================================
If you plan to configure Open vSwitch to connect across the network to
-an OpenFlow controller, then we recommend that you configure and
-enable SSL support in Open vSwitch. SSL support ensures integrity and
-confidentiality of the OpenFlow connections, increasing network
-security.
+an OpenFlow controller, then we recommend that you build Open vSwitch
+with OpenSSL. SSL support ensures integrity and confidentiality of
+the OpenFlow connections, increasing network security.
This file explains how to configure an Open vSwitch to connect to an
-OpenFlow controller over SSL. Refer to INSTALL.Linux for instructions
-on building Open vSwitch with SSL support. (In particular, you must
-pass --enable-ssl to the "configure" script to use SSL.)
+OpenFlow controller over SSL. Refer to INSTALL for instructions on
+building Open vSwitch with SSL support.
Open vSwitch uses TLS version 1.0 or later (TLSv1), as specified by
RFC 2246, which is very similar to SSL version 3.0. TLSv1 was
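Review bot: the replacement lines drop the only sentence that told the reader how SSL support gets turned on at build time (the removed "you must pass --enable-ssl to the "configure" script"), and the new text just says "build Open vSwitch with OpenSSL" and points at INSTALL. If SSL is now enabled automatically whenever OpenSSL is found by configure, say that in one sentence here so readers do not go hunting for the dropped flag; if some option is still required, name it. Also worth checking that INSTALL (not INSTALL.Linux) really carries the OpenSSL build instructions, since this hunk changes the cross-reference.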
% ovs-pki req+sign ctl controller
ctl-privkey.pem and ctl-cert.pem would need to be copied to the
-controller for its use at runtime. If you were to use ovs-controller,
+controller for its use at runtime. If you were to use test-controller,
the simple OpenFlow controller included with Open vSwitch, then the
--private-key and --certificate options, respectively, would point to
these files.
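Review bot: this hunk only renames ovs-controller to test-controller, but the unchanged context still asserts that its --private-key and --certificate options point at ctl-privkey.pem and ctl-cert.pem; please confirm test-controller still accepts exactly those option names, otherwise the rename leaves the sentence describing a tool that no longer matches. A grep for the old name elsewhere in this file and in the man pages would also be worthwhile so the rename is complete.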
OpenFlow controller by verifying a signature against this CA
certificate.
-Once you have these files, configure ovs-vswitchd to use them by
-adding the following keys to your ovs-vswitchd.conf file:
+Once you have these files, configure ovs-vswitchd to use them using
+the ovs-vsctl "set-ssl" command, e.g.:
- ssl.private-key=/etc/vswitch/sc-privkey.pem
- ssl.certificate=/etc/vswitch/sc-cert.pem
- ssl.ca-cert=/etc/vswitch/cacert.pem
+ ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
Substitute the correct file names, of course, if they differ from the
-ones used above.
+ones used above. You should use absolute file names (ones that begin
+with "/"), because ovs-vswitchd's current directory is unrelated to
+the one from which you run ovs-vsctl.
If you are using self-signed certificates (see "SSL Concepts for
OpenFlow") and you did not copy controllerca/cacert.pem from the PKI
-machine to the Open vSwitch, then also add the following key:
+machine to the Open vSwitch, then add the --bootstrap option, e.g.:
- ssl.bootstrap-ca-cert=true
+ ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
After you have added all of these configuration keys, you may specify
-"ssl:" connection methods elsewhere in ovs-vswitchd.conf, e.g.:
-
- mgmt.controller=ssl:192.168.0.1
-
+"ssl:" connection methods elsewhere in the configuration database.
"tcp:" connection methods are still allowed even after SSL has been
configured, so for security you should use only "ssl:" connections.
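Review bot: the new --bootstrap line is introduced without saying what the option does or when it is appropriate, whereas the removed key name "ssl.bootstrap-ca-cert=true" at least told the reader it concerns the CA certificate; since the surrounding text says this path is for the case where cacert.pem was not copied from the PKI machine, add one sentence stating that the switch obtains the CA certificate from the controller it first connects to and that copying cacert.pem out of band is the stronger option. Separately, the last change replaces the concrete "mgmt.controller=ssl:192.168.0.1" example with the vague "elsewhere in the configuration database"; keep a worked example by showing the ovs-vsctl equivalent (a set-controller invocation with an "ssl:" target), so the final sentence's advice to use only "ssl:" connections has something to point at.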
Reporting Bugs
--------------
-Please report problems to ovs-bugs@openvswitch.org.
+Please report problems to bugs@openvswitch.org.