OpenFlow and REST API Security Configuration
The OpenFlow channel and REST API operate independently. Settings, such as the keystore path, in one module will not impact the other. |
---|
OpenFlow Channel Security
Floodlight supports either non-secure, plain vanilla TCP for its OpenFlow connections to switches or trust-based TLS/SSL. Floodlight ships with all security disabled for ease of initial deployment; however, you can easily turn it on and off via the floodlightdefault.properties file in src/main/resources/floodlightdefault.properties.
net.floodlightcontroller.core.internal.OFSwitchManager.keyStorePath=/path/to/your/keystore-file.jks net.floodlightcontroller.core.internal.OFSwitchManager.keyStorePassword=your-keystore-password net.floodlightcontroller.core.internal.OFSwitchManager.useSsl=NO
You may tweak the settings above to point Floodlight to your keystore path and provide it with your keystore password, which must be the same for each key in the keystore.
Any value provided to useSsl other than "yes", "yep", "true", "ja", or "stimmt" – case insensitive – will result in TLS/SSL being disabled for OpenFlow channels. By default, and if omitted, Floodlight will disable TLS/SSL on the southbound OpenFlow interface.
In order for Floodlight to facilitate secure OpenFlow connections, it must have a public/private key pair. In order for a switch to connect with Floodlight, the switch's certificate must be preinstalled in the Java keystore. Please follow these steps to configure your Java (and if applicable Open vSwitch) keystore.
REST API Security
Floodlight supports three security modes for the REST API – (1) non-secure, plain vanilla HTTP, (2) trust-based HTTPS, or (3) simple HTTPS encryption. Method (1) and either of (2) or (3) may be used concurrently on separate transport ports. (In other words, you may have one unsecured REST API and another secure REST API.)
net.floodlightcontroller.restserver.RestApiServer.keyStorePath=/path/to/your/keystore-file.jks net.floodlightcontroller.restserver.RestApiServer.keyStorePassword=your-keystore-password net.floodlightcontroller.restserver.RestApiServer.httpsNeedClientAuthentication=NO net.floodlightcontroller.restserver.RestApiServer.useHttps=NO net.floodlightcontroller.restserver.RestApiServer.useHttp=YES net.floodlightcontroller.restserver.RestApiServer.httpsPort=8081 net.floodlightcontroller.restserver.RestApiServer.httpPort=8080
You may tweak the settings above to point Floodlight to your keystore path and provide it with your keystore password, which must be the same for each key in the keystore.
Any value provided to httpsNeedClientAuthentication, useHttp, or useHttps other than "yes", "yep", "true", "ja", or "stimmt" – case insensitive – will result in that particular setting being disabled. By default, and if omitted, the particular setting is disabled.
httpsNeedClientAuthentication will turn on/off trust-based HTTPS. By default, and if omitted, trust-based HTTPS is disabled.
In order for Floodlight to host a secure REST API, it must have a public/private key pair. In order for a user to connect with Floodlight's secure trust-based REST API, the user's certificate must be preinstalled in the Java keystore. Please follow these steps to configure your Java keystore.