Setting up an SSL connection between ODL and OVS: a summary

Posted by 爱努力的Max on 2022/02/22 14:46:17

[Abstract] ODL, as a mainstream SDN controller, has been adopted by most major vendors, yet hands-on, end-to-end material on securing the ODL-to-OVS connection with SSL is scarce. This article walks through the complete setup for both the controller-initiated and the switch-initiated connection mode. Taking the OVS device as the connection target, the controller reaches OVS in one of two ways: 1. active connection; 2. passive connection. In addition, the SSL connection can be configured in two…

ODL is a mainstream SDN controller that many vendors have adopted, yet there is little end-to-end, hands-on material on securing the ODL-to-OVS connection with SSL (TLS in practice; "SSL" is the term OVS and ODL use). This article walks through the full setup for both connection directions, controller-initiated and switch-initiated.
With the OVS device as the connection target, a controller can reach OVS in two ways: 1. active (the controller initiates the connection); 2. passive (the switch initiates it). Independently of that, the SSL material can be produced in two ways: 1. generate PEM certificates by hand (what the OVS side consumes) and convert them into the JKS format that ODL, running on a JDK, expects; 2. generate a JKS keystore by hand (for ODL) and convert it to PEM for OVS. The walkthrough below follows method 2. Whichever connection direction is used, the controller side needs its own matching configuration changes.

The procedure has three parts: generating the certificates (for both the OVS side and the controller side), installing the certificate on the OVS device, and installing the certificate on the ODL controller.

1.1 Generate the self-signed certificate for the ODL side

Use keytool to create a self-signed keystore odl.jks holding the controller's private key and its certificate. The -alias and -storepass values must match the controller-side configuration (aaa-cert-config.xml in 1.5). keytool prompts for the distinguished name and the key password interactively; 2048 bits is the minimum RSA key size worth using.

# keytool -genkey -keyalg RSA -alias controller -keystore odl.jks -storepass 111111 -validity 365 -keysize 2048

Convert odl.jks to odl.pem in two steps, odl.jks → odl.p12 → odl.pem (for convenience use the same password, 111111, as for odl.jks; openssl prompts for the import password and for a PEM pass phrase that protects the exported key):

# keytool -importkeystore -srckeystore odl.jks -destkeystore odl.p12 -srcstoretype jks -deststoretype pkcs12

# openssl pkcs12 -in odl.p12 -out odl.pem

odl.pem looks like this: an encrypted private key followed by the certificate (the certificate body is omitted here):

# cat odl.pem
Bag Attributes
    friendlyName: controller
    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApBgkqhkiG9w0BBQwwHAQICvDsQcvStsACAggA
MAwGCCqGSIb3DQIJBQAwFAYIKoZIhvcNAwcECOcPvR2phfFzBIIEyM5QRmjjmD0I
YcuPocLrPGDJe/x3RV77fessvCEtEWsYqFmW6Xi9SdoG6y0zDgEEpY+jCM+SOruC
IGk7UIu//DBVj+JcaSEu0n8B/rGGuqmU1Ea52sqDW8xxOk0llapYi1P6VX0LgY/H
QJCM/CvArrg/EO5seV6i9iXpOpX6I7yJTfXfMYMP+zncHJ/7AesRSkEA9fBow7tq
d00onsea6HL1nVX8uzyxzHuBsittsOQ5RIyqC+Gpny2mIxkqkXga1XSs2miVspy/
QcxYYts4F8IgA9N5fgenPsCR7K0wgqkO30W6pKMdL2YDCauhJ+E4ylwVaAqwUHZV
btLQKORAps1DKrNV7xpXkJ/Q9BUTbAaqSHPn5mfdsD6cxSM8OEenVdZFmkSWtZNa
ET39e5JfhesPINq/Lx6jl58EiP7y1MgYXN9zsuimoJAVooJ5TfcgeqKZetPzPEop
i0q30dfHQNpJsNkfqnWIlifXMVcGztbpdWSNKs70B8Dr+3wFco3th5EGtSgfVgnb
WFSDdOsvaOP8ljfRlCr6Zs6p6BYoPlIQTIO9lfTz1JPyAE7orIogXXbSsZ1saDPf
nkhzhRP4FSfYbYPeWBSzFcaPOmXSilarEfa7/CROJRn1HTJrDrZZYrQr7Gj/W5Gw
yQbNHEzP0G2LKFtUCBBCrAsr7V6owh5YvrOMriO+SZcsHnbHwl9jSI0AXe97XfkT
qgULx/3zc9G6D0tUwCst5lUo3DYnx8WtbXzcMwrCmTKkpE9pISu1UJytBiz493XD
nOM+MoKZWIyOqcDe2Ac7km6Ybo2wLuA6kIxwYgun6NJl9mAgqJ/+T0itvuOB3PD/
FeqnnRq5eZlSmo3PL5ycKKja0z6z9ylaIWDRZYsPFNBt4jqCa9hizC+VioiuGECJ
Sqf2JH1X5TBhU41Naoe3vur6rpBydkPDj33qELSG2q+90i2M9PT/8akAm0TWTs/u
UwJjMVfVGp5jgbYAAjuyrtkMioFuMlJJg9f53elCttx2Zmaotu3d3I1gh1tTP9ON
bF9Ls5QnqW3Ujkr3qmLUeE2EE3M+uPuoA4GtEPeMili+NeY1WKXORATy2q/d/Aus
31i51k79cZvgL39r/G/DOHkw/xRQSonWRCadNpA12FJ+GxJ2OBHkdtrQ2RPycJ5c
9EvqiY0IGfY1cmY3tgXl925Rxc+EtvMLJqoi8M9WeuwEVo2tuU9DVdwRgLFoQnnP
xCxwRjln75mxAyxUP/dZ79Ex3+CmsZj+OSrM78tKNnsjAGrV5XSPZwnY5+I9o5lw
9dIJL49ROktjQgKZW5SIsNK2zavJuVVP0RgY6nxEMZtR1xwxytCMKNtSe7i1LQST
qbYSaBEeHnjGWYa8JUemyRsegaNkrhWOium5HsmYi8UGQ+aytGIM0PYPe8SVNwol
YKxbg81bzFmw4I/Kqgwzdq+fGp/+NOEqHmsWJi/S5UdA0UwKG68qTglVWL3+mDrT
rVwHD7F96GMkfbp2+w+RaASVcNs6itl/rEI9RkdZA+9uX7wtp0GQc879yJA+MBkS
i/fsmxvwJ24RMRA9fjuMCHt8ma5lmC0OPXLhthh7T5NSZYffHTSbLQHSQCg/raN6
cytEzo9X78+7H5ky4JDH/A==
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: controller
    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33
subject=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

issuer=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Next, create cacert.pem for OVS. It contains only the certificate part of odl.pem, i.e. everything from the second "Bag Attributes" header to the end, and no private key:

# cat cacert.pem
Bag Attributes
    friendlyName: controller
    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33
subject=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

issuer=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----


Note: the two intermediate files odl.p12 and odl.pem both contain the controller's private key (protected only by the passwords typed during export) and are no longer needed; delete them, and keep odl.jks itself readable only by the account that runs ODL.
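The extraction and clean-up step above, as an added shell example that is not part of the original post: it uses openssl x509 to pull only the certificate out of the odl.pem bundle (openssl reads the first CERTIFICATE block and ignores the Bag Attributes and key blocks), refuses to ship a file that still carries key material, checks that the certificate really is self-signed (which is why it can serve as the OVS "CA"), prints the SHA-256 fingerprint in the colon-separated form keytool uses, and destroys the bundle. The subject name, the password 111111 and the constructed demo bundle (generated with openssl instead of keytool) are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build cacert.pem for OVS from
# the odl.pem bundle and prove that no private key travelled with it.
set -eu

# make_demo_bundle DIR: constructed stand-in for the post's odl.pem (the output
# of "openssl pkcs12 -out odl.pem"), i.e. an encrypted PKCS#8 private key
# followed by one self-signed certificate. Subject and password are assumed.
make_demo_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=CN/ST=Hubei/L=Wuhan/O=test/OU=sdn/CN=controller" \
    -keyout "$1/plain.key" -out "$1/cert.pem" 2>/dev/null
  openssl pkcs8 -topk8 -in "$1/plain.key" -passout pass:111111 -out "$1/enc.key"
  cat "$1/enc.key" "$1/cert.pem" > "$1/odl.pem"
  rm -f "$1/plain.key" "$1/enc.key" "$1/cert.pem"
}

# extract_cacert BUNDLE OUT: openssl x509 reads the first CERTIFICATE block in
# BUNDLE and skips everything else, so OUT is the public certificate alone.
extract_cacert() {
  openssl x509 -in "$1" -out "$2"
  chmod 0644 "$2"
  if grep -q 'PRIVATE KEY' "$2"; then
    echo "refusing to use $2: it still contains private key material" >&2
    return 1
  fi
  [ "$(grep -c 'BEGIN CERTIFICATE' "$2")" -eq 1 ]
}

# is_self_signed CERT: the file must verify against itself, which is what lets
# a lone controller certificate act as controllerca/cacert.pem on the switch.
is_self_signed() {
  openssl verify -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

# fingerprint CERT: SHA-256 over the DER certificate as colon-separated
# uppercase hex, the same form "keytool -list" and "keytool -importcert"
# print, so the ODL and OVS sides can be compared directly.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

run_demo() {
  work=$(mktemp -d)
  make_demo_bundle "$work"
  extract_cacert "$work/odl.pem" "$work/cacert.pem"
  is_self_signed "$work/cacert.pem"
  echo "cacert.pem SHA-256: $(fingerprint "$work/cacert.pem")"
  # the bundle held the private key: destroy it now that cacert.pem exists
  shred -u "$work/odl.pem" 2>/dev/null || rm -f "$work/odl.pem"
  echo "output in $work"
}
if [ "${1:-}" = demo ]; then run_demo; fi
```

Run it as `sh extract.sh demo`; in a real deployment call extract_cacert on the odl.pem produced in 1.1 and compare the printed fingerprint with the PrivateKeyEntry fingerprint that `keytool -list` shows for odl.jks.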

1.2 Copy the ODL certificate to the OVS side

Copy cacert.pem to /var/lib/openvswitch/pki/controllerca/ on the OVS host (there may already be a cacert.pem there; back it up first). This directory holds the certificate authority that OVS trusts for controllers. Because the controller certificate is self-signed, the certificate itself is the CA:

root@root12-virtual-machine:/var/lib/openvswitch/pki/controllerca# cat cacert.pem
Bag Attributes
    friendlyName: controller
    localKeyID: 54 69 6D 65 20 31 36 34 32 31 32 35 34 31 31 38 33 33
subject=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

issuer=C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

1.3 Generate the OVS-side certificate and configure SSL on OVS

In /etc/openvswitch on the OVS host, use the local ovs-pki to request and sign a certificate. This produces the private key sc-privkey.pem, the request sc-req.pem and the certificate sc-cert.pem; the certificate is signed by the host's switchca CA (under /var/lib/openvswitch/pki/switchca), so it is not self-signed. Note the 0600 mode on the private key:

root@root12-virtual-machine:/etc/openvswitch# ovs-pki --dir=/var/lib/openvswitch/pki req+sign sc switch

root@root12-virtual-machine:/etc/openvswitch# ll
total 48
drwxr-xr-x   2 root root  4096 Jan 14 10:25 ./
drwxr-xr-x 126 root root 12288 Jan 16 06:31 ../
-rw-r--r--   1 root root  4082 Jan 14 10:25 sc-cert.pem
-rw-------   1 root root  1679 Jan 14 10:25 sc-privkey.pem
-rw-r--r--   1 root root  3617 Jan 14 10:25 sc-req.pem
root@root12-virtual-machine:/etc/openvswitch#

Start the OVS service and configure SSL on the OVS side with ovs-vsctl set-ssl (the paths of the OVS private key, the OVS certificate and the ODL certificate). First pick the connection direction. For a controller-initiated secure connection OVS listens passively on pssl:6640 (the controller-side steps differ between the two directions; the controller-initiated case is covered in 1.5, the switch-initiated case is left to a follow-up article):

# ovs-vsctl set-manager pssl:6640

For a switch-initiated connection (controller passive, OVS active) point OVS at the controller instead:

# ovs-vsctl set-manager ssl:10.190.23.66:6640

Then set the SSL material. Without --bootstrap (Bootstrap: false):

# ovs-vsctl set-ssl  /etc/openvswitch/sc-privkey.pem  /etc/openvswitch/sc-cert.pem  /var/lib/openvswitch/pki/controllerca/cacert.pem

With --bootstrap (Bootstrap: true):

# ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem

--bootstrap lets OVS, when the CA file does not exist, take the CA certificate from the first peer that connects and save it at that path (trust on first use). Since cacert.pem was installed in 1.2 it makes no difference here, but leave it off in production so that a missing or deleted CA file fails closed rather than trusting whoever connects first.

Check the result with ovs-vsctl get-ssl:

# ovs-vsctl get-ssl
Private key: /etc/openvswitch/sc-privkey.pem
Certificate: /etc/openvswitch/sc-cert.pem
CA Certificate: /var/lib/openvswitch/pki/controllerca/cacert.pem
Bootstrap: true

1.4 Copy the OVS certificate to the ODL side

Copy sc-cert.pem from the OVS host into the ODL SSL directory and import it into odl.jks as a trusted certificate with keytool -importcert. Without -alias the entry is stored under the default alias "mykey"; give it a meaningful alias if more than one certificate will be imported. Importing the switch's leaf certificate trusts exactly this one switch; to trust every switch whose certificate the same ovs-pki signs, import /var/lib/openvswitch/pki/switchca/cacert.pem instead:

# keytool -importcert -file sc-cert.pem -keystore odl.jks
Enter keystore password:
Owner: CN=sc id:b7e00bac-95d2-43f7-a9f3-e2017cdc1d57, OU=Open vSwitch certifier, O=Open vSwitch, ST=CA, C=US
Issuer: CN=OVS switchca CA Certificate (2022 Jan 04 17:11:15), OU=switchca, O=Open vSwitch, ST=CA, C=US
Serial number: 4
Valid from: Fri Jan 14 10:25:58 CST 2022 until: Mon Jan 12 10:25:58 CST 2032
Certificate fingerprints:
         SHA1: B6:E6:5A:94:E3:37:0A:B0:EC:FE:41:CB:2F:FD:67:84:BB:8A:F1:60
         SHA256: 5B:EF:35:AD:A9:AB:29:B8:7C:89:5A:CF:07:72:5B:1F:E7:85:59:1A:44:8E:39:F0:FC:11:E6:46:80:79:8A:F8
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Trust this certificate? [no]:  yes
Certificate was added to keystore

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore odl.jks -destkeystore odl.jks -deststoretype pkcs12".

root@root12-virtual-machine:/home/root12/dcnv1r2/opendaylight/configuration/ssl# ll
total 16
drwxr-xr-x 2 root root 4096 Jan 14 14:53 ./
drwxr-xr-x 5 root root 4096 Jan 14 14:49 ../
-rw-r--r-- 1 root root 2224 Jan 14 09:55 odl.jks
-rw-r--r-- 1 root root 4082 Jan 14 10:25 sc-cert.pem

List the keystore contents: it now holds both a PrivateKeyEntry (the controller identity) and a trustedCertEntry (the switch certificate). The SHA-256 fingerprint of the trustedCertEntry must match the one keytool printed on import and the one `openssl x509 -noout -fingerprint -sha256 -in sc-cert.pem` reports on the OVS host:

# keytool -list -keystore odl.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

controller, Jan 14, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CE:55:30:19:B6:B8:7C:D4:C8:5B:63:0D:73:26:E6:74:AD:AF:C8:F5:10:FA:6B:96:ED:B2:5F:83:B9:C7:12:C9
mykey, Jan 17, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 5B:EF:35:AD:A9:AB:29:B8:7C:89:5A:CF:07:72:5B:1F:E7:85:59:1A:44:8E:39:F0:FC:11:E6:46:80:79:8A:F8

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore odl.jks -destkeystore odl.jks -deststoretype pkcs12".
root@root12-virtual-machine:/home/root12/dcnv1r2/opendaylight/configuration/ssl#

At this point the certificates for both OVS and ODL exist and the OVS side is configured; what remains is the controller-side SSL configuration.

1.5 ODL-side SSL configuration for a controller-initiated connection to the OVS device

For the controller-initiated mode described above, configure the OVS side with:

# ovs-vsctl set-manager pssl:6640

Then configure the controller. Copy the odl.jks produced above into opendaylight/configuration/ssl and store it under the two names the controller expects, ctl.jks and truststore.jks. Using one copy for both works, but it puts the controller's private key into the truststore as well; the truststore only needs trustedCertEntry records, so a dedicated truststore holding just the switch certificate (or the switchca CA) is the cleaner layout.

root@ubuntu:~/dcnv1r2/opendaylight/configuration/ssl# ll
total 16
drwxr-xr-x 2 root root 4096 Jan 26 17:00 ./
drwxr-xr-x 5 root root 4096 Jan 26 10:15 ../
-rw-r--r-- 1 root root 3575 Jan 20 16:09 ctl.jks
-rw-r--r-- 1 root root 3575 Jan 20 16:09 truststore.jks

Next, in opendaylight/etc/opendaylight/datastore/initial/config, edit the OVSDB SSL configuration file aaa-cert-config.xml. The <alias> and <store-password> values must match the keystore built in 1.1. The <dname>, <validity>, <key-alg>, <sign-alg> and <keysize> entries are key-generation parameters; since ctl.jks is supplied ready-made they do not describe the certificate actually in use (note the 1024-bit/SHA-1 defaults and a dname that differs from the real subject), but leaving weak values there is still poor hygiene. The cipher suite TLS_RSA_WITH_AES_128_CBC_SHA uses static RSA key exchange with no forward secrecy; prefer an ECDHE suite that both the JDK and the OVS host's OpenSSL support. The store password sits in clear text in this file, so keep its file mode restrictive.

root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# ll
total 52
drwxr-xr-x 2 root root  4096 Jan 26 16:46 ./
drwxr-xr-x 3 root root  4096 Jan 26 10:04 ../
-rw-r--r-- 1 root root 14607 Jan 26 10:04 aaa-app-config.xml
-rw-r--r-- 1 root root   856 Jan 27 14:12 aaa-cert-config.xml
-rw-r--r-- 1 root root   182 Jan 26 10:04 aaa-datastore-config.xml
-rw-r--r-- 1 root root   518 Jan 26 10:04 aaa-encrypt-service-config.xml
-rw-r--r-- 1 root root   215 Jan 26 10:04 aaa-password-service-config.xml
-rw-r--r-- 1 root root   953 Jan 26 16:46 default-openflow-connection-config.xml
-rw-r--r-- 1 root root   941 Jan 26 10:04 legacy-openflow-connection-config.xml
-rw-r--r-- 1 root root   130 Jan 26 10:04 serviceutils-upgrade-config.xml

root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# cat aaa-cert-config.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?><aaa-cert-service-config xmlns="urn:opendaylight:yang:aaa:cert">
  <use-config>true</use-config>
  <use-mdsal>false</use-mdsal>
  <bundle-name>opendaylight</bundle-name>
  <ctlKeystore>
    <name>ctl.jks</name>
    <alias>controller</alias>
    <store-password>111111</store-password>
    <dname>C = CN, ST = Hubei, L = Wuhan, O = sdn, OU = test, CN = JunWu</dname>
    <validity>365</validity>
    <key-alg>RSA</key-alg>
    <sign-alg>SHA1WithRSAEncryption</sign-alg>
    <keysize>1024</keysize>
    <tls-protocols>TLSv1.2</tls-protocols>
    <cipher-suites>
      <suite-name>TLS_RSA_WITH_AES_128_CBC_SHA</suite-name>
    </cipher-suites>
  </ctlKeystore>
  <trustKeystore>
    <name>truststore.jks</name>
    <store-password>111111</store-password>
  </trustKeystore>
</aaa-cert-service-config>

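The same aaa-cert-config.xml with the weak values replaced, as an added example rather than the post's own file. Changes: a 2048-bit key, a SHA-256 signature, a dname that matches the certificate generated in 1.1, and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (a standard JSSE suite name that OpenSSL 1.0.1 and later on the OVS host also offer) in place of the static-RSA CBC suite. The sign-alg string SHA256WithRSAEncryption follows the naming pattern of the default SHA1WithRSAEncryption and is an assumption. Apply the same suite change to <cipher-suites> in default-openflow-connection-config.xml in 1.6, and restrict the file mode since the store password is in clear text.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<aaa-cert-service-config xmlns="urn:opendaylight:yang:aaa:cert">
  <use-config>true</use-config>
  <use-mdsal>false</use-mdsal>
  <bundle-name>opendaylight</bundle-name>
  <ctlKeystore>
    <name>ctl.jks</name>
    <alias>controller</alias>
    <store-password>111111</store-password>
    <!-- generation parameters: they do not describe a keystore supplied
         ready-made, so keep them no weaker than the one built in 1.1 -->
    <dname>C = CN, ST = Hubei, L = Wuhan, O = test, OU = sdn, CN = Jun Wu</dname>
    <validity>365</validity>
    <key-alg>RSA</key-alg>
    <sign-alg>SHA256WithRSAEncryption</sign-alg>
    <keysize>2048</keysize>
    <tls-protocols>TLSv1.2</tls-protocols>
    <!-- ECDHE instead of static RSA key exchange: forward secrecy, AEAD -->
    <cipher-suites>
      <suite-name>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</suite-name>
    </cipher-suites>
  </ctlKeystore>
  <trustKeystore>
    <name>truststore.jks</name>
    <store-password>111111</store-password>
  </trustKeystore>
</aaa-cert-service-config>
```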
Then open org.opendaylight.ovsdb.library.cfg in opendaylight/etc and set use-ssl = true. This flag applies to both passive and active OVSDB connections, and, as the file header says, changing it requires a controller restart.

root@ubuntu:~/dcnv1r2/opendaylight/etc# vi org.opendaylight.ovsdb.library.cfg

root@ubuntu:~/dcnv1r2/opendaylight/etc# cat org.opendaylight.ovsdb.library.cfg
#********************************************************************************************
#                               Boot Time Configuration                                     *
#                   Config knob changes will require controller restart                     *
#********************************************************************************************
#Ovsdb plugin's (OVS, HwVtep) support both active and passive connections. OVSDB library by
#default listens on all IPs for switch initiated connections. Use following config
#knob for changing this default IP.
ovsdb-listener-ip = 0.0.0.0

#Ovsdb plugin's (OVS, HwVtep) support both active and passive connections. OVSDB library by
#default listens on port 6640 for switch initiated connection. Please use following config
#knob for changing this default port.
ovsdb-listener-port = 6640

#This flag will be enforced across all the connection's (passive and active) if set to true
use-ssl = true

#Set Json Rpc decoder max frame length value. If the OVSDB node contains large configurations
#that can cause connection related issue while reading the configuration from the OVSDB node
#database. Increasing the max frame length helps resolve the issue. Please see following bug
#report for more details ( https://bugs.opendaylight.org/show_bug.cgi?id=2732 &
#https://bugs.opendaylight.org/show_bug.cgi?id=2487). Default value set to 100000.
json-rpc-decoder-max-frame-length = 100000


#********************************************************************************************
#                               Run Time Configuration                                      *
#                   Config knob changes don't require controller restart                    *
#********************************************************************************************
#Timeout value (in milliseconds) after which the OVSDB RPC task will be cancelled. Default value is
#set to 1000ms; uncomment and override the value if required. Changing the value doesn't
#require a controller restart.
ovsdb-rpc-task-timeout = 1000

Finally, use Postman (or curl) to PUT to http://<controller IP>:8181/rests/data/network-topology:network-topology/topology=ovsdb%3A1 with the remote-ip and remote-port of the OVS device to connect to. RESTCONF requires authentication (HTTP Basic with an ODL user) and a Content-Type of application/json. A PUT on the topology resource replaces the configured content of the whole ovsdb:1 topology; to add a single switch without touching others, PUT the node itself at .../topology=ovsdb%3A1/node=ovsdb%3A%2F%2FHOST2 instead. The controller then opens the OVSDB connection to the switch:

{
    "topology": [
        {
            "topology-id": "ovsdb:1",
            "node": [
                {
                    "node-id": "ovsdb://HOST2",
                    "ovsdb:connection-info": {
                        "ovsdb:remote-ip": "10.190.51.111",
                        "ovsdb:remote-port": 6640
                    }
                }
            ]
        }
    ]
}

Check on the OVS side:

root@root12-virtual-machine:~# ovs-vsctl show
1db8fd94-c6ab-41f8-9993-bdc83a14c430
    Manager "pssl:6640"
        is_connected: true

Controller-side view (the screenshot of the controller UI is not reproduced here).

This completes verification of the OVSDB pssl connection.

1.6 OpenFlow SSL secure connection

For the OpenFlow SSL connection, configure the OVS side as follows (the switch connects to the controller's OpenFlow listener on 6653 and reuses the key, certificate and CA set with set-ssl):

# ovs-vsctl set-controller br-int ssl:10.190.23.66:6653

As in 1.5, edit the OpenFlow SSL configuration file in opendaylight/etc/opendaylight/datastore/initial/config, default-openflow-connection-config.xml, specifying the port, the transport protocol and the keystore paths. The keystore and truststore passwords, the certificate (key) password and the cipher suite must agree with what was set in 1.1 and 1.5; the same forward-secrecy concern about TLS_RSA_WITH_AES_128_CBC_SHA applies here:


root@ubuntu:~/dcnv1r2/opendaylight/etc/opendaylight/datastore/initial/config# cat default-openflow-connection-config.xml
<switch-connection-config xmlns="urn:opendaylight:params:xml:ns:yang:openflow:switch:connection:config">
  <instance-name>openflow-switch-connection-provider-default-impl</instance-name>
  <port>6653</port>
  <transport-protocol>TLS</transport-protocol>
  <group-add-mod-enabled>false</group-add-mod-enabled>
  <channel-outbound-queue-size>1024</channel-outbound-queue-size>
  <tls>
     <keystore>configuration/ssl/ctl.jks</keystore>
     <keystore-type>JKS</keystore-type>
     <keystore-path-type>PATH</keystore-path-type>
     <keystore-password>111111</keystore-password>
     <truststore>configuration/ssl/truststore.jks</truststore>
     <truststore-type>JKS</truststore-type>
     <truststore-path-type>PATH</truststore-path-type>
     <truststore-password>111111</truststore-password>
     <certificate-password>111111</certificate-password>
     <cipher-suites>TLS_RSA_WITH_AES_128_CBC_SHA</cipher-suites>
  </tls>
</switch-connection-config>

Check the OpenFlow connection on the OVS side:

root@root12-virtual-machine:~# ovs-vsctl show
1db8fd94-c6ab-41f8-9993-bdc83a14c430
    Manager "pssl:6640"
        is_connected: true
    Bridge br-int
        Controller "ssl:10.190.23.66:6653"
            is_connected: true
        Port br-int
            Interface br-int
                type: internal
        Port "veth2"
            Interface "veth2"
        Port "veth1"
            Interface "veth1"
    ovs_version: "2.9.8"

Controller-side view (the screenshot of the controller UI is not reproduced here).

This completes verification of the OpenFlow SSL connection.
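Probing either listener from the command line, as an added shell example that is not part of the original post. It serves both checks above: against the OVSDB listener pssl:6640 in 1.5 the controller is the TLS client, so the probe presents the controller key and certificate and verifies the switch against the switchca CA; against ODL's OpenFlow port 6653 in 1.6 the roles reverse, and the same function is called with the switch key, sc-cert.pem and controllerca/cacert.pem. The probe passes only if the peer chain verifies, and a second function pins the peer's SHA-256 fingerprint so that a verified handshake is also known to be with the intended device. Only openssl is needed; the demo builds an openssl-generated stand-in PKI and runs openssl s_server on 127.0.0.1:16640 in place of ovsdb-server, which, like OVS, demands a client certificate. Host, port, file names and subjects are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): mutual-TLS probe for the
# OVSDB (pssl:6640) and OpenFlow (ssl:...:6653) listeners, plus a constructed
# stand-in for both sides' PKI and for the switch's listener.
set -eu

# tls_probe HOST PORT KEY CERT CAFILE OUT
# Handshakes with HOST:PORT presenting KEY/CERT as the client identity and
# verifying the peer against CAFILE (-verify_return_error aborts on any chain
# error). Returns 0 only on a verified handshake; the peer's leaf certificate
# is written to OUT for pinning and the raw s_client transcript to OUT.raw.
tls_probe() {
  openssl s_client -connect "$1:$2" -key "$3" -cert "$4" -CAfile "$5" \
      -verify_return_error </dev/null >"$6.raw" 2>&1 || return 1
  grep -q 'Verify return code: 0 (ok)' "$6.raw" || return 1
  openssl x509 -in "$6.raw" -out "$6"
}

# peer_matches_pin PEERCERT EXPECTED: same SHA-256 fingerprint, so the peer is
# the device whose sc-cert.pem (or cacert.pem) we hold, not merely something
# the same CA signed.
peer_matches_pin() {
  [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# make_demo_pki DIR: constructed stand-in for what keytool (controller) and
# ovs-pki req+sign (switch) produce in the post:
#   DIR/cacert.pem + DIR/ctl-privkey.pem   self-signed controller identity
#   DIR/switchca.pem                       the switchca CA certificate
#   DIR/sc-cert.pem + DIR/sc-privkey.pem   switch identity signed by switchca
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=test/OU=sdn/CN=controller" \
    -keyout "$1/ctl-privkey.pem" -out "$1/cacert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Open vSwitch/OU=switchca/CN=demo switchca" \
    -keyout "$1/switchca-key.pem" -out "$1/switchca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Open vSwitch/CN=sc" \
    -keyout "$1/sc-privkey.pem" -out "$1/sc-req.pem" 2>/dev/null
  openssl x509 -req -in "$1/sc-req.pem" -CA "$1/switchca.pem" \
    -CAkey "$1/switchca-key.pem" -CAcreateserial -sha256 -days 3650 \
    -out "$1/sc-cert.pem" 2>/dev/null
}

# start_demo_switch DIR PORT: openssl s_server in place of ovsdb-server on
# pssl:PORT. It presents sc-cert.pem and, as OVS does, demands a client
# certificate that verifies against controllerca/cacert.pem (-Verify).
# Prints the server PID so the caller can kill it.
start_demo_switch() {
  openssl s_server -accept "$2" -www -cert "$1/sc-cert.pem" \
    -key "$1/sc-privkey.pem" -CAfile "$1/cacert.pem" -Verify 1 \
    >/dev/null 2>&1 &
  echo $!
}

run_demo() {
  work=$(mktemp -d)
  make_demo_pki "$work"
  pid=$(start_demo_switch "$work" 16640)
  sleep 1
  if tls_probe 127.0.0.1 16640 "$work/ctl-privkey.pem" "$work/cacert.pem" \
       "$work/switchca.pem" "$work/peer.pem" \
     && peer_matches_pin "$work/peer.pem" "$work/sc-cert.pem"; then
    echo "mutual TLS to 127.0.0.1:16640 verified; peer is sc-cert.pem"
  else
    echo "probe failed, see $work/peer.pem.raw" >&2
  fi
  kill "$pid"
}
if [ "${1:-}" = demo ]; then run_demo; fi
```

Run it as `sh tlsprobe.sh demo`. Against a real switch, `tls_probe <ovs-ip> 6640 <controller key> cacert.pem /var/lib/openvswitch/pki/switchca/cacert.pem peer.pem` from the controller host reproduces what ODL does when use-ssl is on, and a failure shows up in peer.pem.raw as a verify error or an alert before any ODL log has to be read.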

[Copyright notice] This article is original content by a Huawei Cloud community user; reproduction must credit the source (Huawei Cloud community), the article link and the author.