Changing the default controller keystore and truststore to use CA signed certificates

NOTE: In a teamed environment, unique certificates are generated for each controller in the team. You must repeat the following procedure for each controller in the team.


To create a CA-signed keystore and truststore, as the SDN user (for example, sudo - sdn), do the following:

  1. From the Configurations screen of the controller UI, do the following:

    1. In the Advanced tab of the Configurations screen, select each of the following components and change the value of the selfsigned key to false:

      com.hp.sdn.api.impl.AlertPostManager
      com.hp.sdn.misc.AdminRestComponent
      com.hp.sdn.misc.ServiceRestComponent
    2. Select the com.hp.sdn.adm.mgr.impl.hpws.HpwsInstallManager configurable component and ensure that the following keys have the values indicated in the following table:

      Key                  Value
      keystore             /opt/sdn/admin/keystore
      keystore.password    password is not displayed (ENC())
      selfsigned           false
      truststore           /opt/sdn/admin/truststore
      truststore.password  password is not displayed (ENC())

  2. Log in to the system running the SDN Controller as the sdn user and stop the controller.

    sudo service sdna stop

  3. Back up your default /opt/sdn/admin/keystore and /opt/sdn/admin/truststore to a safe location.

    The Java keytool is used to create the new keystore and the CSR. The tool bundled with the controller is located at /opt/sdn/openjdk8-jre/bin/keytool.

  4. As the sdn user, create a new keystore using the following commands:

    cd /opt/sdn/admin

    rm keystore truststore

    /opt/sdn/openjdk8-jre/bin/keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore

    To support teaming, enter the controller's IP address when keytool asks for your first and last name; that answer becomes the certificate's common name (CN).

  5. Generate a CSR (Certificate Signing Request) for signing:

    /opt/sdn/openjdk8-jre/bin/keytool -keystore keystore -certreq -alias serverKey -keyalg rsa -file sdn-server.csr

  6. Send the sdn-server.csr to a CA to be signed.

    The CA will authenticate you and return a signed certificate and its CA certificate chain. We assume the signed certificate from the CA is named signed.cer and the CA's certificate is root.cer. If root.cer is from your own internal CA, then you need to import root.cer into your browser as an authority.

  7. Import the signed certificates into your keystore and truststore as follows.

    Import the root.cer certificate into your keystore and truststore:

    /opt/sdn/openjdk8-jre/bin/keytool -importcert -trustcacerts -keystore keystore -file root.cer -alias CARoot

    /opt/sdn/openjdk8-jre/bin/keytool -importcert -trustcacerts -keystore truststore -file root.cer -alias CARoot

    If the CA also returned an intermediate certificate (assumed here to be named root-int.cer), import it into your keystore and truststore as well. Use a different alias, such as CARootInt, because every entry in a keystore must have a unique alias and CARoot is already used by root.cer. If you did not receive an intermediate certificate, skip these two commands.

    /opt/sdn/openjdk8-jre/bin/keytool -importcert -trustcacerts -keystore keystore -file root-int.cer -alias CARootInt

    /opt/sdn/openjdk8-jre/bin/keytool -importcert -trustcacerts -keystore truststore -file root-int.cer -alias CARootInt

  8. Replace your self-signed certificate in your serverKey entry with the signed certificate from your CA signed.cer.

    /opt/sdn/openjdk8-jre/bin/keytool -importcert -keystore keystore -file signed.cer -alias serverKey

  9. As root, add the certificate from your CA to the Linux system trust store. The following is an example in which the CA certificate is cacert.pem:

    root@sdnctl1:/opt/sdn/admin# cp cacert.pem /usr/local/share/ca-certificates/cacert.crt

    root@sdnctl1:/opt/sdn/admin# update-ca-certificates

    The following is an example of what you will see displayed during this process:

    Updating certificates in /etc/ssl/certs...
    1 added, 0 removed; done
    Running hooks in /etc/ca-certificates/update.d...
    Adding debian:cacert.pem
    done.
    done.
    root@sdnctl1:/opt/sdn/admin#

  10. Start the controller.

    sudo service sdna start
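The following script is an added example and is not part of the HPE documentation or the controller software. It rehearses steps 4 to 8 in a scratch directory against a throwaway lab CA (which stands in for the external CA of step 6) so that the alias layout and the resulting certificate chain can be verified before the production keystore is touched. KEYTOOL, PASS, the lab CA name and the sample IP address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the HPE procedure above. It rehearses steps 4 to 8
# in a scratch directory against a throwaway lab CA so the alias layout and the
# resulting certificate chain can be checked before the production keystore is
# touched. KEYTOOL and PASS are assumptions; the real procedure prompts for them.
KEYTOOL="${KEYTOOL:-/opt/sdn/openjdk8-jre/bin/keytool}"
PASS="${PASS:-changeit}"

kt() { "$KEYTOOL" "$@" >/dev/null 2>&1; }   # quiet keytool wrapper

# Number of certificates in the chain held under a PrivateKeyEntry alias.
# A freshly generated serverKey reports 1 (self-signed); after step 8 it must
# report at least 2 (server certificate plus the CA chain).
chain_length() {
    "$KEYTOOL" -list -v -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
        sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p'
}

# Succeeds only if the alias exists in the store (keytool exits non-zero otherwise).
has_alias() { "$KEYTOOL" -list -keystore "$1" -storepass "$PASS" -alias "$2" >/dev/null 2>&1; }

# Body runs in a subshell, so cd does not leak and exit only abandons the rehearsal.
# Prints the final serverKey chain length; status 0 only if CARoot is in both
# stores and serverKey is no longer self-signed.
rehearse() (
    mkdir -p "$1" && cd "$1" || exit 1
    # lab CA standing in for the external CA of step 6
    kt -genkeypair -alias labca -keyalg rsa -keysize 2048 -dname "CN=Lab CA" \
       -ext bc=ca:true -keystore ca.jks -storepass "$PASS" -keypass "$PASS" || exit 1
    kt -exportcert -alias labca -keystore ca.jks -storepass "$PASS" -rfc -file root.cer || exit 1
    # step 4: controller key pair; the CN is an IP address, as teaming requires
    kt -genkeypair -alias serverKey -keyalg rsa -keysize 2048 -dname "CN=192.0.2.10" \
       -keystore keystore -storepass "$PASS" -keypass "$PASS" || exit 1
    [ "$(chain_length keystore serverKey)" = 1 ] || exit 1
    # steps 5 and 6: CSR, signed here by the lab CA
    kt -certreq -alias serverKey -keystore keystore -storepass "$PASS" -file sdn-server.csr || exit 1
    kt -gencert -alias labca -keystore ca.jks -storepass "$PASS" -rfc \
       -infile sdn-server.csr -outfile signed.cer || exit 1
    # step 7: CA certificate into both stores; each store gets the CARoot alias once
    for s in keystore truststore; do
        kt -importcert -noprompt -keystore "$s" -storepass "$PASS" -file root.cer -alias CARoot || exit 1
    done
    # step 8: the certificate reply replaces the self-signed certificate under serverKey
    kt -importcert -noprompt -keystore keystore -storepass "$PASS" -file signed.cer -alias serverKey || exit 1
    has_alias keystore CARoot && has_alias truststore CARoot || exit 1
    n="$(chain_length keystore serverKey)"
    echo "$n"
    [ "$n" -ge 2 ]
)
```

Run it as `rehearse /tmp/sdn-lab`; a printed chain length of 2 or more confirms that the serverKey entry now carries the CA-signed certificate, which is the state the production keystore must be in before the selfsigned keys are set to false.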