using datapath ID 0000f644e1d6d148 2015-04-23T12:28:06.539Z|00922|connmgr|INFO|s1: added service controller "punix:/var/run/openvswitch/s1.mgmt" 2015-04-23T12:28:06.544Z|00923|bridge|INFO|bridge s1: using datapath ID 0000000000000001 2015-04-23T12:28:06.554Z|00924|bridge|INFO|bridge s1: added interface s1-eth1 on port 1 2015-04-23T12:28:06.559Z|00925|bridge|INFO|bridge s1: added interface s1-eth2 on port 2 2015-04-23T12:28:06.563Z|00926|connmgr|INFO|s1: added primary controller "tcp:127.0.0.1:6633" 2015-04-23T12:28:06.563Z|00927|rconn|INFO|s1<->tcp:127.0.0.1:6633: connecting... 
2015-04-23T12:28:06.568Z|00928|rconn|INFO|s1<->tcp:127.0.0.1:6633: connection failed (Connection reset by peer) 2015-04-23T12:28:06.572Z|00929|connmgr|INFO|s1: added primary controller "ssl:127.0.0.1:6633" 2015-04-23T12:28:06.572Z|00930|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting... 2015-04-23T12:28:06.572Z|00931|connmgr|INFO|s1: removed primary controller "tcp:127.0.0.1:6633" 2015-04-23T12:28:06.620Z|00932|rconn|INFO|s1<->ssl:127.0.0.1:6633: connected 2015-04-23T12:28:06.621Z|00933|connmgr|INFO|s1<->ssl:127.0.0.1:6633: sending OFPBRC_BAD_TYPE error reply to OFPT_HELLO message Error at controller: 2015-04-23 15:28:06,385 | INFO | entLoopGroup-8-5 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55745 --> :6633 2015-04-23 15:28:06,385 | INFO | entLoopGroup-8-5 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline 2015-04-23 15:28:06,388 | WARN | entLoopGroup-8-5 | SessionManagerOFImpl | 243 - org.opendaylight.openflowplugin - 0.0.6.Helium-SR3 | context for invalidation not found 2015-04-23 15:28:06,564 | INFO | entLoopGroup-8-6 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55746 --> :6633 2015-04-23 15:28:06,564 | INFO | entLoopGroup-8-6 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline 2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Not an TLS record exception - please verify TLS configuration. 
2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Closing connection. 2015-04-23 15:28:06,568 | WARN | entLoopGroup-8-6 | SessionManagerOFImpl | 243 - org.opendaylight.openflowplugin - 0.0.6.Helium-SR3 | context for invalidation not found 2015-04-23 15:28:06,572 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection from (remote address): /127.0.0.1:55747 --> :6633 2015-04-23 15:28:06,573 | INFO | entLoopGroup-8-7 | TcpChannelInitializer | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Incoming connection accepted - building pipeline 2015-04-23 15:28:06,620 | INFO | entLoopGroup-8-7 | ConnectionAdapterImpl | 241 - org.opendaylight.openflowjava.openflow-protocol-impl - 0.5.3.Helium-SR3 | Hello received / branch 2015-04-23 15:28:06,628 | WARN | OFRpc-0 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Group Features 2015-04-23 15:28:06,628 | WARN | OFRpc-1 | StatRpcMsgManagerImpl | 235 - org.opendaylight.controller.md.statistics-manager - 1.1.3.Helium-SR3 | Node [Uri [_value=openflow:1]] does not support statistics request type : Meter Features Thanks Ashok ________________________________________ From: Rajendran Ashok Sent: Wednesday, April 22, 2015 8:27 PM To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@...; openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Michal, I tried the same by updating java.security file but still I am getting below SSL error while connecting to controller through TLS. 
Could you send me your config file so that I could check mine?

Log with error:

2015-04-21T21:55:54.703Z|00231|rconn|INFO|s1<->ssl:127.0.0.1:6633: waiting 4 seconds before reconnect
2015-04-21T21:55:58.700Z|00232|rconn|INFO|s1<->ssl:127.0.0.1:6633: connecting...
2015-04-21T21:55:58.704Z|00233|stream_ssl|WARN|SSL_connect: unexpected SSL connection close

Note: I have openvswitch and opendaylight controller in same machine and so I am trying to connect ssl:127.0.0.1:6633 from switch.

Steps followed by me:

Step 1: I commented this line in java.security file in controller host.

    "security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg"

Step 2: In my mininet host, that is openvswitch, I executed below commands. Then I got following six files, ctl-cert.pem, ctl-privkey.pem, ctl-req.pem, sc-cert.pem, sc-privkey.pem, sc-req.pem

    sudo ovs-pki req+sign sc switch
    sudo ovs-pki req+sign ctl controller

Step 3: Then I prepared the keystore with below commands

    sudo openssl pkcs12 -export -in ctl-cert.pem -inkey ctl-privkey.pem \
        -out ctl.p12 -name odlserver \
        -CAfile /var/lib/openvswitch/pki/controllerca/cacert.pem -caname root -chain

Step 4: Then using these 2 files, created ctl.jks and truststore.jks with below commands respectively

    keytool -importkeystore \
        -deststorepass opendaylight -destkeypass opendaylight -destkeystore ctl.jks \
        -srckeystore ctl.p12 -srcstoretype PKCS12 -srcstorepass opendaylight \
        -alias odlserver

    keytool -importcert -file sc-cert.pem -keystore truststore.jks -storepass opendaylight

Step 5: Then copied these 2 files - ctl.jks and truststore.jks in the below path and modified config file - 42-openflowplugin.xml as below

    etc/opendaylight/karaf/ssl

42-openflowplugin.xml:

    <name>openflow-switch-connection-provider-default-impl</name>
    <port>6633</port>
    <!-- Possible transport-protocol options: TCP, TLS, UDP -->
    <transport-protocol>TLS</transport-protocol>
    <switch-idle-timeout>15000</switch-idle-timeout>
    <tls>
        <keystore>ssl/ctl.jks</keystore>
        <keystore-type>JKS</keystore-type>
        <keystore-path-type>PATH</keystore-path-type>
        <keystore-password>opendaylight</keystore-password>
        <truststore>ssl/truststore.jks</truststore>
        <truststore-type>JKS</truststore-type>
        <truststore-path-type>PATH</truststore-path-type>
        <truststore-password>opendaylight</truststore-password>
        <certificate-password>opendaylight</certificate-password>
    </tls>
    <!-- Exemplary thread model configuration. Uncomment <threads> tag below to adjust default thread model -->
    <!--
    <threads>
        <boss-threads>2</boss-threads>
        <worker-threads>8</worker-threads>
    </threads>
    -->
    </module>
    <!-- default OF-switch-connection-provider (port 6653) -->
    <module>
    <type xmlns:prefix="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:provider:impl">prefix:openflow-switch-connection-provider-impl</type>
    <name>openflow-switch-connection-provider-legacy-impl</name>
    <port>6653</port>
    <!-- Possible transport-protocol options: TCP, TLS, UDP -->
    <transport-protocol>TLS</transport-protocol>
    <switch-idle-timeout>15000</switch-idle-timeout>
    <tls>
        <keystore>ssl/ctl.jks</keystore>
        <keystore-type>JKS</keystore-type>
        <keystore-path-type>PATH</keystore-path-type>
        <keystore-password>opendaylight</keystore-password>
        <truststore>ssl/truststore.jks</truststore>
        <truststore-type>JKS</truststore-type>
        <truststore-path-type>PATH</truststore-path-type>
        <truststore-password>opendaylight</truststore-password>
        <certificate-password>opendaylight</certificate-password>
    </tls>

Step 6: Executed below command to configure openvswitch

    sudo ovs-vsctl set-ssl \
        /etc/openvswitch/sc-privkey.pem \
        /etc/openvswitch/sc-cert.pem \
        /var/lib/openvswitch/pki/controllerca/cacert.pem

Step 7: started mininet by executing the file ssl_switch_tests.py. I wrote below contents inside the file.

    'ovs-vsctl set-controller s1 ssl:127.0.0.1:6633

After following all these steps, I got the mentioned SSL error. I have attached ovs-vswitchd.log also.

Could you please help me if I am missing any steps or using wrong config file. It would be helpful for me as I am stuck in this step for long time. Thanks Ashok ________________________________________ From: Michal Polkoráb [michal.polkorab@...] Sent: Tuesday, April 21, 2015 5:27 PM To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@...; openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Ashok, I went through the tutorial and it works fine (for me). But I hit the CKR_DOMAIN_PARAMS_INVALID exception as mentioned here: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support#CKR_DOMAIN_PARAMS_INVALID_exception So I updated the java.security according to comments and all works fine. If you don't see the CKR_DOMAIN_PARAMS_INVALID exception please try using "log:set DEBUG org.opendaylight.openflowjava" and report back what you found. Regards, Michal ________________________________________ From: Rajendran Ashok <ashok.rajendran@...> Sent: 21 April 2015 13:19 To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@...; openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Michal, I created my own keys. I used this TLS version - OpenSSL 1.0.1 rajenda3@ws-32:/var/lib/openvswitch/pki/controllerca$ openssl version OpenSSL 1.0.1 14 Mar 2012 Thanks Ashok ________________________________________ From: Michal Polkoráb [michal.polkorab@...] 
Sent: Tuesday, April 21, 2015 1:27 PM To: Rajendran Ashok; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@...; openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Ashok, what keys do you use ? Exemplary keys (from openflowjava) or you created your own keys ? What TLS version do you use ? Michal ________________________________________ From: Rajendran Ashok <ashok.rajendran@...> Sent: 21 April 2015 09:59 To: Michal Polkoráb; Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@...; openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi All, I am trying to enable TLS connection between opendaylight controller and the switch. I followed the steps given in below link. But when I tried to establish connection now, it is showing error saying certificate verification failed and wrong version number as shown below in ovs-vswitchd.log. I checked the certificate and it has the validity. Could you please check why I am facing this error ? 
link: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support Error: Apr 20 12:14:46|03981|rconn|INFO|s1<->ssl:192.168.56.101:6633: continuing to retry connections in the background but suppressing further logging Apr 20 12:14:54|03982|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Apr 20 12:15:10|03983|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number Apr 20 15:32:12|04216|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number Note: My controller address : 192.168.56.101 which is a virtual box machine and my switch is in my local machine Attached full ovs-vswitchd.log along this mail. Thanks Ashok ________________________________________ From: Michal Polkoráb [michal.polkorab@...] Sent: Tuesday, March 31, 2015 5:07 PM To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@...; openflowjava-dev Subject: RE: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Ashok, if you clone openflowjava repository (git clone ssh://<username>@git.opendaylight.org:29418/openflowjava or git clone https://git.opendaylight.org/gerrit/openflowjava), then you will be able to get exemplary TLS keys (located in openflowjava/openflow-protocol-impl/src/main/resources). 
Regards, Michal Polkorab ________________________________________ From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) <mirehak@...> Sent: 31 March 2015 15:12 To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@...; openflowjava-dev Subject: Re: [openflowjava-dev] [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller fw to openflowjava-ml ________________________________________ From: Rajendran Ashok [ashok.rajendran@...] Sent: Tuesday, March 31, 2015 00:54 To: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco); Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@... Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Thanks Michal for the reply. I was following the same link for enabling TLS. In this link, it has mentioned to find the files exemplary-*.pem in this path openflowjava/openflow-protocol-impl/src/main/resources. But I am not able to find that files in that path. Is there any steps to generate this file or am I missing any configuration ? Please help on this EXCERPT FROM WIKI LINK: Exemplary configuration There is already exemplary code in configuration/initial/42-openflowplugin.xml file and also exemplary keys stored in openflowjava (src/main/resources). This exemplary code is commented, so the default is to use unsecured communication. 
If you want to try TLS secured communication with your device, you need to do following steps: * make sure that <transport-protocol> is set with TLS * uncomment code in <tls> tags * find exemplary-* files in openflowjava repository - under openflow-protocol-impl/src/main/resources * copy exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem files into your device * configure your device with provided keys (in case of openvswitch please see "Configure openvswitch SSL" part below) * start communication Thanks Ashok ________________________________________ From: Michal Rehak -X (mirehak - Pantheon Technologies SRO at Cisco) [mirehak@...] Sent: Monday, March 30, 2015 6:10 PM To: Rajendran Ashok; Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@... Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi Ashok, you might find this wiki useful: https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support Regards, Michal ________________________________________ From: openflowplugin-users-bounces@... [openflowplugin-users-bounces@...] on behalf of Rajendran Ashok [ashok.rajendran@...] Sent: Monday, March 30, 2015 16:46 To: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) Cc: openflowplugin-users@... Subject: Re: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller Hi, Thanks for your reply. I am able find 42-openflowplugin.xml file in the directory mentioned by you. But now I am looking for these three files, exemplary-switch-privkey.pem, exemplary-switch-cert.pem and exemplary-cacert.pem to transfer it to my mininet host. But I am not able to find it in the path mentioned in that wiki page - openflowjava/openflow-protocol-impl/src/main/resources Where can I find these files ? 
Could you also mention where can I find the updated Wiki page for Helium with Karaf so that I can follow it (as you mentioned in below mail that this wiki page is not updated for helium karaf)

Thanks
Ashok

________________________________________
From: Vratko Polak -X (vrpolak - Pantheon Technologies SRO at Cisco) [vrpolak@...]
Sent: Tuesday, March 24, 2015 5:08 PM
To: Rajendran Ashok
Cc: openflowplugin-users@...
Subject: RE: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi Ashok.

Helium is based on Karaf, but the wiki page was written before that change was made.

> 42-openflowplugin.xml under the directory configuration/initial/

The new directory is etc/opendaylight/karaf/ but the file only appears after karaf is started and an openflow feature is installed.

When you have your version of 42-openflowplugin.xml ready, you can place it into etc/opendaylight/karaf/ before karaf starts, and your values will be used instead of those from the default file.

Vratko.

-----Original Message-----
From: openflowplugin-users-bounces@... [mailto:openflowplugin-users-bounces@...] On Behalf Of Rajendran Ashok
Sent: Tuesday, March 24, 2015 3:23 PM
To: openflowplugin-users@...
Subject: [openflowplugin-users] Facing problem in enabling TLS connection in opendaylight controller

Hi All,

I am working on opendaylight controller for my assignment. I would like to enable TLS connection in my opendaylight controller and mininet switch. I followed the steps given in below link. But I am stuck at one point where I am not able to find the xml file - 42-openflowplugin.xml under the directory configuration/initial/. Is there any configuration to be done to get this file or do I need to create this file? Could you please help me on this issue.

https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

Note: I downloaded opendaylight controller code from git in stable/Helium branch and built it using maven as mentioned in Wiki.

Thanks
Ashok

_______________________________________________
openflowplugin-users mailing list
openflowplugin-users@...
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-users

_______________________________________________
openflowjava-dev mailing list
openflowjava-dev@...
https://lists.opendaylight.org/mailman/listinfo/openflowjava-dev

Michal Polkoráb
Software Developer
Mlynské Nivy 56 / 821 05 Bratislava / Slovakia
+421 918 378 907 / michal.polkorab@...
reception: +421 2 206 65 111 / www.pantheon.sk
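
A triage helper for the symptoms discussed in this thread, added here as an example (it is not code from the thread, from OpenDaylight or from Open vSwitch): it tells a TLS handshake from a plaintext OpenFlow HELLO by the first bytes on the OpenFlow port, and maps the log messages quoted above to their likely cause. The function names, the rule wording and the abridged sample lines are assumptions made for the illustration.

```python
import re
import struct

TLS_HANDSHAKE = 0x16                   # TLS record content type: handshake
OPENFLOW_VERSIONS = range(0x01, 0x07)  # OpenFlow wire versions 1.0 to 1.5
OFPT_HELLO = 0                         # OpenFlow message type of HELLO


def classify_first_bytes(data: bytes) -> str:
    """Say what kind of peer produced the first bytes seen on the OpenFlow port."""
    if len(data) < 5:
        return "too-short"
    # TLS record header: content type, version major, version minor, length.
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype == TLS_HANDSHAKE and major == 3 and minor <= 4:
        return "tls-handshake"
    # OpenFlow header: version, type, length, transaction id.
    if len(data) >= 8:
        version, msg_type, length, _xid = struct.unpack("!BBHI", data[:8])
        if version in OPENFLOW_VERSIONS and msg_type == OFPT_HELLO and length >= 8:
            return "plaintext-openflow-hello"
    return "unknown"


# (pattern, side that logs it, likely cause). Wording is this example's own.
RULES = [
    (r"Not an TLS record exception", "controller",
     "TLS listener received non-TLS bytes: a switch target is tcp: instead of ssl:"),
    (r"wrong version number", "switch",
     "switch spoke TLS but the reply was not a valid TLS record: "
     "the listener on that port is probably not in TLS mode"),
    (r"certificate verify failed", "switch",
     "controller certificate did not validate against the CA certificate "
     "configured on the switch"),
]
ADDED_CONTROLLER = re.compile(r'added primary controller "(tcp|ssl):([^"]+)"')


def triage(lines):
    """Return (line number, side, finding) for every known symptom in the logs."""
    findings = []
    for number, line in enumerate(lines, 1):
        for pattern, side, cause in RULES:
            if re.search(pattern, line):
                findings.append((number, side, cause))
        match = ADDED_CONTROLLER.search(line)
        if match and match.group(1) == "tcp":
            findings.append(
                (number, "switch",
                 f"plaintext controller target tcp:{match.group(2)} was configured"))
    return findings


# Sample input: log lines from the thread, abridged for the example.
SAMPLE_LINES = [
    '2015-04-23T12:28:06.563Z|00926|connmgr|INFO|s1: added primary controller "tcp:127.0.0.1:6633"',
    "2015-04-23 15:28:06,567 | WARN | entLoopGroup-8-6 | OFFrameDecoder | "
    "Not an TLS record exception - please verify TLS configuration.",
    '2015-04-23T12:28:06.572Z|00929|connmgr|INFO|s1: added primary controller "ssl:127.0.0.1:6633"',
    "Apr 20 15:32:04|04215|stream_ssl|WARN|SSL_connect: "
    "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
]

# Constructed first bytes: an OpenFlow 1.0 HELLO and the start of a TLS ClientHello.
OF10_HELLO = bytes.fromhex("0100000800000001")
TLS_CLIENT_HELLO_START = bytes.fromhex("16030100c8010000c4")

if __name__ == "__main__":
    print(classify_first_bytes(OF10_HELLO))
    print(classify_first_bytes(TLS_CLIENT_HELLO_START))
    for number, side, cause in triage(SAMPLE_LINES):
        print(f"line {number} [{side}]: {cause}")
```

On the 23 April logs this ties the controller's "Not an TLS record" warning to the switch's initial tcp: target, which was replaced by the ssl: target a few milliseconds later.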