[OVSDB-296] TLS connectivity support between ovsdb and controller is missing in the southbound plugin. Created: 10/Feb/16 Updated: 30/Oct/17 Resolved: 03/Feb/17 |
|
| Status: | Resolved |
| Project: | ovsdb |
| Component/s: | Southbound.Open_vSwitch |
| Affects Version/s: | unspecified |
| Fix Version/s: | None |
| Type: | Improvement | ||
| Reporter: | srinivasa rao tagirisa | Assignee: | Mohamed ElSerngawy |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: | Operating System: All |
| Description |
|
In the OvsdbConnectionService class, TLS connectivity is not enabled for the ovsdb channel at port 6640. The SSLContext needs to be initialized with the parameters from the keystore files, the way it was implemented for the OpenFlow channel, and the tcp/ssl option needs to be handled appropriately.
Srinivasa Rao Tagirisa |
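As an added illustration of the initialization the description asks for (example code written for this page, not code from the OVSDB project or from the reporter's patch): it loads a JKS keystore and truststore, builds the SSLContext, and fails closed when TLS is requested but the material cannot be loaded, instead of falling back to a plaintext listener. The `ovsdb.tls.*` property names, the class name and the `TlsConfigException` type are assumptions chosen for the example; in a real deployment the values would come from the controller's configuration subsystem rather than bare system properties.

```java
// Added example (not OVSDB project code): build a server-side SSLContext for the
// OVSDB listener from a JKS keystore and truststore, failing closed when TLS is
// requested but the material cannot be loaded. Property names are hypothetical.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

public final class OvsdbTlsContextExample {

    /** Raised when TLS was requested but the context could not be built; callers must not downgrade to plaintext. */
    public static final class TlsConfigException extends Exception {
        TlsConfigException(String msg, Throwable cause) { super(msg, cause); }
    }

    // Loads a JKS keystore; try-with-resources closes the stream on every path.
    private static KeyStore loadJks(String path, char[] password) throws IOException, GeneralSecurityException {
        if (path == null || path.isEmpty()) {
            throw new IOException("keystore path not configured");
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds an SSLContext that presents the controller certificate from the keystore and
     * accepts only OVSDB peers whose certificate chains to a CA in the truststore.
     */
    public static SSLContext buildServerContext(String keyStorePath, char[] keyStorePassword,
                                                String trustStorePath, char[] trustStorePassword)
            throws TlsConfigException {
        try {
            KeyStore ks = loadJks(keyStorePath, keyStorePassword);
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyStorePassword);

            KeyStore ts = loadJks(trustStorePath, trustStorePassword);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } catch (IOException | GeneralSecurityException e) {
            // Propagate instead of logging and continuing: a broken TLS setup must not
            // silently become a plaintext OVSDB listener.
            throw new TlsConfigException("cannot initialise TLS context for the OVSDB listener", e);
        }
    }

    /** Reads the on/off switch without the NullPointerException that x.equals("true") gives for an unset property. */
    public static boolean tlsRequested(String secureChannelProperty) {
        return Boolean.parseBoolean(secureChannelProperty);
    }

    public static void main(String[] args) throws Exception {
        if (!tlsRequested(System.getProperty("ovsdb.tls.enabled"))) {
            System.out.println("TLS not requested; plaintext listener on 6640");
            return;
        }
        SSLContext ctx = buildServerContext(
                System.getProperty("ovsdb.tls.keystore"),
                System.getProperty("ovsdb.tls.keystorePassword", "").toCharArray(),
                System.getProperty("ovsdb.tls.truststore"),
                System.getProperty("ovsdb.tls.truststorePassword", "").toCharArray());
        // The context is then handed to the listener; each engine runs in server mode and
        // requires a client certificate, which covers the "and vice versa" half of the use case.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(true);
        System.out.println("TLS listener context ready, protocols: "
                + String.join(",", engine.getEnabledProtocols()));
    }
}
```

The point of the `TlsConfigException` path is the fail-closed behaviour: if the operator asked for TLS and the keystore cannot be read, the listener never starts in the clear, so a misconfiguration is noticed at startup rather than discovered later as an unauthenticated port 6640.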
| Comments |
| Comment by Sam Hague [ 10/Feb/16 ] |
|
Srini, when you say southbound plugin you mean the Southbound that uses the OVSDB library right? What is the expected use case? This would help come up with how we update the models to enable the support. |
| Comment by srinivasa rao tagirisa [ 11/Feb/16 ] |
|
Hi Sam, You are correct. I am referring to the southbound plugin. Potentially, we may have these OVS-enabled switches in the public domain. The use case is that we would like to prevent a rogue controller from connecting to our switch and vice versa. Therefore, we would like to enable TLS/SSL for the ovsdb channel. The openflow plugin supports SSL/TLS. I see that the southbound plugin has the API implementation to start a TLS-based server. What is missing is the SSLContext initialization and the related configuration support from what I understand. Pls let me know if you need more info. thx, |
| Comment by srinivasa rao tagirisa [ 16/Feb/16 ] |
|
Hi Sam & Anil, I kind of implemented the SSL feature for ovsdb. Currently, OVSDB port information is hard-coded in the SouthboundConstants.java file; however, I would like to make the certificate file paths configurable and would like to read them from the config file "custom.properties". There was an implementation in the plugin module which seems to read config information from the custom.properties file. Do you have any suggestions on any particular preference? thx, |
| Comment by Sam Hague [ 16/Feb/16 ] |
|
Srinivasa, look at the utils.config bundle and there are methods for reading the custom.properties file. There is also the typical config subsystem xml files that can be used. We need to work through which file we want to use going forward. custom.properties was the older method and config subsystem is newer. Using config lets us use RESTCONF to change the config though so it is an advantage. I would like to know though if we need that config in the Southbound. Is there a certificate or authentication bundle in ODL that has a mechanism for adding certificates? Anil, any idea if AAA does this? I will add Ryan to this bug to see if he has some pointers. |
| Comment by Anil Vishnoi [ 16/Feb/16 ] |
|
AAA is more for northbound authentication and it does not really get into southbound device management. But having a centralized place where we can put controller-related certificates is probably a good idea. Ryan, any thoughts? |
| Comment by srinivasa rao tagirisa [ 18/Feb/16 ] |
|
Hi Sam, The custom.properties and system.properties contents are getting overwritten every time I make a new build. For example, I would like to make the path of the custom.properties and certificate files configurable. What are the options I have? I can probably set system properties in the pom.xml file or a command-line arg. thx, |
| Comment by srinivasa rao tagirisa [ 18/Feb/16 ] |
|
Hi Sam, Here are the code changes that work. Ideally, I would like to use the ConfigProperties.java or the other config subsystem you were referring to. 
diff --git a/library/impl/src/main/java/org/opendaylight/ovsdb/lib/impl/OvsdbConnectionService.java b/library/impl/src/main/java/org/opendaylight/ovsdb/lib/impl/OvsdbConnectio import java.net.InetAddress; + + // display new properties + String secureChannel = System.getProperty("secureChannelEnabled"); + String controllerKeyStore = System.getProperty("controllerKeyStore"); + String controllerKeyStorePassword = System.getProperty("controllerKeyStorePassword"); + String controllerTrustStore = System.getProperty("controllerTrustStore"); + String controllerTrustStorePassword = System.getProperty("controllerTrustStorePassword"); + + LOG.info("invoke connectWithSsl check channel"); + if (secureChannel.equals("true")) { + LOG.info("invoke connectWithSsl check channel true"); + TrustManagerFactory tmf = null; + KeyManagerFactory kmf = null; + try { + FileInputStream tsf = new FileInputStream(controllerTrustStore); + KeyStore ts = KeyStore.getInstance("JKS"); + ts.load(tsf, controllerTrustStorePassword.toCharArray()); + tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + tmf.init(ts); + LOG.info("invoke connectWithSsl tm init done"); + + FileInputStream ksf = new FileInputStream(controllerKeyStore); + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(ksf, controllerKeyStorePassword.toCharArray()); + kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); + kmf.init(ks, controllerKeyStorePassword.toCharArray()); + LOG.info("invoke connectWithSsl ks init done"); + + SSLContext ctx = SSLContext.getInstance("TLS"); + ctx.init(kmf == null ? null : kmf.getKeyManagers(), + tmf == null ? null : tmf.getTrustManagers(), + null); + + LOG.info("invoke connectWithSsl"); + return connectWithSsl(address,port,ctx); + } catch (Exception e) { + LOG.warn("bootstrap.connect failed", e); + } + } + return connectWithSsl(address, port, null /* SslContext */); } @Override 
@@ -225,6 +287,60 @@ public class OvsdbConnectionService implements AutoCloseable, OvsdbConnection { * passive connection handle channel callbacks. */ private static void ovsdbManager(int port) { + LOG.info("custom.properties" + System.getProperty("custom.properties")); + // set up new properties object + // from file + try {+ FileInputStream propFile = new FileInputStream(System.getProperty("custom.properties"));+ Properties p = new Properties(System.getProperties());+ p.load(propFile);+ // set the system properties+ System.setProperties(p);++ } catch (Exception ee) { + LOG.warn(" custom properties open failed", ee); + }+ catch (Exception e) { + LOG.warn("bootstrap.connect failed", e); + }+ |
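Review bot: In the first hunk (the `connect` path), the `catch (Exception e)` around the TLS set-up only logs `bootstrap.connect failed` and then falls through to `return connectWithSsl(address, port, null /* SslContext */)`, so a missing keystore, a wrong password or an unreadable truststore silently downgrades the connection to the non-TLS path even though `secureChannelEnabled` is `true`; the failure should propagate (rethrow, or return a failed connection) rather than fall back. Two smaller points in the same hunk: `secureChannel.equals("true")` throws a NullPointerException whenever the property is not set, so use `Boolean.parseBoolean(secureChannel)` or `"true".equals(secureChannel)`; and the two `FileInputStream`s (`tsf`, `ksf`) are never closed, so open them in try-with-resources. The `kmf == null ? null : kmf.getKeyManagers()` and `tmf == null ? null : tmf.getTrustManagers()` guards are dead code, since both factories are assigned before `ctx.init` is reached, and the `LOG.info("invoke connectWithSsl ...")` lines read as debugging traces that should be removed or lowered to debug level before merge.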
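Review bot: In the `ovsdbManager` hunk the single `try` block is followed by two `catch (Exception ...)` clauses (`ee` and then `e`); the second catches a type the first already handles, which javac rejects as an already-caught exception, so the hunk does not compile as pasted. Drop the second `catch`, and its misleading `bootstrap.connect failed` message with it. Also close `propFile` with try-with-resources, and reconsider `System.setProperties(p)`: replacing the whole system property table from inside one bundle is a process-wide side effect on every other bundle in the container, and reading single keys from the loaded `Properties` object would avoid it. Note too that the path comes from a `custom.properties` system property nothing in the hunk sets; when it is absent, `new FileInputStream(System.getProperty("custom.properties"))` throws a NullPointerException that is swallowed by the catch and logged only as `custom properties open failed`, which hides the real cause. The `LOG.info("custom.properties" + ...)` concatenation should also use a `{}` placeholder like the other log calls in the file.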
| Comment by Sam Hague [ 18/Feb/16 ] |
|
(In reply to srinivasa rao tagirisa from comment #6) Srini, the custom.properties files are fixed so we can't change that. For the patch to the certificates we should find a common solution for ODL. Below is the email from Mohamed describing some work we could leverage. I will start a discussion with Ryan Goulding to see what can be done. Thanks, Sam
====================
There is a patch on aaa that will be used for managing the certificate authentication https://git.opendaylight.org/gerrit/#/c/30166/. I think this could help in the certificate side implementation. Thanks |
| Comment by Vishal Thapar [ 29/Jun/16 ] |
|
Any updates on this? This was the last mail on this: https://lists.opendaylight.org/pipermail/ovsdb-dev/2016-February/002620.html Did we reach any conclusion? Any wiki describing how to setup certificates and do we have some code to use them for OVSDB? |
| Comment by Anil Vishnoi [ 03/Feb/17 ] |
|
Carbon: https://git.opendaylight.org/gerrit/#/c/48482/
Wiki Page: https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication |