Creating The Cassandra Keystore And Truststore - HP HPE VAN SDN Controller 2.7 Administrator's Manual

To enable JMX console remote access, edit /opt/sdn/virgo/bin/dmk.sh. The following
line determines whether JMX allows remote access. As shown here, it restricts JMX to
local-only access:
    -Dcom.sun.management.jmxremote.local.only=true \
Any change to this file requires a controller restart to take effect.

Creating the Cassandra keystore and truststore

To create the keystore and truststore, use the following procedure:
1. Log in to the system running the SDN Controller and stop the controller.
2. As the sdn user (for example, su - sdn or sudo -i -u sdn), do the following:
3. Back up your default /opt/sdn/cassandra/conf/.keystore and
   /opt/sdn/cassandra/conf/.truststore to a safe location.
4. Create a new keystore using the following commands (note the default password here is
   skyline):
    cd /opt/sdn/cassandra/conf
    rm .keystore .truststore
    /opt/sdn/openjdk8-jre/bin/keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore .keystore
   You must specify a fully qualified domain for your server for the "first and last name"
   question, as some CAs, such as VeriSign, expect it.
5. Generate a CSR (Certificate Signing Request) for signing:
    /opt/sdn/openjdk8-jre/bin/keytool -keystore .keystore -certreq -alias serverKey -keyalg rsa -file sdn-server.csr
6. Send the sdn-server.csr to a CA to be signed.
   The CA will authenticate you and return a signed certificate and its CA certificate chain.
   This procedure assumes that the signed certificate from the CA is named signed.cer and
   the CA's certificate is root.cer.
7. Import the signed root certificate into your keystores:
   NOTE: In a team, you must add the certificate (and chain) from each other controller to
   the .truststore of all the other members on the team.
    /opt/sdn/openjdk8-jre/bin/keytool -importcert -trustcacerts -keystore .keystore -file root.cer -alias CARoot
    /opt/sdn/openjdk8-jre/bin/keytool -importcert -trustcacerts -keystore .truststore -file root.cer -alias CARoot
8. Replace your self-signed certificate in your serverKey entry with the signed certificate
   from your CA (signed.cer):
    /opt/sdn/openjdk8-jre/bin/keytool -importcert -keystore .keystore -file signed.cer -alias serverKey
9. Log in to the controller UI:
    https://controller_ip:8443/sdn/ui
10. Select Configurations on the left navigation pane, select the System tab and then select
    the com.hp.sdn.teaming.impl.CassandraProcessManager component.
11. Select Modify on the top. When the Modify System Configuration dialog box opens, update
    the location and password of the new keystore. Click Apply.
12. Restart the controller.
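
One way to confirm, before restarting the controller, that step 8 really replaced the self-signed certificate in the serverKey entry. This is an added example, not part of the HPE manual: the function name check_server_entry and the sample keytool listings (host and CA names included) are constructed for illustration.

```shell
# Added example, not from the HPE manual. Reads `keytool -list -v` output for
# one alias on stdin and reports the state of that entry. Real use (keytool
# prompts for the keystore password):
#   /opt/sdn/openjdk8-jre/bin/keytool -list -v -keystore .keystore -alias serverKey | check_server_entry
check_server_entry() {
    awk '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { len = $4 + 0 }
        /^Certificate\[/             { cert++ }   # Certificate[1] is the server cert
        cert == 1 && /^Owner:/       { sub(/^Owner: */, "");  owner = $0 }
        cert == 1 && /^Issuer:/      { sub(/^Issuer: */, ""); issuer = $0 }
        END {
            if (type != "PrivateKeyEntry") print "no-private-key"
            else if (owner == issuer)      print "self-signed"
            else if (len < 2)              print "incomplete-chain"
            else                           print "ca-signed"
        }'
}
# Constructed, abbreviated sample: the entry as left by step 4 (-genkey).
sample_self_signed() {
    cat <<'EOF'
Alias name: serverkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sdn1.example.com, OU=Lab, O=Example, L=City, ST=State, C=US
Issuer: CN=sdn1.example.com, OU=Lab, O=Example, L=City, ST=State, C=US
EOF
}
# Constructed, abbreviated sample: the entry after steps 7 and 8.
sample_ca_signed() {
    cat <<'EOF'
Alias name: serverkey
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=sdn1.example.com, OU=Lab, O=Example, L=City, ST=State, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
EOF
}
echo "after step 4: $(sample_self_signed | check_server_entry)"
echo "after step 8: $(sample_ca_signed | check_server_entry)"
```

A result other than ca-signed for the serverKey alias means the controller would still present the self-signed certificate, or has no private key under that alias, after the restart in step 12.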