X-Git-Url: http://git.onelab.eu/?p=sliver-openvswitch.git;a=blobdiff_plain;f=INSTALL.SSL;h=061af97ab1ba010f6b7bc50e51a45892f5c508af;hp=8df47bc106934eacda318100d91e70d4ab8f1bbe;hb=ec988646afe6aee6a63d6894a3e9b50f715d5941;hpb=d17ee8689bff22541dccaa792b70a848641f3646 diff --git a/INSTALL.SSL b/INSTALL.SSL index 8df47bc10..061af97ab 100644 --- a/INSTALL.SSL +++ b/INSTALL.SSL @@ -2,15 +2,13 @@ ================================ If you plan to configure Open vSwitch to connect across the network to -an OpenFlow controller, then we recommend that you configure and -enable SSL support in Open vSwitch. SSL support ensures integrity and -confidentiality of the OpenFlow connections, increasing network -security. +an OpenFlow controller, then we recommend that you build Open vSwitch +with OpenSSL. SSL support ensures integrity and confidentiality of +the OpenFlow connections, increasing network security. This file explains how to configure an Open vSwitch to connect to an -OpenFlow controller over SSL. Refer to INSTALL.Linux for instructions -on building Open vSwitch with SSL support. (In particular, you must -pass --enable-ssl to the "configure" script to use SSL.) +OpenFlow controller over SSL. Refer to INSTALL for instructions on +building Open vSwitch with SSL support. Open vSwitch uses TLS version 1.0 or later (TLSv1), as specified by RFC 2246, which is very similar to SSL version 3.0. TLSv1 was @@ -117,7 +115,7 @@ that contains the PKI structure: % ovs-pki req+sign ctl controller ctl-privkey.pem and ctl-cert.pem would need to be copied to the -controller for its use at runtime. If you were to use ovs-controller, +controller for its use at runtime. If you were to use test-controller, the simple OpenFlow controller included with Open vSwitch, then the --private-key and --certificate options, respectively, would point to these files. 
@@ -287,27 +285,24 @@ cacert.pem: OpenFlow controller by verifying a signature against this CA certificate. -Once you have these files, configure ovs-vswitchd to use them by -adding the following keys to your ovs-vswitchd.conf file: +Once you have these files, configure ovs-vswitchd to use them using +the ovs-vsctl "set-ssl" command, e.g.: - ssl.private-key=/etc/vswitch/sc-privkey.pem - ssl.certificate=/etc/vswitch/sc-cert.pem - ssl.ca-cert=/etc/vswitch/cacert.pem + ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem Substitute the correct file names, of course, if they differ from the -ones used above. +ones used above. You should use absolute file names (ones that begin +with "/"), because ovs-vswitchd's current directory is unrelated to +the one from which you run ovs-vsctl. If you are using self-signed certificates (see "SSL Concepts for OpenFlow") and you did not copy controllerca/cacert.pem from the PKI -machine to the Open vSwitch, then also add the following key: +machine to the Open vSwitch, then add the --bootstrap option, e.g.: - ssl.bootstrap-ca-cert=true + ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem After you have added all of these configuration keys, you may specify -"ssl:" connection methods elsewhere in ovs-vswitchd.conf, e.g.: - - mgmt.controller=ssl:192.168.0.1 - +"ssl:" connection methods elsewhere in the configuration database. "tcp:" connection methods are still allowed even after SSL has been configured, so for security you should use only "ssl:" connections.
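Review bot: in the first hunk (@@ -2,15 +2,13 @@), dropping the parenthetical about --enable-ssl leaves this file with no hint at all of how SSL support is turned on at build time, and the new wording "build Open vSwitch with OpenSSL" is vaguer than the old one; if INSTALL now documents the switch, keep a one-line pointer here ("see the SSL section of INSTALL") so a reader landing in INSTALL.SSL is not sent off to search. While this paragraph is being revised, the unchanged context that follows ("Open vSwitch uses TLS version 1.0 or later (TLSv1), as specified by RFC 2246") reads ambiguously, since RFC 2246 specifies only TLS 1.0; it would be worth rewording in the same change.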
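Review bot: the second hunk (@@ -117,7 +115,7 @@) renames ovs-controller to test-controller in one sentence only; a rename like this usually has several occurrences in the same file and in the surrounding docs, so please grep INSTALL.SSL and the other INSTALL.* files for the old name and update them in the same commit, otherwise the walkthrough points readers at two different binaries.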
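Review bot: in the third hunk (@@ -287,27 +285,24 @@) the old example "mgmt.controller=ssl:192.168.0.1" is removed but its replacement only says "elsewhere in the configuration database", which gives the reader no concrete command; add the ovs-vsctl equivalent, e.g. "ovs-vsctl set-controller br0 ssl:192.168.0.1", next to the set-ssl example. The lead sentence "After you have added all of these configuration keys" is now stale, since the hunk replaces configuration keys with a command, and should read something like "After you have configured SSL". The hunk also replaces "ssl.bootstrap-ca-cert=true" with --bootstrap without ever saying what bootstrapping does; one sentence noting that the CA certificate is then accepted from the controller on the first connection, so that connection must be made over a path you trust, would let readers weigh the risk before using it. The closing context line about "tcp:" still being allowed is the right warning to keep.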