Administrator's Guide
2. Modify the /opt/sdn/virgo/bin/dmk.sh script to add the following option to the list of
JMX_OPTS:
-Dsdn.signedJar=none
For example:
cd $KERNEL_HOME; exec $JAVA_EXECUTABLE \
$JAVA_OPTS \
$DEBUG_OPTS \
$JMX_OPTS \
-XX:+HeapDumpOnOutOfMemoryError \
-XX:ErrorFile=$KERNEL_HOME/serviceability/error.log \
-XX:HeapDumpPath=$KERNEL_HOME/serviceability/heap_dump.hprof \
-Dsdn.signedJar=none \
-Djava.security.auth.login.config=$AUTH_LOGIN \
-Dorg.eclipse.virgo.kernel.authentication.file=$AUTH_FILE \
3. Start the SDN Controller:
sudo service sdnc start
To enable jar-signing validation, remove the line containing the -Dsdn.signedJar=none option
from the /opt/sdn/virgo/bin/dmk.sh script and restart the controller.
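The procedure above toggles a security control (jar-signature validation) by editing a line in dmk.sh, so an administrator will want a repeatable way to audit and change that setting. The script below is an added example, not part of the guide or the product; the option name and the dmk.sh path are the guide's, while the function names and the sample file fragment are constructed for this example.

```shell
# Added example (not from the guide or the product): audit and toggle the
# -Dsdn.signedJar=none option described above. Option name and dmk.sh path are
# the guide's; function names and the sample fragment are constructed here.

# Print "disabled" if jar-signing validation is off, else "enabled". The
# pattern matches a whole argument, so a commented-out line or another value
# such as -Dsdn.signedJar=nonesuch is not counted.
signed_jar_state() {
    if grep -Eq '^[[:space:]]*-Dsdn\.signedJar=none([[:space:]]|\\|$)' "$1"; then
        echo disabled
    else
        echo enabled
    fi
}

# Insert the option once, directly after the $JMX_OPTS line (idempotent).
disable_signed_jar_check() {
    if [ "$(signed_jar_state "$1")" = disabled ]; then
        return 0
    fi
    awk '{ print }
         /^[[:space:]]*[$]JMX_OPTS[[:space:]]*\\[[:space:]]*$/ { print "-Dsdn.signedJar=none \\" }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Remove the option line so the controller validates jar signatures again.
enable_signed_jar_check() {
    grep -Ev '^[[:space:]]*-Dsdn\.signedJar=none([[:space:]]|\\|$)' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Constructed stand-in for the exec block of /opt/sdn/virgo/bin/dmk.sh.
make_sample_dmk() {
    cat > "$1" <<'EOF'
cd $KERNEL_HOME; exec $JAVA_EXECUTABLE \
    $JAVA_OPTS \
    $DEBUG_OPTS \
    $JMX_OPTS \
    -XX:+HeapDumpOnOutOfMemoryError \
    -Djava.security.auth.login.config=$AUTH_LOGIN
EOF
}

# Usage: sh signedjar.sh {status|disable|enable} /opt/sdn/virgo/bin/dmk.sh
case "${1:-}" in
    status)  signed_jar_state "$2" ;;
    disable) disable_signed_jar_check "$2" ;;
    enable)  enable_signed_jar_check "$2" ;;
esac
```

Run `status` against the real dmk.sh as part of a configuration audit; a controller left in the `disabled` state after testing is running unsigned bundles without any signature check.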
5.9 Revoking Trust
5.9.1 Revoking trust via truststore
The controller components rely on the public certificates in the respective truststore to establish trust
with a given identity. Therefore, revoking trust from a client with a given public certificate amounts
to removing its certificate from the respective truststore. To remove a given certificate from the
truststore:
• List the certificates in your truststore:
keytool -list -v -keystore truststore [-storepass password]
• Delete the certificate from the truststore:
keytool -delete -alias cert-alias -keystore truststore [-storepass password]
5.9.2 Revoking trust via CRL
For the controller's REST API, a CRL (Certificate Revocation List) may also be specified so that
clients presenting revoked certificates are rejected. This is done by modifying the
/opt/sdn/virgo/configuration/tomcat-server.xml file to include the CRL file location in the SSL connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="../admin/keystore"
keystorePass="skyline"
crlFile="location_of_CRL file"/>
For the change to take effect, restart the controller.
5.10 SDN administrative REST API
The main SDN Controller daemon (SDNC) is accompanied by an ancillary daemon process (sdna),
which runs under the user sdnadmin so that it can be granted certain elevated privileges.
The administrative REST API can be used to perform various management functions securely in a
privileged context. Keeping those privileges out of the main SDN Controller process is deliberate:
that process may be hosting the execution of third-party code.