OpenDaylight Controller:SSL RestConf

This page explains how to enable SSL on RestConf

Introduction

This page was written using the Lithium release and is geared towards modifying the source code to make things work.

In this page we will set up a keystore to use with Jetty's RestConf. This keystore will be generated using the keytool binary from the Java JDK. We will also disable port 8080 and redirect HTTP traffic arriving on port 8181 to port 8443.

Prerequisites

  • maven 3.1.1+
  • keytool
  • JDK 1.7+

Instructions

Preparing the environment

Compile odlparent, yangtools and controller.

Generate a certificate keystore

Reference: http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#loading-keys-and-certificates

We will generate the .keystore file into the configuration/ssl folder of karaf for easier access. That folder is taken from controller/karaf/opendaylight-karaf-resources/src/main/resources/ and copied over when karaf is compiled.

Create an ssl folder under controller/karaf/opendaylight-karaf-resources/src/main/resources/configuration and cd into it; the keystore will be generated in that folder:

$JAVA_HOME/bin/keytool -keystore .keystore -alias jetty -genkey -keyalg RSA
Enter keystore password:  123456
What is your first and last name?
  [Unknown]:  odl
What is the name of your organizational unit?
  [Unknown]:  odl
What is the name of your organization?
  [Unknown]:  odl
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=odl, OU=odl, O=odl,
L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes

This should have generated a keystore file under the configuration/ssl folder.

Modify opendaylight-karaf-resources

Locate the bundle org.opendaylight.controller/opendaylight-karaf-resources/1.5.2-SNAPSHOT; that bundle contains two files that must be modified to enable HTTPS.

The first file is custom.properties; the section below should be added to it:

org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=configuration/ssl/.keystore
org.ops4j.pax.web.ssl.password=123456
org.ops4j.pax.web.ssl.keypassword=123456
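The four properties above are all that pax-web needs, but they also put the keystore and key passwords in a plaintext file, and the walkthrough value 123456 is the kind of secret that should never survive into a real distribution. The following is an added example (not part of the OpenDaylight project or this wiki page) of a small audit that parses a custom.properties fragment and reports missing keys, a disabled HTTPS connector, and throwaway passwords. The property values and the hardened sample are constructed for the example; the weak-password heuristic is an assumption of the example, not a project rule.

```python
import re

# Constructed copy of the custom.properties lines shown on the page
# (values are the page's walkthrough values, not a real deployment).
PAGE_PROPERTIES = """\
org.osgi.service.http.secure.enabled=true
org.ops4j.pax.web.ssl.keystore=configuration/ssl/.keystore
org.ops4j.pax.web.ssl.password=123456
org.ops4j.pax.web.ssl.keypassword=123456
"""

# Constructed hardened variant: same keys, generated passwords (sample values only).
HARDENED_PROPERTIES = """\
# pax-web HTTPS connector
org.osgi.service.http.secure.enabled = true
org.ops4j.pax.web.ssl.keystore = configuration/ssl/.keystore
org.ops4j.pax.web.ssl.password = Zx9!pLq3#vT8wRm2
org.ops4j.pax.web.ssl.keypassword = Qw4$nHd7*bK1sYe6
"""

REQUIRED_KEYS = (
    "org.osgi.service.http.secure.enabled",
    "org.ops4j.pax.web.ssl.keystore",
    "org.ops4j.pax.web.ssl.password",
    "org.ops4j.pax.web.ssl.keypassword",
)

PASSWORD_KEYS = (
    "org.ops4j.pax.web.ssl.password",
    "org.ops4j.pax.web.ssl.keypassword",
)


def parse_properties(text):
    """Minimal java.util.Properties parser: '#' or '!' comment lines,
    '=' or ':' as separator, whitespace around key and separator trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def weak_password(value):
    """Heuristic (assumption of this example): flag short, all-digit,
    or well-known default keystore passwords."""
    defaults = {"changeit", "password", "123456", "karaf", "secret"}
    return len(value) < 12 or value.isdigit() or value.lower() in defaults


def audit_ssl_properties(text):
    """Return a list of findings for a custom.properties fragment;
    an empty list means the fragment passes every check."""
    props = parse_properties(text)
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"missing {key}")
    enabled = props.get("org.osgi.service.http.secure.enabled")
    if enabled is not None and enabled.lower() != "true":
        findings.append("HTTPS connector not enabled")
    for key in PASSWORD_KEYS:
        if key in props and weak_password(props[key]):
            findings.append(f"weak value for {key}")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(name, audit_ssl_properties(text) or "OK")
```

Run it against the real etc/custom.properties of a built distribution before shipping; the two weak-password findings it raises on the page's values are exactly what a reviewer should expect to see while following this walkthrough.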

The second file is the jetty.xml file:

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
<Configure class="org.eclipse.jetty.server.Server">
   <Call name="addConnector">
       <Arg>
           <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
               <Set name="host">
                   <Property name="jetty.host" />
               </Set>
               <Set name="port">
                   <Property name="jetty.port" default="8181" />
               </Set>
               <Set name="maxIdleTime">300000</Set>
               <Set name="Acceptors">2</Set>
               <Set name="statsOn">false</Set>
               <Set name="confidentialPort">8443</Set>
               <Set name="lowResourcesConnections">20000</Set>
               <Set name="lowResourcesMaxIdleTime">5000</Set>
           </New>
       </Arg>
   </Call>
   <Call name="addBean">
       <Arg>
           <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
               <Set name="name">karaf</Set>
               <Set name="loginModuleName">karaf</Set>
               <Set name="roleClassNames">
                   <Array type="java.lang.String">
                       <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
                       </Item>
                   </Array>
               </Set>
           </New>
       </Arg>
   </Call>
   <Call name="addBean">
       <Arg>
           <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
               <Set name="name">default</Set>
               <Set name="loginModuleName">karaf</Set>
               <Set name="roleClassNames">
                   <Array type="java.lang.String">
                       <Item>org.apache.karaf.jaas.boot.principal.RolePrincipal
                       </Item>
                   </Array>
               </Set>
           </New>
       </Arg>
   </Call>
</Configure>

Modify sal-rest-connector

Locate the bundle org.opendaylight.controller/sal-rest-connector/1.2.2-SNAPSHOT; this bundle has only one file to modify, web.xml, located in the resources folder. Modify the security section so that it looks like this:

   <security-constraint>
       <web-resource-collection>
           <web-resource-name>NB api</web-resource-name>
           <url-pattern>/*</url-pattern>
           <http-method>POST</http-method>
           <http-method>GET</http-method>
           <http-method>PUT</http-method>
           <http-method>PATCH</http-method>
           <http-method>DELETE</http-method>
           <http-method>HEAD</http-method>
       </web-resource-collection>
       <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
       </user-data-constraint>
   </security-constraint>

The goal here is to add a user-data constraint whose CONFIDENTIAL transport guarantee forces requests matching the collection onto SSL.

Test RestConf with https

Before testing, make sure the karaf distribution was correctly updated: check the configuration/ssl folder, and if the keystore file is present you can go ahead and run karaf.

Run the karaf instance in the controller and wait for it to load everything. You can then use curl to test whether things work.

This one should work:

curl -l -k https://localhost:8443/restconf/operational/network-topology:network-topology/ --user admin:admin

This one should not work:

curl -l http://localhost:8181/restconf/operational/network-topology:network-topology/ --user admin:admin

Note: If using the controller karaf distribution, network-topology might not be present.

Using Karaf custom.properties

Reference: http://blog.nanthrax.net/2012/12/how-to-enable-https-certificate-client-auth-with-karaf/

Modifying custom.properties doesn't seem to work when adding these:

secureChannelEnabled=true
controllerKeyStore=keystore
controllerKeyStorePassword=123456
controllerTrustStore=keystore
controllerTrustStorePassword=123456