HP VAN SDN Controller Administrator Guide v3

To disable access to the Virgo Admin UI, either remove the following file or move it to a safe
location outside the pickup directory:
/opt/sdn/virgo/pickup/org.eclipse.virgo.management.console_3.6.2.RELEASE.jar
4.12 Virgo Console Access
This allows Virgo administrative access via ssh/telnet. This service is disabled by default. The
following file configures these properties and will require the controller to restart to recognize the
new settings:
4.13 JMX Console
The JMX Console is enabled for local access only. The controller uses it for metering; it can
also be used for debugging.
To enable remote JMX access, edit /opt/sdn/virgo/bin/dmk.sh. The following line determines
whether JMX accepts remote connections:
-Dcom.sun.management.jmxremote.local.only=true \
Setting it to false exposes the JMX connector on the network. If you do so, make sure the
connector still requires authentication and TLS (the com.sun.management.jmxremote.authenticate
and com.sun.management.jmxremote.ssl properties must not be set to false) and that the firewall
rules admit only the management hosts that need it. Any change to this file requires a controller
restart to take effect.
4.14 Security Practices
4.14.1 Recommended Changes
Before entering a command that takes a password on the command line, type a space before
the command so that it is not saved to your .bash_history. This only works if HISTCONTROL
includes ignorespace or ignoreboth; otherwise the command is recorded regardless.
Change the SDN Controller's default keystore and truststore passwords.
Change the SDN Controller's default jar-signing truststore password.
Change the SDN Controller's default service token.
Change Keystone's default admin token, and remember to change the corresponding admin token
in the controller's configuration as well. See the Keystone Administration Guide for more
information on Keystone configuration.
Change the default master encryption key using the sdnpass script under /opt/sdn/admin.
Set up TLS for communication between the switches and the controller, unless the control
network is isolated.
Replace the SDN Controller's self-signed certificate with a certificate signed by a reputable CA.
The self-signed certificate may be acceptable only while the controller operates within an isolated
environment.
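The script below is an added example, not code from the HP VAN SDN Controller guide. It audits three of the settings discussed on this page: whether the Virgo Admin UI bundle is still in the pickup directory, what com.sun.management.jmxremote.local.only is set to in dmk.sh (and whether remote JMX was opened with authentication switched off at the same time), and whether the shell's HISTCONTROL actually makes the space-prefix trick from the first recommendation work. Each check takes a root prefix so it could be pointed at /opt/sdn, but as written it runs against a constructed sample tree built under mktemp; the dmk.sh contents in that tree are made up for the example and are not the product's defaults.

```shell
#!/bin/sh
# Added example, not code from the HP VAN SDN Controller guide. Each check takes a
# root prefix (the real one would be /opt/sdn) so it can run against a constructed
# sample tree here instead of a live controller.

# 0 when the Virgo Admin UI bundle is still in the pickup directory (UI reachable).
virgo_admin_ui_enabled() {
  [ -f "$1/virgo/pickup/org.eclipse.virgo.management.console_3.6.2.RELEASE.jar" ]
}

# Prints the value of -Dcom.sun.management.jmxremote.local.only in dmk.sh,
# or "missing" when the flag is absent (the JVM then defaults to local only).
jmx_local_only() {
  v=$(sed -n 's/.*-Dcom\.sun\.management\.jmxremote\.local\.only=\([a-z]*\).*/\1/p' \
        "$1/virgo/bin/dmk.sh" | head -n 1)
  printf '%s\n' "${v:-missing}"
}

# 0 when dmk.sh opens JMX to remote clients and also disables authentication,
# i.e. local.only=false together with an explicit authenticate=false.
jmx_remote_unauthenticated() {
  f="$1/virgo/bin/dmk.sh"
  grep -q -- '-Dcom\.sun\.management\.jmxremote\.local\.only=false' "$f" &&
    grep -q -- '-Dcom\.sun\.management\.jmxremote\.authenticate=false' "$f"
}

# 0 when a HISTCONTROL value makes bash drop commands that start with a space;
# without ignorespace or ignoreboth the space-prefix trick does nothing.
histcontrol_ignores_space() {
  case ":$1:" in
    *:ignorespace:*|*:ignoreboth:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Builds a constructed sample tree (the dmk.sh lines are made up for the example)
# and prints its path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/virgo/pickup" "$root/virgo/bin"
  : > "$root/virgo/pickup/org.eclipse.virgo.management.console_3.6.2.RELEASE.jar"
  cat > "$root/virgo/bin/dmk.sh" <<'EOF'
JAVA_OPTS="$JAVA_OPTS \
  -Dcom.sun.management.jmxremote.local.only=false \
  -Dcom.sun.management.jmxremote.authenticate=false"
EOF
  printf '%s\n' "$root"
}

main() {
  root=$(make_sample_tree)
  if virgo_admin_ui_enabled "$root"; then
    echo "WARN: Virgo Admin UI bundle is still in the pickup directory"
  fi
  echo "JMX jmxremote.local.only = $(jmx_local_only "$root")"
  if jmx_remote_unauthenticated "$root"; then
    echo "WARN: JMX accepts remote connections without authentication"
  fi
  if ! histcontrol_ignores_space "${HISTCONTROL:-}"; then
    echo "WARN: HISTCONTROL does not ignore space-prefixed commands; the .bash_history tip will not work"
  fi
  rm -rf "$root"
}

main "$@"
```

On the sample tree all three warnings fire. To run the same checks against a real controller, call the functions with /opt/sdn as the prefix from the sdn or sdnadmin account; note that HISTCONTROL has to be checked in the interactive shell of the user who types the commands, not in a cron job or a login script.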
4.14.2 Recommended Administrative Rules
Observing these rules helps prevent unauthorized access to the controller:
Do not enable shell history on your controller.
Do not allow users other than sdn and sdnadmin to access the controller system.
Do not store your authentication token in plain text, for example in an unencrypted cookie.
Do not use self-signed certificates in a production environment.
Do not alter the contents of /opt/sdn/cassandra or /opt/sdn/zookeeper.
Do not delete any of the iptables rules shown below (as listed by iptables -L):
iptables -L
Chain INPUT (policy ACCEPT)