The SDN Controller identifies itself via Public-Key Infrastructure (PKI) for its communication with external subsystems and other controllers. It uses a Java keystore and truststore to keep its private key and public key respectively. For REST APIs, the controller does not rely on the truststore to establish trust. Instead, it uses token authentication to authenticate the client. The client must present a valid token via the X-Auth-Header to authenticate itself with the controller. Token authentication is discussed more under “SDN Controller keystore and truststore locations and passwords ”.

The controller ships with a self-signed certificate. Therefore, it is recommended that the self-signed certificate be replaced by a certificate signed by a reputable Certificate Authority (CA). Also, the default password for the keystore and truststore should be changed as well.