Hi Sam, I'm not quite sure what could be causing this issue; I suppose there is no need to restart. "getServerContext()" will be executed every time a connection is established. Will try to reproduce it today.
thanks

On Sun, Mar 18, 2018 at 11:01 AM, Sam Hague <[email protected]> wrote:
> Mohamed,
>
> Tim is using the JKS - he pushes all that before connecting the OVS nodes to ODL.
>
> Do you know if there is any timing issue with the JKS when ODL starts compared to when certs are added via REST? ovsdb southbound starts up and has the certificateManager, which it uses to start the netty listener on 6640. Then client certs are added to ODL via REST. Then connections are attempted from the OVS nodes, but they never connect. Reboot ODL and the connections then work.
>
> Could there be something in the reboot which actually gets the client certs applied?
>
> Or does the server context change when certs are applied? At startup the ovsdb southbound does certManagerSrv.getServerContext() and opens the listening channel. That same context is used when the incoming connections come in - ovsdb does not do another read of that context.
>
> Thanks, Sam
>
> On Thu, Mar 15, 2018 at 3:03 PM, Tim Rozet <[email protected]> wrote:
>
>> Hi Mohamed,
>> Right, that is one of the wiki pages I followed. There are several that I kind of had to merge the info together to get it all to work. The read from the trust store should work. I tested it manually, and we have an unless here in puppet so we do not re-add the cert:
>> https://github.com/openstack/puppet-neutron/blob/master/manifests/plugins/ovs/opendaylight.pp#L191
>>
>> We create a JKS for the controller keystore. For the trust store I believe ODL creates it on boot based on this config:
>> https://git.opendaylight.org/gerrit/gitweb?p=integration/packaging/puppet-opendaylight.git;a=blob;f=templates/aaa-cert-config.xml.erb;h=d6faa891630cba1c4747f64ea977d07de08c6b65;hb=refs/heads/master
>>
>> Tim Rozet
>> Red Hat SDN Team
>>
>> On Thu, Mar 15, 2018 at 2:41 PM, Mohamed El-Serngawy <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> The logs attached to the bug are not really showing errors, just the aaa-cert service waiting for the aaa-encryption service; then it starts fine.
>>>
>>> Tim,
>>>
>>> I assume you followed the link at [0] to configure SSL. After you add the OVS certificate using the REST API, can you just confirm that you are able to read the certificate from the trust store? Are you using MDSAL or Java Key Store files?
>>>
>>> [0] https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
>>>
>>> On Thu, Mar 15, 2018 at 2:27 PM, Luis Gomez <[email protected]> wrote:
>>>
>>>> I do not remember that issue when I tested OF TLS in the past; I will have to retest to confirm.
>>>>
>>>> On Mar 15, 2018, at 11:24 AM, Tim Rozet <[email protected]> wrote:
>>>>
>>>> Hi Luis,
>>>> To clarify, we are not talking about SSL configuration here. We indeed configure the file you mentioned along with other config files (pax web, ovsdb) to only allow SSL/TLS, creating controller and trust stores. This is all done prior to ODL starting. The failure here is that ODL allows a REST implementation to add certificates to the trust store for OVS switches (which obviously implies ODL is up and running). At deploy time, we generate certificates for OVS and then add them via REST to ODL. At that point ODL should trust the switch and allow connections. However, OVSDB never seems to read again from the trust store (unless rebooted) and does not allow the switch to connect.
>>>>
>>>> Tim Rozet
>>>> Red Hat SDN Team
>>>>
>>>> On Thu, Mar 15, 2018 at 1:55 PM, Luis Gomez <[email protected]> wrote:
>>>>
>>>>> AFAIR for ofp you need to modify this config file:
>>>>>
>>>>> /etc/opendaylight/datastore/initial/config/default-openflow-connection-config.xml
>>>>>
>>>>> which means you have to reboot the controller after.
>>>>>
>>>>> BR/Luis
>>>>>
>>>>> On Mar 15, 2018, at 10:42 AM, Sam Hague <[email protected]> wrote:
>>>>>
>>>>> Mo, and ofp devs,
>>>>>
>>>>> how do you handle openflow connections using SSL? We have the bug below where ODL is required to be restarted to pick up connections over SSL.
>>>>>
>>>>> Is that a design requirement that ODL has to be restarted, or is there a different config that can be used?
>>>>>
>>>>> Thanks, Sam
>>>>>
>>>>> https://jira.opendaylight.org/browse/OVSDB-449
>>>>> _______________________________________________
>>>>> integration-dev mailing list
>>>>> [email protected]
>>>>> https://lists.opendaylight.org/mailman/listinfo/integration-dev
>>>
>>> --
>>> Mohamed ElSerngawy
>>> +1 438 993 2462

--
Mohamed ElSerngawy
+1 438 993 2462
_______________________________________________
openflowplugin-dev mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/openflowplugin-dev
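The thread above turns on one design point: the TLS server context is obtained once (`getServerContext()` at startup), the listener keeps it for its lifetime, and if the trust managers inside it were built from a snapshot of the JKS, a client certificate added to the trust store later via REST is invisible until the process restarts. The following is an added illustration of the alternative, not code from OpenDaylight, aaa-cert or ovsdb southbound: a JSSE `X509TrustManager` wrapper that re-reads the JKS trust store whenever the file's modification time changes, so a single long-lived `SSLContext` honours certificates that arrive after the listener opened. The class name `ReloadingTrustManager`, the file path and the password are placeholders assumed for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical example (not ODL code): a trust manager that reloads a JKS
 * trust store from disk when the file changes, so client certificates added
 * after the listener was opened are accepted without a restart.
 */
public final class ReloadingTrustManager implements X509TrustManager {

    private final Path trustStorePath;   // placeholder, e.g. /path/to/truststore.jks
    private final char[] password;       // placeholder trust store password
    private volatile X509TrustManager delegate;
    private volatile FileTime loadedAt;

    public ReloadingTrustManager(Path trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        this.trustStorePath = trustStorePath;
        this.password = password.clone();
        reload();
    }

    // Load the JKS and take the platform X509TrustManager built from it.
    // The mtime is captured before reading so a write that lands during the
    // load still looks stale on the next check and triggers another reload.
    private synchronized void reload() throws IOException, GeneralSecurityException {
        FileTime seen = Files.getLastModifiedTime(trustStorePath);
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath.toFile())) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                loadedAt = seen;
                return;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager for " + trustStorePath);
    }

    // Cheap staleness check on every handshake; reload only when the file changed.
    private X509TrustManager current() {
        try {
            if (!Files.getLastModifiedTime(trustStorePath).equals(loadedAt)) {
                reload();
            }
        } catch (IOException | GeneralSecurityException e) {
            // A half-written or unreadable store must not widen trust: keep the
            // last successfully loaded delegate and let the next handshake retry.
            System.err.println("trust store reload failed, keeping previous: " + e);
        }
        return delegate;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        current().checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        current().checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return current().getAcceptedIssuers();
    }

    /** One SSLContext for the listener's lifetime; the trust manager inside it
     *  re-reads the store, so the context itself never needs rebuilding. */
    public static SSLContext serverContext(KeyManagerFactory kmf, Path trustStore, char[] pw)
            throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(),
                 new TrustManager[] { new ReloadingTrustManager(trustStore, pw) }, null);
        return ctx;
    }

    /** Opens the listener once; client authentication is required, not merely requested. */
    public static SSLServerSocket openListener(SSLContext ctx, int port) throws IOException {
        SSLServerSocket ss =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        ss.setNeedClientAuth(true);
        return ss;
    }
}
```

Two caveats for anyone adapting this. The mtime check is a heuristic; if the REST handler that writes the certificate can call `reload()` directly, that is both simpler and immune to the "Puppet is still writing the file" race, and for an MD-SAL-backed trust store the same wrapper would read from the datastore instead of a file. Also, `setNeedClientAuth(true)` is what makes the trust store matter at all: with `setWantClientAuth`, a switch that presents no certificate would still connect, which defeats the point of distributing per-switch certs.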
