HP HPE VAN SDN Controller 2.7 - Revoking Trust; Revoking Trust Via Truststore; Revoking Trust Via CRL; SDN Administrative REST API

Revoking Trust
Revoking trust via truststore
The controller components rely on the public certificates in the respective truststore to establish
trust with a given identity. Therefore, revoking trust from a client with a given public certificate
amounts to removing its certificate from the respective truststore. To remove a given certificate
from the truststore:
List the certificates in your truststore:
/opt/sdn/openjdk8-jre/bin/keytool -list -v -keystore truststore [-storepass password]
Delete the certificate from the truststore:
/opt/sdn/openjdk8-jre/bin/keytool -delete -alias cert-alias -keystore truststore [-storepass password]
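As an added example (not from the HPE manual), the following POSIX shell wrapper carries out the two keytool steps above and confirms the alias is present before the delete and gone afterwards, so that a typo in the alias does not silently leave the client trusted; the KEYTOOL variable, the function names and the truststore path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: revoke trust for one client certificate by deleting its
# alias from the controller truststore. KEYTOOL defaults to the JRE path
# used by the HPE VAN SDN Controller; override it for other installations.
KEYTOOL="${KEYTOOL:-/opt/sdn/openjdk8-jre/bin/keytool}"

# Print the aliases in a truststore, one per line.
# "keytool -list" prints one "alias, date, trustedCertEntry," line per entry,
# so keep those lines and take the text before the first comma.
list_aliases() {                      # $1 = truststore path, $2 = store password
    "$KEYTOOL" -list -keystore "$1" -storepass "$2" 2>/dev/null \
        | grep -E 'trustedCertEntry|PrivateKeyEntry' | cut -d, -f1
}

# Exit status 0 if alias $3 exists in truststore $1.
has_alias() {
    list_aliases "$1" "$2" | grep -qxF "$3"
}

# Usage: revoke_alias /path/to/truststore <storepass> <cert-alias>
# (the truststore path is a placeholder; use the one your controller uses)
revoke_alias() {
    ts=$1; pw=$2; alias=$3
    if ! has_alias "$ts" "$pw" "$alias"; then
        echo "alias '$alias' is not present in $ts; nothing to revoke" >&2
        return 1
    fi
    "$KEYTOOL" -delete -alias "$alias" -keystore "$ts" -storepass "$pw" || return 1
    # Re-list to make sure the delete really took effect.
    if has_alias "$ts" "$pw" "$alias"; then
        echo "alias '$alias' is still present in $ts after delete" >&2
        return 1
    fi
    echo "trust revoked for alias '$alias' in $ts"
}
```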
Revoking trust via CRL
For the controller's REST API, a CRL (Certificate Revocation List) can also be specified to block specific clients. This is done by modifying the /opt/sdn/virgo/configuration/tomcat-server.xml file to include the CRL file location in the SSL connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
keystoreFile="../admin/keystore"
keystorePass="skyline"/>
For the change to take effect, restart the controller.
SDN administrative REST API
The main SDN Controller daemon (sdnc) is accompanied by an ancillary daemon process (sdna),
which runs under user sdnadmin in order to grant it access to some elevated privileges.
The administrative REST API can be used to securely perform various management functions
in a privileged context. It would be undesirable for the main SDN Controller process to possess
those privileges as it might be hosting execution of third-party code.
The SDN Administrator daemon exposes its REST API over HTTPS on port 8081.
Access is secured through either token-based authentication or basic authentication against the
locally running Keystone server, the same mechanism used by the main SDN Controller REST API.
The following set of features are accessible through the administrative REST API:
SDN Controller daemon (sdnc) stop/start/restart
Adding/removing the team leader IP alias (required only when in team mode)
Configure iptables rules to protect team communication
NOTE: If the iptables rule programming for Cassandra fails, the Cassandra server will
not come up. In previous releases, the server would come up regardless of the iptables
rule programming.
Downloading the ZIP bundle of log files
Uploading upgrade Debian bundles and installing/removing Debian packages
Uploading upgrade ZIP bundles and executing upgrade commands
System reboot
122 Security