
OVSDB Integration:TLS Communication

Overview

In this wiki, we will show how to establish TLS communication between Opendaylight and an OVS instance. The OVSDB southbound APIs use the Certificate Management Service to store and manage the certificates of the OVS instances. For more details on how to use the Certificate Management Service check the following link: https://wiki.opendaylight.org/view/AAA:How_to_use_the_Certificate_management_Service_to_manage_the_TLS_communication.

Step by step

Currently the Opendaylight OVSDB southbound API supports TLS communication based on the following patch: https://git.opendaylight.org/gerrit/#/c/48482/.

1- You will need to clone the master branch of the ovsdb project.

   $ git clone https://git.opendaylight.org/gerrit/ovsdb

2- Then you will need to fetch the ovsdb TLS patch.

   $ cd ovsdb
   $ git fetch https://git.opendaylight.org/gerrit/ovsdb refs/changes/82/48482/9 && git checkout FETCH_HEAD

3- Now build the ovsdb project

   $ mvn clean install -e

4- Start the southbound distribution using the following command

   $ ./southbound/southbound-karaf/target/assembly/bin/karaf

5- We need to change the Certificate Management Service configuration so that it can be used for the SSL communication. The configuration file exists under ovsdb/southbound/southbound-karaf/target/assembly/etc/opendaylight/datastore/initial/config/aaa-cert-config.xml. Open aaa-cert-config.xml and set the use-config element to true: <use-config>true</use-config>. For more information about aaa-cert-config.xml check the config section of the Certificate Management Service page linked in the Overview. We also need to change the ovsdb configuration to use the SSL communication: in the southbound/southbound-karaf/target/assembly/etc/org.opendaylight.ovsdb.library.cfg file uncomment the use-ssl flag and set it to true.

6- After changing the Certificate Management Service configuration we must restart Opendaylight. At the karaf CLI run the following command.

   karaf> shutdown -r

7- If you have an OVS instance up and running, you can use it. Otherwise you can use the following Vagrantfile to spawn a VM with an OVS instance: https://github.com/serngawy/DevOp-VMs/blob/master/Vagrant-mininet/Vagrantfile

   $ vagrant up

It will take a couple of minutes to spawn the VM.

8- We will create a self-signed certificate for the OVS instance so that it can communicate securely with Opendaylight. First get access to the VM console using the following command.

   $ vagrant ssh

Check the OVS instance status.

   $ sudo ovs-vsctl show
      97386782-e6ff-4658-8f87-e2a16458b472
      ovs_version: "2.4.0"

Go to the openvswitch directory and run the following command.

   $ cd /etc/openvswitch
   $ sudo ovs-pki req+sign sc switch

This will create a private key and a self-signed certificate that Opendaylight will use to authenticate this OVS instance. Check for the created files using the following command.

   $ ls
   conf.db  sc-cert.pem  sc-privkey.pem  sc-req.pem  system-id.conf

9- Now we will configure the SSL communication at the OVS instance. The --bootstrap flag tells OVS to accept the certificate presented by the first peer it connects to and save it as the CA certificate at the given path (/home/vagrant/odlcert.pem); later connections are verified against that saved certificate.

   $ sudo ovs-vsctl --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /home/vagrant/odlcert.pem

10- Now we need to add the OVS self-signed certificate we just created to the Opendaylight certificate store using the Certificate Management Service REST APIs. Open the sc-cert.pem file and copy the certificate string.

   -----BEGIN CERTIFICATE-----
   (base64 certificate body of your own sc-cert.pem)
   -----END CERTIFICATE-----

11- On the Opendaylight distribution host run the following curl command to store the certificate in the datastore. Replace the certificate string in the request body with the one you copied from sc-cert.pem.

   $ curl -X POST -u admin:admin -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
     "aaa-cert-rpc:input": {
       "aaa-cert-rpc:node-alias": "ovs1",
       "aaa-cert-rpc:node-cert": "{CERTIFICATE_STRING}"
     }
   }' "http://localhost:8181/restconf/operations/aaa-cert-rpc:setNodeCertifcate"

12- Check that the certificate has been stored in Opendaylight using the following command.

   $ curl -X POST -u admin:admin -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
     "aaa-cert-rpc:input": {
       "aaa-cert-rpc:node-alias": "ovs1"
     }
   }' "http://localhost:8181/restconf/operations/aaa-cert-rpc:getNodeCertifcate"

You should see the certificate in the response.

13- Now back on the OVS instance VM, set the SSL manager using the following command.

   $ sudo ovs-vsctl set-manager ssl:{ODL_IP-Address}:6640

Check if the connection has been established correctly.

   $ sudo ovs-vsctl show
     97386782-e6ff-4658-8f87-e2a16458b472
     Manager "ssl:192.168.1.101:6640"
          is_connected: true
     ovs_version: "2.4.0"
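Because --bootstrap trusts whatever certificate Opendaylight presents on the very first connection, it is worth confirming afterwards that the saved /home/vagrant/odlcert.pem really is Opendaylight's certificate. The following script is an added example, not code from this wiki or from the OVSDB project: run on the OVS VM, it completes a TLS handshake with the Opendaylight OVSDB listener using the switch key pair as client identity, fetches the certificate Opendaylight presents, and compares SHA-256 fingerprints. It assumes the file paths used in the steps above, that Opendaylight requires a client certificate on port 6640, and that Opendaylight uses the self-signed certificate generated by the Certificate Management Service (so the bootstrapped CA file is the presented leaf certificate itself).

```python
"""Post-bootstrap check for the --bootstrap set-ssl step above (added example,
not code from the wiki or the OVSDB project). Run it on the OVS VM."""
import hashlib
import socket
import ssl
import sys

# File paths exactly as used in the steps above.
OVS_KEY = "/etc/openvswitch/sc-privkey.pem"
OVS_CERT = "/etc/openvswitch/sc-cert.pem"
BOOTSTRAPPED_CA = "/home/vagrant/odlcert.pem"

# Constructed sample, NOT a real certificate: the fingerprint helper only needs
# a syntactically valid PEM block whose base64 body it can decode and hash.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              "bm90LWEtcmVhbC1jZXJ0aWZpY2F0ZQ==\n"
              "-----END CERTIFICATE-----\n")

def sha256_fingerprint(pem_text: str) -> str:
    """Colon-separated SHA-256 fingerprint, as `openssl x509 -fingerprint -sha256` prints it."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fetch_presented_cert(host: str, port: int = 6640) -> str:
    """Handshake with the Opendaylight OVSDB listener using the switch key pair as
    client identity (assumed: ODL requires a client certificate) and return the
    certificate ODL presented, as PEM. Verification is off on purpose: we fetch to check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(OVS_CERT, OVS_KEY)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)

def certs_match(bootstrapped_pem: str, presented_pem: str) -> bool:
    """True when odlcert.pem and the presented leaf are the same certificate. Assumes ODL
    uses the self-signed certificate the Certificate Management Service generates."""
    return sha256_fingerprint(bootstrapped_pem) == sha256_fingerprint(presented_pem)

if __name__ == "__main__":
    odl_host = sys.argv[1]  # the {ODL_IP-Address} given to set-manager
    with open(BOOTSTRAPPED_CA) as f:
        saved = f.read()
    live = fetch_presented_cert(odl_host)
    print("MATCH" if certs_match(saved, live) else "MISMATCH: odlcert.pem is not ODL's certificate")
```

If the result is MISMATCH, delete /home/vagrant/odlcert.pem and repeat the set-ssl step only after confirming which certificate Opendaylight should be presenting.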

14- We will also test the passive TLS communication, where the OVS instance listens and Opendaylight initiates the connection. At the VM run the following commands.

   $ sudo ovs-vsctl del-manager
   $ sudo ovs-vsctl set-manager pssl:6640

15- On the Opendaylight distribution host run the following curl command, which tells the OVSDB southbound plugin to connect to the OVS instance.

   $ curl -X PUT -u admin:admin -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
     "network-topology:node": [
       {
         "node-id": "ovsdb://7978e1d5-31f9-4853-b6f9-2ea8eb3170a4",
         "connection-info": {
           "ovsdb:remote-port": "6640",
           "ovsdb:remote-ip": "{OVS_VM_IP-Address}"
         }
       }
     ]
   }' "http://localhost:8181/restconf/config/network-topology:network-topology/topology/ovsdb:1/node/ovsdb:%2F%2F7978e1d5-31f9-4853-b6f9-2ea8eb3170a4"

16- Now check the connection at the VM.

   $ sudo ovs-vsctl show
      97386782-e6ff-4658-8f87-e2a16458b472
      Manager "pssl:6640"
         is_connected: true
      ovs_version: "2.4.0"