HP VAN SDN Controller Administrator Guide

3 SDN Controller Authentication

HP VAN SDN Controller Security Guidelines

The HP VAN SDN controller communicates with different components, both internal and external

to the controller, via secure channels. This section documents these channels, their defaults, and

how to configure them in a deployment environment.

SDN Controller Authentication

The SDN controller identifies itself via Public-Key Infrastructure (PKI) for its communication with

external subsystems and other controllers. It uses a Java keystore and truststore to keep its private

key and public key respectively. For REST APIs, the controller does not rely on the truststore to

establish trust. Instead, it uses token authentication to authenticate the client. The client must

present a valid token via the X-Auth-Header to authenticate itself with the controller. Token

authentication is discussed more under "Openflow Controller Keystore and Truststore Locations

and Passwords" on page 46.

The controller ships with a self-signed certificate. Therefore, it is recommended that the self-signed

certificate be replaced by a certificate signed by a reputable Certificate Authority (CA). Also, the

default password for the keystore and truststore should be changed as well.

Creating SDN Controller Keystore and Truststore

1. Login to the system running the SDN controller and stop the controller.

2. As the SDN user (i.e. sudo - sdn), do the following:

3. Back up your default /opt/sdn/admin/keystore and /opt/sdn/admin/truststore to a safe location.

4. Create a new keystore:

cd /opt/sdn/admin

rm keystore truststore

keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore

keystore

You must specify a fully qualified domain for your server for the “first and last name” question as

some CAs, such as VeriSign, expect it.

5. Generate a CSR (Certificate Signing Request) for signing:

keytool -keystore keystore -certreq -alias serverKey -keyalg rsa -file

sdn-server.csr