NetConf Over Transport Layer Security
Transport Layer Security (TLS) is a cryptographic protocol that uses mutual certificate-based authentication and provides a secure and reliable connection between two devices. It is a successor to the Secure Sockets Layer (SSL) protocol. When a NetConf session is established over TLS, the NetConf server acts as the TLS server, and the NetConf client must act as the TLS client.
NetConf sessions over TLS provide some advantages over sessions that use SSH. Whereas SSH authenticates a client by using credentials (username and password) or keys, TLS uses certificates to mutually authenticate both the client and the server. Certificates can provide additional information about a client and can be used to securely authenticate one device to another. Thus, while NetConf sessions over SSH work well for manually managing individual devices, NetConf sessions that use TLS enable secure device-to-device communication for more effectively managing and automating devices in large-scale networks.
TLS subsystem logs are integrated with the system logger (syslog) and appear (along with other OcNOS logs) in /var/log/message with the tag TLS_SUBSYS.
The NetConf server uses TCP port number 6513 to listen for TCP connections established by NetConf over TLS clients.
Note: A maximum of 3 NETCONF sessions over TLS are supported.
Topology
Netconf over TLS Topology
Client Configuration
1. Generate CA authority key and certificate on TLS client:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout rootCAKey.pem -out rootCACert.pem
2. Generate client key and certificate on client:
a. Create a new file named ClientCertReq.config with this content:
[req]
distinguished_name = dn
prompt = no
[dn]
CN = 10.12.65.10 ---------- > <Apply TLS client IP here>
C = IN
L = BNG
O = IPI
OU = IPI-QA
openssl req -newkey rsa:2048 -keyout ClientKey.pem -out ClientCert.csr -config ./ClientCertReq.config -nodes -days 100
3. Client certificate signing:
openssl x509 -req -sha256 -in ClientCert.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out ClientCert.pem -days 365
4. Server certificate signing:
openssl x509 -req -sha256 -in ServerCert.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out ServerCert.pem -days 365
5. Manually import (SCP) signed server certificate and CA-root certificate to OcNOS (/usr/local/etc/tls/certs).
• File should be in PEM format for CA-root certificate and named cert.pem (/usr/local/etc/tls/certs/ca.pem).
• OcNOS server certificate file should be in PEM format and named cert.pem (/usr/local/etc/tls/certs/cert.pem).
6. Establish TLS session using the below command on the client side:
connect --tls --host 10.12.89.152 --port 6513 --cert /root/QUX/ClientCert.pem
--key /root/QUX/ClientKey.pem --trusted /root/QUX/rootCACert.pem
Note: This example uses the Netopeer2 command as NetConf client over TLS.
Server Configuration
Generate server private key and CSR request on the TLS server:
>enable | Turn on privileged mode. |
#crypto pki generate rsa common-name ipv4 10.12.93.111 | IP address used by TLS clients to connect to the NetConf server running on OcNOS. |
#show crypto csr | Show Certificate Signing Request |
Validation
On TLS server:
# show crypto csr
-----BEGIN CERTIFICATE REQUEST-----
MIICXDCCAUQCAQAwFzEVMBMGA1UEAwwMMTAuMTIuOTMuMTExMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7dTLZpS7sTCrFdP4gQD6X4+PHtYKK7jQdSaM
WaX20dkPqxN8/6VHuY3+fE13eeUSPrDbdSOzPq6f/Rdd/xG76Qi95yYKZnUkTz1/
sF50LfdxL2u+Xg25TA4+Lh6EHYxbmLwX6/o4b8E+78CH+NftH6g1/2YN14PC3lI1
Jlar+YEAzlyy8q1RAHbiazyJmgR0n4KxdtU/c/nzU8zP4OWtJdNquAAMkQUcWwBg
0a88FpFEm5SkQRslLX2BdofpO0SCiMJVkYRJH8yirxKwHx7JBg7EtDovofY585rj
zBZBTycsWYrpWGh+YUm+5ZbEHN+NC2r9UqvLVuHyYWRPB40jxQIDAQABoAAwDQYJ
KoZIhvcNAQELBQADggEBAD0/4MxtfJrz3jeBAMUwIjTBFauTI2rJ0AMxjIcPfvel
wLi/nK4HBU3Ucg9yUqfPYwfi3gLa901AJT5UVPZV0C783nNBrR9GRa91rL0+0Ksa
hptlTCvFug/N7oEIADQ2IHskNTyCSW7MeJaz06amhiGHp+QNjNulAmsXUjPOzKsJ
OILOmBvD10N+GvtvBMhJrxDKzCda9auSdk1If1BRdfmNttnfthoK3PWK5kmkyhlr
l4mz3Mvd9E5UvsMfL8u72FibwaHa3b862/YQdbidN2LS8xjCZTxeitbJooLzywhb
hR99BENUG8zTbmIa8BD2Nt8F3mlo/31kD8eO2QTLqfI=
-----END CERTIFICATE REQUEST-----
PE3#
Note: You should copy and paste the output of the above show command into the ServerCert.csr file on the client.
NETCONF-TLS over User Defined Vrfs
From Release 6.5.3,OcNOS supports the netconf-tls feature over user-defined VRFs, in addition to the default and management VRFs. This allows users to enable the netconf-tls feature across multiple user-defined VRFs simultaneously, providing access to the device via user-defined VRF networks from a remote client.
Users can also customize the netconf-tls ports for user-defined VRFs, using non-default ports (other than 6513).
The process for generating client and server certificates and accessing the device through netconf-tls remains the same as described in previous sections
Server Configuration for user defined vrfs
#configure terminal | Enter configure mode |
(config)#ip vrf vrf_test | Configure User defined vrf |
(config)#feature netconf-tls vrf vrf_test | Enable netconf-tls feature over user defined vrf say vrf name “vrf_test” |
(config)#commit | Commit configuration |
(config)#no feature netconf-tls vrf vrf_test | Disable netconf-tls feature over user define vrf say vrf name “vrf_test” |
(config)#commit | Commit configuration |
Server Configuration for user defined vrfs to configure TLS ports
#configure terminal | Enter configure mode |
(config)#no feature netconf-tls vrf vrf_test | Disable netconf-tls feature over user defined vrf say vrf name “vrf_test” |
(config)#commit | Commit configuration |
(config)#netconf server tls-port 65535 vrf vrf_test | Configure tls port over user defined vrf. |
(config)#commit | Commit configuration |
(config)#feature netconf-tls vrf vrf_test | Enable netconf-tls feature over user defined vrf say vrf name “vrf_test” to reflect the port configuration |
(config)#commit | Commit configuration |
Validation
#show netconf server
VRF Management
Netconf TLS Server: Enabled
TLS-Netconf Port : 6513
VRF Default
Netconf TLS Server: Enabled
TLS-Netconf Port : 6513
VRF vrf_test
Netconf TLS Server: Enabled
TLS-Netconf Port : 65535