5 SDN Controller authentication

5.1 SDN Controller security guidelines

The HP VAN SDN controller communicates with different components, both internal and external to the controller, via secure channels. This section documents these channels, their defaults, and how to configure them in a deployment environment.

5.2 SDN Controller authentication

The SDN Controller identifies itself via Public-Key Infrastructure (PKI) for its communication with external subsystems and other controllers. It uses a Java keystore and truststore to keep its private key and public key respectively. For REST APIs, the controller does not rely on the truststore to establish trust. Instead, it uses token authentication to authenticate the client. The client must present a valid token via the X-Auth-Header to authenticate itself with the controller. Token authentication is discussed more under "SDN Controller keystore and truststore locations and passwords" (page 64).

The controller ships with a self-signed certificate. Therefore, it is recommended that the self-signed certificate be replaced by a certificate signed by a reputable Certificate Authority (CA). Also, the default password for the keystore and truststore should be changed as well.

5.3 Creating SDN Controller keystore and truststore

1. Log in to the system running the SDN Controller and stop the controller.

2. As the SDN user (i.e. sudo - sdn), do the following:

3. Back up your default /opt/sdn/admin/keystore and /opt/sdn/admin/truststore to a safe location.

4. Create a new keystore using the following commands:

   cd /opt/sdn/admin
   rm keystore truststore
   keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore

You must specify a fully qualified domain name for your server in answer to the "first and last name" question, because some CAs, such as VeriSign, expect it.

5. Generate a CSR (Certificate Signing Request) for signing:

   keytool -keystore keystore -certreq -alias serverKey -keyalg rsa -file sdn-server.csr

6. Send the sdn-server.csr to a CA to be signed.

The CA will authenticate you and return a signed certificate and its CA certificate chain. We assume the signed certificate from the CA is named signed.cer and the CA's certificate is root.cer. If root.cer is from your own internal CA, then you need to import root.cer into your browser as an authority.

7. Import the CA's root certificate (root.cer) into both the keystore and the truststore:

   keytool -importcert -trustcacerts -keystore keystore -file root.cer -alias CARoot

   keytool -importcert -trustcacerts -keystore truststore -file root.cer -alias CARoot
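The following script is an added example, not part of the HP VAN SDN Controller or this guide, that carries out steps 3 to 7 above as one non-interactive procedure with the checks an operator would want: it refuses a CN that is not a fully qualified domain name (the CA requirement noted in step 4), refuses to run with an empty or very short keystore password, backs up the default stores before deleting them, and after the import lists the CARoot alias in both stores to confirm the import succeeded. It assumes the paths, aliases and file names used on this page (/opt/sdn/admin, serverKey, CARoot, sdn-server.csr, root.cer), that the JDK keytool is on PATH, and that the new store password is supplied in the SDN_KEYSTORE_PASS environment variable rather than typed at the prompts; the "import" mode goes one step beyond the page by also importing the CA-signed server certificate (signed.cer) under the serverKey alias, which is the standard keytool follow-on once the CA chain is trusted.

```shell
#!/bin/sh
# Added example (not HP's tooling): automates the keystore/truststore
# procedure from section 5.3. Paths, aliases and file names are the ones
# the guide uses; SDN_ADMIN_DIR and BACKUP_DIR may be overridden for testing.
set -eu

SDN_ADMIN_DIR="${SDN_ADMIN_DIR:-/opt/sdn/admin}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/sdn-keystore-$(date +%Y%m%d%H%M%S)}"

# CAs reject a bare hostname in the CN, so require a dotted FQDN:
# labels of letters/digits/hyphens, at least one dot, alphabetic TLD.
is_fqdn() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Distinguished name for keytool -dname, so -genkey runs without prompts.
# Arguments: fqdn org-unit org locality state country
build_dname() {
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# The guide says to change the shipped default store password; at minimum
# insist on a non-trivial one (the default value itself is not reproduced here).
check_password() {
    [ "${#1}" -ge 8 ]
}

# Step 3: copy the shipped keystore and truststore aside before removing them.
backup_defaults() {
    mkdir -p "$BACKUP_DIR"
    cp -p "$SDN_ADMIN_DIR/keystore" "$SDN_ADMIN_DIR/truststore" "$BACKUP_DIR"/
}

# Step 4: fresh keystore holding a 2048-bit RSA key under alias serverKey.
create_keystore() {
    cd "$SDN_ADMIN_DIR"
    rm -f keystore truststore
    keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore \
        -storepass "$SDN_KEYSTORE_PASS" -keypass "$SDN_KEYSTORE_PASS" -dname "$1"
}

# Step 5: CSR for the serverKey entry, to be sent to the CA.
generate_csr() {
    keytool -keystore "$SDN_ADMIN_DIR/keystore" -certreq -alias serverKey -keyalg rsa \
        -file "$SDN_ADMIN_DIR/sdn-server.csr" -storepass "$SDN_KEYSTORE_PASS"
}

# Step 7: trust the CA root in both stores (the truststore is created here,
# since step 4 removed it). -noprompt replaces the interactive "Trust this?" answer.
import_ca_root() {
    for store in keystore truststore; do
        keytool -importcert -trustcacerts -noprompt -keystore "$SDN_ADMIN_DIR/$store" \
            -file "$1" -alias CARoot -storepass "$SDN_KEYSTORE_PASS"
    done
}

# Beyond the page: install the CA-signed server certificate on the serverKey entry.
import_signed_cert() {
    keytool -importcert -trustcacerts -noprompt -keystore "$SDN_ADMIN_DIR/keystore" \
        -file "$1" -alias serverKey -storepass "$SDN_KEYSTORE_PASS"
}

# Post-import check: CARoot must be listed in both stores.
verify_stores() {
    for store in keystore truststore; do
        keytool -list -keystore "$SDN_ADMIN_DIR/$store" -alias CARoot \
            -storepass "$SDN_KEYSTORE_PASS" >/dev/null
    done
}

# Usage:  generate FQDN OU O L ST C     (steps 3-5, produces sdn-server.csr)
#         import root.cer [signed.cer]  (step 7, optional signed-cert install)
main() {
    check_password "${SDN_KEYSTORE_PASS:-}" || {
        echo "SDN_KEYSTORE_PASS must be set to a new password of 8+ characters" >&2; return 1; }
    case "$1" in
        generate)
            is_fqdn "$2" || { echo "CN must be a fully qualified domain name: $2" >&2; return 1; }
            backup_defaults
            create_keystore "$(build_dname "$2" "$3" "$4" "$5" "$6" "$7")"
            generate_csr
            echo "CSR written to $SDN_ADMIN_DIR/sdn-server.csr; backups in $BACKUP_DIR" ;;
        import)
            import_ca_root "$2"
            [ "$#" -ge 3 ] && import_signed_cert "$3"
            verify_stores && echo "CARoot present in keystore and truststore" ;;
        *)  echo "usage: $0 generate FQDN OU O L ST C | import root.cer [signed.cer]" >&2; return 1 ;;
    esac
}

# Only run the procedure when invoked with arguments, so the file can be sourced for its functions.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it as the sdn user with the controller stopped, for example `SDN_KEYSTORE_PASS=... ./sdn-keystore.sh generate sdn.example.com Networking ExampleCorp Roseville California US`, send the CSR to the CA, then `./sdn-keystore.sh import root.cer signed.cer`. Keeping the password in an environment variable rather than on the command line keeps it out of process listings and shell history; the pre-flight checks fail closed, so a bad CN or a weak password stops the script before the shipped stores are touched.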

5.1 SDN Controller security guidelines 63