https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/OVSDB-296 ovsdb <p>In the OvsdbConnectionService class, the TLS connectivity is not enabled for the ovsdb channel at port 6640. The SSLContext needs to be initialized with the parameters from the keystore files like the way it was implemented for openflow channel and the tcp/ssl option needs to be handled appropriately.</p> <p> /**</p> <ul> <li>OVSDB Passive listening thread that uses Netty ServerBootstrap to open</li> <li>passive connection handle channel callbacks.<br/> */<br/> private static void ovsdbManager(int port) { ovsdbManagerWithSsl(port, null /* SslContext */); }</li> </ul> <p> /**</p> <p>Srinivasa Rao Tagirisa</p> <p>Operating System: All<br/> Platform: All</p> OVSDB-296

TLS connectivity support between ovsdb and controller is missing in the southbound plugin.

Improvement Resolved Done Mohamed ElSerngawy srinivasa rao tagirisa Wed, 10 Feb 2016 20:57:23 +0000 Mon, 30 Oct 2017 19:52:44 +0000 Fri, 3 Feb 2017 00:57:15 +0000 unspecified Southbound.Open_vSwitch 0 5 <p>Srini, when you say southbound plugin you mean the Southbound that uses the OVSDB library right?</p> <p>What is the expected use case? This would help come up with how we update the models to enable the support.</p> <p>Hi Sam,</p> <p>You are correct. I am referring to southbound plugin. Potentially, we may have these ovs enabled switches in the public domain.The use case is that we would like to prevent rogue controller from connecting to our switch and vice versa. Therefore, we would like to enable TLS/SSL for the ovsdb channel. The openflow plugin supports SSL/TLS. I see that the southbound plugin has the API implementation to start a TLS based server. What is missing is the SSLContext initialization and the related configuration support from what I understand.</p> <p>Pls let me know if you need more info.</p> <p>thx,<br/> Srini.</p> <p>Hi Sam &amp; Anil,</p> <p>I kind of implemented the SSL feature for ovsdb. Currently, OVSDB port information is hard coded in SouthboundConstants.java file; however, I would like to make certificate files path configurable and like to read from the config file - "custom.properties". There was an implementation in the plugin module which seem to read config information from custom.properties file. Do you have any suggestions on any particular preference ?</p> <p>thx,<br/> Srini</p> <p>Srinivasa,</p> <p>look at the utils.config bundle and there are methods for reading the custom.properties file.</p> <p>There is also the typical config subsystem xml files that can be used.</p> <p>We need to work through which file we want to use going forward. custom.properties was the older method and config subsystem is newer. Using config lets us use RESTCONF to change the config though so it is an advantage.</p> <p>I would like to know though if we need that config in the Southbound. Is there a certificate or authentication bundle in ODL that has a mechanism for adding certificates? Anil, any idea if AAA does this? I will add Ryan to this bug to see if he has some pointers.</p> <p>AAA is more over for north bound authentication and it does not really get into southbound device management. But having a centralize place where we can put controller related certificates is probably a good idea. Ryan any thoughts ?</p> <p>Hi Sam,</p> <p>The custom.properties and system.properties contents are getting overwritten every time I make a new build. For example, I would like to make the path of the custom.properties and certificate files configurable. What are the options I have ? I can probably set system properties in pom.xml file or a command line arg.</p> <p>thx,<br/> Srini.</p> <p>Hi Sam,</p> <p>Here are the code changes that work. Ideally, I would like to use the ConfigProperties.java or the other config subsystem you were referring to.</p> <p>diff --git a/library/impl/src/main/java/org/opendaylight/ovsdb/lib/impl/OvsdbConnectionService.java b/library/impl/src/main/java/org/opendaylight/ovsdb/lib/impl/OvsdbConnectio<br/> index 98ad086..7dfff76 100644<br/> &#8212; a/library/impl/src/main/java/org/opendaylight/ovsdb/lib/impl/OvsdbConnectionService.java<br/> +++ b/library/impl/src/main/java/org/opendaylight/ovsdb/lib/impl/OvsdbConnectionService.java<br/> @@ -29,6 +29,13 @@ import io.netty.handler.ssl.SslHandler;<br/> import javax.net.ssl.SSLContext;<br/> import javax.net.ssl.SSLEngine;<br/> import javax.net.ssl.SSLEngineResult.HandshakeStatus;<br/> +import java.io.FileInputStream;<br/> +import java.security.KeyStore;<br/> +import javax.net.ssl.KeyManagerFactory;<br/> +import javax.net.ssl.TrustManagerFactory;<br/> +import java.util.Properties;</p> <p> import java.net.InetAddress;<br/> import java.util.Arrays;<br/> @@ -92,6 +99,61 @@ public class OvsdbConnectionService implements AutoCloseable, OvsdbConnection {<br/> }<br/> @Override<br/> public OvsdbClient connect(final InetAddress address, final int port) {<br/> + // PLUME<br/> + LOG.info("Custom Properties" + System.getProperty("custom.properties"));<br/> + // set up new properties object<br/> + // from file "myProperties.txt"<br/> + try </p> { + FileInputStream propFile = new FileInputStream(System.getProperty("custom.properties")); + Properties p = new Properties(System.getProperties()); + p.load(propFile); + // set the system properties + System.setProperties(p); + + } catch (Exception ee) { + LOG.warn(" custom properties open failed", ee); + }<br/> +<br/> + // display new properties<br/> + String secureChannel = System.getProperty("secureChannelEnabled");<br/> + String controllerKeyStore = System.getProperty("controllerKeyStore");<br/> + String controllerKeyStorePassword = System.getProperty("controllerKeyStorePassword");<br/> + String controllerTrustStore = System.getProperty("controllerTrustStore");<br/> + String controllerTrustStorePassword = System.getProperty("controllerTrustStorePassword");<br/> +<br/> + LOG.info("invoke connectWithSsl check channel");<br/> + if (secureChannel.equals("true")) {<br/> + LOG.info("invoke connectWithSsl check channel true");<br/> + TrustManagerFactory tmf = null;<br/> + KeyManagerFactory kmf = null;<br/> + try { + FileInputStream tsf = new FileInputStream(controllerTrustStore); + KeyStore ts = KeyStore.getInstance("JKS"); + ts.load(tsf, controllerTrustStorePassword.toCharArray()); + tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + tmf.init(ts); + LOG.info("invoke connectWithSsl tm init done"); + + FileInputStream ksf = new FileInputStream(controllerKeyStore); + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(ksf, controllerKeyStorePassword.toCharArray()); + kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); + kmf.init(ks, controllerKeyStorePassword.toCharArray()); + LOG.info("invoke connectWithSsl ks init done"); + + SSLContext ctx = SSLContext.getInstance("TLS"); + ctx.init(kmf == null ? null : kmf.getKeyManagers(), + tmf == null ? null : tmf.getTrustManagers(), + null); + + LOG.info("invoke connectWithSsl"); + return connectWithSsl(address,port,ctx); + } catch (Exception e) { + LOG.warn("bootstrap.connect failed", e); + }<br/> + }<br/> +<br/> <br/> return connectWithSsl(address, port, null /* SslContext */);<br/> }<br/> @Override<br/> @@ -225,6 +287,60 @@ public class OvsdbConnectionService implements AutoCloseable, OvsdbConnection {<br/> * passive connection handle channel callbacks.<br/> */<br/> private static void ovsdbManager(int port) {<br/> + LOG.info("custom.properties" + System.getProperty("custom.properties"));<br/> + // set up new properties object<br/> + // from file<br/> + try {+ FileInputStream propFile = new FileInputStream(System.getProperty("custom.properties"));+ Properties p = new Properties(System.getProperties());+ p.load(propFile);+ // set the system properties+ System.setProperties(p);++ } <p> catch (Exception ee) </p> { + LOG.warn(" custom properties open failed", ee); + } <p>+<br/> + // display new properties<br/> + String secureChannel = System.getProperty("secureChannelEnabled");<br/> + String controllerKeyStore = System.getProperty("controllerKeyStore");<br/> + String controllerKeyStorePassword = System.getProperty("controllerKeyStorePassword");<br/> + String controllerTrustStore = System.getProperty("controllerTrustStore");<br/> + String controllerTrustStorePassword = System.getProperty("controllerTrustStorePassword");<br/> + LOG.info("invoke connectWithSsl check channel");<br/> + if (secureChannel.equals("true")) {<br/> + LOG.info("invoke connectWithSsl check channel true");<br/> + TrustManagerFactory tmf = null;<br/> + KeyManagerFactory kmf = null;<br/> + try </p> { + FileInputStream tsf = new FileInputStream(controllerTrustStore); + KeyStore ts = KeyStore.getInstance("JKS"); + ts.load(tsf, controllerTrustStorePassword.toCharArray()); + tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + tmf.init(ts); + LOG.info("invoke connectWithSsl tm init done"); + + FileInputStream ksf = new FileInputStream(controllerKeyStore); + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(ksf, controllerKeyStorePassword.toCharArray()); + kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); + kmf.init(ks, controllerKeyStorePassword.toCharArray()); + LOG.info("invoke connectWithSsl ks init done"); + + SSLContext ctx = SSLContext.getInstance("TLS"); + ctx.init(kmf == null ? null : kmf.getKeyManagers(), + tmf == null ? null : tmf.getTrustManagers(), + null); + + LOG.info("invoke connectWithSsl"); + ovsdbManagerWithSsl(port, ctx /* SslContext */); + return; + } <p> catch (Exception e) </p> { + LOG.warn("bootstrap.connect failed", e); + } <p>+<br/> + }<br/> +<br/> ovsdbManagerWithSsl(port, null /* SslContext */);<br/> }</p> <p>(In reply to srinivasa rao tagirisa from comment #6)<br/> &gt; Hi Sam,<br/> &gt; <br/> &gt; The custom.properties and system.properties contents are getting overwritten<br/> &gt; every time I make a new build. For example, I would like to make the path of<br/> &gt; the custom.properties and certificate files configurable. What are the<br/> &gt; options I have ? I can probably set system properties in pom.xml file or a<br/> &gt; command line arg.<br/> &gt; <br/> &gt; thx,<br/> &gt; Srini.</p> <p>Srini,</p> <p>the custom.properties files are fixed so we can't change that. For the patch to the certificates we should find a common solution for ODL. Below is the email from Mohamed describing some work we could leverage. I will start a discussion with Ryan Goulding to see what can be done.</p> <p>Thanks, Sam</p> <p>====================<br/> Hi Srinivasa,</p> <p>There is a patch on aaa will be use for managing the certificate authentication <a href="https://git.opendaylight.org/gerrit/#/c/30166/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/30166/</a>. I think this could help in the certificate side implementation.</p> <p>Thanks</p> <p>Any updates on this? This was the last mail on this: <a href="https://lists.opendaylight.org/pipermail/ovsdb-dev/2016-February/002620.html" class="external-link" target="_blank" rel="nofollow noopener">https://lists.opendaylight.org/pipermail/ovsdb-dev/2016-February/002620.html</a></p> <p>Did we reach any conclusion? Any wiki describing how to setup certificates and do we have some code to use them for OVSDB?</p> <p>Carbon : <a href="https://git.opendaylight.org/gerrit/#/c/48482/" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/#/c/48482/</a></p> <p>Wiki Page : <a href="https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication" class="external-link" target="_blank" rel="nofollow noopener">https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication</a></p> Development External issue ID 5306 External issue URL Issue Type Rank 0|i021uv: