HPE Knowledge Article

Transcription

1 HPE Knowledge Article HPE 5930/5940 Switch Series - Connect to OVSDB Client Article Number mmr_sf-en_us Environment HPE 5930/5940 switches can be configured as OVSDB servers. One common use case of this functionality is an OVSDB server for an VMWare NSX Controller cluster. This enables the 5930/5940 to be a HW VTEP for a VMWare NSX environment. The connection between the 5930/5940 and NSX must be done over SSL. This document explains how to configure this feature for VMWare NSX. Issue Certification generation, placement on switch and placement on NSX is outlined here. This outline applies to Comware version R2609 and later releases. This does not apply to Comware R24xx versions. Cause Resolution Steps to set up NSX HW VTEP with Comware 1) Create certificate files 2) Configure the 5930/5940 (need R2609) 3) Configure HW VTEP in NSX with certificate 1) Steps to create the certificate files, ca.crt and server.pem Make sure that the clock times are the same on the linux machine and the switch. Use the linux command date and/or ntp settings on the switch Performed on linux: mkdir certgeneration cd certgeneration cp /etc/ssl/openssl.cnf./

2 touch index.txt echo 01 > serial mkdir democa cd democa mkdir newcerts cp../index.txt. cp../serial. cd.. openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt openssl rsa -in ca.key -out ca.key openssl genrsa -aes256 -out server.key 2048 openssl rsa -in server.key -out server.key openssl req -new -key server.key -out server.csr -config openssl.cnf openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf cat server.crt server.key > server.pem get ca.crt and server.pem onto switch See bottom for a capture of generation of certificates. 2) Example configuration for the switch interface Ten-GigabitEthernet1/0/20 port link-mode bridge vtep access port service-loopback group 1 type vsi-gateway tunnel global source-address vxlan tunnel mac-learning disable l2vpn enable ovsdb server ssl ip port 6640 ovsdb server ssl ip port 6640 ovsdb server ssl ip port 6640 #for L3 VTEP # ip address of loopback interface # is the address of 1st NSX Controller # is the address of 2nd NSX Controller # is the address of 3rd NSX Controller pki domain vmware ca identifier ca.crt certificate request entity vmware public-key rsa general name vmware length 2048 undo crl check enable pki entity vmware ovsdb server pki domain vmware ovsdb server bootstrap ca-certificate flash:/vswitchd.cacert pki import domain vmware pem ca filename ca.crt pki import domain vmware pem local filename server.pem ovsdb server enable vtep enable 3) Configure HW VTEP in NSX

3 In vsphere Web Client: Networking and Security Service Definitions Hardware Devices Green plus sign to add new From the file, server.pem: Copy all text from the beginning to the end of the certificate, including the line before and after. E.g: -----BEGIN CERTIFICATE----- MIID9zCCAt+gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBiTELMAkGA1UEBhMCVVMx FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEDAOBgNVBAcMB0FuZG92ZXIxDDAKBgNV BAoMA0hQRTEMMAoGA1UECwwDSFBFMQ4wDAYDVQQDDAVTY290dDEkMCIGCSqGSIb3 DQEJARYVc2NvdHQudy5yZWV2ZUBocGUuY29tMB4XDTE4MDMwMzE1MTEzOFoXDTE5 MDMwMzE1MTEzOFowdzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 dhmxddakbgnvbaoma0hqrtemmaoga1uecwwdsfbfmq4wdaydvqqddavty290ddek MCIGCSqGSIb3DQEJARYVc2NvdHQudy5yZWV2ZUBocGUuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsrHb8bWrZwMu86MPl/P9KJGRgKN/ieUl5rD3 dt8mxhv1g5nbph0895hk0a6n2dfndcccml6mkibghhbf4i0s7jmfxvlqmehwi1xp eujqwxpzrik79/4agtfstzzipy2bmrnjpoaevcmmmckzx9v2aqulugovzwnpp1xx LflD43pgdR5cDI8GBH0CYakuSb0WxC+DqEGVSsu4cntA/JHwznUcDrj8XdZXKmwi bzg46tsf3w8ecnzlyrdopodzra6djvx6vonbbwnmstzdeqnf/p6djszycfcddwzf HA4aD+Lap7mhcMLjQsepMMHM5VZhIS7fmeYKL8WAP1s9WFHYKwIDAQABo3sweTAJ BgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0 awzpy2f0ztadbgnvhq4efgqucun+njsedlyclecbrzbqp6jkzzcwhwydvr0jbbgw FoAUT1hFkdOMmPZ31XyRB6CzrpjG2BEwDQYJKoZIhvcNAQELBQADggEBAHw5cZWM EtKppB7sRj8jMR5WXuS+LJqKVnr0BS2mVkxlnVc+P8xDEdphtPkd+xeHX83c6xtB sxpw774e37wstvnkei5dmg2c3da2c5qrpcsxxvk8uirpszxghkvgjc82jgyaozhi qv00yrh3c/sq+vfq6oxuf9og6gpjvkawynejuwtpdnvy6bfcrkln4ofmq5eevcll MbWupJQ6UTPMwScX3SfU4jSYFYhdQl4NsSB7H9q2kOLW7KCrh1yMBsHqHNuc7eJb oyuedcqr5ifuv0iv9or+k3qkoils59nwtrzqc/gaqeycx1luh6ve68bwc30cbvnl RrldNBOQxRLS4i4= -----END CERTIFICATE----- Paste it into here:

4 Once OK is clicked, the OVSDB connection between the switch and NSX should be established. The Hardware Device should appear as Up on this screen. If it does not connect properly, debug ovsdb server should be captured. Capture of certificate generation: Starting with the first openssl command: openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt Generating a 2048 bit RSA private key writing new private key to 'ca.key' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Massachusetts Locality Name (eg, city) []:Andover Organization Name (eg, company) [Internet Widgits Pty Ltd]:HPE Organizational Unit Name (eg, section) []:HPE Common Name (e.g. server FQDN or YOUR name) []:John Address []:john@hpe.com user1@host1:~/cert5$ openssl rsa -in ca.key -out ca.key writing RSA key

5 openssl genrsa -aes256 -out server.key 2048 Generating RSA private key, 2048 bit long modulus e is (0x10001) Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key: user1@host1:~/cert5$ openssl rsa -in server.key -out server.key Enter pass phrase for server.key: writing RSA key user1@host1:~/cert5$ openssl req -new -key server.key -out server.csr -config openssl.cnf You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Massachusetts Locality Name (eg, city) []:Andover Organization Name (eg, company) [Internet Widgits Pty Ltd]:HPE Organizational Unit Name (eg, section) []:HPE Common Name (e.g. server FQDN or YOUR name) []:John Address []:john@hpe.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:7519 An optional company name []:HPE user1@host1:~/cert5$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf Using configuration from openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Mar 3 10:07: GMT Not After : Mar 3 10:07: GMT Subject: countryname = US stateorprovincename = Massachusetts organizationname = HPE organizationalunitname = HPE commonname = John address = john@hpe.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BC:AC:DE:44:4B:C8:9D:AF:40:96:85:B0:3B:E2:66:61:C9:1D:58:0C X509v3 Authority Key Identifier: keyid:ec:e6:46:d2:a9:e6:54:30:da:5c:6b:80:b2:e7:8a:85:9f:1f:08:76

6 Certificate is to be certified until Mar 3 10:07: GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated user1@host1:~/cert5$ cat server.crt server.key > server.pem user1@host1:~/cert5$ i Copyright 2018 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice.the only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services.nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.