HP VAN SDN Controller Administrator Guide v3

4 SDN Controller Authentication
4.1 HP VAN SDN Controller Security Guidelines
The HP VAN SDN controller communicates with different components, both internal and external
to the controller, via secure channels. This section documents these channels, their defaults, and
how to configure them in a deployment environment.
4.2 SDN Controller Authentication
The SDN controller identifies itself via Public-Key Infrastructure (PKI) for its communication with
external subsystems and other controllers. It uses a Java keystore and truststore to keep its private
key and public key respectively. For REST APIs, the controller does not rely on the truststore to
establish trust. Instead, it uses token authentication to authenticate the client. The client must present
a valid token via the X-Auth-Header to authenticate itself with the controller. Token authentication
is discussed more under Openflow Controller Keystore and Truststore Locations and Passwords.
The controller ships with a self-signed certificate, so it is recommended that the self-signed
certificate be replaced by a certificate signed by a reputable Certificate Authority (CA). The
default password for the keystore and truststore should also be changed.
4.3 Creating SDN Controller Keystore and Truststore
1. Log in to the system running the SDN controller and stop the controller.
2. As the SDN user (i.e. sudo su - sdn), do the following:
3. Back up your default /opt/sdn/admin/keystore and /opt/sdn/admin/truststore to a safe
location.
4. Create a new keystore:
cd /opt/sdn/admin
rm keystore truststore
keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore
You must specify a fully qualified domain for your server for the "first and last name" question
as some CAs, such as VeriSign, expect it.
5. Generate a CSR (Certificate Signing Request) for signing:
keytool -keystore keystore -certreq -alias serverKey -keyalg rsa -file sdn-server.csr
Send the sdn-server.csr to a CA to be signed. The CA will authenticate you and return a signed
certificate and its CA certificate chain. We assume the signed certificate from the CA is named
signed.cer and the CA's certificate is root.cer. If root.cer is from your own internal CA, then
you need to import root.cer into your browser as an authority.
6. First, import the CA's root certificate into both the keystore and the truststore:
keytool -importcert -trustcacerts -keystore keystore -file root.cer -alias CARoot
keytool -importcert -trustcacerts -keystore truststore -file root.cer -alias CARoot
7. Next, replace your self-signed certificate in your serverKey entry with the signed certificate
from your CA (signed.cer):
keytool -importcert -keystore keystore -file signed.cer -alias serverKey
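The following script is an added example, not part of the HP guide, that carries steps 3 through 7 above through as shell functions with a final check that the serverKey entry now holds a CA-issued chain rather than the original self-signed certificate. The hostname sdn.example.com, the STOREPASS placeholder, the backup directory name, and the use of keytool's non-interactive -dname and -noprompt options (the guide answers these prompts interactively) are assumptions of this example; the paths, aliases, and file names are the guide's own.

```shell
#!/bin/sh
# Added example (not from the HP VAN SDN guide): scripted version of the
# keystore/CSR/import procedure. Hostname, password and backup dir are assumed.
set -eu

KEYTOOL="${KEYTOOL:-keytool}"             # keytool from the controller's JRE
ADMIN_DIR="${ADMIN_DIR:-/opt/sdn/admin}"  # location used by the guide
KEYSTORE="$ADMIN_DIR/keystore"
TRUSTSTORE="$ADMIN_DIR/truststore"
ALIAS="serverKey"                         # key entry alias used by the guide
STOREPASS="${STOREPASS:-CHANGE-ME}"       # placeholder: never keep the shipped default

# CAs expect a fully qualified domain name as the "first and last name" (CN).
# Succeeds only when the name contains a dot, no spaces, and is not localhost.
is_fqdn() {
    case "$1" in
        ""|*" "*|localhost*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

backup_stores() {   # step 3: copy the default stores to a safe location first
    mkdir -p "$1"
    cp -p "$KEYSTORE" "$TRUSTSTORE" "$1/"
}

gen_keypair() {     # step 4: fresh 2048-bit RSA key under alias serverKey, CN=$1
    "$KEYTOOL" -genkey -alias "$ALIAS" -keyalg rsa -keysize 2048 \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$1"
}

gen_csr() {         # step 5: certificate signing request written to file $1
    "$KEYTOOL" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -certreq -alias "$ALIAS" -file "$1"
}

import_ca_root() {  # step 6: CA root ($1) into both stores under alias CARoot
    for store in "$KEYSTORE" "$TRUSTSTORE"; do
        "$KEYTOOL" -importcert -trustcacerts -noprompt -keystore "$store" \
            -storepass "$STOREPASS" -file "$1" -alias CARoot
    done
}

import_signed() {   # step 7: CA-signed certificate ($1) replaces the self-signed one
    "$KEYTOOL" -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -file "$1" -alias "$ALIAS"
}

# Extracts "Certificate chain length: N" for the serverKey entry from keytool -list -v.
chain_length() {
    "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
        | sed -n 's/^Certificate chain length: *\([0-9]*\).*/\1/p'
}

# After step 7 the entry should carry server cert + CA chain (length >= 2);
# a self-signed entry that was never replaced reports length 1.
verify_chain() {
    n=$(chain_length)
    if [ -n "$n" ] && [ "$n" -ge 2 ]; then return 0; else return 1; fi
}

main() {
    host="$1"
    is_fqdn "$host" || { echo "CN must be a fully qualified domain name" >&2; return 1; }
    backup_stores "$ADMIN_DIR/backup-$(date +%Y%m%d)"
    rm -f "$KEYSTORE" "$TRUSTSTORE"
    gen_keypair "$host"
    gen_csr "$ADMIN_DIR/sdn-server.csr"
    echo "Send $ADMIN_DIR/sdn-server.csr to the CA, then run:" \
         "import_ca_root root.cer; import_signed signed.cer; verify_chain"
}

# Run the full procedure only when asked: SDN_RUN=1 sh sdn-keystore.sh sdn.example.com
if [ "${SDN_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as the sdn user with the controller stopped, as the guide requires. The verify_chain check is the useful part after the CA returns signed.cer: a chain length of 1 means the signed certificate did not replace the self-signed entry (typically because the CARoot import in step 6 was skipped, so keytool could not build the chain).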
66 SDN Controller Authentication