Built-in OpenFlow controller

The HPE VAN SDN Controller has a built-in OpenFlow controller for controller-to-switch communications. The OpenFlow controller component relies on PKI to establish mutual trust (2-way SSL) between itself and the OpenFlow switches that it manages. To establish TLS connections for controller-to-switch OpenFlow communications, Hewlett Packard Enterprise recommends the following:

  • Use different store names for the built-in OpenFlow controller keystore and truststore than those used for the HPE VAN SDN Controller keystore and truststore.

  • Use the same CA (certificate authority) to sign the controller and all device certificates.

For information about configuring TLS, see the latest HPE OpenFlow Administrator Guide for your switch.

Creating a keystore and truststore for OpenFlow switch communication

The process for creating the OpenFlow keystore and truststore is similar to the steps outlined under Changing the default controller keystore and truststore to use CA signed certificates.

Built-in OpenFlow controller keystore and truststore locations and passwords

The configurations for the built-in OpenFlow controller keystore and truststore are located in the com.hp.sdn.ctl.of.impl.ControllerManager configuration. The keystore and keystore.password keys store the location and the password of the keystore, respectively. Similarly, the truststore and truststore.password keys store the location and the password of the truststore, respectively.

A controller restart is required if these configurations are changed.

The path to the keystore or truststore location must be specified as a relative path from the /opt/sdn/virgo directory. For example, to specify a location of /opt/sdn/config/of.jks, enter the following:

../config/of.jks
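
The following check is an added example, not part of the HPE documentation or product. It converts an absolute store location to the relative value the configuration expects, and flags keystore or truststore values that are absolute, empty, or reuse a file name of the controller's own stores. The controller store paths and the of-trust.jks name are constructed placeholders.

```python
import posixpath

VIRGO_DIR = "/opt/sdn/virgo"  # base directory the page says paths are relative to

def to_config_value(absolute_path):
    """Absolute store location -> relative value for the keystore/truststore key."""
    if not posixpath.isabs(absolute_path):
        raise ValueError("expected an absolute path: %r" % absolute_path)
    return posixpath.relpath(posixpath.normpath(absolute_path), VIRGO_DIR)

def resolve(config_value):
    """Relative configuration value -> absolute location on disk."""
    if not config_value or posixpath.isabs(config_value):
        raise ValueError("must be a path relative to %s, got %r"
                         % (VIRGO_DIR, config_value))
    return posixpath.normpath(posixpath.join(VIRGO_DIR, config_value))

def check_of_stores(of_config, controller_stores):
    """Return a list of problems found in the OpenFlow store settings.

    of_config: dict holding the 'keystore' and 'truststore' keys.
    controller_stores: absolute paths of the controller's own stores.
    """
    problems = []
    taken_names = {posixpath.basename(p) for p in controller_stores}
    for key in ("keystore", "truststore"):
        try:
            location = resolve(of_config.get(key, ""))
        except ValueError as exc:
            problems.append("%s: %s" % (key, exc))
            continue
        # Recommendation on the page: OpenFlow stores use different store
        # names than the controller keystore and truststore.
        if posixpath.basename(location) in taken_names:
            problems.append("%s: %s reuses a controller store name"
                            % (key, location))
    return problems

# Constructed sample values (placeholders, not product defaults).
CONTROLLER_STORES = ["/opt/sdn/config/controller-keystore.jks",
                     "/opt/sdn/config/controller-truststore.jks"]
OF_CONFIG = {"keystore": to_config_value("/opt/sdn/config/of.jks"),
             "truststore": "../config/of-trust.jks"}

if __name__ == "__main__":
    print(OF_CONFIG["keystore"])
    print(check_of_stores(OF_CONFIG, CONTROLLER_STORES) or "no problems found")
```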

Components that reference OpenFlow keystore and truststore