[ovs-discuss] Configure SSL on OVS

HEARNE, TIMOTHY S th1618 at att.com
Mon Aug 3 16:43:00 UTC 2015


Hello,

My team is attempting to configure SSL using OVS using ovs-vsctl interface.  I have been attempting to follow the instructions found at http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;f=INSTALL.SSL;hb=HEAD but have not been successful.  We currently have 2 mininet ubuntu 14.04 images implemented using Oracle VirtualBox.  We have done the following:
*       Created a 3rd network interface implemented using NAT (Static IPs:   master - 10.0.3.15; slave: 10.0.4.15) on eth2 of both images
*       Created a bridge on each
o       Master
*       sudo ovs-vsctl add-br br0
*       sudo ovs-vsctl add-port br0 eth2
*       sudo ifconfig br0 10.0.4.15/24 up
o       Slave
*       sudo ovs-vsctl add-br br1
*       sudo ovs-vsctl add-port br0 eth2
*       sudo ifconfig br0 10.0.3.15/24 up
*       Created keys on slave using "CONTROLLER KEY GENERATION" and "SWITCH KEY GENERATION WITH A SWITCH PKI (EASY METHOD)" instructions
o       cd /etc/openvswitch
o       sudo ovs-pki init
o       sudo ovs-pki req+sign ctl controller
o       sudo ovs-pki req+sign sc switch
   Notes on the key creation.  I did think that I ran the "ovs-pki init" statement on the master but the directories are there.
   After this point, I really am not sure what to do.  I have copied the keys from the slave into the same directories on the master.  I have run the following statement on both:
   Sudo ove-vsctl set-ssl \
     /etc/openvswitch/sc-privkey.pem \
     /etc/optnvswitch/sc-cert.pem \
     /var/lib/openvswitch/pki/controllerca/cacert.pem

   I have also tried to run the following statement:
   Sudo ovs-controller -v pssl:6633 \
     -p /etc/openvswitch/ctl-privkey.pem \
     -c /etc/openvswitch/ctl-cert.pem \
     -C /var/lib/openvswitch/pki/switchca/cecert.pem

   We have also tried various controller statements:
   sudo ovs-vsctl set-controller br1 ptcp:10.0.3.15:6633
   sudo ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem

Other items of note:
*       We can ping the IPs on eth2 and can use ssh to connect if we supply the password.
*       We can get non-OVS SSL to work on eth1 (used Oracle VirtualBox Host-Only Ethernet adapter and static IP) using non-OVS SSL generated using ssh-keygen.
*       We are attempting to minimize the number of images to reduce memory and CPU requirements for students.

Any suggestions / corrections to what we have done above will be greatly appreciated.

Thank you!

Tim Hearne

e-mail:  timothy.hearne at att.com




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20150803/b27f0855/attachment-0002.html>


More information about the discuss mailing list