Manualshelf

HP VAN SDN Controller Administrator Guide v3

ManualsBrandsHP ManualsSoftwareHP VAN SDN Controller Software Products
61626364656667686970
}
}
CAUTION: Please guard this token information, as it can be used as an API key to gain access
to your SDN controller REST APIs.
To gain access to the REST API, include the token in the X-Auth-Token header as in the following
curl example:
curl -sk -H "X-Auth-Token:54a6f80a9ae243db89bfa05de4ced51d"
https://<controller-ip>:8443/sdn/v2.0/systems
One can continue using the same token for different SDN controller APIs within the default 24-hour
period since token creation. If desired, one can change this default 24-hour timeout in the
/etc/keystone/keystone.conf file. (See the OpenStack Keystone Administration Guide for more
information). The CachedTokenTTL value under the configuration properties
com.hp.sdn.adm.auth.impl.AuthenticationManager needs to match the timeout set by Keystone as
well to allow efficient caching of tokens.
4.7.2 Service and Admin Tokens
The Service token is used for internal communication between controllers and is not exposed to
the user. Likewise, the Admin token is used for the communication between the controller and the
Keystone server and is not exposed to the user.
That said, the values for these tokens can be changed via the UI under the Configurations for
AuthenticationManager. Note that for the Service token, all controllers in a team must have the
same Service token to communicate successfully. Likewise, for the Admin token, both the controller
token value and the Openstack Keystone "admin_token" in /etc/keystone/keystone.conf must
match for authentication to work.
4.8 Controller Code Verification
All controller code is signed by HP. Validating the certificate via jarsigner should return an HP
X.509 certificate similar to the following:
X.509, CN=Hewlett-Packard, OU=HPGlobal, OU=Digital ID Class 3 - Java Object Signing,
O=Hewlett-Packard, L=Andover, ST=Massachusetts, C=US
[certificate is valid from 11/14/12 4:00 PM to 11/15/14 3:59 PM]
X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at
https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
[certificate is valid from 2/7/10 4:00 PM to 2/7/20 3:59 PM]
[CertPath not validated: null]
If a controller jar or war file is tampered with, the jar verification will fail, and the container will
not start up.
If an application is not signed by HP, or has its certificate trusted by the controller (see section
below), the application will not be allowed to run on the controller.
4.8.1 Adding Certificates to Jar-Signing Truststore
To deploy other signed applications onto the controller, use the Java keytool to import the public
certificate that was used to sign the application jars into the controller jar-signing truststore
(/opt/sdn/admin/sdnjar_trust.jks):
keytool -importcert -keystore /opt/sdn/admin/sdnjar_trust.jks
-file signed_app.cer -alias mysignedcert
The controller needs to be restarted for the new truststore to take effect.
70 SDN Controller Authentication