-The instructions above set up Open vSwitch for operation over a
-plaintext TCP connection. Production use of Open vSwitch should use
-SSL[*] to ensure confidentiality and authenticity of traffic among
-switches and controllers. The source must be configured with
---enable-ssl=yes to build with SSL support.
-
-To use SSL with Open vSwitch, you must set up a public-key infrastructure
-(PKI) including a pair of certificate authorities (CAs), one for
-controllers and one for switches. If you have an established PKI,
-Open vSwitch can use it directly. Otherwise, refer to "Establishing a
-Public Key Infrastructure" below.
-
-To configure the controller to listen for SSL connections on port 6633
-(the default), invoke it as follows:
-
- # ovs-controller -v pssl: --private-key=PRIVKEY --certificate=CERT \
- --ca-cert=CACERT
-
-where PRIVKEY is a file containing the controller's private key, CERT
-is a file containing the controller CA's certificate for the
-controller's public key, and CACERT is a file containing the root
-certificate for the switch CA. If, for example, your PKI was created
-with the instructions below, then the invocation would look like:
-
- # ovs-controller -v pssl: --private-key=ctl-privkey.pem \
- --certificate=ctl-cert.pem --ca-cert=pki/switchca/cacert.pem
-
-To configure a switch to connect to a controller running on port 6633
-(the default) on host 192.168.1.2 over SSL, invoke secchan as follows:
-
- # secchan -v DATAPATH ssl:192.168.1.2 --private-key=PRIVKEY \
- --certificate=CERT --ca-cert=CACERT
-
-where DATAPATH is the datapath to connect to (e.g. dp0 or
-unix:/var/run/dp0.sock), PRIVKEY is a file containing the switch's
-private key, CERT is a file containing the switch CA's certificate for
-the switch's public key, and CACERT is a file containing the root
-certificate for the controller CA. If, for example, your PKI was
-created with the instructions below, then the invocation would look
-like:
-
- # secchan -v DATAPATH ssl:192.168.1.2 --private-key=sc-privkey.pem \
- --certificate=sc-cert.pem --ca-cert=pki/controllerca/cacert.pem
-
-[*] To be specific, Open vSwitch uses TLS version 1.0 or later (TLSv1), as
- specified by RFC 2246, which is very similar to SSL version 3.0.
- TLSv1 was released in January 1999, so all current software and
- hardware should implement it.
-
-Establishing a Public Key Infrastructure
-----------------------------------------
-
-If you do not have a PKI, the ovs-pki script included with Open vSwitch
-can help. To create an initial PKI structure, invoke it as:
- % ovs-pki init
-which will create and populate a new PKI directory. The default
-location for the PKI directory depends on how the Open vSwitch tree was
-configured (to see the configured default, look for the --dir option
-description in the output of "ovs-pki --help").
-
-The pki directory contains two important subdirectories. The
-controllerca subdirectory contains controller certificate authority
-related files, including the following:
-
- - cacert.pem: Root certificate for the controller certificate
- authority. This file must be provided to secchan with the
- --ca-cert option to enable it to authenticate valid controllers.
-
- - private/cakey.pem: Private signing key for the controller
- certificate authority. This file must be kept secret. There is
- no need for switches or controllers to have a copy of it.
-
-The switchca subdirectory contains switch certificate authority
-related files, analogous to those in the controllerca subdirectory:
-
- - cacert.pem: Root certificate for the switch certificate
- authority. This file must be provided to the controller program
- with the --ca-cert option to enable it to authenticate valid
- switches.
-
- - private/cakey.pem: Private signing key for the switch
- certificate authority. This file must be kept secret. There is
- no need for switches or controllers to have a copy of it.
-
-After you create the initial structure, you can create keys and
-certificates for switches and controllers with ovs-pki. To create a
-controller private key and certificate in files named ctl-privkey.pem
-and ctl-cert.pem, for example, you could run:
- % ovs-pki req+sign ctl controller
-ctl-privkey.pem and ctl-cert.pem would need to be copied to the
-controller for its use at runtime (they could then be deleted from
-their original locations). The --private-key and --certificate
-options of ovs-controller, respectively, would point to these files.
-
-Analogously, to create a switch private key and certificate in files
-named sc-privkey.pem and sc-cert.pem, for example, you could run:
- % ovs-pki req+sign sc switch
-sc-privkey.pem and sc-cert.pem would need to be copied to the switch
-for its use at runtime (they could then be deleted from their original
-locations). The --private-key and --certificate options,
-respectively, of secchan would point to these files.
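Review bot: this hunk deletes the only security guidance in the document without a replacement or a pointer to where it now lives, so the surrounding text that remains ("The instructions above set up Open vSwitch for operation over a plaintext TCP connection") is left with no hardening advice at all. Three points in the removed lines need to survive somewhere: that production deployments should use SSL/TLS rather than plaintext TCP (and that the tree must be built with --enable-ssl=yes), that the two CA signing keys (controllerca/private/cakey.pem and switchca/private/cakey.pem) "must be kept secret" and are never needed on switches or controllers, and that ovs-controller's --ca-cert takes the switch CA root while secchan's --ca-cert takes the controller CA root, which is the mutual-authentication property the two-CA layout exists for. If the section is being moved (e.g. to a dedicated SSL document or to the ovs-pki manpage), please name the destination in the commit message or leave a one-line cross-reference in its place; if it is being dropped because secchan/ovs-controller no longer match this text, the TCP paragraph above should at least keep the sentence recommending SSL for production.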