The OpenFlow controller component relies on PKI to establish mutual trust (2-way SSL) between itself and the OpenFlow switches that it manages. HP recommends using separate keystores and truststores for the controller-to-switch OpenFlow communications.
The process for creating the OpenFlow keystore and truststore is similar to the steps outlined under “Creating the SDN Controller keystore and truststore”, and therefore is not repeated here. The OpenFlow keystore and truststore should use different store names from the SDN Controller’s keystore and truststore. Note that the Controller and Device certificates must both be signed by the same CA for the TLS connection to be established. See your switch’s manual for information about configuring TLS on your switch.
The OpenFlow Controller’s keystore and truststore settings are located in the com.hp.sdn.ctl.of.impl.ControllerManager configuration. The keystore and keystore.password properties specify the location and the password of the keystore respectively. Similarly, the truststore and truststore.password properties specify the location and the password of the truststore respectively.
A controller restart is required if these configurations are changed.
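The same-CA requirement above can be checked with openssl before the controller is restarted. The following is an added example, not taken from HP's documentation: it builds two throwaway CAs and verifies a controller certificate and two switch certificates against one of them. All CA, controller and switch names are constructed for the demo, and it assumes certificates are available as PEM files (for a real deployment they would first be exported from the keystores).

```shell
#!/bin/sh
# Added example. Every name and file below is constructed for the demo.

# same_ca CA.pem CERT.pem... -> status 0 only if every cert verifies against CA.pem
same_ca() {
    ca=$1; shift
    for cert in "$@"; do
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    done
}

# make_ca DIR NAME: throwaway self-signed CA (DIR/NAME.key, DIR/NAME.pem)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA_NAME LEAF_NAME: key + certificate for LEAF_NAME signed by CA_NAME
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_ca "$work" demo-ca-1
make_ca "$work" demo-ca-2
issue "$work" demo-ca-1 controller      # stands in for the OpenFlow keystore cert
issue "$work" demo-ca-1 switch-a        # switch cert from the same CA
issue "$work" demo-ca-2 switch-b        # switch cert from a different CA

# Both sides must chain to the CA that the peer's truststore holds.
for sw in switch-a switch-b; do
    if same_ca "$work/demo-ca-1.pem" "$work/controller.pem" "$work/$sw.pem"; then
        echo "$sw: chains to the same CA as the controller"
    else
        echo "$sw: not signed by the controller's CA, mutual TLS will fail"
    fi
done
```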