The SDN Controller identifies itself via Public-Key Infrastructure (PKI) for its communication with external subsystems and other controllers. It uses a Java keystore and truststore to keep its private key and public key respectively. These keys can be used for confidential and trusted communication with clients and keystone. For REST APIs, the controller uses bearer token authentication to authenticate the client. The client must present a valid token via the X-Auth-Header to authenticate itself with the controller. Since this means of token authentication are bearer tokens, use PKI to ensure trusted communication with keystone and clients, and to avoid unauthorized use of tokens. Make sure that the certificates that you use for both keystone and the controller are part of a valid trust chain. Token authentication is discussed further under SDN Controller keystore and truststore locations and passwords .

The controller ships with a self-signed certificate. Therefore, it is recommended that the self-signed certificate be replaced by a certificate signed by a reputable Certificate Authority (CA). If you choose to replace the self-signed certificates with CA signed equivalents, see Changing the default controller keystore and truststore to use CA signed certificates. Also, the default password for the keystore and truststore should be changed as well.

Enable (2-way SSL) mutually trusted PKI communication to require both the controller and keystone to present valid certificates before starting the communication.