Controller code verification
All controller code is signed by HP. Validating the certificate via jarsigner should return an HP X.509 certificate similar to the following:
X.509, CN=Hewlett-Packard, OU=HPGlobal, OU=Digital ID Class 3 - Java Object Signing, O=Hewlett-Packard, L=Andover, ST=Massachusetts, C=US
[certificate is valid from 11/14/12 4:00 PM to 11/15/14 3:59 PM]
[certificate is valid from 2/7/10 4:00 PM to 2/7/20 3:59 PM]
[CertPath not validated: null]
If a controller jar or war file is tampered with, the jar verification fails, and the container does not start up.
If an application is not signed by HP, or has its certificate trusted by the controller (see section below), the application is not allowed to run on the controller.
Adding certificates to the jar-signing truststore
To deploy other signed applications onto the controller, use the Java keytool to import the public certificate that was used to sign the application jars and/or zips into the controller jar-signing truststore (
keytool -importcert -keystore /opt/sdn/admin/sdnjar_trust.jks -file signed_app.cer -alias mysignedcert
The controller needs to be restarted for the new truststore to take effect.
Running the SDN Controller Without Jar-Signing Validation
The SDN Controller enforces jar-signing validation by default. For an experimental/development environment where unsigned applications need to be deployed, jar-signing validation can be turned off altogether:
Use the following command to stop the SDN Controller:
sudo service sdnc stop
/opt/sdn/virgo/bin/dmk.sh script to add the following option to the list of
cd $KERNEL_HOME; exec $JAVA_EXECUTABLE \
Start the SDN Controller:
sudo service sdnc start
To enable jar-signing validation, remove the line containing the
-Dsdn.signedJar=none option from the
/opt/sdn/virgo/bin/dmk.sh script and restart the controller.