NOTE: In a teamed environment, unique certificates are generated for each controller in the team. You must repeat the following procedure for each controller in the team.

To create a CA-signed keystore and truststore, as the SDN user (for example, sudo - sdn), do the following:

1. From the Configurations screen of the controller UI, do the following:

   - Select each of the following components and change the value of the selfsigned key to false:

     com.hp.sdn.api.impl.AlertPostManager
     com.hp.sdn.misc.AdminRestComponent
     com.hp.sdn.misc.ServiceRestComponent

   - Select the com.hp.sdn.adm.mgr.impl.hpws.HpwsInstallManager configurable component and ensure that the following keys have the values indicated in the following table:

     Key                  Value
     keystore             /opt/sdn/admin/keystore
     keystore.password    password is not displayed (ENC())
     selfsigned           false
     truststore           /opt/sdn/admin/truststore
     truststore.password  password is not displayed (ENC())

2. Log in to the system running the SDN Controller as the sdn user and stop the controller.

3. Back up your default /opt/sdn/admin/keystore and /opt/sdn/admin/truststore to a safe location.

4. As the sdn user, create a new keystore using the following command:

   keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore

   To support teaming, you must specify an IP address as the common name when keytool asks the "first and last name" question.

5. Generate a CSR (Certificate Signing Request) for signing:

   keytool -keystore keystore -certreq -alias serverKey -keyalg rsa -file sdn-server.csr

6. Send sdn-server.csr to a CA to be signed. The CA will authenticate you and return a signed certificate and its CA certificate chain. This procedure assumes the signed certificate from the CA is named signed.cer and the CA's certificate is root.cer. If root.cer is from your own internal CA, you also need to import root.cer into your browser as an authority.

7. Import the signed certificates into your keystore and truststore as follows (or, to use a script to import the certificate files, see Importing the certificate files using a script).

   Import the root.cer certificate into your keystore and truststore:

   keytool -importcert -trustcacerts -keystore keystore -file root.cer -alias CARoot
   keytool -importcert -trustcacerts -keystore truststore -file root.cer -alias CARoot

   Import the root-int.cer certificate into your keystore and truststore:

   keytool -importcert -trustcacerts -keystore keystore -file root-int.cer -alias CARoot
   keytool -importcert -trustcacerts -keystore truststore -file root-int.cer -alias CARoot

   If you do not have an intermediate root-int.cer file, then instead use a different alias such as CARootInt. For example:

   keytool -importcert -trustcacerts -keystore keystore -file root-int.cer -alias CARootInt
   keytool -importcert -trustcacerts -keystore truststore -file root-int.cer -alias CARootInt

   Note that keytool refuses to import a certificate under an alias that already exists in that keystore, so the root and intermediate certificates must end up under distinct aliases (for example CARoot and CARootInt).

8. Replace the self-signed certificate in your serverKey entry with the signed certificate from your CA, signed.cer (or, to use a script to replace the signed certificate with one from your CA, see Importing the certificate files using a script):

   keytool -importcert -keystore keystore -file signed.cer -alias serverKey

9. As root, add the certificate from your CA to the Ubuntu trusted certificates. The following is an example:

   root@sdnctl1:/opt/sdn/admin# cp cacert.pem /usr/local/share/ca-certificates/cacert.crt
   root@sdnctl1:/opt/sdn/admin# update-ca-certificates

   The following is an example of what you will see displayed during this process:

   Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done
   Running hooks in /etc/ca-certificates/update.d... Adding debian:cacert.pem
   done.
   done.
   root@sdnctl1:/opt/sdn/admin#
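The backup, keystore creation, CSR, CA-chain import, signed-certificate import and Ubuntu trust steps above, wrapped in checked shell functions. This is an added example, not code from the HPE guide or the controller product. It assumes keytool is on PATH, that it runs from /opt/sdn/admin as the sdn user (trust_ca_on_ubuntu as root), that the CA returned signed.cer, root.cer and optionally root-int.cer into the current directory, and it uses the standard keytool options -dname and -noprompt to answer the interactive prompts; the destination name sdn-ca-root.crt under /usr/local/share/ca-certificates is this example's own choice. It adds two checks the guide leaves to the reader: the common name must be an IPv4 address (the teaming requirement), and each certificate file is checked to be PEM or DER before keytool sees it.

```shell
#!/bin/sh
# Added example, not the HPE guide's own code: the keystore/truststore steps
# (back up, create keystore, CSR, import CA chain, install signed cert, trust
# the CA on Ubuntu) as checked shell functions.
# Assumptions: keytool is on PATH; run from /opt/sdn/admin as the sdn user
# (trust_ca_on_ubuntu as root); the CA returned signed.cer, root.cer and,
# optionally, root-int.cer into the current directory.
set -u

KEYSTORE=${KEYSTORE:-keystore}
TRUSTSTORE=${TRUSTSTORE:-truststore}
BACKUP_DIR=${BACKUP_DIR:-./store-backup-$(date +%Y%m%d%H%M%S)}

# Teaming requirement from the guide: the CN must be the controller's IP.
# Returns 0 only for a dotted-quad IPv4 literal with octets in 0..255.
cn_is_ipv4() {
    _cn=$1
    case "$_cn" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _dots=$(printf '%s' "$_cn" | tr -cd '.' | wc -c | tr -d ' ')
    [ "$_dots" -eq 3 ] || return 1
    _rest=$_cn
    while :; do
        _octet=${_rest%%.*}
        [ "$_octet" -le 255 ] || return 1
        [ "$_rest" = "$_octet" ] && return 0
        _rest=${_rest#*.}
    done
}

# Classify a certificate file before handing it to keytool: prints pem, der,
# missing or unknown. A DER certificate starts with the ASN.1 SEQUENCE tag 0x30.
cert_file_kind() {
    _f=$1
    [ -s "$_f" ] || { echo missing; return 1; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$_f"; then
        echo pem; return 0
    fi
    case "$(od -An -tx1 -N1 "$_f" | tr -d ' ')" in
        30) echo der; return 0 ;;
    esac
    echo unknown; return 1
}

# "file alias" pairs to import into both stores, in chain order. root-int.cer
# is optional, and it gets its own alias because keytool refuses to import
# under an alias that already exists in the keystore.
ca_import_plan() {
    printf '%s %s\n' root.cer CARoot
    if [ -s root-int.cer ]; then printf '%s %s\n' root-int.cer CARootInt; fi
}

backup_stores() {
    mkdir -p "$BACKUP_DIR" && cp -p "$KEYSTORE" "$TRUSTSTORE" "$BACKUP_DIR"/
}

# -dname answers the "first and last name" prompt non-interactively.
create_keystore() {
    cn_is_ipv4 "$1" || { echo "CN must be the controller IP address for teaming, got: $1" >&2; return 1; }
    keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 \
        -keystore "$KEYSTORE" -dname "CN=$1"
}

make_csr() {
    keytool -keystore "$KEYSTORE" -certreq -alias serverKey -keyalg rsa -file sdn-server.csr
}

import_ca_chain() {
    ca_import_plan | while read -r _file _alias; do
        cert_file_kind "$_file" >/dev/null || { echo "unusable certificate file: $_file" >&2; exit 1; }
        for _store in "$KEYSTORE" "$TRUSTSTORE"; do
            keytool -importcert -trustcacerts -noprompt -keystore "$_store" \
                -file "$_file" -alias "$_alias" || exit 1
        done
    done
}

# Installs the CA reply into the existing serverKey entry, replacing the
# self-signed certificate.
install_signed_cert() {
    cert_file_kind signed.cer >/dev/null || return 1
    keytool -importcert -keystore "$KEYSTORE" -file signed.cer -alias serverKey
}

# Run as root. update-ca-certificates only picks up PEM files named *.crt;
# the destination name sdn-ca-root.crt is this example's choice.
trust_ca_on_ubuntu() {
    [ "$(cert_file_kind root.cer)" = pem ] || { echo "root.cer must be PEM for update-ca-certificates" >&2; return 1; }
    cp root.cer /usr/local/share/ca-certificates/sdn-ca-root.crt && update-ca-certificates
}

main() {
    case "${2:-}" in
        before-csr) backup_stores && create_keystore "$1" && make_csr ;;
        after-ca)   import_ca_chain && install_signed_cert ;;
        *) echo "usage: $0 <controller-ip> before-csr|after-ca" >&2; return 2 ;;
    esac
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it in two passes: `sh ca-keystore.sh 10.1.2.3 before-csr` backs up the stores, generates the key pair with the controller IP as CN and writes sdn-server.csr; after the CA returns the files, `sh ca-keystore.sh 10.1.2.3 after-ca` imports the chain and the signed certificate. Source the file and call trust_ca_on_ubuntu separately as root.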
As an alternative to steps 7 and 8, you can use a post install configuration script (config_flare.py) run locally on the controller to import the certificate files into the keystore and truststore. The script will also start the controller for you. For general information about the post install configuration script, see the HPE VAN SDN Controller Installation Guide chapter on post install configuration.

The post install configuration Python script is run on the local controller machine. The script is /opt/sdn/scripts/postinstall/config_flare.py. You can run it interactively, or you can use a configuration file to supply the inputs for importing the certificate files. The default configuration file is /opt/sdn/scripts/ansible/config_flare.conf, or you can create a custom configuration file for use with the script.

To run the config_flare.py script to import the certificate files:

1. To use the script you must ssh to the controller system. For example, ssh sdn@1.1.1.1 (then enter the ssh password).

2. You can run the script either interactively or with a configuration file, as follows:

   - If you are running the script interactively without a configuration file, enter the option for importing certificate files on the command line:

     python config_flare.py -c

     You will be prompted to enter the location of the root.cer, root-int.cer and signed.cer files.

   - If you are using the configuration file to enter inputs for the script, edit the config_flare.conf file or create a custom configuration file. In the [general] section enter the controller IP, user name and (optionally) password. If you don't enter a password in the configuration file, you will be prompted to enter the password when you run the script. In the [scripts] section set certificate=true. In the [certificate] section enter the location of the root.cer, root-int.cer and signed.cer files. Then run the script with the following command (the path is relative to the postinstall directory):

     python config_flare.py -f ../ansible/config_flare.conf

     (or whatever the custom configuration file name is)