meta-flow: Fix "sparse" warning in mf_are_prereqs_ok().
diff --git
a/INSTALL.SSL
b/INSTALL.SSL
index 8df47bc106934eacda318100d91e70d4ab8f1bbe..f322b41315bfef638b9a513d19027204862b0a18 100644
--- a/
INSTALL.SSL
+++ b/
INSTALL.SSL
@@
-2,15
+2,13
@@
================================
If you plan to configure Open vSwitch to connect across the network to
================================
If you plan to configure Open vSwitch to connect across the network to
-an OpenFlow controller, then we recommend that you configure and
-enable SSL support in Open vSwitch. SSL support ensures integrity and
-confidentiality of the OpenFlow connections, increasing network
-security.
+an OpenFlow controller, then we recommend that you build Open vSwitch
+with OpenSSL. SSL support ensures integrity and confidentiality of
+the OpenFlow connections, increasing network security.
This file explains how to configure an Open vSwitch to connect to an
OpenFlow controller over SSL. Refer to INSTALL.Linux for instructions
This file explains how to configure an Open vSwitch to connect to an
OpenFlow controller over SSL. Refer to INSTALL.Linux for instructions
-on building Open vSwitch with SSL support. (In particular, you must
-pass --enable-ssl to the "configure" script to use SSL.)
+on building Open vSwitch with SSL support.
Open vSwitch uses TLS version 1.0 or later (TLSv1), as specified by
RFC 2246, which is very similar to SSL version 3.0. TLSv1 was
Open vSwitch uses TLS version 1.0 or later (TLSv1), as specified by
RFC 2246, which is very similar to SSL version 3.0. TLSv1 was
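Review bot: dropping the parenthetical "(In particular, you must pass --enable-ssl to the "configure" script to use SSL.)" removes the only concrete build instruction in this file, and the replacement wording "build Open vSwitch with OpenSSL" only defers to INSTALL.Linux; please confirm that INSTALL.Linux in this same change actually states how OpenSSL is detected or selected at configure time, otherwise the cross-reference points at nothing and readers lose the one step that makes "ssl:" connections possible. The rest of the rewording is fine, and the hunk counts (-2,15 +2,13) match the two lines removed.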
@@
-287,30
+285,31
@@
cacert.pem:
OpenFlow controller by verifying a signature against this CA
certificate.
OpenFlow controller by verifying a signature against this CA
certificate.
-Once you have these files, configure ovs-vswitchd to use them
by
-
adding the following keys to your ovs-vswitchd.conf file
:
+Once you have these files, configure ovs-vswitchd to use them
using
+
the ovs-vsctl "set-ssl" command, e.g.
:
- ssl.private-key=/etc/vswitch/sc-privkey.pem
- ssl.certificate=/etc/vswitch/sc-cert.pem
- ssl.ca-cert=/etc/vswitch/cacert.pem
+ ovs-vsctl set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
Substitute the correct file names, of course, if they differ from the
Substitute the correct file names, of course, if they differ from the
-ones used above.
+ones used above. You should use absolute file names (ones that begin
+with "/"), because ovs-vswitchd's current directory is unrelated to
+the one from which you run ovs-vsctl.
If you are using self-signed certificates (see "SSL Concepts for
OpenFlow") and you did not copy controllerca/cacert.pem from the PKI
If you are using self-signed certificates (see "SSL Concepts for
OpenFlow") and you did not copy controllerca/cacert.pem from the PKI
-machine to the Open vSwitch, then a
lso add the following key
:
+machine to the Open vSwitch, then a
dd the --bootstrap option, e.g.
:
- ssl.bootstrap-ca-cert=true
+ ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
After you have added all of these configuration keys, you may specify
After you have added all of these configuration keys, you may specify
-"ssl:" connection methods elsewhere in ovs-vswitchd.conf, e.g.:
-
- mgmt.controller=ssl:192.168.0.1
-
+"ssl:" connection methods elsewhere in the configuration database.
"tcp:" connection methods are still allowed even after SSL has been
configured, so for security you should use only "ssl:" connections.
"tcp:" connection methods are still allowed even after SSL has been
configured, so for security you should use only "ssl:" connections.
+Unlike most Open vSwitch settings, the SSL settings are read only
+once, at ovs-vswitchd startup time. For changes to take effect,
+ovs-vswitchd must be killed and restarted.
+
Reporting Bugs
--------------
Reporting Bugs
--------------
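Review bot: the unchanged context line "After you have added all of these configuration keys, you may specify" is now stale, because this hunk replaces the ovs-vswitchd.conf keys with ovs-vsctl "set-ssl" commands; suggest "After you have run these commands, you may specify". The removed example "mgmt.controller=ssl:192.168.0.1" also gets no replacement, so the reader is left with no concrete form of an "ssl:" connection method in the configuration database; a one-line ovs-vsctl example next to "elsewhere in the configuration database" would restore that. The new restart caveat is a good addition and belongs right next to the "tcp:" warning: since the SSL settings are read only once at ovs-vswitchd startup, a switch started before "set-ssl" was run has no SSL available until it is restarted, so the text should tell the operator to restart ovs-vswitchd and then check that its controller connections are "ssl:" rather than "tcp:".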