Hello,
My team is attempting to configure SSL for OVS using the ovs-vsctl interface. I
have been attempting to follow the instructions found at
http://git.openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;f=INSTALL.SSL;hb=HEAD
but have not been successful. We currently have 2 mininet ubuntu 14.04 images
implemented using Oracle VirtualBox. We have done the following:
* Created a 3rd network interface implemented using NAT (Static IPs:
  master - 10.0.3.15; slave: 10.0.4.15) on eth2 of both images
* Created a bridge on each
  o Master
    * sudo ovs-vsctl add-br br0
    * sudo ovs-vsctl add-port br0 eth2
    * sudo ifconfig br0 10.0.4.15/24 up
  o Slave
    * sudo ovs-vsctl add-br br1
    * sudo ovs-vsctl add-port br0 eth2
    * sudo ifconfig br0 10.0.3.15/24 up
* Created keys on slave using "CONTROLLER KEY GENERATION" and "SWITCH KEY
  GENERATION WITH A SWITCH PKI (EASY METHOD)" instructions
  o cd /etc/openvswitch
  o sudo ovs-pki init
  o sudo ovs-pki req+sign ctl controller
  o sudo ovs-pki req+sign sc switch
Notes on the key creation. I did think that I ran the "ovs-pki init"
statement on the master but the directories are there.
After this point, I really am not sure what to do. I have copied the keys
from the slave into the same directories on the master. I have run the
following statement on both:
    sudo ovs-vsctl set-ssl \
        /etc/openvswitch/sc-privkey.pem \
        /etc/optnvswitch/sc-cert.pem \
        /var/lib/openvswitch/pki/controllerca/cacert.pem
I have also tried to run the following statement:
    sudo ovs-controller -v pssl:6633 \
        -p /etc/openvswitch/ctl-privkey.pem \
        -c /etc/openvswitch/ctl-cert.pem \
        -C /var/lib/openvswitch/pki/switchca/cecert.pem
We have also tried various controller statements:
    sudo ovs-vsctl set-controller br1 ptcp:10.0.3.15:6633
    sudo ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem \
        /etc/openvswitch/sc-cert.pem /var/lib/openvswitch/pki/controllerca/cacert.pem
Other items of note:
* We can ping the IPs on eth2 and can use ssh to connect if we supply the
  password.
* We can get non-OVS SSL to work on eth1 (used Oracle VirtualBox
  Host-Only Ethernet adapter and static IP) using non-OVS SSL generated using
  ssh-keygen.
* We are attempting to minimize the number of images to reduce memory and
  CPU requirements for students.
Any suggestions / corrections to what we have done above will be greatly
appreciated.
Thank you!
Tim Hearne
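
A preflight for the `ovs-vsctl set-ssl` and `set-controller` steps described in the message above, added here as an example and not part of the original post or of Open vSwitch. It only checks that each path is readable and holds the expected PEM type, and that the controller target uses an SSL connection method; the function names are hypothetical, and it does not verify that the certificate chains to the CA.

```shell
#!/bin/sh
# Added example (not from the original post): offline preflight for the three
# files given to `ovs-vsctl set-ssl` and for the controller target string.
# All function names here are hypothetical.

# pem_kind FILE: print "key", "cert", "unknown" or "missing" for FILE.
pem_kind() {
    [ -r "$1" ] || { echo missing; return 0; }
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo key
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo cert
    else
        echo unknown
    fi
}

# check_set_ssl PRIVKEY CERT CACERT: same argument order as `ovs-vsctl set-ssl`.
# Returns 0 only if each path is readable and holds the expected PEM type, so a
# mistyped path or swapped key/certificate arguments are reported up front.
check_set_ssl() {
    rc=0
    for pair in "key:$1" "cert:$2" "cert:$3"; do
        want=${pair%%:*}
        file=${pair#*:}
        got=$(pem_kind "$file")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $file: expected $want, found $got" >&2
            rc=1
        fi
    done
    return "$rc"
}

# controller_is_ssl TARGET: succeed only for the SSL connection methods
# (ssl: active, pssl: passive); tcp: and ptcp: carry OpenFlow in cleartext.
controller_is_ssl() {
    case "$1" in
        ssl:*|pssl:*) return 0 ;;
        *) echo "FAIL: $1 is not an SSL connection method" >&2; return 1 ;;
    esac
}

# Usage: sh preflight.sh PRIVKEY CERT CACERT TARGET
if [ "$#" -eq 4 ]; then
    check_set_ssl "$1" "$2" "$3" || exit 1
    controller_is_ssl "$4" || exit 1
    echo "preflight ok"
fi
```

Run it on each host with the same three paths passed to `set-ssl` and the target passed to `set-controller`, before restarting the switch or controller.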