Authentication between vSmart Controller

Authentication between vSmart Controller

Now let’s say if you have multiple vSmart controller in your Network domain, then these controller must authenticates each other so that they can establish a full mesh of Permanent DTLS connection for synchronizing OMP routes.

Each vSmart Controller learns the other vSmart controller IP from vBond Orchestrator when it does handshake with vBond.

During this vSmart Controller receives the vSmart authorized serial number file, and if this file contains the multiple SN, then it indicates that network have multiple vSmart Controller. As one vSmart controller authenticates with vBond, vBond sends the IP address of other vSmart controller to that vSmart Controller to which it has authenticated with.

Now vSmart Controller follows these steps to authenticate each other in parallel.

1. vSmart1 initiates the an encrypted DTLS connection with vSmart2 and send its trusted root CA signed certificate to other vSmart2
2. vSmart2 uses it chain of trust to extract the vSmart1 serial number, this SN must match with one of the number present in vSmart authorized serial number file, if they don’t match vSmart2 tears down the DTLS connection.
3. vSmart2 uses its extract the organization name from certificate and its compares with its own organization name configured on it. If the match is not correct vSmart2 will tear down the DTLS connection
4. If it matches , then it will use the root CA chain to verify certificate , if Certificate signature is correct vSmart confirm that certificate is valid and if signature is not correct vSmart2 will tear down the connection

If the verification matches, vSmart2 authentication of vSmart1 is said to be complete.

Now vSmart1 will try authentication with vSmart2 in same fashion as below:

1. vSmart2 will send the trusted root CA signed certificate to vSmart1
2. vSmart1 uses it chain of trust to extract the vSmart2 serial number, this SN must match with one of the number present in vSmart authorized serial number file, if they don’t match vSmart1 tears down the DTLS connection.
3. vSmart1 uses its extract the organization name from certificate and its compares with its own organization name configured on it. If the match is not correct vSmart1 will tear down the DTLS connection
4. If it matches , then it will use the root CA chain to verify certificate , if Certificate signature is correct vSmart confirm that certificate is valid and if signature is not correct vSmart1 will tear down the connection

After these steps are performed successfully, vSmart1 authentication of vSmart2 is said to be complete and temporary DTLS connection is transitioned to Permanent DTLS Connection.