[onos-dev] Southbound SSL/TLS problems

Alex H

Apr 14, 2016, 5:59:24 PM
to ONOS Developers
Let me preface this by saying I'm new to using ONOS although I have experience with OpenFlow and other controllers.

My setup is two virtual machines running on a single host. One virtual machine runs ONOS and the other virtual machine runs mininet/OVS. The virtual machine running ONOS is running on CentOS 7 and the OpenFlow controller VM is running on Ubuntu 14.04. I've followed the instructions on the wiki (https://wiki.onosproject.org/pages/viewpage.action?pageId=6358090) to configure the southbound OVS connection to use SSL/TLS with self-signed certificates. The main difference is that I don't use onos-install to start ONOS and instead start it locally through "ok clean".

When I start ONOS locally (before starting mininet on the other virtual machine), I check the logs and it has a log entry:
OpenFlow Security is disabled

When I try to get OVS to connect to it using ssl (ovs-vsctl set-controller s1 ssl:192.168.56.101:6633), I get these log messages:
OpenFlow SSL disabled
and
java.lang.IllegalArgumentException: Unknown wire version: 22

Getting the "OpenFlow Security is disabled" message before even starting mininet/OVS makes me think this is a ONOS configuration problem. I also suspect that using "ok clean" instead of onos-install might be a problem.

Does anybody have any idea on how to get around this issue?

Also, I did a search and found this topic: https://groups.google.com/a/onosproject.org/forum/#!searchin/onos-dev/ssl/onos-dev/oVbfC9HKZOg/Iv87qyuhAgAJ

I tried implementing that solution to do a feature:install onos-app-vtn-onosfw, but that did not fix it.

Ali Al-Shabibi

Apr 14, 2016, 6:20:40 PM
to Alex H, ONOS Developers
Hi Alex,

You can enable SSL mode in onos by exporting the following environment variable:

export EXTRA_JAVA_OPTS="-DenableOFTLS"

This will enable TLS in ONOS. That said, you still need to set the keystore and truststore for ONOS and pass them via the same environment variable.

export EXTRA_JAVA_OPTS="-DenableOFTLS -Djavax.net.ssl.keyStore=<path_to_store> -Djavax.net.ssl.trustStore=<path_to_store> -Djavax.net.ssl.keyStorePassword=<passwd> -Djavax.net.ssl.trustStorePassword=<passwd>"

Hope this helps.

Cheers.

--
Ali

Suibin Zhang

Apr 14, 2016, 6:37:46 PM
to Alex H, ONOS Developers
Two questions there:
1) It is not clear from your msg if you are running the onos cell on CentOS or Ubuntu.  There was a problem uncovered by someone. The "onos-install" script copies "onos" to the cell at /etc/init.d/onos and runs start from there using "start-stop-daemon", which is the default in Ubuntu, but not on CentOS. So onos-install won't work on CentOS. You can probably install start-stop-daemon on CentOS to make it work.

2) Running ONOS with SSL OF enabled. The config guide calls for configuring "onos-service" to enable the feature. This has to be packaged in onos with "onos-package" and "onos-install" to the target cells. The fact that your log shows it disabled indicates that the feature is not enabled properly.

--
Suibin Zhang
On.Lab

Alex H

Apr 15, 2016, 3:15:28 PM
to Ali Al-Shabibi, ONOS Developers
Ali,

Thank you for the response.  I exported the environment variable like you said but I still get the "OpenFlow Security is disabled" log message.

I originally had the incorrect trustStorePassword value and ONOS did throw an exception for that.  Therefore, I think ONOS is trying to enable OpenFlow security but for whatever reason it is failing.

Any other hints or suggestions would be greatly appreciated.

Thanks,
Alex

Alex H

Apr 15, 2016, 3:21:11 PM
to Suibin Zhang, ONOS Developers
Thank you for the response.

1.  I am trying to start and run ONOS from the CentOS VM.  I am not using "onos-install" and am using "ok clean" to start ONOS.

2.  If I understand correctly, Ali's response and suggested solution attempts to enable the OF TLS feature.  I just responded to Ali and think that ONOS is trying to start OpenFlow security but it is failing for whatever reason.  Is there anything I can check to see what is wrong?

Thanks,
Alex

Ali Al-Shabibi

Apr 15, 2016, 8:06:18 PM
to Alex H, Suibin Zhang, ONOS Developers
When you start ONOS, can you check that the variables you set are being used by karaf? You can do this by running 'ps aux' and looking for the java process. You should see the jvm parameters you specified.

Cheers.

--
Ali

Alex H

Apr 17, 2016, 8:44:17 PM
to Ali Al-Shabibi, Suibin Zhang, ONOS Developers
It looks like the variables are being set correctly:

admin     1770 47.9 15.4 2733484 291532 pts/0  Sl+  15:56   0:24 /usr/java/jdk1.8.0_45/bin/java -server -Xms128M -Xmx512M -XX:+UnlockDiagnosticVMOptions -XX:+UnsyncloadClass -Dcom.sun.management.jmxremote -DenableOFTLS -Djavax.net.ssl.keyStore=/home/admin/keys/onos.jks -Djavax.net.ssl.keyStorePassword=222222 -Djavax.net.ssl.trustStore=/home/admin/keys/onos.jks -Djavax.net.ssl.trustStorePassword=222222 -Djava.endorsed.dirs=/usr/java/jdk1.8.0_45/jre/lib/endorsed:/usr/java/jdk1.8.0_45/lib/endorsed:/home/admin/Applications/apache-karaf-3.0.5/lib/endorsed -Djava.ext.dirs=/usr/java/jdk1.8.0_45/jre/lib/ext:/usr/java/jdk1.8.0_45/lib/ext:/home/admin/Applications/apache-karaf-3.0.5/lib/ext -Dkaraf.instances=/home/admin/Applications/apache-karaf-3.0.5/instances -Dkaraf.home=/home/admin/Applications/apache-karaf-3.0.5 -Dkaraf.base=/home/admin/Applications/apache-karaf-3.0.5 -Dkaraf.data=/home/admin/Applications/apache-karaf-3.0.5/data -Dkaraf.etc=/home/admin/Applications/apache-karaf-3.0.5/etc -Djava.io.tmpdir=/home/admin/Applications/apache-karaf-3.0.5/data/tmp -Djava.util.logging.config.file=/home/admin/Applications/apache-karaf-3.0.5/etc/java.util.logging.properties -Dkaraf.startLocalConsole=true -Dkaraf.startRemoteShell=true -classpath /home/admin/Applications/apache-karaf-3.0.5/lib/karaf-jaas-boot.jar:/home/admin/Applications/apache-karaf-3.0.5/lib/karaf.jar:/home/admin/Applications/apache-karaf-3.0.5/lib/karaf-org.osgi.core.jar org.apache.karaf.main.Main

In the logs I still see:
2016-04-15 15:57:00,694 | INFO  | onos-app-store   | Controller                       | 161 - org.onosproject.onos-of-ctl - 1.6.0.SNAPSHOT | Starting OpenFlow IO
2016-04-15 15:57:00,694 | INFO  | onos-app-store   | Controller                       | 161 - org.onosproject.onos-of-ctl - 1.6.0.SNAPSHOT | OpenFlow Security is disabled

Thanks,
Alex

Ali Al-Shabibi

Apr 18, 2016, 12:42:33 PM
to Alex H, Suibin Zhang, ONOS Developers
Oh sorry. It should be -DenableOFTLS=true.

Cheers.

--
Ali
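A pre-flight check for the EXTRA_JAVA_OPTS string discussed in this thread, added here as an example and not taken from the thread or from the ONOS project. It assumes only the flags named above (-DenableOFTLS=true and the four javax.net.ssl.* properties) and catches the bare -DenableOFTLS form that left security disabled, plus unreadable store paths.

```sh
#!/bin/sh
# Added example (not from the thread or ONOS): validate the JVM options ONOS
# expects for southbound OpenFlow TLS before starting it with "ok clean".
# Assumes the property names used in the thread; ONOS itself is not invoked.

# Print the value of one -Dname=value property from an option string.
jvm_prop() {   # $1 = option string, $2 = property name
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p" | head -n 1
}

# Returns 0 when the option set is usable, 1 otherwise (reasons on stdout).
check_of_tls_opts() {   # $1 = contents of EXTRA_JAVA_OPTS
    opts=$1
    rc=0
    # Root cause in the thread: a bare -DenableOFTLS does not enable TLS;
    # ONOS still logs "OpenFlow Security is disabled". It must be =true.
    case " $opts " in
        *" -DenableOFTLS=true "*) ;;
        *" -DenableOFTLS "*|*" -DenableOFTLS="*)
            echo "enableOFTLS present but not =true"; rc=1 ;;
        *)  echo "-DenableOFTLS=true missing"; rc=1 ;;
    esac
    for store in keyStore trustStore; do
        path=$(jvm_prop "$opts" "javax.net.ssl.$store")
        if [ -z "$path" ]; then
            echo "javax.net.ssl.$store not set"; rc=1
        elif [ ! -r "$path" ]; then
            echo "javax.net.ssl.$store=$path is not readable"; rc=1
        fi
        # Passwords passed this way are visible in 'ps aux' to local users,
        # as the ps listing earlier in the thread shows.
        if [ -z "$(jvm_prop "$opts" "javax.net.ssl.${store}Password")" ]; then
            echo "javax.net.ssl.${store}Password not set"; rc=1
        fi
    done
    return $rc
}
```

Run it as `check_of_tls_opts "$EXTRA_JAVA_OPTS"` before starting ONOS; a non-zero exit with the printed reason tells you which flag to fix.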

Alex H

Apr 18, 2016, 1:24:34 PM
to Ali Al-Shabibi, Suibin Zhang, ONOS Developers
That worked!  Thanks.