ODL与OVS之间设置SSL安全连接总结

2022-03-02 18:01:53 浏览数 (1)

ODL作为目前主流SDN控制器已被各大厂商使用,ODL与OVS之间的SSL安全连接国内外网络上鲜有较为全面的实战分享,本文以ODL与OVS间SSL安全连接(主动连接方式与被动连接方式)实践全面阐述ODL与OVS之间设置SSL安全连接。

ODL与OVS之间的安全连接,以OVS设备为连接对象,控制器连接OVS主要分为两种方式:1、主动连接;2、被动连接。此外,配置SSL connection存在两种方式:1、手动生成pem格式证书(ovs客户端使用),然后转换成ODL(JDK平台)支持的jks格式证书;2、手动生成jks证书(ODL使用),然后转换成pem格式证书(OVS使用)。以下验证根据配置SSL connection方式2进行。不论基于上述控制器连接OVS何种方式,控制器侧都需对应不同配置修改。

配置步骤主要分为证书生成(包括OVS端使用证书及控制器端使用证书),OVS设备端配置证书,ODL控制器端配置证书。

1.1 生成ODL端的自签名证书

使用Keytool工具生成一个自签名的证书库odl.jks(包含私钥与公钥证书信息),-alias与-storepass需要控制器侧配置一致。

代码语言:shell复制
_# keytool -genkey -keyalg RSA -alias controller -keystore odl.jks -storepass 111111 -validity 365 -keysize 2048_

将odl.jks经过两步转换为odl.pem文件:odl.jks→odl.p12→odl.pem(密码为了方便建议设置成与odl.jks密码一致111111)

代码语言:shell复制
_# keytool -importkeystore -srckeystore odl.jks -destkeystore odl.p12 -srcstoretype jks -deststoretype pkcs12_

_# openssl pkcs12 -in odl.p12 -out odl.pem_

odl.pem内容是这样的:

代码语言:shell复制
_# cat odl.pem_

Bag Attributes

    friendlyName: controller

    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33

Key Attributes: <No Attributes>

-----BEGIN ENCRYPTED PRIVATE KEY-----

MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQICvDsQcvStsACAggA

MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECOcPvR2phfFzBIIEyM5QRmjjmD0I

YcuPocLrPGDJe/x3RV77fessvCEtEWsYqFmW6Xi9SdoG6y0zDgEEpY jCM SOruC

IGk7UIu//DBVj JcaSEu0n8B/rGGuqmU1Ea52sqDW8xxOk0llapYi1P6VX0LgY/H

QJCM/CvArrg/EO5seV6i9iXpOpX6I7yJTfXfMYMP zncHJ/7AesRSkEA9fBow7tq

d00onsea6HL1nVX8uzyxzHuBsittsOQ5RIyqC Gpny2mIxkqkXga1XSs2miVspy/

QcxYYts4F8IgA9N5fgenPsCR7K0wgqkO30W6pKMdL2YDCauhJ E4ylwVaAqwUHZV

btLQKORAps1DKrNV7xpXkJ/Q9BUTbAaqSHPn5mfdsD6cxSM8OEenVdZFmkSWtZNa

ET39e5JfhesPINq/Lx6jl58EiP7y1MgYXN9zsuimoJAVooJ5TfcgeqKZetPzPEop

i0q30dfHQNpJsNkfqnWIlifXMVcGztbpdWSNKs70B8Dr 3wFco3th5EGtSgfVgnb

WFSDdOsvaOP8ljfRlCr6Zs6p6BYoPlIQTIO9lfTz1JPyAE7orIogXXbSsZ1saDPf

nkhzhRP4FSfYbYPeWBSzFcaPOmXSilarEfa7/CROJRn1HTJrDrZZYrQr7Gj/W5Gw

yQbNHEzP0G2LKFtUCBBCrAsr7V6owh5YvrOMriO SZcsHnbHwl9jSI0AXe97XfkT

qgULx/3zc9G6D0tUwCst5lUo3DYnx8WtbXzcMwrCmTKkpE9pISu1UJytBiz493XD

nOM MoKZWIyOqcDe2Ac7km6Ybo2wLuA6kIxwYgun6NJl9mAgqJ/ T0itvuOB3PD/

FeqnnRq5eZlSmo3PL5ycKKja0z6z9ylaIWDRZYsPFNBt4jqCa9hizC VioiuGECJ

Sqf2JH1X5TBhU41Naoe3vur6rpBydkPDj33qELSG2q 90i2M9PT/8akAm0TWTs/u

UwJjMVfVGp5jgbYAAjuyrtkMioFuMlJJg9f53elCttx2Zmaotu3d3I1gh1tTP9ON

bF9Ls5QnqW3Ujkr3qmLUeE2EE3M uPuoA4GtEPeMili NeY1WKXORATy2q/d/Aus

31i51k79cZvgL39r/G/DOHkw/xRQSonWRCadNpA12FJ GxJ2OBHkdtrQ2RPycJ5c

9EvqiY0IGfY1cmY3tgXl925Rxc EtvMLJqoi8M9WeuwEVo2tuU9DVdwRgLFoQnnP

xCxwRjln75mxAyxUP/dZ79Ex3 CmsZj OSrM78tKNnsjAGrV5XSPZwnY5 I9o5lw

9dIJL49ROktjQgKZW5SIsNK2zavJuVVP0RgY6nxEMZtR1xwxytCMKNtSe7i1LQST

qbYSaBEeHnjGWYa8JUemyRsegaNkrhWOium5HsmYi8UGQ aytGIM0PYPe8SVNwol

YKxbg81bzFmw4I/Kqgwzdq fGp/ NOEqHmsWJi/S5UdA0UwKG68qTglVWL3 mDrT

rVwHD7F96GMkfbp2 w RaASVcNs6itl/rEI9RkdZA 9uX7wtp0GQc879yJA MBkS

i/fsmxvwJ24RMRA9fjuMCHt8ma5lmC0OPXLhthh7T5NSZYffHTSbLQHSQCg/raN6

cytEzo9X78 7H5ky4JDH/A==

-----END ENCRYPTED PRIVATE KEY-----

Bag Attributes

    friendlyName: controller

    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33

subject=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

issuer=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

-----BEGIN CERTIFICATE-----

MIIDXzCCAkegAwIBAgIETFbI0TANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJD

TjEOMAwGA1UECBMFSHViZWkxDjAMBgNVBAcTBVd1aGFuMRIwEAYDVQQKEwlmaWJl

cmhvbWUxDDAKBgNVBAsTA3NkbjEPMA0GA1UEAxMGSnVuIFd1MB4XDTIyMDExNDAx

NTQ1OFoXDTIzMDExNDAxNTQ1OFowYDELMAkGA1UEBhMCQ04xDjAMBgNVBAgTBUh1

YmVpMQ4wDAYDVQQHEwVXdWhhbjESMBAGA1UEChMJZmliZXJob21lMQwwCgYDVQQL

EwNzZG4xDzANBgNVBAMTBkp1biBXdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC

AQoCggEBAI M3NJzXklDYtHMy0bs4iIVIkHwQHHCch0bOcNpFmZXEEn F9aTAEvL

TNh10xSJoaFtGeAMZaOU1rU woeXz 3sZV WdoExnJXiuB6w5kzJTfNlAFNg41T0

SizgSvxmbdwl5C2TKpj7vyQPmNoriznwOdF7bQjGKTEPuJTALqP zmNcwGqi47ll

Ni/z5I4jwyjhfBUdGqUl3it6D4NZ3Y tTknM7RJD2U5Ush5V0oWWM/CHEjVJNVbp

LnfzsRFG5TggnUDTAiP17FWqRllqpIqtxDDtRdnx4Cv8r8g4jOc5/rVx6EcuMtNU

BA7OZxploDONOROwqfm7iQ7wBgiyOuMCAwEAAaMhMB8wHQYDVR0OBBYEFCDdbV1G

KtmPJqGrDVb4fKz9NnRUMA0GCSqGSIb3DQEBCwUAA4IBAQAVCVTDcbpAghr mgtK

wb7u MelO EymsbGKgNEYFMsqRnyRkbbWaUCMdDDuC9r/Nq0rS4adNMRXUpb3WYY

 KF1Ub7AaiiTAMzNj3lt22ztpYoP05kkQPSj65DCmWBduQHrPJXf/gdW3pPLEexB

u8qJxHRHiivhQFeusKhGd bi3EMlAlYrO66kXiprt2VCbBBB2Zbdm93pK1yyckmz

fkEQkGTnirni9axs4eZiyjPNRJlGwzwzpZ69qlwknZDPCKfxDtGp7GOFRKKUQVhf

3KTYyH2adJY7Fv0D1aGiKb1rYwpzfFKsjw PrH1tSMcA60RH7SyM 9aVOE5wG41K

ibLf

-----END CERTIFICATE-----

接下来我们需要新建一个cacert.pem的文件用来给OVS使用,它的内容是odl.pem的证书部分,即从中间的"Bag Attributes"到最后的部分:

代码语言:shell复制
_# cat cacert.pem_

Bag Attributes

    friendlyName: controller

    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33

subject=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

issuer=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

-----BEGIN CERTIFICATE-----

MIIDXzCCAkegAwIBAgIETFbI0TANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJD

TjEOMAwGA1UECBMFSHViZWkxDjAMBgNVBAcTBVd1aGFuMRIwEAYDVQQKEwlmaWJl

cmhvbWUxDDAKBgNVBAsTA3NkbjEPMA0GA1UEAxMGSnVuIFd1MB4XDTIyMDExNDAx

NTQ1OFoXDTIzMDExNDAxNTQ1OFowYDELMAkGA1UEBhMCQ04xDjAMBgNVBAgTBUh1

YmVpMQ4wDAYDVQQHEwVXdWhhbjESMBAGA1UEChMJZmliZXJob21lMQwwCgYDVQQL

EwNzZG4xDzANBgNVBAMTBkp1biBXdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC

AQoCggEBAI M3NJzXklDYtHMy0bs4iIVIkHwQHHCch0bOcNpFmZXEEn F9aTAEvL

TNh10xSJoaFtGeAMZaOU1rU woeXz 3sZV WdoExnJXiuB6w5kzJTfNlAFNg41T0

SizgSvxmbdwl5C2TKpj7vyQPmNoriznwOdF7bQjGKTEPuJTALqP zmNcwGqi47ll

Ni/z5I4jwyjhfBUdGqUl3it6D4NZ3Y tTknM7RJD2U5Ush5V0oWWM/CHEjVJNVbp

LnfzsRFG5TggnUDTAiP17FWqRllqpIqtxDDtRdnx4Cv8r8g4jOc5/rVx6EcuMtNU

BA7OZxploDONOROwqfm7iQ7wBgiyOuMCAwEAAaMhMB8wHQYDVR0OBBYEFCDdbV1G

KtmPJqGrDVb4fKz9NnRUMA0GCSqGSIb3DQEBCwUAA4IBAQAVCVTDcbpAghr mgtK

wb7u MelO EymsbGKgNEYFMsqRnyRkbbWaUCMdDDuC9r/Nq0rS4adNMRXUpb3WYY

 KF1Ub7AaiiTAMzNj3lt22ztpYoP05kkQPSj65DCmWBduQHrPJXf/gdW3pPLEexB

u8qJxHRHiivhQFeusKhGd bi3EMlAlYrO66kXiprt2VCbBBB2Zbdm93pK1yyckmz

fkEQkGTnirni9axs4eZiyjPNRJlGwzwzpZ69qlwknZDPCKfxDtGp7GOFRKKUQVhf

3KTYyH2adJY7Fv0D1aGiKb1rYwpzfFKsjw PrH1tSMcA60RH7SyM 9aVOE5wG41K

ibLf

-----END CERTIFICATE-----

请注意:两个中间文件odl.p12和odl.pem已经没有用了,安全起见应该被删除。

1.2 将odl的证书复制到OVS端

把cacert.pem复制到OVS端的/var/lib/openvswitch/pki/controllerca目录下(该目录中可能已经有了一个名为cacert.pem的文件,可先将其备份一下),此目录用来存放OVS信任的证书授权机构的证书。

注:此处如果没有pki相关目录,请执行ovs-pki init进行初始化。

代码语言:shell复制
root@root12-virtual-machine:/var/lib/openvswitch/pki/controllerca# cat cacert.pem

Bag Attributes

    friendlyName: controller

    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33

subject=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

issuer=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

-----BEGIN CERTIFICATE-----

MIIDXzCCAkegAwIBAgIETFbI0TANBgkqhkiG9w0BAQsFADBgMQswCQYDVQQGEwJD

TjEOMAwGA1UECBMFSHViZWkxDjAMBgNVBAcTBVd1aGFuMRIwEAYDVQQKEwlmaWJl

cmhvbWUxDDAKBgNVBAsTA3NkbjEPMA0GA1UEAxMGSnVuIFd1MB4XDTIyMDExNDAx

NTQ1OFoXDTIzMDExNDAxNTQ1OFowYDELMAkGA1UEBhMCQ04xDjAMBgNVBAgTBUh1

YmVpMQ4wDAYDVQQHEwVXdWhhbjESMBAGA1UEChMJZmliZXJob21lMQwwCgYDVQQL

EwNzZG4xDzANBgNVBAMTBkp1biBXdTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC

AQoCggEBAI M3NJzXklDYtHMy0bs4iIVIkHwQHHCch0bOcNpFmZXEEn F9aTAEvL

TNh10xSJoaFtGeAMZaOU1rU woeXz 3sZV WdoExnJXiuB6w5kzJTfNlAFNg41T0

SizgSvxmbdwl5C2TKpj7vyQPmNoriznwOdF7bQjGKTEPuJTALqP zmNcwGqi47ll

Ni/z5I4jwyjhfBUdGqUl3it6D4NZ3Y tTknM7RJD2U5Ush5V0oWWM/CHEjVJNVbp

LnfzsRFG5TggnUDTAiP17FWqRllqpIqtxDDtRdnx4Cv8r8g4jOc5/rVx6EcuMtNU

BA7OZxploDONOROwqfm7iQ7wBgiyOuMCAwEAAaMhMB8wHQYDVR0OBBYEFCDdbV1G

KtmPJqGrDVb4fKz9NnRUMA0GCSqGSIb3DQEBCwUAA4IBAQAVCVTDcbpAghr mgtK

wb7u MelO EymsbGKgNEYFMsqRnyRkbbWaUCMdDDuC9r/Nq0rS4adNMRXUpb3WYY

 KF1Ub7AaiiTAMzNj3lt22ztpYoP05kkQPSj65DCmWBduQHrPJXf/gdW3pPLEexB

u8qJxHRHiivhQFeusKhGd bi3EMlAlYrO66kXiprt2VCbBBB2Zbdm93pK1yyckmz

fkEQkGTnirni9axs4eZiyjPNRJlGwzwzpZ69qlwknZDPCKfxDtGp7GOFRKKUQVhf

3KTYyH2adJY7Fv0D1aGiKb1rYwpzfFKsjw PrH1tSMcA60RH7SyM 9aVOE5wG41K

ibLf

-----END CERTIFICATE-----

1.3 生成OVS端的自签名证书并配置OVS端的SSL

进入OVS端的/etc/openvswitch目录,使用自己的pki请求和签署一个数字证书,生成OVS的私钥文件sc-privkey.pem和公钥证书sc-cert.pem:

代码语言:shell复制
root@root12-virtual-machine:/etc/openvswitch# ovs-pki --dir=/var/lib/openvswitch/pki req sign sc switch

root@root12-virtual-machine://etc/openvswitch# ll

total 48

drwxr-xr-x   2 root root  4096 1月  14 10:25 ./

drwxr-xr-x 126 root root 12288 1月  16 06:31 ../

-rw-r--r--   1 root root  4082 1月  14 10:25 sc-cert.pem

-rw-------   1 root root  1679 1月  14 10:25 sc-privkey.pem

-rw-r--r--   1 root root  3617 1月  14 10:25 sc-req.pem

root@root12-virtual-machine://etc/openvswitch#

开启OVS服务,使用ovs-vsctl set-ssl设置OVS端的SSL(配置OVS的私钥文件、OVS的证书文件和ODL的证书文件的位置):

代码语言:shell复制
控制器主动安全连接(pssl:6640),主动安全连接与被动连接方式对应的控制器侧的操作不一样,这部分会在续篇进行介绍:

_# ovs-vsctl set-manager pssl:6640_

_# ovs-vsctl set-manager ssl:10.190.23.66:6640 (控制器被动,OVS设备主动连接)_

默认设置Bootstrap: false

_# ovs-vsctl set-ssl  /etc/openvswitch/sc-privkey.pem  /etc/openvswitch/sc-cert.pem  /var/lib/openvswitch/pki/controllerca/cacert.pem_

默认设置Bootstrap: true

_# ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem_

使用ovs-vsctl get-ssl查看配置信息:

代码语言:shell复制
_# ovs-vsctl get-ssl_

Private key: /etc/openvswitch/sc-privkey.pem

Certificate: /etc/openvswitch/sc-cert.pem

CA Certificate: /var/lib/openvswitch/pki/controllerca/cacert.pem

Bootstrap: true

1.4 将OVS的证书复制到ODL端

把OVS端的sc-cert.pem复制到odl端的SSL文件夹中,然后在odl端使用keytool -importcert将sc-cert.pem导入到odl的证书库odl.jks中:

代码语言:shell复制
_# keytool -importcert -file sc-cert.pem -keystore odl.jks_

Enter keystore password:

Owner: CN=sc id:b7e00bac-95d2-43f7-a9f3-e2017cdc1d57, OU=Open vSwitch certifier, O=Open vSwitch, ST=CA, C=US

Issuer: CN=OVS switchca CA Certificate (2022 1� 04 17:11:15), OU=switchca, O=Open vSwitch, ST=CA, C=US

Serial number: 4

Valid from: Fri Jan 14 10:25:58 CST 2022 until: Mon Jan 12 10:25:58 CST 2032

Certificate fingerprints:

         SHA1: B6:E6:5A:94:E3:37:0A:B0:EC:FE:41:CB:2F:FD:67:84:BB:8A:F1:60

         SHA256: 5B:EF:35:AD:A9:AB:29:B8:7C:89:5A:CF:07:72:5B:1F:E7:85:59:1A:44:8E:39:F0:FC:11:E6:46:80:79:8A:F8

Signature algorithm name: SHA512withRSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 1

Trust this certificate? [no]:  yes

Certificate was added to keystore

Warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore odl.jks -destkeystore odl.jks -deststoretype pkcs12".
代码语言:shell复制
root@root12-virtual-machine:/home/root12/dcnv1r2/opendaylight/configuration/ssl# ll

total 16

drwxr-xr-x 2 root root 4096 1月  14 14:53 ./

drwxr-xr-x 5 root root 4096 1月  14 14:49 ../

-rw-r--r-- 1 root root 2224 1月  14 09:55 odl.jks

-rw-r--r-- 1 root root 4082 1月  14 10:25 sc-cert.pem

使用下面的命令查看证书库的内容,可以发现证书库已经包含有了PrivateKeyEntry和trustedCertEntry:

代码语言:shell复制
_# keytool -list -keystore odl.jks_

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 2 entries

controller, Jan 14, 2022, PrivateKeyEntry,

Certificate fingerprint (SHA-256): CE:55:30:19:B6:B8:7C:D4:C8:5B:63:0D:73:26:E6:74:AD:AF:C8:F5:10:FA:6B:96:ED:B2:5F:83:B9:C7:12:C9

mykey, Jan 17, 2022, trustedCertEntry,

Certificate fingerprint (SHA-256): 5B:EF:35:AD:A9:AB:29:B8:7C:89:5A:CF:07:72:5B:1F:E7:85:59:1A:44:8E:39:F0:FC:11:E6:46:80:79:8A:F8

Warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore odl.jks -destkeystore odl.jks -deststoretype pkcs12".

root@root12-virtual-machine:/home/root12/dcnv1r2/opendaylight/configuration/ssl#

到此处已经生成OVS、与ODL端所需要证书,并且做好OVS端SSL配置,接下来需要进行控制器侧SSL配置。

1.5 控制器主动连接OVS设备ODL端配置SSL

如上所述控制器主动连接方式,在OVS侧使用下述命令行进行配置

代码语言:shell复制
_# ovs-vsctl set-manager pssl:6640_

OVS侧设置完毕后,控制器侧需要进行以下配置。将上述所制作的odl.jks证书复制并传输到opendaylight/configuration/ssl目录下,并改名为ctl.jks与truststore.jks(目的与控制器命名一致,方便读取文件)

代码语言:shell复制
root@ubuntu:~/dcnv1r2/opendaylight/configuration/ssl# ll

总用量 16

drwxr-xr-x 2 root root 4096 1月  26 17:00 ./

drwxr-xr-x 5 root root 4096 1月  26 10:15 ../

-rw-r--r-- 1 root root 3575 1月  20 16:09 ctl.jks

-rw-r--r-- 1 root root 3575 1月  20 16:09 truststore.jks

然后进入opendaylight/etc/opendaylight/datastore/initial/config目录修改OVSDB SSL连接配置文件

代码语言:shell复制
root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# ll

总用量 52

drwxr-xr-x 2 root root  4096 1月  26 16:46 ./

drwxr-xr-x 3 root root  4096 1月  26 10:04 ../

-rw-r--r-- 1 root root 14607 1月  26 10:04 aaa-app-config.xml

-rw-r--r-- 1 root root   856 1月  27 14:12 aaa-cert-config.xml

-rw-r--r-- 1 root root   182 1月  26 10:04 aaa-datastore-config.xml

-rw-r--r-- 1 root root   518 1月  26 10:04 aaa-encrypt-service-config.xml

-rw-r--r-- 1 root root   215 1月  26 10:04 aaa-password-service-config.xml

-rw-r--r-- 1 root root   953 1月  26 16:46 default-openflow-connection-config.xml

-rw-r--r-- 1 root root   941 1月  26 10:04 legacy-openflow-connection-config.xml

-rw-r--r-- 1 root root   130 1月  26 10:04 serviceutils-upgrade-config.xml

------------------------------------------------------------------------------------

root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# cat aaa-cert-config.xml

<?xml version="1.0" encoding="UTF-8" standalone="no"?><aaa-cert-service-config xmlns="urn:opendaylight:yang:aaa:cert">

 <use-config>true</use-config>

 <use-mdsal>false</use-mdsal>

 <bundle-name>opendaylight</bundle-name>

 <ctlKeystore>

 <name>ctl.jks</name>

 <alias>controller</alias>

 <store-password>111111</store-password>

 <dname>C = CN, ST = Hubei, L = Wuhan, O = sdn, OU = test, CN = JunWu</dname>

 <validity>365</validity>

 <key-alg>RSA</key-alg>

 <sign-alg>SHA1WithRSAEncryption</sign-alg>

 <keysize>1024</keysize>

 <tls-protocols>TLSv1.2</tls-protocols>

 <cipher-suites>

 <suite-name>TLS_RSA_WITH_AES_128_CBC_SHA</suite-name>

 </cipher-suites>

 </ctlKeystore>

 <trustKeystore>

 <name>truststore.jks</name>

 <store-password>111111</store-password>

 </trustKeystore>

然后进入opendaylight/etc找到org.opendaylight.ovsdb.library.cfg配置文件并修改use-ssl 配置设置use-ssl = true。

代码语言:shell复制
root@ubuntu:~/dcnv1r2/opendaylight/etc# vi org.opendaylight.ovsdb.library.cfg

[1]   已停止               vi org.opendaylight.ovsdb.library.cfg

root@ubuntu:~/dcnv1r2/opendaylight/etc# cat org.opendaylight.ovsdb.library.cfg

_#********************************************************************************************_

_#                               Boot Time Configuration                                     *_

_#                   Config knob changes will require controller restart                     *_

_#********************************************************************************************_

_#Ovsdb plugin's (OVS, HwVtep) support both active and passive connections. OVSDB library by_

_#default listens on all IPs for switch initiated connections. Use following config_

_#knob for changing this default IP._

ovsdb-listener-ip = 0.0.0.0

_#Ovsdb plugin's (OVS, HwVtep) support both active and passive connections. OVSDB library by_

_#default listens on port 6640 for switch initiated connection. Please use following config_

_#knob for changing this default port._

ovsdb-listener-port = 6640

_#This flag will be enforced across all the connection's (passive and active) if set to true_

use-ssl = true

_#Set Json Rpc decoder max frame length value. If the OVSDB node contains large configurations_

_#that can cause connection related issue while reading the configuration from the OVSDB node_

_#database. Increasing the max frame lenge helps resolve the issue. Please see following bug_

_#report for more details ( https://bugs.opendaylight.org/show_bug.cgi?id=2732 &_

_#https://bugs.opendaylight.org/show_bug.cgi?id=2487). Default value set to 100000._

json-rpc-decoder-max-frame-length = 100000

_#********************************************************************************************_

_#                               Run Time Configuration                                      *_

_#                   Config knob changes doesn't require controller resart                   *_

_#********************************************************************************************_

_#Timeout value (in millisecond) after which OVSDB rpc task will be cancelled.Default value is_

_#set to 1000ms, please uncomment and override the value if requires.Changing the value don't_

_#require controller restart._

ovsdb-rpc-task-timeout = 1000

最后进行使用postman,调用(put)http://控制器IP:8181/rests/data/network-topology:network-topology/topology=ovsdb:1,将需要连接的OVS设备信息remote-ip,remote-port导入控制器,即可实现控制器OVSDB协议主动连接ovs设备。

代码语言:shell复制
{

 "topology": [

 {

 "topology-id": "ovsdb:1",

 "node": [

 {

 "node-id": "ovsdb://HOST2",

 "ovsdb:connection-info": {

 "ovsdb:remote-ip": "10.190.51.111",

 "ovsdb:remote-port": 6640

 }

 }

 ]

 }

 ]

}

在ovs上查看信息:

代码语言:shell复制
root@root12-virtual-machine:~_# ovs-vsctl show_

1db8fd94-c6ab-41f8-9993-bdc83a14c430

    Manager "pssl:6640"

        is_connected: true

控制器接口查看信息:

ovsdb.jpgovsdb.jpg

至于此OVSDB pssl连接验证成功。

至于此OVSDB pssl连接验证成功。

1.6 OPENFLOW SSL安全连接

openflow ssl链接,在OVS侧使用下述命令行进行配置

代码语言:shell复制
_# ovs-vsctl set-controller br-int ssl:10.190.23.66:6653_

同1.5,进入opendaylight/etc/opendaylight/datastore/initial/config目录修改openflow SSL连接配置文件,指定端口、协议、证书路径等信息。

代码语言:shell复制
root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# ll

总用量 52

drwxr-xr-x 2 root root  4096 1月  26 16:46 ./

drwxr-xr-x 3 root root  4096 1月  26 10:04 ../

-rw-r--r-- 1 root root 14607 1月  26 10:04 aaa-app-config.xml

-rw-r--r-- 1 root root   856 1月  27 14:12 aaa-cert-config.xml

-rw-r--r-- 1 root root   182 1月  26 10:04 aaa-datastore-config.xml

-rw-r--r-- 1 root root   518 1月  26 10:04 aaa-encrypt-service-config.xml

-rw-r--r-- 1 root root   215 1月  26 10:04 aaa-password-service-config.xml

-rw-r--r-- 1 root root   953 1月  26 16:46 default-openflow-connection-config.xml

-rw-r--r-- 1 root root   941 1月  26 10:04 legacy-openflow-connection-config.xml

-rw-r--r-- 1 root root   130 1月  26 10:04 serviceutils-upgrade-config.xml

------------------------------------------------------------------------------------

root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# cat default-openflow-connection-config.xml

<switch-connection-config xmlns="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:config">

 <instance-name>openflow-switch-connection-provider-default-impl</instance-name>

 <port>6653</port>

 <transport-protocol>TLS</transport-protocol>

 <group-add-mod-enabled>false</group-add-mod-enabled>

 <channel-outbound-queue-size>1024</channel-outbound-queue-size>

 <tls>

 <keystore>configuration/ssl/ctl.jks</keystore>

 <keystore-type>JKS</keystore-type>

 <keystore-path-type>PATH</keystore-path-type>

 <keystore-password>111111</keystore-password>

 <truststore>configuration/ssl/truststore.jks</truststore>

 <truststore-type>JKS</truststore-type>

 <truststore-path-type>PATH</truststore-path-type>

 <truststore-password>111111</truststore-password>

 <certificate-password>111111</certificate-password>

 <cipher-suites>TLS_RSA_WITH_AES_128_CBC_SHA</cipher-suites>

 </tls>

</switch-connection-config>

查看openflow连接信息:

在ovs上查看连接信息:

代码语言:shell复制
root@root12-virtual-machine:~_# ovs-vsctl show_

1db8fd94-c6ab-41f8-9993-bdc83a14c430

    Manager "pssl:6640"

        is_connected: true

    Bridge br-int

        Controller "ssl:10.190.23.66:6653"

            is_connected: true

        Port br-int

            Interface br-int

                type: internal

        Port "veth2"

            Interface "veth2"

        Port "veth1"

            Interface "veth1"

    ovs_version: "2.9.8"

控制接口查看信息:

openflow.jpgopenflow.jpg

至此openflow SSL安全连接验证成功。

0 人点赞