Built-in OpenFlow controller
The HPE VAN SDN Controller has a built-in OpenFlow controller for controller-to-switch communications. The OpenFlow controller component relies on PKI to establish mutual trust (2-way SSL) between itself and the OpenFlow switches that it manages. To establish TLS connections for controller-to-switch OpenFlow communications, Hewlett Packard Enterprise recommends the following:
Use different store names for the built-in OpenFlow controller keystore and truststore than used for the HPE VAN SDN Controller keystore and truststore.
Use the same CA (certificate authority) to sign the controller and all device certificates.
For information about configuring TLS, see the latest HPE OpenFlow Administrator Guide for your switch.
Creating a keystore and truststore for OpenFlow switch communication
The process for creating the OpenFlow keystore and truststore is similar to the steps outlined under Changing the default controller keystore and truststore to use CA signed certificates.
Built-in OpenFlow controller keystore and truststore locations and passwords
The HPE VAN SDN Controller has a built-in OpenFlow controller for controller-to-switch communications. The configurations for the built-in OpenFlow controller keystore and truststore are located in the com.hp.sdn.ctl.of.impl.ControllerManager component.
The keystore and keystore.password keys store the location of the keystore and the password of the keystore respectively. Similarly, the truststore and truststore.password keys store the location of the truststore and the password of the truststore respectively.
You can configure the com.hp.sdn.ctl.of.impl.ControllerManager component in the Configurations screen Basic tab (screen example is shown below). A controller restart is required if these configurations are changed.
The path to the keystore or truststore location must be specified as a relative path from the /opt/sdn/virgo directory. For example, to specify a location of /opt/sdn/config/of.jks, enter the following:
../config/of.jks
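The following is an added example, not HPE code: a small pre-change check that converts an absolute store path into the relative value expected by the keystore and truststore keys, and flags OpenFlow store names that collide with the controller's own stores. The function names, the controller store paths, and the reading of "store name" as the file name are assumptions made for illustration.

```python
import posixpath

# Base directory the page says keystore/truststore paths are relative to.
VIRGO_DIR = "/opt/sdn/virgo"


def to_config_value(absolute_path, base=VIRGO_DIR):
    """Turn an absolute store path into the relative value to enter."""
    if not posixpath.isabs(absolute_path):
        raise ValueError("expected an absolute path: %r" % absolute_path)
    return posixpath.relpath(posixpath.normpath(absolute_path), base)


def resolve_config_value(value, base=VIRGO_DIR):
    """Return the absolute file that a configured value points at."""
    return posixpath.normpath(posixpath.join(base, value))


def check_openflow_stores(of_cfg, controller_stores, base=VIRGO_DIR):
    """List problems with the OpenFlow 'keystore'/'truststore' values.

    controller_stores: absolute paths of the controller's own stores
    (caller-supplied; assumed, since the page does not list them).
    """
    taken = {posixpath.basename(p) for p in controller_stores}
    problems = []
    for key in ("keystore", "truststore"):
        value = of_cfg.get(key, "")
        if not value:
            problems.append("%s: not set" % key)
            continue
        if posixpath.isabs(value):
            problems.append("%s: absolute path; enter %s"
                            % (key, to_config_value(value, base)))
        name = posixpath.basename(resolve_config_value(value, base))
        if name in taken:
            problems.append("%s: store name %s is also used by the controller"
                            % (key, name))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not defaults of the product.
    controller = ["/opt/sdn/config/ctl.jks", "/opt/sdn/config/ctl_trust.jks"]
    cfg = {"keystore": "/opt/sdn/config/of.jks",
           "truststore": "../config/ctl_trust.jks"}
    for problem in check_openflow_stores(cfg, controller):
        print(problem)
```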