
HP HPE VAN SDN Controller 2.7 - Security Best Practices

HP HPE VAN SDN Controller 2.7
231 pages
7. Update the keystore’s internal serverkey to match the newly chosen KeystorePass value
you entered in step 4 using the following:
    /opt/sdn/openjdk8-jre/bin/keytool -keypasswd -alias serverkey \
        -storepass <newKeystorePass> -keypass <oldKeystorePass> \
        -new <newKeystorePass> -keystore /opt/sdn/admin/keystore
8. Update the truststore password to match the newly chosen TruststorePass value you
entered in step 4 using the following:
    /opt/sdn/openjdk8-jre/bin/keytool -storepasswd \
        -storepass <oldKeystorePass> -new <newKeystorePass> \
        -keystore /opt/sdn/admin/truststore
9. Update the jar signing keystore password (named sdnjar_trust.jks) using the following:
a. Use the keytool command to assign a new password. The default or old keystore
password is skyline.
    /opt/sdn/openjdk8-jre/bin/keytool -storepasswd \
        -storepass <oldKeystorePass> -new <newpass4sign> \
        -keystore /opt/sdn/admin/sdnjar_trust.jks
Where <newpass4sign> is a newly chosen password. This new password does not have to
match the others.
b. Update the dmk.sh to provide the new password as an environment variable for the
running controller.
    Navigate to the /opt/sdn/virgo/bin directory as the sdn user.
    Open the dmk.sh file to edit.
    In the dmk.sh file, find the line containing XX:HeapDumpPath....
    After the XX:HeapDumpPath... line, add a new line:
        -Dsdn.trustpass=<newpass4sign>
    Save the dmk.sh file.
c. Restart the sdnc service (sudo service sdnc restart) for the modified password
to be read by the controller.
When you have completed security configuration, restart the Keystone service and restart the controller.
Be sure to remove the visible passwords from the shell history.
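
One way to carry out that last instruction, as an added example that is not part of the HPE manual: a POSIX shell script that counts and removes history lines exposing the passwords typed in steps 7 to 9. The function names, the history file location and the sample passwords are assumptions made for this example.

```shell
#!/bin/sh
# Added example: scrub the passwords typed in steps 7-9 out of a history file.
# Matches keytool's -storepass/-keypass/-new options followed by a value, and
# the -Dsdn.trustpass= property that step 9b adds to dmk.sh.
LEAK_RE='keytool.*-(storepass|keypass|new)[[:space:]]+[^[:space:]]+|-Dsdn\.trustpass='

# Print how many lines of history file $1 expose a password.
count_leaks() {
    grep -Ec -- "$LEAK_RE" "$1" || true   # grep exits 1 on a zero count
}

# Rewrite history file $1 without the exposing lines; other lines are kept.
scrub_history() {
    hist=$1
    tmp=$(mktemp "$hist.XXXXXX") || return 1   # mktemp creates it mode 0600
    # grep -v exits 1 when every line was removed; only exit >1 is an error.
    grep -Ev -- "$LEAK_RE" "$hist" > "$tmp" || [ "$?" -eq 1 ] || {
        rm -f "$tmp"; return 1; }
    mv "$tmp" "$hist"
}

# Constructed sample history (passwords are made up), written to file $1.
make_sample() {
    cat > "$1" <<'EOF'
cd /opt/sdn/admin
/opt/sdn/openjdk8-jre/bin/keytool -keypasswd -alias serverkey -storepass N3wStore -keypass 0ldStore -new N3wStore -keystore /opt/sdn/admin/keystore
/opt/sdn/openjdk8-jre/bin/keytool -storepasswd -storepass 0ldStore -new N3wStore -keystore /opt/sdn/admin/truststore
/opt/sdn/openjdk8-jre/bin/keytool -list -keystore /opt/sdn/admin/keystore
grep -- '-Dsdn.trustpass=S1gnPass' /opt/sdn/virgo/bin/dmk.sh
sudo service sdnc restart
EOF
}

# Demo on a throwaway copy; point scrub_history at ~/.bash_history for real use.
demo=$(mktemp) && make_sample "$demo"
echo "before: $(count_leaks "$demo") exposing lines"
scrub_history "$demo"
echo "after:  $(count_leaks "$demo") exposing lines, $(grep -c '' "$demo") kept"
rm -f "$demo"
```

Bash writes a session's in-memory history to the file when the session exits, so scrub the file after logging out of the session that typed the commands, or clear that session first with `history -c`.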
Security best practices
Observing these rules can help to prevent unauthorized access to the controller:
Do not enable shell history on your controller.
Do not allow other users besides sdn, sdnadmin and the Linux user to have access to your
controller system.
Do not store your authentication token in plain text, such as a non-encrypted cookie.
Do not use self-signed certificates in a production environment.
Do not alter contents under /opt/sdn/Cassandra and /opt/sdn/Hazelcast.
To prevent authentication tokens from being stolen:
Always log out of the UI and close the web page when you are done using it.
Never leave a browser window open and unattended when you are accessing the UI.