bridge: Implement basic periodic update of interface statistics.
diff --git
a/INSTALL.SSL
b/INSTALL.SSL
index 8df47bc106934eacda318100d91e70d4ab8f1bbe..3b625fbd949bfb745ae8bad39266a7c709056fd3 100644
--- a/
INSTALL.SSL
+++ b/
INSTALL.SSL
@@
-287,30
+287,31
@@
cacert.pem:
OpenFlow controller by verifying a signature against this CA
certificate.
OpenFlow controller by verifying a signature against this CA
certificate.
-Once you have these files, configure ovs-vswitchd to use them
by
-
adding the following keys to your ovs-vswitchd.conf file
:
+Once you have these files, configure ovs-vswitchd to use them
using
+
the ovs-vsctl "set-ssl" command, e.g.
:
- ssl.private-key=/etc/vswitch/sc-privkey.pem
- ssl.certificate=/etc/vswitch/sc-cert.pem
- ssl.ca-cert=/etc/vswitch/cacert.pem
+ ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
Substitute the correct file names, of course, if they differ from the
Substitute the correct file names, of course, if they differ from the
-ones used above.
+ones used above. You should use absolute file names (ones that begin
+with "/"), because ovs-vswitchd's current directory is unrelated to
+the one from which you run ovs-vsctl.
If you are using self-signed certificates (see "SSL Concepts for
OpenFlow") and you did not copy controllerca/cacert.pem from the PKI
If you are using self-signed certificates (see "SSL Concepts for
OpenFlow") and you did not copy controllerca/cacert.pem from the PKI
-machine to the Open vSwitch, then a
lso add the following key
:
+machine to the Open vSwitch, then a
dd the --bootstrap option, e.g.
:
- ssl.bootstrap-ca-cert=true
+ ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
After you have added all of these configuration keys, you may specify
After you have added all of these configuration keys, you may specify
-"ssl:" connection methods elsewhere in ovs-vswitchd.conf, e.g.:
-
- mgmt.controller=ssl:192.168.0.1
-
+"ssl:" connection methods elsewhere in the configuration database.
"tcp:" connection methods are still allowed even after SSL has been
configured, so for security you should use only "ssl:" connections.
"tcp:" connection methods are still allowed even after SSL has been
configured, so for security you should use only "ssl:" connections.
+Unlike most Open vSwitch settings, the SSL settings are read only
+once, at ovs-vswitchd startup time. For changes to take effect,
+ovs-vswitchd must be killed and restarted.
+
Reporting Bugs
--------------
Reporting Bugs
--------------
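Review bot: The unchanged context sentence "After you have added all of these configuration keys", just after the --bootstrap example, is stale now that every ssl.* key is replaced by the ovs-vsctl "set-ssl" command; reword it along the lines of "After you have configured SSL this way". The removed mgmt.controller=ssl:192.168.0.1 example has no replacement, so the text points to "the configuration database" without showing how an "ssl:" connection method is set there; an equivalent ovs-vsctl example would close that gap. Since the doc already warns that "tcp:" methods remain allowed, and the new paragraph says SSL settings are read only at ovs-vswitchd startup, consider moving the restart note up beside the set-ssl example so a reader does not assume the running daemon is already using the new keys.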