Controller Code Verification; Adding Certificates To The Jar-Signing Truststore; Running The Sdn Controller Without Jar-Signing Validation - HP HPE VAN SDN Controller 2.7 Administrator's Manual


Controller code verification

All controller code is signed by Hewlett Packard Enterprise. Validating the certificate via jarsigner
should return a Hewlett Packard Enterprise X.509 certificate similar to the following:
X.509, CN=Hewlett-Packard, OU=HPGlobal, OU=Digital ID Class 3 - Java
Object Signing, O=Hewlett-Packard, L=Andover, ST=Massachusetts, C=US
[certificate is valid from 11/14/12 4:00 PM to 11/15/14 3:59 PM]
X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at
https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network,
O="VeriSign, Inc.", C=US
[certificate is valid from 2/7/10 4:00 PM to 2/7/20 3:59 PM]
[CertPath not validated: null]
If a controller jar or war file is tampered with, the jar verification fails, and the container does not
start up.
If an application is neither signed by Hewlett Packard Enterprise nor signed with a certificate that is
trusted by the controller (see the section below), the application is not allowed to run on the controller.

Adding certificates to the jar-signing truststore

To deploy other signed applications onto the controller, use the Java keytool to import the public
certificate that was used to sign the application jars and/or zips into the controller jar-signing
truststore (/opt/sdn/admin/sdnjar_trust.jks):
/opt/sdn/openjdk8-jre/bin/keytool -importcert -keystore /opt/sdn/admin/sdnjar_trust.jks -file signed_app.cer -alias mysignedcert
The controller needs to be restarted for the new truststore to take effect.

Running the SDN Controller Without Jar-Signing Validation

The SDN Controller enforces jar/zip-signing validation by default. For an experimental or development
environment where unsigned applications need to be deployed, jar/zip-signing validation can be
turned off altogether:
1. Use the following command to stop the SDN Controller:
   sudo service sdnc stop
2. Modify the /opt/sdn/virgo/bin/dmk.sh script to add the following option to the list of
   JMX_OPTS:
   -Dsdn.signedJar=none
   For example:
   cd $KERNEL_HOME; exec $JAVA_EXECUTABLE \
   $JAVA_OPTS \
   $DEBUG_OPTS \
   $JMX_OPTS \
   -XX:+HeapDumpOnOutOfMemoryError \
   -XX:ErrorFile=$KERNEL_HOME/serviceability/error.log \
   -XX:HeapDumpPath=$KERNEL_HOME/serviceability/heap_dump.hprof \
   -Dsdn.signedJar=none \
   -Djava.security.auth.login.config=$AUTH_LOGIN \
   -Dorg.eclipse.virgo.kernel.authentication.file=$AUTH_FILE \
3. Start the SDN Controller:
   sudo service sdnc start
To re-enable jar/zip-signing validation, remove the line containing the -Dsdn.signedJar=none
option from the /opt/sdn/virgo/bin/dmk.sh script and restart the controller.
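The following audit script is an added example, not part of the HPE manual or the controller itself. It covers both operations on this page: it checks that dmk.sh does not still carry the development-only -Dsdn.signedJar=none bypass, and it verifies an application jar against the alias imported into the jar-signing truststore (the manual's "mysignedcert") before deployment. The dmk.sh and truststore paths are the ones the manual names; the assumption is that jarsigner is on PATH, since it ships with a JDK rather than the controller's bundled JRE.

```shell
#!/bin/sh
# Audit helpers for the controller's jar-signing controls (added example, not HPE code).
# Paths are the ones the manual names; jarsigner on PATH is an assumption.
DMK_SH="${DMK_SH:-/opt/sdn/virgo/bin/dmk.sh}"
TRUSTSTORE="${TRUSTSTORE:-/opt/sdn/admin/sdnjar_trust.jks}"
JARSIGNER="${JARSIGNER:-jarsigner}"

# signed_jar_enforced FILE
# Returns 0 when FILE (a dmk.sh) does not pass -Dsdn.signedJar=none to the JVM, i.e. the
# default jar/zip-signing validation is still in force; returns 1 when the bypass is active.
# Commented-out lines are ignored so a disabled leftover does not raise a false alarm.
signed_jar_enforced() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q -- '-Dsdn\.signedJar=none'; then
        return 1
    fi
    return 0
}

# verify_app_jar JAR ALIAS
# Checks an application jar the way the controller does at startup: the signature must be
# valid and the signer must be the certificate stored under ALIAS in the jar-signing
# truststore. -strict makes jarsigner exit non-zero for an unsigned jar, a tampered entry,
# an expired signer certificate, or a signer that is not the named alias.
verify_app_jar() {
    "$JARSIGNER" -verify -strict -certs -keystore "$TRUSTSTORE" "$1" "$2"
}

# Usage: sh audit_signing.sh signed_app.jar mysignedcert
if [ "$#" -eq 2 ]; then
    if signed_jar_enforced "$DMK_SH"; then
        echo "OK: jar-signing validation is enforced in $DMK_SH"
    else
        echo "WARNING: -Dsdn.signedJar=none is set in $DMK_SH; unsigned code will load" >&2
    fi
    verify_app_jar "$1" "$2"
fi
```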
