Hi All,
I am following the wiki below for OVSDB-TLS communication:
https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
I am seeing the error below in the ODL logs:
_remoteIp=IpAddress [_ipv4Address=Ipv4Address [_value=192.168.56.102]], _remotePort=PortNumber [_value=36526], augmentation=[]]
2018-01-01 20:36:43,103 | ERROR | DBConnNotifSer-0 | OvsdbConnectionService | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Probe failed to OVSDB switch. Disconnecting the channel ConnectionInfo [Remote-address=192.168.56.102, Remote-port=36526, Local-address192.168.56.1, Local-port=6640, type=PASSIVE]
And I am not seeing the SSL connection on OVS:
stack@ubuntu:/etc/openvswitch$ sudo ovs-vsctl show
3dfb73ad-1ea2-46ed-b749-ba55a1ee912f
Manager "ssl:192.168.56.1:6640"
Bridge br-ex
Controller "ssl:192.168.56.1:6653"
Port br-ex
Interface br-ex
type: internal
ovs_version: "2.6.1"
stack@ubuntu:/etc/openvswitch$
Can you please help me out in fixing this issue?
Attaching the changed config files. Please let me know if you need any info to help on this issue.
Thanks,
Vamsi
Jamo Luhrsen <jluhrsen@...>
Vamsi,
I've added Mohamed explicitly to this email, as he was the author of the wiki page you are referring to.
I've personally never set up ovsdb with TLS, so not sure if it even works. It does seem like a gap we have in our CSIT jobs. Hopefully someone (maybe me) can find time to add it. It's not out of the realm of possibility that it does not work and we need a bug.
Thanks, JamO
Jamo Luhrsen <jluhrsen@...>
Sending again with Mohamed's gmail address
Hi Vamsikrishna,
So you are following the previous wiki to establish OVS TLS communication without any specific cipher suites (just so as not to confuse this with your other emails). Let's do the troubleshooting:
1- In the aaa-cert-config.xml, using mdsal (<use-mdsal>true</use-mdsal>) means you are using ODL in cluster mode? If yes, make sure that the aaa-cert data tree has been configured in the cluster. If not, the recommendation is to use the jks files as the certificate data store in an ODL single instance.
2- Did you make sure that the OVS certificate has been stored in ODL? Check step 9 of the wiki.
I will try to go through the wiki again in order to reproduce it. Are you using ODL Nitrogen or master? Let me know.
Thanks
-----
Thanks Jamo
Hi Mohamed & Jamo,
Thanks for your response.
Also, sometimes I see the errors below in the ODL and OVS logs:
D: [id: 0x78b62606, L:/192.168.56.1:6640 - R:/192.168.56.102:41618]
-01-03 14:31:42,261 | ERROR | assiveConnServ-3 | OvsdbConnectionService | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Ssl handshake fail. channel [id: 0x78b62606, L:/192.168.56.1:6640 ! R:/192.168.56.102:41618]
stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log
2018-01-02T18:20:05.920Z|07252|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
2018-01-02T18:20:13.921Z|07253|reconnect|INFO|ssl:192.168.56.1:6640: connecting...
2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2018-01-02T18:20:13.928Z|07255|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)
2018-01-02T18:20:13.928Z|07256|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
stack@ubuntu:/var/log/openvswitch$
Please find my answers inline.
Regards,
Vamsi
From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 8:31 PM
To: Jamo Luhrsen <jluhrsen@...>
Cc: A Vamsikrishna <a.vamsikrishna@...>; ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Vamsikrishna,
So you are following the previous wiki to establish OVS TLS communication without any specific cipher suites (just so as not to confuse this with your other emails).
[Vamsi] Yes
Let's do the troubleshooting:
- In the aaa-cert-config.xml, using mdsal (<use-mdsal>true</use-mdsal>) means you are using ODL in cluster mode? If yes, make sure that the aaa-cert data tree has been configured in the cluster. If not, the recommendation is to use the jks files as the certificate data store in an ODL single instance.
[Vamsi] I am using ODL in non-cluster mode and I have generated the jks files by following the attached commands (ctl.jks and truststore.jks) on OVS
- Did you make sure that the OVS certificate has been stored in ODL? Check step 9 of the wiki.
[Vamsi] Yes, I have manually copied ctl.jks and truststore.jks to ODL's /configuration/ssl folder and restarted ODL using system:shutdown
I will try to go through the wiki again in order to reproduce it. Are you using ODL Nitrogen or master? Let me know.
[Vamsi] I am using master.
Hi Vamsikrishna,
- As you are using jks files, you need to set <use-mdsal>false</use-mdsal>, otherwise ODL will look for the OVS certificate in MD-SAL, not in the jks file.
- Also, please confirm that you used the RPC in step 9 and that you were able to see the certificate back (wiki step 9): don't forget to change ovs1 to the alias you used when you generated the OVS certificate.
I'm not sure why you used this way to generate the controller certificate; ODL is supposed to generate its own self-signed certificate, OR if you will use a CA authority, you should have both the OVS and ODL certificates signed based on certificate requests.
BR
Hi Mohamed,
It worked after setting the tag below to true
<use-mdsal>false</use-mdsal>
I have attached all the steps that I have followed for reference.
After adding a cipher suite it's working for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but not for TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
Below are the logs:
stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log
2018-01-02T21:44:45.533Z|12079|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
2018-01-02T21:44:53.535Z|12080|reconnect|INFO|ssl:192.168.56.1:6640: connecting...
2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2018-01-02T21:44:53.539Z|12082|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)
2018-01-02T21:44:53.539Z|12083|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
stack@ubuntu:/var/log/openvswitch$
47. NOK org.opendaylight.ovsdb.hwvtepsouthbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)
48. NOK org.opendaylight.ovsdb.library: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.aaa.cert.api.ICertificateManager)
49. NOK org.opendaylight.ovsdb.southbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)
2018-01-04 23:32:59,622 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xa753e054, L:/192.168.56.1:6640 - R:/192.168.56.102:44828]
2018-01-04 23:33:07,645 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xb41f9441, L:/192.168.56.1:6640 - R:/192.168.56.102:44830]
2018-01-04 23:33:15,663 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xcdb6c31c, L:/192.168.56.1:6640 - R:/192.168.56.102:44832]
2018-01-04 23:33:23,679 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x5191df60, L:/192.168.56.1:6640 - R:/192.168.56.102:44834]
2018-01-04 23:33:31,694 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x9f672ffc, L:/192.168.56.1:6640 - R:/192.168.56.102:44836]
2018-01-04 23:33:39,712 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
Any idea about this issue?
Thanks,
Vamsi
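The two OpenSSL errors posted in this thread (the "certificate verify failed" in the earlier ovsdb-server.log excerpt and the "sslv3 alert handshake failure" above) point at different sides of the TLS handshake, which decides where the fix belongs. The script below is an added example, not code from this thread, from the wiki, or from the Open vSwitch or OpenDaylight projects. It parses ovsdb-server.log lines and the Karaf OvsdbConnectionService lines in the formats shown in the thread, extracts the embedded OpenSSL error fields and the peer address, and classifies each failure. The function names, the Finding record and the interpretation table are the example's own assumptions; the sample log lines are constructed after the ones posted here.

```python
"""Triage the OVS <-> ODL TLS failures quoted in the thread above.
Added example, not code from the thread, the wiki, Open vSwitch or OpenDaylight.
Sample lines at the bottom are constructed after the ones posted in the thread."""
import re
from dataclasses import dataclass
from typing import Optional

# ovsdb-server.log: 2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: ...
OVS_LOG_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<seq>\d+)\|(?P<module>[^|]+)\|(?P<level>[^|]+)\|(?P<msg>.*)$")
# OpenSSL 1.0.x error string: error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+?)\s*$")
# Karaf log: ts | LEVEL | thread | logger | bundle | message
KARAF_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s*\|\s*(?P<level>\w+)\s*\|\s*"
    r"(?P<thread>[^|]*?)\s*\|\s*(?P<logger>[^|]*?)\s*\|\s*(?P<bundle>[^|]*?)\s*\|\s*(?P<msg>.*)$")
# Peer address as netty prints it (R:/ip:port) or as ODL's ConnectionInfo prints it.
PEER_RES = (re.compile(r"R:/(?P<ip>[0-9.]+):(?P<port>\d+)"),
            re.compile(r"Remote-address=(?P<ip>[0-9.]+), Remote-port=(?P<port>\d+)"))

# Interpretation table (the example's own, keyed on the OpenSSL reason string).
# ovsdb-server is the TLS *client* here (it dials ssl:<controller>:6640), so a local
# verify error means OVS rejected the controller's certificate, while a received
# alert means the controller (the TLS server) rejected the ClientHello.
REASONS = {
    "certificate verify failed": ("client",
        "ovsdb-server could not chain the controller certificate to the CA file given to "
        "'ovs-vsctl set-ssl'; that CA must be, or have issued, the ctl.jks certificate"),
    "sslv3 alert handshake failure": ("server",
        "the controller answered ClientHello with handshake_failure: no cipher suite usable "
        "with the server key (a TLS_ECDHE_ECDSA_* suite needs an EC-keyed controller "
        "certificate; an RSA-keyed ctl.jks only serves *_RSA_* suites) or a version mismatch"),
}

@dataclass
class Finding:
    ts: str
    source: str                 # "ovs" or "odl"
    event: str
    rejected_by: Optional[str]  # "client", "server" or None when the line does not say
    peer: Optional[tuple]       # (ip, port) of the OVS side, when the line names it
    hint: str

def parse_openssl_error(msg):
    """Split 'error:14090086:SSL routines:<func>:<reason>' into its fields, or None."""
    m = OPENSSL_ERR_RE.search(msg)
    return m.groupdict() if m else None

def peer_of(msg):
    for rx in PEER_RES:
        m = rx.search(msg)
        if m:
            return m.group("ip"), int(m.group("port"))
    return None

def triage_ovs_log(text):
    """stream_ssl lines become Findings; reconnect/INFO chatter is ignored."""
    out = []
    for line in text.splitlines():
        m = OVS_LOG_RE.match(line)
        if not m or m.group("module") != "stream_ssl":
            continue
        err = parse_openssl_error(m.group("msg"))
        if not err:
            continue
        side, hint = REASONS.get(err["reason"], (None, "unclassified OpenSSL error " + err["code"]))
        out.append(Finding(m.group("ts"), "ovs", err["func"] + ": " + err["reason"], side, None, hint))
    return out

def triage_karaf_log(text):
    """OvsdbConnectionService lines become Findings tagged with the OVS peer address."""
    out = []
    for line in text.splitlines():
        m = KARAF_LOG_RE.match(line)
        if not m or m.group("logger") != "OvsdbConnectionService":
            continue
        msg = m.group("msg")
        if msg.startswith("Ssl handshake fail"):
            out.append(Finding(m.group("ts"), "odl", "ssl_handshake_fail", None, peer_of(msg),
                               "handshake aborted on the controller; the OpenSSL reason in "
                               "ovsdb-server.log on the peer says which side rejected it"))
        elif msg.startswith("Probe failed to OVSDB switch"):
            out.append(Finding(m.group("ts"), "odl", "probe_failed", None, peer_of(msg),
                               "TCP connection on 6640 was accepted but the OVSDB probe got no "
                               "reply; look for a TLS error in ovsdb-server.log on the peer"))
    return out

# Constructed samples, modelled on the lines posted in the thread.
OVS_SAMPLE = """\
2018-01-02T18:20:13.921Z|07253|reconnect|INFO|ssl:192.168.56.1:6640: connecting...
2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2018-01-02T18:20:13.928Z|07255|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)
2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
"""
KARAF_SAMPLE = """\
2018-01-03 14:31:42,261 | ERROR | assiveConnServ-3 | OvsdbConnectionService | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Ssl handshake fail. channel [id: 0x78b62606, L:/192.168.56.1:6640 ! R:/192.168.56.102:41618]
2018-01-01 20:36:43,103 | ERROR | DBConnNotifSer-0 | OvsdbConnectionService | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Probe failed to OVSDB switch. Disconnecting the channel ConnectionInfo [Remote-address=192.168.56.102, Remote-port=36526, Local-address192.168.56.1, Local-port=6640, type=PASSIVE]
"""

if __name__ == "__main__":
    for f in triage_ovs_log(OVS_SAMPLE) + triage_karaf_log(KARAF_SAMPLE):
        print(f"{f.ts} [{f.source}] {f.event} rejected_by={f.rejected_by} peer={f.peer}\n    {f.hint}")
```

Run it with python3 to print the findings for the constructed samples, or pass the contents of a real /var/log/openvswitch/ovsdb-server.log and karaf.log to the two triage functions. The client/server split is the useful part: a verify failure is fixed on the OVS side (the CA certificate handed to ovs-vsctl set-ssl must validate the controller certificate), while a handshake_failure alert is fixed on the controller side (the key type in ctl.jks must match the cipher suite family that is configured).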
Hi Mohamed,
Sorry!!! That's a typo in the previous email. It's working after setting it as
<use-mdsal>false</use-mdsal>
Any idea about the non-working cipher issue?
Thanks,
Vamsi
toggle quoted message
Show quoted text
From: ovsdb-dev-bounces@... [mailto:ovsdb-dev-bounces@...]
On Behalf Of A Vamsikrishna
Sent: Thursday, January 04, 2018 11:40 PM
To: Mohamed El-Serngawy <m.elserngawy@...>
Cc: ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Mohamed,
It worked after setting below tag to true
J
<use-mdsal>false<use-mdsal>
I have attached all the steps that I have followed for reference.
After adding cipher suite it’s working for
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but not for
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
Below are the logs:
tack@ubuntu:/var/log/openvswitch$
tail -5 ovsdb-server.log
2018-01-02T21:44:45.533Z|12079|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
2018-01-02T21:44:53.535Z|12080|reconnect|INFO|ssl:192.168.56.1:6640: connecting...
2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2018-01-02T21:44:53.539Z|12082|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)
2018-01-02T21:44:53.539Z|12083|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
stack@ubuntu:/var/log/openvswitch$
47. NOK org.opendaylight.ovsdb.hwvtepsouthbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)
48. NOK org.opendaylight.ovsdb.library: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.aaa.cert.api.ICertificateManager)
49. NOK org.opendaylight.ovsdb.southbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)
2018-01-04 23:32:59,622 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0xa753e054, L:/192.168.56.1:6640 - R:/192.168.56.102:44828]
2018-01-04 23:33:07,645 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0xb41f9441, L:/192.168.56.1:6640 - R:/192.168.56.102:44830]
2018-01-04 23:33:15,663 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0xcdb6c31c, L:/192.168.56.1:6640 - R:/192.168.56.102:44832]
2018-01-04 23:33:23,679 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0x5191df60, L:/192.168.56.1:6640 - R:/192.168.56.102:44834]
2018-01-04 23:33:31,694 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0x9f672ffc, L:/192.168.56.1:6640 - R:/192.168.56.102:44836]
2018-01-04 23:33:39,712 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
Any idea about this issue ?
Thanks,
Vamsi
From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 10:18 PM
To: A Vamsikrishna <a.vamsikrishna@...>
Cc: Jamo Luhrsen <jluhrsen@...>;
ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Vamsikrishna,
- As you r using jks files, you need to set <use-mdsal>false<use-mdsal> otherwise ODL will look for the ovs certificate in Mdsal not the jks file.
- also please confirm that you used the RPC in step 9 and you were able to see the certificate back
wiki step 9 : don't forget to change ovs1 to the alias you used when you generate the OVS certificate.
I'm not sure why you used this way to generate the controller certificate, ODL suppose to generate it's own self-sign certificate OR if you will use CA authority you should
sign both OVS and ODL based on certificate request.
On Thu, Jan 4, 2018 at 11:28 AM, A Vamsikrishna <a.vamsikrishna@...> wrote:
Hi Mohamed & Jamo,
Thanks for your response J
Also sometimes I see below errors in ODL and OVS logs:
D: [id: 0x78b62606, L:/192.168.56.1:6640 - R:/192.168.56.102:41618]
-01-03 14:31:42,261 | ERROR | assiveConnServ-3 | OvsdbConnectionService | 380 - org.opendaylight.ovsdb.library
- 1.6.0.SNAPSHOT | Ssl handshake fail. channel [id: 0x78b62606, L:/192.168.56.1:6640 ! R:/192.168.56.102:41618]
stack@ubuntu:/var/log/openvswitch$
stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log
2018-01-02T18:20:05.920Z|07252|reconnect|INFO|ssl:192.168.56.1:6640:
waiting 8 seconds before reconnect
2018-01-02T18:20:13.921Z|07253|reconnect|INFO|ssl:192.168.56.1:6640:
connecting...
2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate
verify failed
2018-01-02T18:20:13.928Z|07255|reconnect|INFO|ssl:192.168.56.1:6640:
connection attempt failed (Protocol error)
2018-01-02T18:20:13.928Z|07256|reconnect|INFO|ssl:192.168.56.1:6640:
waiting 8 seconds before reconnect
stack@ubuntu:/var/log/openvswitch$
stack@ubuntu:/var/log/openvswitch$
Please find my answers inline.
Regards,
Vamsi
From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 8:31 PM
To: Jamo Luhrsen <jluhrsen@...>
Cc: A Vamsikrishna <a.vamsikrishna@...>;
ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Vamsikrishna,
So you are following the previous wiki to establish OVS TLS communication without any specific cipher suites (just
so as not to be confused with your other emails).
[Vamsi] Yes
Let's do the troubleshooting:
1. in the aaa-cert-config.xml, using mdsal (<use-mdsal>true</use-mdsal>) means you are using ODL in cluster mode? If yes, make sure that the aaa-cert data-tree
has been configured in the cluster. If not, the recommendation is to use the jks files as the certificate data store in an ODL single instance.
[Vamsi] I am using ODL in non-cluster mode and I have generated jks files by following the attached commands (ctl.jks and truststore.jks) on OVS
2. Did you make sure that the OVS certificate has been stored in ODL? Check step 9 at the wiki.
[Vamsi] Yes, I have manually copied ctl.jks and truststore.jks to ODL’s /configuration/ssl folder and restarted ODL using system:shutdown
I will try to go through the wiki again in order to reproduce it. Are you using ODL Nitrogen, Master ? let me know
[Vamsi] I am using master.
On Wed, Jan 3, 2018 at 4:32 PM, Jamo Luhrsen <jluhrsen@...>
wrote:
sending again with Mahamed's gmail address
Hi Vamsikrishna,
Glad that it works, for the cipher suite issue:
1- first you need to make sure that this cipher (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) is supported on both sides, client/server. This cipher is only supported for TLS1.2 (SSLv3) and (JDK 1.8)
2- I guess your problem is in the sig-alg [0] that you used to generate the certificate. I'm not quite sure, but you may need to search for what the supported cipher suites are for the crypto algorithm you used to generate your certificate.
[0] https://github.com/opendaylight/aaa/blob/master/aaa-cert/src/main/resources/initial/aaa-cert-config.xml#L12
BR
On Thu, Jan 4, 2018 at 1:14 PM, A Vamsikrishna <a.vamsikrishna@...> wrote:
Hi Mohamed,
Sorry!!! That’s a typo in previous email. It’s working after setting as
<use-mdsal>false<use-mdsal>
Any idea about the non-working cipher issue ?
Thanks,
Vamsi
Hi Mohamed,
It worked after setting below tag to true
<use-mdsal>false</use-mdsal>
I have attached all the steps that I have followed for reference.
After adding cipher suite it’s working for
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but not for
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
Below are the logs:
stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log
2018-01-02T21:44:45.533Z|12079|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
2018-01-02T21:44:53.535Z|12080|reconnect|INFO|ssl:192.168.56.1:6640: connecting...
2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2018-01-02T21:44:53.539Z|12082|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)
2018-01-02T21:44:53.539Z|12083|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
stack@ubuntu:/var/log/openvswitch$
47. NOK org.opendaylight.ovsdb.hwvtepsouthbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)
48. NOK org.opendaylight.ovsdb.library: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.aaa.cert.api.ICertificateManager)
49. NOK org.opendaylight.ovsdb.southbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)
2018-01-04 23:32:59,622 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xa753e054, L:/192.168.56.1:6640 - R:/192.168.56.102:44828]
2018-01-04 23:33:07,645 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xb41f9441, L:/192.168.56.1:6640 - R:/192.168.56.102:44830]
2018-01-04 23:33:15,663 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xcdb6c31c, L:/192.168.56.1:6640 - R:/192.168.56.102:44832]
2018-01-04 23:33:23,679 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x5191df60, L:/192.168.56.1:6640 - R:/192.168.56.102:44834]
2018-01-04 23:33:31,694 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x9f672ffc, L:/192.168.56.1:6640 - R:/192.168.56.102:44836]
2018-01-04 23:33:39,712 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
Any idea about this issue ?
Thanks,
Vamsi
Jamo Luhrsen <jluhrsen@...>
Hey Vamsi,
like I noted in my other email about SSL+Restconf, if you've learned anything that you can update the wiki with for this OVSDB+SSL, please feel free. It's open for anyone to help keep things correct.
Thanks, JamO
From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 10:18 PM
To: A Vamsikrishna <a.vamsikrishna@...>
Cc: Jamo Luhrsen <jluhrsen@...>; ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Vamsikrishna,
- As you are using jks files, you need to set <use-mdsal>false</use-mdsal>, otherwise ODL will look for the ovs certificate in Mdsal, not the jks file.
- also please confirm that you used the RPC in step 9 and you were able to see the certificate back.
wiki step 9 : don't forget to change ovs1 to the alias you used when you generated the OVS certificate.
curl -X POST -u admin:admin -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
"aaa-cert-rpc:input": {
"aaa-cert-rpc:node-alias": "ovs1"
}
}' "http://localhost:8181/restconf/operations/aaa-cert-rpc:getNodeCertifcate"
I'm not sure why you used this way to generate the controller certificate, ODL is supposed to generate its own self-signed certificate OR if you will use a CA authority you should sign both OVS and ODL based on certificate requests.
BR
Hi Mohamed,
Thanks for your response.
Please find my answers inline.
Regards,
Vamsi
From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Friday, January 05, 2018 12:35 AM
To: A Vamsikrishna <a.vamsikrishna@...>
Cc: ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Vamsikrishna,
Glad that it works, for the cipher suite issue:
1- first you need to make sure that this cipher (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256) is supported on both sides, client/server. This cipher is only supported for TLS1.2 (SSLv3) and (JDK 1.8)
[Vamsi]
On OVS Client:
stack@ubuntu:/var/log/openvswitch$ openssl version -v
OpenSSL 1.0.2g 1 Mar 2016
stack@ubuntu:/var/log/openvswitch$ openssl ciphers -v | grep ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
stack@ubuntu:/var/log/openvswitch$ java -version
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-8u151-b12-0ubuntu0.16.04.2-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)
On ODL side:
C:\Users\egjmnnq>java -version
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)
From the above outputs, can we say that TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is supported by both the OVS client and the ODL server?
2- I guess your problem is in the sig-alg [0] that you used to generate the certificate. I'm not quite sure, but you may need to search for what the supported cipher suites are
for the crypto algorithm you used to generate your certificate.
[0] https://github.com/opendaylight/aaa/blob/master/aaa-cert/src/main/resources/initial/aaa-cert-config.xml#L12
[Vamsi]
https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
Does the below command from the above wiki use RSA as the default algorithm?
sudo ovs-pki req+sign sc switch
stack@ubuntu:/etc/openvswitch$ sudo ovs-pki --help | grep -i rsa
-k, --key=rsa|dsa Type of keys to use (default: rsa)
stack@ubuntu:/etc/openvswitch$ sudo ovs-pki --help | grep -i dsa
-k, --key=rsa|dsa Type of keys to use (default: rsa)
-B, --bits=NBITS Number of bits in keys (default: 2048). For DSA keys,
-D, --dsaparam=FILE File with DSA parameters (DSA only)
(default: dsaparam.pem within PKI directory)
If yes, how do I create certificates that use the ECDSA algorithm?
And also, what changes are required in aaa-cert-config.xml to make TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 work?
On Thu, Jan 4, 2018 at 1:14 PM, A Vamsikrishna <a.vamsikrishna@...> wrote:
Hi Mohamed,
Sorry!!! That’s a typo in previous email. It’s working after setting as
<use-mdsal>false<use-mdsal>
Any idea about the non-working cipher issue ?
Thanks,
Vamsi
Hi Mohamed,
It worked after setting below tag to true J
<use-mdsal>false<use-mdsal>
I have attached all the steps that I have followed for reference.
After adding cipher suite it’s working for
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but not for
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
Below are the logs:
tack@ubuntu:/var/log/openvswitch$
tail -5 ovsdb-server.log
2018-01-02T21:44:45.533Z|12079|reconnect|INFO|ssl:192.168.56.1:6640:
waiting 8 seconds before reconnect
2018-01-02T21:44:53.535Z|12080|reconnect|INFO|ssl:192.168.56.1:6640:
connecting...
2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert handshake failure
2018-01-02T21:44:53.539Z|12082|reconnect|INFO|ssl:192.168.56.1:6640:
connection attempt failed (Protocol error)
2018-01-02T21:44:53.539Z|12083|reconnect|INFO|ssl:192.168.56.1:6640:
waiting 8 seconds before reconnect
stack@ubuntu:/var/log/openvswitch$
47. NOK org.opendaylight.ovsdb.hwvtepsouthbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to:
Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)
48. NOK org.opendaylight.ovsdb.library: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.aaa.cert.api.ICertificateManager)
49. NOK org.opendaylight.ovsdb.southbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)
2018-01-04 23:32:59,622 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final
| [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0xa753e054, L:/192.168.56.1:6640 - R:/192.168.56.102:44828]
2018-01-04 23:33:07,645 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final
| [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0xb41f9441, L:/192.168.56.1:6640 - R:/192.168.56.102:44830]
2018-01-04 23:33:15,663 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final
| [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0xcdb6c31c, L:/192.168.56.1:6640 - R:/192.168.56.102:44832]
2018-01-04 23:33:23,679 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final
| [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0x5191df60, L:/192.168.56.1:6640 - R:/192.168.56.102:44834]
2018-01-04 23:33:31,694 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final
| [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
EIVED: [id: 0x9f672ffc, L:/192.168.56.1:6640 - R:/192.168.56.102:44836]
2018-01-04 23:33:39,712 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final
| [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
Any idea about this issue ?
Thanks,
Vamsi
From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 10:18 PM
To: A Vamsikrishna <a.vamsikrishna@...>
Cc: Jamo Luhrsen <jluhrsen@...>;
ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Vamsikrishna,
- As you r using jks files, you need to set <use-mdsal>false<use-mdsal> otherwise ODL will look for the ovs certificate
in Mdsal not the jks file.
- also please confirm that you used the RPC in step 9 and you were able to see the certificate back
wiki step 9 : don't forget to change ovs1 to the alias you used when you generate the OVS certificate.
I'm not sure why you used this way to generate the controller certificate, ODL suppose to generate it's own self-sign
certificate OR if you will use CA authority you should sign both OVS and ODL based on certificate request.
On Thu, Jan 4, 2018 at 11:28 AM, A Vamsikrishna <a.vamsikrishna@...>
wrote:
Hi Mohamed & Jamo,
Thanks for your response J
Also sometimes I see below errors in ODL and OVS logs:
D: [id: 0x78b62606, L:/192.168.56.1:6640 - R:/192.168.56.102:41618]
-01-03 14:31:42,261 | ERROR | assiveConnServ-3 | OvsdbConnectionService | 380 - org.opendaylight.ovsdb.library
- 1.6.0.SNAPSHOT | Ssl handshake fail. channel [id: 0x78b62606, L:/192.168.56.1:6640 ! R:/192.168.56.102:41618]
stack@ubuntu:/var/log/openvswitch$
stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log
2018-01-02T18:20:05.920Z|07252|reconnect|INFO|ssl:192.168.56.1:6640:
waiting 8 seconds before reconnect
2018-01-02T18:20:13.921Z|07253|reconnect|INFO|ssl:192.168.56.1:6640:
connecting...
2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate
verify failed
2018-01-02T18:20:13.928Z|07255|reconnect|INFO|ssl:192.168.56.1:6640:
connection attempt failed (Protocol error)
2018-01-02T18:20:13.928Z|07256|reconnect|INFO|ssl:192.168.56.1:6640:
waiting 8 seconds before reconnect
stack@ubuntu:/var/log/openvswitch$
stack@ubuntu:/var/log/openvswitch$
Please find my answers inline.
Regards,
Vamsi
From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 8:31 PM
To: Jamo Luhrsen <jluhrsen@...>
Cc: A Vamsikrishna <a.vamsikrishna@...>;
ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Vamsikrishna,
So you are following the previous wiki to establish OVS TLS communication without any cipher-suites specific (just
to be not confused with ur other emails).
[Vamsi] Yes
Let's do the troubleshooting:
-
in the aaa-cert-config.xml using mdsal (<use-mdsal>true</use-mdsal>) that's mean you are using ODL in cluster mode ? if yes, so make sure that the aaa-cert data-tree
has been configured in the cluster. If not, the recommendation is to use the jks files for certificates data store in ODL single instance.
[Vamsi] I am using ODL in non-cluster mode and I have generated jks files by following attached commands (ctl.jks and truststore.jks) on OVS
-
Did you make sure that the OVS certificate has been stored in ODL ? check step 9 at the wiki.
[Vamsi] Yes, I have manually copied ctl.jks and truststore.jks to ODL’s /configuration/ssl folder and restarted ODL using system:shutdown
I will try to go through the wiki again in order to reproduce it. Are you using ODL Nitrogen, Master ? let me know
[Vamsi] I am using master.
On Wed, Jan 3, 2018 at 4:32 PM, Jamo Luhrsen <jluhrsen@...> wrote:
sending again with Mohamed's gmail address
Sure Jamo :)
Will do that!!
Thanks, Vamsi
-----Original Message-----
From: Jamo Luhrsen [mailto:jluhrsen@...]
Sent: Friday, January 05, 2018 6:32 AM
To: A Vamsikrishna <a.vamsikrishna@...>; Mohamed El-Serngawy <m.elserngawy@...>
Cc: ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hey Vamsi,
like I noted in my other email about SSL+Restconf, if you've learned anything that you can update the wiki with for this OVSDB+SSL, please feel free. It's open for anyone to help keep things correct.
Thanks, JamO
On 01/04/2018 10:14 AM, A Vamsikrishna wrote:
Hi Mohamed,
Sorry!!! That's a typo in the previous email. It's working after setting <use-mdsal>false</use-mdsal>
Any idea about the non-working cipher issue ?
Thanks,
Vamsi
From: ovsdb-dev-bounces@... [mailto:ovsdb-dev-bounces@...] On Behalf Of A Vamsikrishna
Sent: Thursday, January 04, 2018 11:40 PM
To: Mohamed El-Serngawy <m.elserngawy@...>
Cc: ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Mohamed,
It worked after setting the below tag to true
<use-mdsal>false</use-mdsal>
I have attached all the steps that I have followed for reference.
After adding a cipher suite it's working for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but not for TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
Below are the logs:
stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log
2018-01-02T21:44:45.533Z|12079|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
2018-01-02T21:44:53.535Z|12080|reconnect|INFO|ssl:192.168.56.1:6640: connecting...
2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
2018-01-02T21:44:53.539Z|12082|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)
2018-01-02T21:44:53.539Z|12083|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect
stack@ubuntu:/var/log/openvswitch$
47. NOK org.opendaylight.ovsdb.hwvtepsouthbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker )
48. NOK org.opendaylight.ovsdb.library: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.aaa.cert.api.ICertificateManager)
49. NOK org.opendaylight.ovsdb.southbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint
1/4/18 11:32 PM
Missing dependencies:
(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker )
2018-01-04 23:32:59,622 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xa753e054, L:/192.168.56.1:6640 - R:/192.168.56.102:44828]
2018-01-04 23:33:07,645 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xb41f9441, L:/192.168.56.1:6640 - R:/192.168.56.102:44830]
2018-01-04 23:33:15,663 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xcdb6c31c, L:/192.168.56.1:6640 - R:/192.168.56.102:44832]
2018-01-04 23:33:23,679 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x5191df60, L:/192.168.56.1:6640 - R:/192.168.56.102:44834]
2018-01-04 23:33:31,694 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x9f672ffc, L:/192.168.56.1:6640 - R:/192.168.56.102:44836]
2018-01-04 23:33:39,712 | INFO | entLoopGroup-4-1 | LoggingHandler | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC
Any idea about this issue ?
Thanks,
Vamsi
From: Mohamed El-Serngawy [mailto:m.elserngawy@...]
Sent: Thursday, January 04, 2018 10:18 PM
To: A Vamsikrishna <a.vamsikrishna@...>
Cc: Jamo Luhrsen <jluhrsen@...>; ovsdb-dev@...
Subject: Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.
Hi Vamsikrishna,
- As you are using jks files, you need to set <use-mdsal>false</use-mdsal>; otherwise ODL will look for the OVS certificate in MD-SAL, not in the jks file.
- Also please confirm that you used the RPC in step 9 and that you were able to see the certificate back.
Wiki step 9: don't forget to change ovs1 to the alias you used when you generated the OVS certificate.
curl -X POST -u admin:admin -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
"aaa-cert-rpc:input": {
"aaa-cert-rpc:node-alias": "ovs1"
}
}' "http://localhost:8181/restconf/operations/aaa-cert-rpc:getNodeCertifcate"
I'm not sure why you used this way to generate the controller certificate; ODL is supposed to generate its own self-signed certificate, or, if you will use a CA, you should sign both the OVS and ODL certificates based on certificate requests.
BR
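A small triage helper for the two ovsdb-server.log failures quoted in this thread (an added example, not code from the thread, from OVS or from ODL). It pulls each stream_ssl WARN out of the 8-second reconnect loop, attaches the manager target OVS was dialling, and labels the OpenSSL reason string with the first thing to check; the reason-to-cause mapping is a triage assumption of this example, and the log lines are constructed from the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ovsdb-server.log lines quoted in this thread.
SAMPLE_LOG = """\
2018-01-02T18:20:13.921Z|07253|reconnect|INFO|ssl:192.168.56.1:6640: connecting...
2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2018-01-02T21:44:53.535Z|12080|reconnect|INFO|ssl:192.168.56.1:6640: connecting...
2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
"""

LINE_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<seq>\d+)\|(?P<module>\w+)\|(?P<level>\w+)\|(?P<msg>.*)$")
SSL_ERR_RE = re.compile(r"error:(?P<code>[0-9a-fA-F]+):SSL routines:(?P<func>[^:]+):(?P<reason>.*)$")

# Heuristic mapping from the OpenSSL reason string to the first thing to check (an assumption of this example).
LIKELY_CAUSE = {
    "certificate verify failed": "OVS does not trust the controller certificate (check the CA cert configured on OVS)",
    "sslv3 alert handshake failure": "server rejected the ClientHello (cipher suite vs. key type mismatch, or no common TLS version)",
}

def parse_ssl_failures(text):
    """Return one dict per stream_ssl WARN line, tagged with the target OVS was connecting to."""
    target = None
    failures = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped fragments and lines from other log formats
        msg = m.group("msg")
        if m.group("module") == "reconnect" and msg.endswith("connecting..."):
            target = msg.rsplit(": ", 1)[0]  # e.g. "ssl:192.168.56.1:6640"
        elif m.group("module") == "stream_ssl" and m.group("level") == "WARN":
            e = SSL_ERR_RE.search(msg)
            if e:
                failures.append({"time": m.group("ts"), "target": target, "code": e.group("code"),
                                 "function": e.group("func"), "reason": e.group("reason"),
                                 "likely_cause": LIKELY_CAUSE.get(e.group("reason"), "unclassified")})
    return failures

def summarize(failures):
    """Collapse the reconnect loop into one count per (target, reason)."""
    return Counter((f["target"], f["reason"]) for f in failures)

if __name__ == "__main__":
    for (target, reason), n in summarize(parse_ssl_failures(SAMPLE_LOG)).items():
        print(f"{n}x {target}: {reason} -> {LIKELY_CAUSE.get(reason, 'unclassified')}")
```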