path: root/INSTALL.SSL
author: Ben Pfaff <blp@nicira.com> 2010-03-03 16:54:00 -0800
committer: Ben Pfaff <blp@nicira.com> 2010-03-04 10:05:44 -0800
commit: 3b12addabb60c1eae0f58942281a388a6bc5d45b (patch)
tree: 659f0957c7901f9f958f88edbbd92094c295db99 /INSTALL.SSL
parent: 39a559f2a77e78c53f439a904986337b0d6d15cf (diff)
Update Open vSwitch documentation.
Diffstat (limited to 'INSTALL.SSL')
-rw-r--r-- INSTALL.SSL 25
1 files changed, 13 insertions, 12 deletions
diff --git a/INSTALL.SSL b/INSTALL.SSL
index 8df47bc1..4ba09254 100644
--- a/INSTALL.SSL
+++ b/INSTALL.SSL
@@ -287,30 +287,31 @@ cacert.pem:
OpenFlow controller by verifying a signature against this CA
certificate.
-Once you have these files, configure ovs-vswitchd to use them by
-adding the following keys to your ovs-vswitchd.conf file:
+Once you have these files, configure ovs-vswitchd to use them using
+the ovs-vsctl "set-ssl" command, e.g.:
- ssl.private-key=/etc/vswitch/sc-privkey.pem
- ssl.certificate=/etc/vswitch/sc-cert.pem
- ssl.ca-cert=/etc/vswitch/cacert.pem
+ ovs-vsctl set-ssl /etc/vswitch/sc-privkey.pem /etc/vswitch/sc-cert.pem /etc/vswitch/cacert.pem
Substitute the correct file names, of course, if they differ from the
-ones used above.
+ones used above. You should use absolute file names (ones that begin
+with "/"), because ovs-vswitchd's current directory is unrelated to
+the one from which you run ovs-vsctl.
If you are using self-signed certificates (see "SSL Concepts for
OpenFlow") and you did not copy controllerca/cacert.pem from the PKI
-machine to the Open vSwitch, then also add the following key:
+machine to the Open vSwitch, then add the --bootstrap option, e.g.:
- ssl.bootstrap-ca-cert=true
+ ovs-vsctl -- --bootstrap set-ssl /etc/vswitch/sc-privkey.pem /etc/vswitch/sc-cert.pem /etc/vswitch/cacert.pem
After you have added all of these configuration keys, you may specify
-"ssl:" connection methods elsewhere in ovs-vswitchd.conf, e.g.:
-
- mgmt.controller=ssl:192.168.0.1
-
+"ssl:" connection methods elsewhere in the configuration database.
"tcp:" connection methods are still allowed even after SSL has been
configured, so for security you should use only "ssl:" connections.
+Unlike most Open vSwitch settings, the SSL settings are read only
+once, at ovs-vswitchd startup time. For changes to take effect,
+ovs-vswitchd must be killed and restarted.
+
Reporting Bugs
--------------
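Review bot: the unchanged context line "After you have added all of these configuration keys, you may specify" still talks about ovs-vswitchd.conf keys, but this hunk removes those keys in favour of an ovs-vsctl command, so the sentence no longer matches what the reader just did; reword it along the lines of "After you have configured SSL with set-ssl, you may specify". Two smaller points in the same hunk: the prose says only "add the --bootstrap option" while the example reads "ovs-vsctl -- --bootstrap set-ssl ...", so a clause explaining that the "--" introduces a command together with its own options would stop readers from dropping it; and because --bootstrap makes the switch accept the CA certificate offered by the controller it first connects to (rather than the cacert.pem copied from the PKI machine, as the surrounding text describes), the paragraph should say plainly that this first connection is not authenticated and is exposed to a man-in-the-middle, that it should be made on a trusted network, and that copying cacert.pem from the PKI machine is the safer choice whenever it is possible.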