Security: SDN Controller authentication; Changing the default controller keystore and truststore to use CA signed certificates - HPE VAN SDN Controller 2.7 Administrator's Manual


7 Security

The HPE VAN SDN Controller communicates with different components, both internal and external
to the controller, via secure channels. This section documents these channels, their defaults,
and how to configure them in a deployment environment.

SDN Controller authentication

The SDN Controller identifies itself by means of Public-Key Infrastructure (PKI) when it communicates
with external subsystems and with other controllers. It uses a Java keystore and a Java truststore:
the keystore holds the controller's private key and its own certificate, and the truststore holds the
certificates of the Certificate Authorities (CAs) and peers that the controller trusts. Together they
provide confidential and authenticated communication with clients and with Keystone. For the REST
APIs, the controller authenticates the client with bearer token authentication: the client must
present a valid token in the X-Auth-Token header of each request. Because these are bearer tokens,
anyone who captures one can use it. Therefore use PKI-backed TLS for the connections to Keystone and
to clients, so that tokens are never sent in the clear and cannot be replayed by an eavesdropper, and
make sure that the certificates you use for both Keystone and the controller chain to a CA that both
sides trust. Token authentication is discussed further under "SDN Controller keystore and truststore
locations and passwords" (page 112).

The controller ships with a self-signed certificate. A self-signed certificate cannot be validated
against a trust chain, so Hewlett Packard Enterprise recommends that you replace it with a certificate
signed by a reputable CA; see "Changing the default controller keystore and truststore to use CA
signed certificates" (page 110). Change the default passwords of the keystore and truststore at the
same time.

Enable mutually authenticated TLS (2-way SSL) so that both the controller and Keystone must present
a valid certificate before communication starts; with one-way TLS only the server side is verified.

IMPORTANT: Hewlett Packard Enterprise strongly recommends that you change all default credentials
so that they do not expose any access to the controller. This includes changing the controller
password, the keystore and truststore passwords, the Keystone admin token, and the controller
service token from their default values (see "Security procedure" (page 125)).

Changing the default controller keystore and truststore to use CA signed certificates

NOTE: In a teamed environment, unique certificates are generated for each controller in the team.
You must repeat the following procedure for each controller in the team.

To create a CA-signed keystore and truststore, as the SDN user (for example, sudo su - sdn), do the
following:
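The manual's numbered steps continue on the following pages. The script below is an added example, not the manual's procedure or HPE code: it walks the same PKI workflow with OpenSSL against a throwaway CA (generate the controller's key pair and CSR, have the CA sign it, verify that the result chains to the trusted CA and carries the expected hostname, refuse a certificate issued by an untrusted CA, and bundle the outcome into a Java-readable PKCS12 keystore plus, when keytool is on the path, JKS keystore and truststore files). The CA names, the controller hostname, the aliases, the store password and the $WORK scratch directory are all assumptions; in a real deployment you submit the CSR to your own CA, write the stores to the controller's actual keystore and truststore locations, and choose a new, non-default password.

```shell
#!/bin/sh
# Added example, not HPE's procedure: CA-signed controller certificate,
# trust-chain checks, and Java keystore/truststore files, using a throwaway
# CA. Every name, path and password here is an assumption for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"                          # scratch dir (assumption)
CTRL_CN="${CTRL_CN:-sdn-controller.example.net}"      # controller FQDN (assumption)
STOREPASS="${STOREPASS:-Replace-The-Shipped-Default}" # new, non-default password (assumption)

# Throwaway root CA standing in for your enterprise or public CA.
make_ca() {   # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Generate the key pair where it will live and send only the CSR to the CA.
# serverAuth + clientAuth lets one certificate serve the controller both as a
# TLS server (REST clients) and as a TLS client (Keystone), as 2-way SSL needs.
issue_cert() {   # $1 = file prefix, $2 = DNS name, $3 = signing CA prefix
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$2" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 365 \
    -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# The trust-chain check the manual asks for: the peer certificate must chain
# to a CA in our truststore (lab-ca here) and carry the name we connect to.
chain_is_valid() {   # $1 = cert prefix, $2 = expected DNS name
  openssl verify -CAfile "$WORK/lab-ca.crt" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Negative check: a certificate from a CA outside the truststore, or for the
# wrong name, must be refused, or a rogue Keystone/controller can be impersonated.
chain_is_rejected() {   # same arguments as chain_is_valid
  if chain_is_valid "$1" "$2"; then return 1; fi
  return 0
}

# Keystore: private key + certificate + issuing chain as PKCS12, a type Java
# reads. Truststore: only the CA certificate peers must chain to. If keytool
# is available, also produce the JKS files that older JDKs default to.
build_stores() {
  openssl pkcs12 -export -name sdn-controller \
    -inkey "$WORK/controller.key" -in "$WORK/controller.crt" \
    -certfile "$WORK/lab-ca.crt" -out "$WORK/keystore.p12" \
    -passout "pass:$STOREPASS"
  command -v keytool >/dev/null 2>&1 || return 0
  rm -f "$WORK/keystore.jks" "$WORK/truststore.jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/keystore.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
    -destkeystore "$WORK/keystore.jks" -deststoretype JKS -deststorepass "$STOREPASS" \
    >/dev/null 2>&1 || echo "keytool could not read keystore.p12 (old JDK with OpenSSL 3? retry the export with -legacy)" >&2
  keytool -importcert -noprompt -trustcacerts -alias lab-ca -file "$WORK/lab-ca.crt" \
    -keystore "$WORK/truststore.jks" -storepass "$STOREPASS" >/dev/null 2>&1
}

provision() {
  make_ca lab-ca "Example Lab CA"
  issue_cert controller "$CTRL_CN" lab-ca
  make_ca rogue-ca "Rogue CA"                          # a CA nobody should trust
  issue_cert rogue-keystone keystone.example.net rogue-ca
  build_stores
}

provision
chain_is_valid controller "$CTRL_CN"                  || { echo "controller chain BAD" >&2; exit 1; }
chain_is_rejected rogue-keystone keystone.example.net || { echo "rogue CA was accepted" >&2; exit 1; }
echo "controller certificate chains to lab-ca and the rogue Keystone certificate is refused: OK"
```

Two design points carry over to the real procedure. The truststore holds only the CA certificate, never a peer's leaf certificate, so a Keystone certificate renewal does not require touching the controller as long as the issuing CA stays the same. And because the controller's certificate is issued with both serverAuth and clientAuth, the same keystore lets it present a certificate as a TLS client to Keystone when 2-way SSL is enabled. OpenSSL 3 encrypts PKCS12 files with algorithms that older JDKs cannot read; if keytool or the controller rejects the file with a wrong-password error, re-run the pkcs12 export with -legacy.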
