HP VAN SDN Controller Administrator Guide

OpenFlow Controller TLS
The OpenFlow controller component relies on PKI to establish mutual trust (2-way SSL) between
itself and the OpenFlow switches that it manages. It is recommended that the keystore and
truststore used for OpenFlow switch communication be separate from the SDN controller’s
keystore and truststore used for north-bound communication.
Creating OpenFlow Controller Keystore and Truststore
The process for creating the OpenFlow keystore and truststore is similar to the steps outlined under
"Creating SDN Controller Keystore and Truststore" on page 43, and therefore is not repeated
here. The OpenFlow keystore/truststore and the SDN controller’s keystore/truststore should
have different store names. Both the controller and device certificates must be signed by the
same CA so that the TLS connection can be established.
Refer to your switch’s manual for how to configure TLS on your switch.
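A pre-flight check for the same-CA requirement above, as an added example that is not part of the HP guide: it assumes the controller and switch certificates have been exported to PEM files and uses openssl verify to confirm that each one validates against the CA certificate. The throwaway CA, the certificates and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: confirm controller and switch certificates chain to one CA.
# Assumption: certificates are available as PEM files; names are constructed.

# signed_by_ca CA_PEM CERT_PEM...
# Returns 0 only if every listed certificate verifies against CA_PEM.
signed_by_ca() {
    sbc_ca="$1"; shift
    [ "$#" -ge 1 ] || return 2          # nothing to check is an error
    for sbc_cert in "$@"; do
        openssl verify -CAfile "$sbc_ca" "$sbc_cert" >/dev/null 2>&1 || return 1
    done
    return 0
}

# make_demo_pki DIR
# Builds a constructed CA, two leaf certs signed by it (controller, switch)
# and one unrelated self-signed cert (other) for the negative case.
make_demo_pki() {
    pki="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo OpenFlow CA" \
        -keyout "$pki/ca.key" -out "$pki/ca.pem" 2>/dev/null || return 1
    for name in controller switch; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
            -keyout "$pki/$name.key" -out "$pki/$name.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$pki/$name.csr" -days 1 \
            -CA "$pki/ca.pem" -CAkey "$pki/ca.key" -CAcreateserial \
            -out "$pki/$name.pem" 2>/dev/null || return 1
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-other" \
        -keyout "$pki/other.key" -out "$pki/other.pem" 2>/dev/null || return 1
}

# Demonstration run on the constructed PKI.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
if signed_by_ca "$demo_dir/ca.pem" "$demo_dir/controller.pem" "$demo_dir/switch.pem"; then
    echo "OK: controller and switch certificates share the CA"
fi
if ! signed_by_ca "$demo_dir/ca.pem" "$demo_dir/controller.pem" "$demo_dir/other.pem"; then
    echo "MISMATCH: a certificate is not signed by this CA; the TLS handshake would fail"
fi
rm -rf "$demo_dir"
```
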
OpenFlow Controller Keystore and Truststore Locations and Passwords
The OpenFlow controller’s keystore/truststore settings are located in the
com.hp.sdn.ctl.of.impl.ControllerManager configuration. The keystore and keystore.password
properties hold the location and the password of the keystore, respectively.
Similarly, the truststore and truststore.password properties hold the location and the
password of the truststore.
Figure 41 Components that Reference OpenFlow Keystore and Truststore
A controller restart is required if these configurations are changed.