Revoking Trust

Revoking trust via truststore

The controller components rely on the public certificates in the respective truststore to establish trust with a given identity. Therefore, revoking trust from a client with a given public certificate amounts to removing its certificate from the respective truststore. To remove a given certificate from the truststore:

  • List the certificates in your truststore:

    keytool -list -v -keystore truststore [-storepass password]

  • Delete certificate from truststore:

    keytool -delete -alias cert-alias -keystore truststore [-storepass password]

Revoking trust via CRL

For the controller's REST API, a CRL (Certificate Revocation List) can also be specified to block specific clients whose certificates have been revoked. This is done by modifying the /opt/sdn/virgo/configuration/tomcat-server.xml file to include the CRL file location in the SSL connector:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="../admin/keystore"
               keystorePass="skyline"
               crlFile="location_of_CRL file"/>

For the change to take effect, restart the controller.
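The following is an added example, not code from the controller documentation: a small Java program that verifies both revocation paths described above, checking that a deleted alias is really gone from the truststore and that a client certificate is actually listed in the CRL the connector points at. The class name, the command-line argument order and the CA certificate path are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;

public class RevocationCheck {

    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Truststore path: confirms the entry that "keytool -delete" removed is really gone. */
    static boolean aliasRemoved(String storePath, char[] storepass, String alias) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS or PKCS12 both load on JDK 9+
        try (InputStream in = new FileInputStream(storePath)) {
            ts.load(in, storepass);
        }
        return !ts.containsAlias(alias);
    }

    /** CRL path: true only if the CRL is signed by the client's issuing CA, is not
     *  past its nextUpdate, and lists the client certificate's serial number. */
    static boolean revokedByCrl(String crlPath, X509Certificate client, X509Certificate ca) throws Exception {
        X509CRL crl;
        try (InputStream in = new FileInputStream(crlPath)) {
            crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
        crl.verify(ca.getPublicKey()); // throws SignatureException if this CA did not sign the CRL
        if (!crl.getIssuerX500Principal().equals(client.getIssuerX500Principal())) {
            return false; // a CRL from a different CA says nothing about this certificate
        }
        Date next = crl.getNextUpdate();
        if (next != null && next.before(new Date())) {
            throw new IllegalStateException("CRL is stale (nextUpdate " + next + "); reissue it, then restart the controller");
        }
        return crl.isRevoked(client); // matches the certificate's serial number against the CRL entries
    }

    public static void main(String[] args) throws Exception {
        // Placeholder arguments (assumed, not documented controller paths): truststore storepass alias crlFile clientCert caCert
        System.out.println("alias removed: " + aliasRemoved(args[0], args[1].toCharArray(), args[2]));
        System.out.println("revoked by CRL: " + revokedByCrl(args[3], loadCert(args[4]), loadCert(args[5])));
    }
}
```

Run it after the keytool steps or after restarting the controller with the new crlFile setting; a false result on either line means the client would still be trusted.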