HP VAN SDN Controller Administrator Guide

Security Practices
Recommended Changes
Before entering a command that takes a password on the command line, prefix it with a space so that it is not saved to your .bash_history. Note that bash only honours the leading space when HISTCONTROL includes ignorespace (or ignoreboth); check the value of HISTCONTROL first, or disable history for the session.
Change the default SDN Controller’s keystore and truststore passwords.
Change the default SDN Controller’s jar-signing truststore password.
Change the default SDN Controller’s service token.
Change Keystone’s default admin token. (Remember to change the corresponding admin token
configuration for the controller as well). See the Keystone Administration Guide for more
information on Keystone configuration.
Change the default master encryption key using the sdnpass script under /opt/sdn/admin.
Set up TLS for your switch communication with the controller, unless you are on an isolated
network.
Replace the SDN Controller’s self-signed certificate with a reputable CA-signed certificate. The self-signed certificate may be OK if you are operating the controller within an isolated environment.
Recommended Administrative Rules
Observing these rules can help to prevent unauthorized access to the controller:
Do not enable shell history on your controller.
Do not allow other users besides sdn and sdnadmin to have access to your controller system.
Do not store your authentication token in plain text, such as in a non-encrypted cookie.
Do not use self-signed certificates in a production environment.
Do not alter contents under /opt/sdn/cassandra and /opt/sdn/zookeeper.
Do not delete any of the iptables rules shown below (output of iptables -L for the INPUT chain, policy ACCEPT). Together they restrict the ZooKeeper client port (2181), the Cassandra Thrift RPC port (9160) and the Cassandra JMX port (7199) to the loopback network. For each port the ACCEPT from 127.0.0.0/8 must stay ahead of the REJECT: iptables applies the first matching rule, and the controller’s own components reach these services over localhost.
Table 5 iptables Rules
Chain INPUT (policy ACCEPT)
target  prot opt source       destination
ACCEPT  tcp  --  127.0.0.0/8  anywhere     tcp dpt:2181
REJECT  tcp  --  anywhere     anywhere     tcp dpt:2181 reject-with icmp-port-unreachable
ACCEPT  tcp  --  127.0.0.0/8  anywhere     tcp dpt:9160
REJECT  tcp  --  anywhere     anywhere     tcp dpt:9160 reject-with icmp-port-unreachable
ACCEPT  tcp  --  127.0.0.0/8  anywhere     tcp dpt:7199
REJECT  tcp  --  anywhere     anywhere     tcp dpt:7199 reject-with icmp-port-unreachable
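The following script is an added example, not part of the HP guide or the controller’s own tooling. It checks that the loopback-only rules of Table 5 are still present in the INPUT chain and in the right order, reading the rule-spec form produced by iptables -S INPUT (easier to parse than iptables -L) from a file. SAMPLE_RULES is a constructed sample that matches Table 5, not a capture from a real controller, so the script runs offline; the function name check_local_only_rules and the file-based interface are this example’s own choices.

```shell
#!/bin/sh
# Added example (not from the HP VAN SDN Controller guide): verify that the
# loopback-only rules of Table 5 are present in the INPUT chain and that each
# loopback ACCEPT precedes its REJECT. Input is `iptables -S INPUT` output in
# a file. On a live controller: iptables -S INPUT > rules.txt

# Ports the controller keeps loopback-only: ZooKeeper client (2181),
# Cassandra Thrift RPC (9160), Cassandra JMX (7199).
SDN_LOCAL_PORTS="2181 9160 7199"

# Constructed sample of `iptables -S INPUT` output matching Table 5.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 2181 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2181 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 9160 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9160 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 127.0.0.0/8 -p tcp -m tcp --dport 7199 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7199 -j REJECT --reject-with icmp-port-unreachable'

# check_local_only_rules <rules-file>
# Prints one line per problem found; returns 1 if anything is wrong, 0 if
# every port has its loopback ACCEPT followed by its catch-all REJECT.
check_local_only_rules() {
    rules="$1"
    rc=0
    for port in $SDN_LOCAL_PORTS; do
        accept_re="^-A INPUT -s 127\.0\.0\.0/8 -p tcp (-m tcp )?--dport ${port} -j ACCEPT$"
        reject_re="^-A INPUT -p tcp (-m tcp )?--dport ${port} -j REJECT --reject-with icmp-port-unreachable$"
        # Line number of the first match, empty if the rule is absent.
        accept_at=$(grep -nE -- "$accept_re" "$rules" | head -n 1 | cut -d: -f1)
        reject_at=$(grep -nE -- "$reject_re" "$rules" | head -n 1 | cut -d: -f1)
        if [ -z "$accept_at" ]; then
            echo "MISSING: loopback ACCEPT for tcp/${port}"
            rc=1
        fi
        if [ -z "$reject_at" ]; then
            echo "MISSING: REJECT for tcp/${port} from non-loopback sources"
            rc=1
        fi
        # iptables is first-match: a REJECT ahead of the ACCEPT cuts off the
        # controller's own ZooKeeper/Cassandra clients on localhost.
        if [ -n "$accept_at" ] && [ -n "$reject_at" ] && [ "$reject_at" -lt "$accept_at" ]; then
            echo "ORDER: REJECT for tcp/${port} precedes its loopback ACCEPT"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo against the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo_file"
if check_local_only_rules "$demo_file"; then
    echo "OK: all Table 5 rules present and correctly ordered"
fi
rm -f "$demo_file"
```

Run it against the live chain with iptables -S INPUT > rules.txt followed by check_local_only_rules rules.txt; a non-zero exit means one of the Table 5 rules was removed or reordered and the ZooKeeper or Cassandra port is either exposed beyond loopback or cut off from the controller itself.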