Using OpenSSL TLS Certificates for OVSDB and other Services


This feature provides a common Transport Layer Security (TLS) facility within Netvisor One that any service can use, such as the Open vSwitch Database Management Protocol (OVSDB) or a web service. A TLS certificate is required for any SSL/TLS connection to a Netvisor One service; for OVSDB, it is required to connect to a controller over SSL.


For HTTPS communication between a REST API client and the Tomcat application server running on a switch, you must configure and deploy a server certificate in the Tomcat server.


You can create one common certificate for all Netvisor One services or create multiple named certificates. Each service can use a different certificate, identified by name and, optionally, by container or zone.


The certificate facility tracks which applications use each certificate. It notifies those applications when a certificate is updated, and it refuses to delete a certificate that an application is still using.


There are two ways to generate certificates:

  • Self-signed certificate
  • Certificate signed by a Certificate Authority (CA)


Self-signed Certificate


To generate a self-signed certificate, use the cert-create command. This command creates a server certificate and signs it with its own private key. A self-signed certificate carries no third-party attestation of the switch's identity, so a peer such as an OVSDB controller can only verify it if the peer is configured to trust that specific certificate.


Certificate signed by a Certificate Authority (CA)


To obtain a certificate signed by a CA, follow these steps:


1. Create a certificate signing request (CSR) with cert-request-create. The request is built from an existing server certificate, so create that certificate with cert-create first.

2. Export the CSR (cert-request-show) and send it to the CA administrator.

3. Import the certificate received from the CA administrator against the CSR it was issued for (cert-import with file-server). The certificate must carry the public key of that request; a certificate issued for a different request does not match the private key the switch holds.

4. Import the intermediate CA and root CA certificates to the switch (cert-import with file-ca and file-inter), if not already done.
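The CA side of the procedure above, and the checks worth running on what comes back before importing it, as an added example that uses OpenSSL directly. This is not Netvisor One's own code or tooling; the CA names, the switch common name leaf1.example.net and the file names are assumptions, and the subject fields mirror the ones cert-create takes:

```shell
#!/bin/sh
# Added example; not Netvisor One's own tooling. Reproduces with OpenSSL what the CA
# administrator does with an exported CSR (steps 2 and 3 above) and the two checks worth
# running before cert-import: the returned certificate carries the public key of *this*
# CSR, and it chains to the root through the intermediate that will also be imported.
# The CA names, the switch CN leaf1.example.net and the work directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Same fields cert-create takes: country, state, city, organization, unit, common name.
SWITCH_SUBJ="/C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=leaf1.example.net"

# Step 1 equivalent: a 2048-bit RSA key and a CSR for the switch (cert-create plus
# cert-request-create on the switch; here both happen in one openssl command).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$SWITCH_SUBJ" 2>/dev/null
}

# CA side: a self-signed root, an intermediate signed by the root, and the switch
# certificate signed by the intermediate. Extensions are given explicitly so the
# result does not depend on the local openssl.cnf.
run_ca() {
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/C=US/O=Demo/CN=Demo Root CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
        -out root.crt 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/C=US/O=Demo/CN=Demo Intermediate CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile inter.ext -out inter.crt 2>/dev/null

    # Signing the switch's CSR: a server (not CA) certificate with the name in a SAN.
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:leaf1.example.net\n' > server.ext
    openssl x509 -req -in switch.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 365 -extfile server.ext -out switch.crt 2>/dev/null
}

# Check for step 3: the public key in the certificate equals the one in the CSR.
# A certificate returned for some other request does not match the private key the
# switch holds and is useless to it, so this is what "the right CSR" means in practice.
csr_matches_cert() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey)
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Check for step 4: root -> intermediate -> switch certificate verifies, i.e. the
# files about to be passed as file-ca and file-inter really are the issuers.
chain_verifies() {
    openssl verify -CAfile root.crt -untrusted inter.crt switch.crt >/dev/null 2>&1
}

# Failure mode: a certificate that came back for a different CSR must be detected.
wrong_csr_is_rejected() {
    make_csr other
    ! csr_matches_cert other.csr switch.crt
}

make_csr switch
run_ca
csr_matches_cert switch.csr switch.crt && chain_verifies \
    && echo "switch.crt matches switch.csr and chains to root.crt via inter.crt: ready for cert-import"
```

openssl verify with -untrusted plays the role the switch's own chain will once root.crt and inter.crt are imported as file-ca and file-inter, which is why step 4 is not optional when the issuing CA is not already on the switch.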


CLI Commands


These commands manage TLS certificates. The same commands are available through the REST API.


To create a server certificate that self-signs, use the cert-create command:


CLI (network-admin@Leaf1) > cert-create country country-string state state-string city city-string organization organization-string organizational-unit organization-unit-string common-name common-name-string name name-string [container/zone name]


cert-create

Creates a server certificate and self-signs it.

country country-string

Specify a country name (two-letter code).

state state-string

Specify a state or province name.

city city-string

Specify a city name.

organization organization-string

Specify an organization name.

organizational-unit organizational-unit-string

Specify an organizational unit name.

common-name common-name-string

Specify a common name (for a server certificate, typically the host name clients use to reach the service).

name name-string

Specify a certificate name.

any of the following options:

container/zone name

Specify the container or zone in which to store the certificate.


To delete a certificate, use the cert-delete command:


CLI (network-admin@Leaf1) > cert-delete name name-string [container/zone name]


cert-delete

Deletes a certificate. The command fails if an application is still using the certificate.

name name-string

Specify the name of the certificate to delete.

any of the following options:

container/zone name

Specify the container or zone that holds the certificate.


To import a CA certificate file, use the cert-import command:


CLI (network-admin@Leaf1) > cert-import name name-string file-ca file-ca-string [container/zone name] [file-inter file-inter-string]


cert-import

Imports certificate files that have been uploaded to the switch's SFTP directory.

name name-string

Specify the certificate name.

file-ca file-ca-string

Specify the name of the CA certificate file.

file-server file-server-string

Specify the name of the server certificate file, if importing it in the same command.

any of the following options:

container/zone name

Specify the container or zone in which to store the certificate.

any of the following options:

file-inter file-inter-string

Specify the name of the intermediate CA certificate file.


To import a server certificate file, use the cert-import command:


CLI (network-admin@Leaf1) > cert-import name name-string file-server file-server-string [container/zone name] [file-ca file-ca-string] [file-inter file-inter-string]


cert-import

Imports certificate files that have been uploaded to the switch's SFTP directory. The server certificate is imported against the certificate signing request of the same name.

name name-string

Specify the certificate name.

file-server file-server-string

Specify the name of the server certificate file.

any of the following options:

container/zone name

Specify the container or zone in which to store the certificate.

any of the following options:

file-ca file-ca-string

Specify the name of the CA certificate file.

file-inter file-inter-string

Specify the name of the intermediate CA certificate file.


To create a certificate signing request, use the cert-request-create command:


CLI (network-admin@Leaf1) > cert-request-create name name-string [container/zone name]


cert-request-create

Create a certificate signing request from an existing server certificate (created with cert-create).

name name-string

Specify the certificate name.

any of the following options:

container/zone name

Specify the container or zone that holds the certificate.


To display a certificate signing request, use the cert-request-show command:


CLI (network-admin@Leaf1) > cert-request-show name name-string [container/zone name]

cert-request
----------------------------------------------------------------
-----BEGIN CERTIFICATE REQUEST-----
MIICnDCCAYQCAQEwVzELMAkGA1UEBhMCdXMxCzAJBgNVBAgMAmNhMQswCQYDVQQH
DAJtcDELMAkGA1UECgwCcGwxDTALBgNVBAsMBGVuZ2cxEjAQBgNVBAMMCXBsdXJp
YnVzMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMrE6Jowg0VKUw2M
NlL8vp1N8dYE/UL5pvu8FKYWgwG7tC2fjHunZCI0XmssFtZysQul/r9nk+edA5tt
0zIWRmqTB60wnWmzl6uGymeAsC9OSm0ZHFc9zZfUxKjRM/n1dOri3Pw/rODbCjM9
qwO5hsvZc/c1o3ajYFrj1yMlKDIiPW1td1VTpc5TL6wCwnDM697Yb9oQ0cbLKTDl
w5AjQSgJK29rLUl8ptAZXIUkeendpE4MCYrl6Hd+ziOJHXncj65MJyfANTZMrtGD
IJD3m+JsKZt882vMw3AZ3C9WEuE0OZrbabGBHqVKARik2qFhu2bGjlbuj/M6TOf5
Jj1WROUCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQCh1YhXRNwkwmw3FVH4H0Xi
rczy0FkyHkdSbIUIf+6n3qroRpBpcEdrx8fREyiw8hLUks9OcUlT+nSshsWIitI7
R5dcFlyo5HUVjqQQVMlSq3j4fM9XE8y8KRMZ3mfLXRTmuFPxbBuE3ZGjlBSLnBgK
ODqHF1gVa4u7l9mO3TRXczLQiAPaw38/kxEwkh4erJp4jjXf8K0h9JMGvYONYWeI
1PbiZpjIWDLNbg6sKqqrPAxEAjzGNMgNPIMXRepmEmnC/BaLVA04noZran8LRLNp
Id41o3TnlXiAodF/Mc7H5fI1hYf0YzWDSfz3PNufn6Dusu5M2ma7jtWlEdBW8huH
-----END CERTIFICATE REQUEST-----

Copy the request text, from the BEGIN line through the END line inclusive, into a file and send that file to the CA administrator. The request contains only the subject and the public key; the private key never leaves the switch.

To display certificates, use the cert-show command:


CLI (network-admin@Leaf1) > cert-show [cert-type ca|intermediate|server] [subject subject-string] [issuer issuer-string] [serial-number serial-number-number] [valid-from valid-from-string] [valid-to valid-to-string] [country country-string] [state state-string] [city city-string] [organization organization-string] [organizational-unit organizational-unit-string] [common-name common-name-string] [name name-string] [container/zone name]


name  used-by cert-type container subject
----- ------- --------- --------- ------------------------------------------
cert3         ca                  /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1
cert3         server              /C=us/ST=ca/L=mp/O=pl/OU=engg/CN=pluribus1
cert1 ovs     ca                  /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus
cert1 ovs     server              /C=US/ST=CA/L=PA/O=ovs/OU=ou/CN=Pluribus

One row is shown for each certificate type stored under a name. The used-by column identifies the application holding the certificate: cert1 is in use by ovs, so cert-delete refuses it until the OpenvSwitch configuration no longer references it, while cert3 is not in use by any application.


Configuring OpenvSwitch for Certificates


The following openvswitch-create and openvswitch-modify command options allow you to specify a certificate name when creating an OpenvSwitch configuration.


CLI (network-admin@Leaf1) > openvswitch-create name name-string [cert-name cert-name-string] [ca-cert-name ca-cert-name-string] [cert-location none|global|container]


openvswitch-create

Create an OpenvSwitch configuration.

any of the following options:

cert-name cert-name-string

Specify the name of the certificate (as listed by cert-show) that identifies this switch on SSL connections to the controller.

ca-cert-name ca-cert-name-string

Specify the name of the CA certificate against which the controller's certificate is verified on the SSL connection.

cert-location none|global|container

Specify where the named certificates are located: none, global, or within the container.


CLI (network-admin@Leaf1) > openvswitch-modify name name-string [cert-name cert-name-string] [ca-cert-name ca-cert-name-string] [cert-location none|global|container]


openvswitch-modify

Modify an existing OpenvSwitch configuration.

any of the following options:

cert-name cert-name-string

Specify the name of the certificate that identifies this switch on SSL connections to the controller.

ca-cert-name ca-cert-name-string

Specify the name of the CA certificate against which the controller's certificate is verified on the SSL connection.

cert-location none|global|container

Specify where the named certificates are located: none, global, or within the container.