Hi Tim,

This most probably means that the OVS certificate is not in the trust keystore. Just to clarify things: in your previous email you mentioned "We create a JKS for the controller keystore. For the trust store I believe ODL creates it on boot".

Does this mean you create the ctl.jks file and place it under /configuration/ssl/? If yes, I guess the issue is at [0]. The certificate manager, the first time it starts, checks whether the keystore files are there; if not, it creates them. Let me know if my understanding is correct. You may do one more thing to confirm: just create an empty trust keystore file matching the config in aaa-cert-config.xml and check whether it works without a restart.

[0] https://github.com/opendaylight/aaa/blob/master/aaa-cert/src/main/java/org/opendaylight/aaa/cert/impl/CertificateManagerService.java#L70

Thanks

On Tue, Mar 20, 2018 at 12:19 PM, Tim Rozet <[email protected]> wrote:
> Hi Mohamed,
> I managed to reproduce the issue. I flipped on debugging and I see:
>
> 2018-03-20 11:07:09,492 | INFO | entLoopGroup-4-1 | LoggingHandler | 60 - io.netty.common - 4.1.16.Final | [id: 0xfe0d155e, L:/0.0.0.0:6640] READ COMPLETE
> 2018-03-20 11:07:09,492 | DEBUG | entLoopGroup-5-4 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | New Passive channel created : [id: 0xae5053bf, L:/192.0.2.8:6640 - R:/192.0.2.8:51224]
> 2018-03-20 11:07:09,593 | DEBUG | assiveConnServ-5 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Handshake status NEED_UNWRAP
> 2018-03-20 11:07:09,593 | DEBUG | assiveConnServ-5 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | handshake not done yet NEED_UNWRAP
> 2018-03-20 11:07:09,693 | DEBUG | assiveConnServ-5 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Handshake status NEED_UNWRAP
> 2018-03-20 11:07:09,693 | DEBUG | assiveConnServ-5 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | handshake not done yet NEED_UNWRAP
> 2018-03-20 11:07:09,793 | DEBUG | assiveConnServ-5 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Handshake status NEED_UNWRAP
> 2018-03-20 11:07:09,794 | DEBUG | assiveConnServ-5 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | handshake not done yet NEED_UNWRAP
> 2018-03-20 11:07:09,894 | DEBUG | assiveConnServ-5 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | Handshake status NEED_UNWRAP
> 2018-03-20 11:07:09,894 | DEBUG | assiveConnServ-5 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | handshake not done yet NEED_UNWRAP
> 2018-03-20 11:07:09,894 | DEBUG | assiveConnServ-5 | OvsdbConnectionService | 399 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | channel closed [id: 0xae5053bf, L:/192.0.2.8:6640 ! R:/192.0.2.8:51224]
>
> Which looks like it is coming from here:
> https://github.com/opendaylight/ovsdb/blob/e6b469e18d5f72402ccb817ce1fb1469dd2a9d6c/library/impl/src/main/java/org/opendaylight/ovsdb/lib/impl/OvsdbConnectionService.java#L439
>
> Tim Rozet
> Red Hat SDN Team
>
> On Mon, Mar 19, 2018 at 11:53 AM, Mohamed El-Serngawy <[email protected]> wrote:
>
>> Hi Sam
>>
>> I'm not quite sure what could be causing this issue; I suppose there is no need to restart. "getServerContext()" will be executed every time a connection is established. Will try to reproduce it today.
>>
>> thanks
>>
>> On Sun, Mar 18, 2018 at 11:01 AM, Sam Hague <[email protected]> wrote:
>>
>>> Mohamed,
>>>
>>> Tim is using the JKS - he pushes all that before connecting the OVS nodes to ODL.
>>>
>>> Do you know if there are any timing issues with the JKS when ODL starts compared to when certs are added via REST? ovsdb southbound starts up and has the certificateManager which it uses to start the netty listening on 6640. Then client certs are added to ODL via REST. Then connections are attempted from the OVS nodes but they never connect. Reboot ODL and the connections then work.
>>>
>>> Could there be something in the reboot which actually gets the client certs applied?
>>>
>>> Or does the server context change when certs are applied? At startup the ovsdb southbound does certManagerSrv.getServerContext() and opens the listening channel. That same context is used when the incoming connections come in - ovsdb does not do another read of that context.
>>>
>>> Thanks, Sam
>>>
>>> On Thu, Mar 15, 2018 at 3:03 PM, Tim Rozet <[email protected]> wrote:
>>>
>>>> Hi Mohamed,
>>>> Right, that is one of the wiki pages I followed. There are several that I kind of had to merge the info together from to get it all to work. The read from the trust store should work. I tested it manually and we have an unless here in puppet so we do not re-add the cert:
>>>> https://github.com/openstack/puppet-neutron/blob/master/manifests/plugins/ovs/opendaylight.pp#L191
>>>>
>>>> We create a JKS for the controller keystore. For the trust store I believe ODL creates it on boot based on this config:
>>>> https://git.opendaylight.org/gerrit/gitweb?p=integration/packaging/puppet-opendaylight.git;a=blob;f=templates/aaa-cert-config.xml.erb;h=d6faa891630cba1c4747f64ea977d07de08c6b65;hb=refs/heads/master
>>>>
>>>> Tim Rozet
>>>> Red Hat SDN Team
>>>>
>>>> On Thu, Mar 15, 2018 at 2:41 PM, Mohamed El-Serngawy <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> The logs attached to the bug are not really showing errors, just the aaa-cert service waiting for the aaa-encryption service; then it starts fine.
>>>>>
>>>>> Tim,
>>>>>
>>>>> I assume you followed the link at [0] to configure the SSL. After you add the OVS certificate using the REST API, can you just confirm that you are able to read the certificate from the trust store? Are you using MDSAL or Java Key Store files?
>>>>>
>>>>> [0] https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
>>>>>
>>>>> On Thu, Mar 15, 2018 at 2:27 PM, Luis Gomez <[email protected]> wrote:
>>>>>
>>>>>> I do not remember that issue when I tested OF TLS in the past, I will have to retest to confirm.
>>>>>>
>>>>>> On Mar 15, 2018, at 11:24 AM, Tim Rozet <[email protected]> wrote:
>>>>>>
>>>>>> Hi Luis,
>>>>>> To clarify, we are not talking about SSL configuration here. We indeed configure the file you mentioned along with other config files (pax web, ovsdb) to only allow SSL/TLS, creating controller and trust stores. This is all done prior to ODL starting. The failure here is that ODL allows a REST implementation to add certificates to the trust store for OVS switches (which obviously implies ODL is up and running). At deploy time, we generate certificates for OVS and then add them via REST to ODL. At that point ODL should trust the switch and allow connections. However, OVSDB never seems to read again from the trust store (unless rebooted) and does not allow the switch to connect.
>>>>>>
>>>>>> Tim Rozet
>>>>>> Red Hat SDN Team
>>>>>>
>>>>>> On Thu, Mar 15, 2018 at 1:55 PM, Luis Gomez <[email protected]> wrote:
>>>>>>
>>>>>>> AFAIR for ofp you need to modify this config file:
>>>>>>>
>>>>>>> /etc/opendaylight/datastore/initial/config/default-openflow-connection-config.xml
>>>>>>>
>>>>>>> which means you have to reboot the controller after.
>>>>>>>
>>>>>>> BR/Luis
>>>>>>>
>>>>>>> On Mar 15, 2018, at 10:42 AM, Sam Hague <[email protected]> wrote:
>>>>>>>
>>>>>>> Mo, and ofp devs,
>>>>>>>
>>>>>>> how do you handle openflow connections using SSL? We have the bug below where ODL is required to be restarted to pick up connections over SSL.
>>>>>>>
>>>>>>> Is that a design requirement that ODL has to be restarted, or is there a different config that can be used?
>>>>>>>
>>>>>>> Thanks, Sam
>>>>>>>
>>>>>>> https://jira.opendaylight.org/browse/OVSDB-449
>>>>>>> _______________________________________________
>>>>>>> integration-dev mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.opendaylight.org/mailman/listinfo/integration-dev
>>>>>
>>>>> --
>>>>> Mohamed ElSerngawy
>>>>> +1 438 993 2462
>>
>> --
>> Mohamed ElSerngawy
>> +1 438 993 2462

--
Mohamed ElSerngawy
+1 438 993 2462
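The behaviour Sam and Tim describe above (a server context obtained once at startup keeps trusting only what the JKS held when it was built, so certificates pushed via REST later are not consulted until the context is rebuilt, which in practice meant a restart) follows from how the JDK builds trust managers: TrustManagerFactory.init() snapshots the KeyStore contents. As an added example that is not ODL's, aaa-cert's or ovsdb's code, the trust manager below re-reads the trust store file whenever it changes on disk; the class name, store path and password are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

// Added illustration, not ODL/ovsdb code: re-reads the JKS trust store when the file on
// disk changes, so a certificate added after boot is honoured on the next TLS handshake.
public final class ReloadingTrustManager implements X509TrustManager {
    private final Path storePath;   // assumed, e.g. configuration/ssl/truststore.jks
    private final char[] password;  // assumed: trust store password from aaa-cert-config.xml
    private long loadedMtime = -1;
    private X509TrustManager delegate;

    public ReloadingTrustManager(Path storePath, char[] password) throws GeneralSecurityException, IOException {
        this.storePath = storePath;
        this.password = password.clone();
        reloadIfChanged();
    }

    // Rebuild the delegate only when the file's modification time has moved.
    private synchronized void reloadIfChanged() throws GeneralSecurityException, IOException {
        long mtime = Files.getLastModifiedTime(storePath).toMillis();
        if (mtime == loadedMtime) return;
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(storePath)) { ks.load(in, password); }
        // TrustManagerFactory.init() snapshots the KeyStore contents: a manager built once
        // at startup never sees certificates appended to the file afterwards.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { delegate = (X509TrustManager) tm; loadedMtime = mtime; return; }
        }
        throw new GeneralSecurityException("no X509TrustManager for " + storePath);
    }

    private X509TrustManager current() throws CertificateException {
        try { reloadIfChanged(); } catch (GeneralSecurityException | IOException e) { throw new CertificateException(e); }
        return delegate;
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkClientTrusted(chain, authType);  // the OVS node is the TLS client here
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        try { return current().getAcceptedIssuers(); } catch (CertificateException e) { return new X509Certificate[0]; }
    }
}
```

Installing it with SSLContext.init(keyManagers, new TrustManager[] { reloadingTrustManager }, null) leaves the one-time getServerContext() pattern untouched, because the reload happens inside the trust manager on each handshake rather than by rebuilding the context. Note that the reload is keyed on file modification time, so a cert written in place between two handshakes within the same timestamp granularity is picked up only on the following change.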
_______________________________________________ openflowplugin-dev mailing list [email protected] https://lists.opendaylight.org/mailman/listinfo/openflowplugin-dev
