Mohamed, Tim is using the JKS - he pushes all that before connecting the OVS nodes to ODL.

Do you know if there are any timing issues with the JKS when ODL starts compared to when certs are added via REST? ovsdb southbound starts up and has the certificateManager which it uses to start the netty listening on 6640. Then client certs are added to ODL via REST. Then connections are attempted from the OVS nodes but they never connect. Reboot ODL and the connections then work. Could there be something in the reboot which actually gets the client certs applied? Or does the server context change when certs are applied? At startup the ovsdb southbound does certManagerSrv.getServerContext() and opens the listening channel. That same context is used when the incoming connections come in - ovsdb does not do another read of that context.

Thanks, Sam

On Thu, Mar 15, 2018 at 3:03 PM, Tim Rozet <[email protected]> wrote:
> Hi Mohamed,
> Right, that is one of the wiki pages I followed. There are several that I kind of had to merge the info together to get it to all work. The read from the trust store should work. I tested it manually and we have an unless here in puppet so we do not re-add the cert:
> https://github.com/openstack/puppet-neutron/blob/master/manifests/plugins/ovs/opendaylight.pp#L191
>
> We create a JKS for the controller keystore. For the trust store I believe ODL creates it on boot based on this config:
> https://git.opendaylight.org/gerrit/gitweb?p=integration/packaging/puppet-opendaylight.git;a=blob;f=templates/aaa-cert-config.xml.erb;h=d6faa891630cba1c4747f64ea977d07de08c6b65;hb=refs/heads/master
>
> Tim Rozet
> Red Hat SDN Team
>
> On Thu, Mar 15, 2018 at 2:41 PM, Mohamed El-Serngawy <[email protected]> wrote:
>> Hi,
>>
>> The logs attached with the bug are not really showing errors, just the aaa-cert service waiting for the aaa-encryption service, then it starts fine.
>>
>> Tim,
>>
>> I assume you followed the link at [0] to configure the SSL. After you add the OVS certificate using the REST API, can you just confirm that you are able to read the certificate from the trust-store? Are you using MDSAL or Java Key Store files?
>>
>> [0] https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
>>
>> On Thu, Mar 15, 2018 at 2:27 PM, Luis Gomez <[email protected]> wrote:
>>> I do not remember that issue when I tested OF TLS in the past, I will have to retest to confirm.
>>>
>>> On Mar 15, 2018, at 11:24 AM, Tim Rozet <[email protected]> wrote:
>>>
>>> Hi Luis,
>>> To clarify, we are not talking about SSL configuration here. We indeed configure the file you mentioned along with other config files (pax web, ovsdb) to only allow SSL/TLS, creating controller and trust stores. This is all done prior to ODL starting. The failure here is that ODL allows a REST implementation to add certificates to the trust store for OVS switches (which obviously implies ODL is up and running). At deploy time, we generate certificates for OVS and then add them via REST to ODL. At that point ODL should trust the switch and allow connections. However, OVSDB never seems to read again from the trust store (unless rebooted) and does not allow the switch to connect.
>>>
>>> Tim Rozet
>>> Red Hat SDN Team
>>>
>>> On Thu, Mar 15, 2018 at 1:55 PM, Luis Gomez <[email protected]> wrote:
>>>> AFAIR for ofp you need to modify this config file:
>>>>
>>>> /etc/opendaylight/datastore/initial/config/default-openflow-connection-config.xml
>>>>
>>>> which means you have to reboot the controller after.
>>>>
>>>> BR/Luis
>>>>
>>>> On Mar 15, 2018, at 10:42 AM, Sam Hague <[email protected]> wrote:
>>>>
>>>> Mo, and ofp devs,
>>>>
>>>> How do you handle openflow connections using SSL? We have the bug below where ODL is required to be restarted to pick up connections over SSL.
>>>>
>>>> Is that a design requirement that ODL has to be restarted, or is there a different config that can be used?
>>>>
>>>> Thanks, Sam
>>>>
>>>> https://jira.opendaylight.org/browse/OVSDB-449
>>>> _______________________________________________
>>>> integration-dev mailing list
>>>> [email protected]
>>>> https://lists.opendaylight.org/mailman/listinfo/integration-dev
>>
>> --
>> Mohamed ElSerngawy
>>
>> +1 438 993 2462
_______________________________________________ openflowplugin-dev mailing list [email protected] https://lists.opendaylight.org/mailman/listinfo/openflowplugin-dev
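The symptom discussed in this thread (a server SSL context built once at startup keeps trusting only the certificates present when it was built, so an OVS client certificate added later is rejected until the controller restarts) is the normal behaviour of a JSSE trust manager: TrustManagerFactory.init(KeyStore) snapshots the store, and SSLContext.init() holds on to that snapshot. The class below is an added example written for this page, not ODL or aaa-cert code, and it does not describe how ODL's CertificateManager actually stores or serves certificates. It assumes the setup Tim describes (a JKS trust store file on disk that the REST call ends up updating) and shows one way a context created once can still see later additions: a delegating X509TrustManager that stats the file on each handshake and rebuilds its delegate when the modification time changes. ReloadingTrustManager, serverContext and the fail-closed policy on reload errors are this example's own choices.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical example (not ODL code): an X509TrustManager that re-reads a JKS
 * trust store from disk when the file's modification time changes, so an
 * SSLContext initialised once at startup keeps honouring certificates that
 * are added to the store later, without restarting the process.
 */
public final class ReloadingTrustManager implements X509TrustManager {
    private final Path trustStorePath;      // assumed: a JKS file on disk
    private final char[] password;
    private FileTime loadedMtime;           // mtime of the store we last parsed
    private volatile X509TrustManager delegate;

    public ReloadingTrustManager(Path trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        this.trustStorePath = trustStorePath;
        this.password = password.clone();
        reload(Files.getLastModifiedTime(trustStorePath));
    }

    /** Parse the JKS and build a fresh JSSE trust manager from it. */
    private synchronized void reload(FileTime mtime) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                loadedMtime = mtime;
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available for " + trustStorePath);
    }

    /** Called on every handshake: a cheap stat() of the file, full reload only if it changed. */
    private void reloadIfChanged() throws CertificateException {
        try {
            FileTime now = Files.getLastModifiedTime(trustStorePath);
            synchronized (this) {
                if (!now.equals(loadedMtime)) {
                    reload(now);
                }
            }
        } catch (IOException | GeneralSecurityException e) {
            // Fail closed: if the store cannot be re-read, reject this peer rather than
            // silently continuing with whatever the stale delegate trusted.
            throw new CertificateException("cannot reload trust store " + trustStorePath, e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        reloadIfChanged();   // the connecting node's client certificate is checked against the current store
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        reloadIfChanged();
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /**
     * Build the server-side SSLContext once, as a listener would at startup, but
     * with the reloading trust manager so the context does not need to be rebuilt.
     */
    public static SSLContext serverContext(KeyManager[] keyManagers, Path trustStore, char[] password)
            throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, new TrustManager[] { new ReloadingTrustManager(trustStore, password) }, null);
        return ctx;
    }
}
```

Two practical points. First, getAcceptedIssuers() is what the server advertises in the CertificateRequest, so a client whose CA is only in the reloaded store still works because checkClientTrusted() reloads before the chain is verified; engines created from the context must still have setNeedClientAuth(true). Second, mtime granularity on some filesystems is one second, so two writes within the same second can be missed; comparing a digest of the file, or checking the trust store's own change notification where one exists, is the safer trigger when certificates are added through an API rather than by hand.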
