Changing the default controller keystore and truststore to use CA signed certificates


NOTE: In a teamed environment, unique certificates are generated for each controller in the team. You must repeat the following procedure for each controller in the team.


To create a CA-signed keystore and truststore, as the SDN user (for example, sudo - sdn), do the following:

  1. From the Configurations screen of the controller UI, do the following:

    1. Select each of the following components and change the value of the selfsigned key to false:

      com.hp.sdn.api.impl.AlertPostManager
      com.hp.sdn.misc.AdminRestComponent
      com.hp.sdn.misc.ServiceRestComponent
    2. Select the com.hp.sdn.adm.mgr.impl.hpws.HpwsInstallManager configurable component and ensure that the following keys have the values indicated in the following table:

      Key                   Value
      keystore              /opt/sdn/admin/keystore
      keystore.password     (password is not displayed; shown as ENC())
      selfsigned            false
      truststore            /opt/sdn/admin/truststore
      truststore.password   (password is not displayed; shown as ENC())

  2. Log in to the system running the SDN Controller as the sdn user and stop the controller.

    sudo service sdnc stop

  3. Back up your default /opt/sdn/admin/keystore and /opt/sdn/admin/truststore to a safe location.

  4. As the sdn user, create a new keystore using the following commands:

    cd /opt/sdn/admin

    rm keystore truststore

    keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore

    To support teaming, you must enter the controller's IP address as the common name when keytool prompts for your first and last name.

  5. Generate a CSR (Certificate Signing Request) for signing:

    keytool -keystore keystore -certreq -alias serverKey -keyalg rsa -file sdn-server.csr

  6. Send the sdn-server.csr to a CA to be signed.

    The CA will authenticate you and return a signed certificate and its CA certificate chain. We assume the signed certificate from the CA is named signed.cer and the CA's certificate is root.cer. If root.cer is from your own internal CA, then you need to import root.cer into your browser as an authority.

  7. Import the signed certificates into your keystore and truststore as follows (or to use a script to import the certificate files, see Importing the certificate files using a script).

    Import the root.cer certificate into your keystore and truststore:

    keytool -importcert -trustcacerts -keystore keystore -file root.cer -alias CARoot

    keytool -importcert -trustcacerts -keystore truststore -file root.cer -alias CARoot

    If your CA also returned an intermediate certificate (root-int.cer), import it into your keystore and truststore under an alias that differs from the one used for the root, such as CARootInt; keytool refuses to add a second entry with the alias CARoot:

    keytool -importcert -trustcacerts -keystore keystore -file root-int.cer -alias CARootInt

    keytool -importcert -trustcacerts -keystore truststore -file root-int.cer -alias CARootInt

    If you do not have an intermediate root-int.cer file, skip this import.

  8. Replace your self-signed certificate in your serverKey entry with the signed certificate from your CA signed.cer (or to use a script to replace the signed certificate with one from your CA, see Importing the certificate files using a script).

    keytool -importcert -keystore keystore -file signed.cer -alias serverKey

  9. Add your CA's certificate to the Ubuntu system trust store as root (update-ca-certificates expects a PEM file with a .crt extension). The following is an example:

    root@sdnctl1:/opt/sdn/admin# cp cacert.pem /usr/local/share/ca-certificates/cacert.crt

    root@sdnctl1:/opt/sdn/admin# update-ca-certificates

    The following is an example of what you will see displayed during this process:

    Updating certificates in /etc/ssl/certs...
    1 added, 0 removed; done
    Running hooks in /etc/ca-certificates/update.d...
    Adding debian:cacert.pem
    done.
    done.
    root@sdnctl1:/opt/sdn/admin#

  10. Start the controller.

    sudo service sdnc start
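    Before starting the controller, it is worth confirming that step 8 actually replaced the self-signed certificate: after a successful import the serverKey entry carries the CA chain (leaf plus CA certificates), while a chain length of 1 means the old self-signed certificate is still in place. The following check is an added example, not part of the HPE guide; it assumes the guide's default store paths and that keytool is on the PATH for the live check.

```shell
#!/bin/sh
# Added post-import check (not from the HPE guide). Store paths are the guide's defaults.
KEYSTORE=/opt/sdn/admin/keystore
TRUSTSTORE=/opt/sdn/admin/truststore

# Parse the verbose listing of one entry, as printed by
# `keytool -list -v -keystore <store> -alias <alias>`, and print its chain length.
# Prints 0 when the entry is not a PrivateKeyEntry or has no chain length line.
chain_length_from_listing() {
    if ! printf '%s\n' "$1" | grep -q '^Entry type: PrivateKeyEntry'; then
        echo 0
        return
    fi
    len=$(printf '%s\n' "$1" | sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${len:-0}"
}

# Succeeds only when the entry holds a CA-signed chain (leaf plus at least one CA cert).
is_ca_signed() {
    [ "$(chain_length_from_listing "$1")" -ge 2 ]
}

# Live check of the real stores; needs keytool on PATH and the keystore password.
verify_stores() {
    pw=$1
    listing=$(keytool -list -v -keystore "$KEYSTORE" -alias serverKey -storepass "$pw" 2>/dev/null)
    if is_ca_signed "$listing"; then
        echo "keystore: serverKey carries a CA-signed chain"
    else
        echo "keystore: serverKey is still self-signed or missing; repeat steps 7 and 8" >&2
        return 1
    fi
    # Root and intermediate must sit under distinct aliases (CARootInt is optional).
    for alias in CARoot CARootInt; do
        if keytool -list -keystore "$TRUSTSTORE" -alias "$alias" -storepass "$pw" >/dev/null 2>&1; then
            echo "truststore: $alias present"
        else
            echo "truststore: $alias absent"
        fi
    done
}

# Constructed sample listing of a store that still holds the self-signed certificate.
SAMPLE_SELF_SIGNED='Alias name: serverKey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:'
is_ca_signed "$SAMPLE_SELF_SIGNED" || echo "sample store: still self-signed, chain length $(chain_length_from_listing "$SAMPLE_SELF_SIGNED")"
```

    Run verify_stores with the keystore password on the controller; a non-zero exit means the serverKey entry was not replaced and the controller would still present the self-signed certificate.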

Importing the certificate files using a script

As an alternative to steps 7 and 8 you can use a post install configuration script (config_flare.py) run locally on the controller to import the certificate files into the keystore and truststore. The script will also start the controller for you. For general information about the post install configuration script, see the HPE VAN SDN Controller Installation Guide chapter on post install configuration.

The post install configuration Python script is run on the local controller machine. The script is /opt/sdn/scripts/postinstall/config_flare.py. You can run it interactively or you can use a configuration file to enter the inputs for importing the certificate file. The default configuration file is /opt/sdn/scripts/ansible/config_flare.conf or you can create a custom configuration file for use with the script.

To run the config_flare.py script to import the certificate files:

  1. To use the script you must ssh to the controller system. For example, ssh sdn@1.1.1.1 (then enter the ssh password).

  2. You can run the script either interactively or with a configuration file as follows:

    • If you are running the script interactively without a configuration file, enter the option for importing certificate files on the command line: python config_flare.py -c. You will be prompted to enter the location of the root.cer, root-int.cer and signed.cer files.

    • If you are using the configuration file to enter inputs for the script, edit the config_flare.conf file or create a custom configuration file. In the [general] section enter the controller IP, user name and (optionally) password. If you don't enter a password in the configuration file, you will be prompted to enter the password when you run the script. In the [scripts] section set certificate=true. In the [certificate] section enter the location of the root.cer, root-int.cer and signed.cer files. Then run the script with the following command:

      python config_flare.py -f ../ansible/config_flare.conf (or whatever the custom configuration file name is)

  3. Respond to any prompts as the script runs.