Configuring Transport Layer Security-Based XMPP in OpenSDN¶

date:: 2019-04-03

Overview: TLS-Based XMPP¶

Transport Layer Security (TLS)-based XMPP can be used to secure all Extensible Messaging and Presence Protocol (XMPP)-based communication that occurs in the OpenSDN environment.

Secure XMPP is based on RFC 6120, Extensible Messaging and Presence Protocol (XMPP): Core.

TLS XMPP in OpenSDN¶

In the OpenSDN environment, the Transport Layer Security (TLS) protocol is used for certificate exchange, mutual authentication, and negotiating ciphers to secure the stream from potential tampering and eavesdropping.

The RFC 6120 highlights a basic stream message exchange format for TLS negotiation between an XMPP server and an XMPP client.

Note

Simple Authentication and Security Layer (SASL) authentication is not supported in the OpenSDN environment.

Configuring XMPP client and server in OpenSDN¶

In the OpenSDN environment, XMPP based communications are used in client and server exchanges, between the compute node (as the XMPP client), and:

the control node (as the XMPP server)
the DNS server (as the XMPP server)

Configuring Control Node for XMPP Server¶

To enable secure XMPP, the following parameters are configured at the XMPP server.

On the control node, enable the parameters in the configuration file:

/etc/contrail/contrail-control.conf.

Parameter	Description	Default
`xmpp_server_cert`	Path to the node’s public certificate	`/etc/contrail/ssl/certs/server.pem`
`xmpp_server_key`	Path to server’s or node’s private key	`/etc/contrail/ssl/certs/server-privkey.pem`
`xmpp_ca_cert`	Path to CA certificate	`/etc/contrail/ssl/certs/ca-cert.pem`
`xmpp_auth_enable=true`	Enables SSL based XMPP	Default is set to false, XMPP is disabled. Note: The keyword `true` is case sensitive.

Configuring DNS Server for XMPP Server¶

To enable secure XMPP, the following parameters are configured at the XMPP DNS server.

On the DNS server control node, enable the parameters in the configuration file:

/etc/contrail/contrail-control.conf

Parameter	Description	Default
`xmpp_server_cert`	Path to the node’s public certificate	`/etc/contrail/ssl/certs/server.pem`
`xmpp_server_key`	Path to server’s or node’s private key	`/etc/contrail/ssl/certs/server-privkey.pem`
`xmpp_ca_cert`	Path to CA certificate	`/etc/contrail/ssl/certs/ca-cert.pem`
`xmpp_dns_auth_enable=true`	Enables SSL based XMPP	Default is set to false, XMPP is disabled. Note: The keyword `true` is case sensitive.

Configuring Control Node for XMPP Client¶

To enable secure XMPP, the following parameters are configured at the XMPP client.

On the compute node, enable the parameters in the configuration file:

/etc/contrail/contrail-vrouter-agent.conf

Parameter	Description	Default
`xmpp_server_cert`	Path to the node’s public certificate	`/etc/contrail/ssl/certs/server.pem`
`xmpp_server_key`	Path to server’s/node’s private key	`/etc/contrail/ssl/private/server-privkey.pem`
`xmpp_ca_cert`	Path to CA certificate	`/etc/contrail/ssl/certs/ca-cert.pem`
`xmpp_auth_enable=true` `xmpp_dns_auth_enable=true`	Enables SSL based XMPP	Default is set to false, XMPP is disabled. Note: The keyword `true` is case sensitive.