What is TLS/SSL?
TLS stands for Transport Layer Security, and SSL stands for Secure Sockets Layer. They are distinct protocols (TLS is the successor to SSL), but the two names are used interchangeably in conversation. Whichever one is used, both rely on the same underlying encryption techniques, rooted in asymmetric (public-key) cryptography, so for our purposes we can think of them as one and the same. Both provide secure communication of data from point A to point B.
...
- Have a private and public key pair.
- Have a signed certificate (either self-signed or signed by a certificate authority).
- Provide their signed certificate to the peer node ahead of time (web browsers normally hide this step from you).
Preparing Your Keys and Certificates
In the context of Floodlight (a Java application) and OVS, we need to prepare two key pairs – one for Floodlight and one for OVS. We also need to generate a certificate for each. (We will exchange the certificates later on.)
Floodlight Key/Cert. Preparation
Java has its own key management framework, accessible through the keytool terminal program. keytool can generate, import, export, view, and do pretty much any other operation on keys and keystores. By default, the JVM keystore lives in $JAVA_HOME/jre/lib/security/<keystore-name>.jks; however, we will start with a clean slate in a separate keystore so that we do not disturb any existing keystore you might have.

First, change directories to a known location where you want the keystore to reside. I'll change to my checked-out copy of Floodlight. Then invoke the keytool utility to create a new certificate, public key, and private key. I specify an alias for the key, which will be helpful when referring to it later on. The keystore parameter specifies the name of the keystore file, and the storepass parameter sets a password for the keystore. By default, the JVM keystore has the password changeit, so I am using the same for this tutorial (but if you are going to have a permanent or semi-permanent deployment, I highly recommend you come up with something else).

The keytool utility will prompt you for general information. The last thing it asks for is a password for the key itself, which can differ from the keystore password. For simplicity, I am setting the key's password to the same value as the keystore password.
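The keytool steps just described, as an added example that is not the tutorial's own command sequence: the keystore file name, alias, subject name and validity are assumed placeholders, and the passwords follow the tutorial's changeit default.

```shell
#!/bin/sh
# Added example, not the tutorial's own commands: a non-interactive version of the
# keytool steps described above. Keystore name, alias, subject DN and validity are
# placeholders chosen for this walkthrough; adjust them for your deployment.
set -eu

KEYSTORE="${KEYSTORE:-floodlight.jks}"
ALIAS="${ALIAS:-floodlight}"
STOREPASS="${STOREPASS:-changeit}"   # tutorial default; pick something else for a lasting deployment
KEYPASS="${KEYPASS:-$STOREPASS}"     # key password kept equal to the keystore password, as in the text
DNAME="${DNAME:-CN=floodlight-controller, O=example-lab}"  # placeholder subject
# Note: passwords passed as command-line arguments end up in shell history and 'ps' output.

# Step 1: fresh keystore holding the controller's key pair plus a self-signed certificate.
gen_controller_key() {
    rm -f "$KEYSTORE"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$DNAME" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$KEYPASS" >/dev/null
}

# Step 2: confirm the alias is a PrivateKeyEntry (a certificate-only entry is useless to Floodlight).
keystore_has_private_key() {
    keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        | grep -q "^$ALIAS,.*PrivateKeyEntry"
}

# Step 3: export only the certificate, PEM-encoded, for OVS to use as cacert.pem.
# The private key never leaves the keystore. Prints the number of certificates in the file (expected: 1).
export_controller_cert() {
    out="${1:-cacert.pem}"
    keytool -exportcert -rfc -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$out" >/dev/null
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Entry point: run all three steps; fails early if no JDK keytool is on the PATH.
prepare_floodlight_certs() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found: install a JDK first" >&2; return 1; }
    gen_controller_key
    keystore_has_private_key
    export_controller_cert "${1:-cacert.pem}"
}
```

Source the file and call prepare_floodlight_certs from the directory where the keystore should live; the resulting cacert.pem is the file that is later copied to the OVS host.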
...
To finish up, copy cacert.pem from your working directory to your OVS installation at "/var/lib/openvswitch/pki/controllerca/cacert.pem". Note that this can be on the local host if OVS is also running there, or on another machine entirely. It is important to use this exact directory, since the following steps assume Floodlight's certificate is located there.
Open vSwitch Key/Cert. Preparation
A prerequisite to using OVS with SSL is that OVS has been built with SSL support. If it has not, the following commands may fail to execute. Download the SSL packages required by your distribution, as listed in the OVS installation guide, and reinstall OVS before proceeding.
...