HP VAN SDN Controller Administrator Guide

Revoking trust via CRL
For the controller’s REST API, a CRL (Certificate Revocation List) may also be specified to allow
blacklisting of certain clients. This is done by modifying the
/opt/sdn/virgo/configuration/tomcat-server.xml file to include the CRL file location in the SSL
connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="../admin/keystore"
           keystorePass="skyline"
           crlFile="<location_of_CRL file>"/>
For the above change to take effect, restart the controller.
SDN Administrative REST API
The main SDN Controller daemon (sdnc) is accompanied by an ancillary daemon process (sdna),
which runs under user sdnadmin in order to grant it access to some elevated privileges.
The administrative REST API can be used to securely perform various management functions in a
privileged context. It would be undesirable for the main SDN Controller process to possess those
privileges as it may be hosting execution of third-party code.
The SDN Administrator daemon can be accessed via the REST API over HTTPS on port 8081. Access
is secured through either token-based authentication or basic authentication against the locally
running keystone server, the same mechanism used by the main SDN Controller REST API.
The following set of features is accessible through the administrative REST API:
SDN Controller daemon (sdnc) stop/start/restart
Adding/removing the team master IP alias (required only when in team mode)
Downloading the ZIP bundle of log files
Uploading upgrade Debian bundles and installing/removing Debian packages
Uploading upgrade ZIP bundles and executing upgrade commands
System reboot
The install process adds a number of sudoers entries for the sdnadmin user. These are as follows:
/sbin/ifconfig
/sbin/reboot
/usr/bin/service
/usr/bin/at
/usr/bin/dpkg
All, or any, of the above entries can be blocked or removed from the sudoers configuration. The
/sbin/ifconfig entry is required only when running in teamed mode; without it the controller
cannot migrate the team IP address from node to node as the team master changes.
The sdna daemon can be completely disabled by stopping it with the sudo service sdna stop
command and then removing the /etc/init/sdna.conf file.
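To verify that the sdnadmin sudoers entries listed above have actually been trimmed, and that the sdna init file is gone where the daemon was disabled, here is an added shell example that is not part of the HP guide. The sudoers fragment it scans is constructed, and the rule format it assumes (user ALL=(root) NOPASSWD: cmd, ...) is an assumption about how the installer writes the entries.

```shell
#!/bin/sh
# Added example, not from the HP guide: report which of the five sudoers
# commands the installer grants to sdnadmin are still present, so a hardened
# installation can be checked after entries have been removed.

# The commands the guide says the installer adds for the sdnadmin user.
SDNADMIN_CMDS="/sbin/ifconfig /sbin/reboot /usr/bin/service /usr/bin/at /usr/bin/dpkg"

# Print the rule lines for user sdnadmin from a sudoers file, comments dropped.
sdnadmin_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '^[[:space:]]*sdnadmin[[:space:]]'
}

# Print each expected command that some sdnadmin rule grants, one per line.
sdnadmin_granted() {
    for cmd in $SDNADMIN_CMDS; do
        sdnadmin_rules "$1" | grep -qFw -- "$cmd" && echo "$cmd"
    done
    return 0
}

# Print each expected command that no sdnadmin rule grants, one per line.
sdnadmin_missing() {
    for cmd in $SDNADMIN_CMDS; do
        sdnadmin_rules "$1" | grep -qFw -- "$cmd" || echo "$cmd"
    done
    return 0
}

# True when the sdna upstart file is absent, i.e. the daemon was disabled as
# the guide describes (path is a parameter so it can be checked offline).
sdna_init_absent() {
    [ ! -e "${1:-/etc/init/sdna.conf}" ]
}

# Constructed sample sudoers fragment (an assumption about the installed
# format): ifconfig has been commented out, as allowed when not in teamed mode.
SAMPLE_SUDOERS="$(mktemp)"
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample, not the file written by the installer
sdnadmin ALL=(root) NOPASSWD: /sbin/reboot, /usr/bin/service, /usr/bin/at
sdnadmin ALL=(root) NOPASSWD: /usr/bin/dpkg
# sdnadmin ALL=(root) NOPASSWD: /sbin/ifconfig
EOF

echo "granted to sdnadmin:";  sdnadmin_granted "$SAMPLE_SUDOERS"
echo "not granted:";          sdnadmin_missing "$SAMPLE_SUDOERS"
```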