TNSR Setup
Current versions of TNSR software set up a default RESTCONF configuration and a set of basic PKI certificates sufficient to run and access the RESTCONF daemon at boot time if one does not already exist. This is equivalent to running the shortcut command below (pki generate-restconf-certs) and adding a RESTCONF server setup in the host namespace.
This initial setup is good enough for basic RESTCONF purposes but can be customized and improved in several ways as described in the remainder of this recipe.
See also
Administrators who are satisfied with the default setup may want to skip ahead to RESTCONF Examples for usage examples or Adding More RESTCONF Users for information on how to allow additional users to access RESTCONF.
Generate Certificates
There are two ways to create the necessary PKI structure for the RESTCONF server: Using the shortcut command or creating the PKI certificates manually.
Certificate Shortcut Command
The shortcut command generates a basic set of certificates for use with the RESTCONF service, but does not offer as much customization as generating the certificates manually.
tnsr(config)# pki generate-restconf-certs length 4096 subject-alt-names tnsr.example.com 198.51.100.2
Generated new Certificates (and missing Keys - RSA 4096 bits):
CA cert/key : restconf-CA (New RSA key)
server side cert/key : restconf (New RSA key)
client side cert/key : restconf-client (New RSA key)
If this is sufficient, proceed ahead to Setup NACM, or continue reading to learn how to create the certificates manually instead.
Manually Generate Certificates
The PKI structure can also be generated manually for more fine-grained control, such as using different CA and certificate names, non-default digest options, different lifetimes, and different CN/SAN values.
Create a self-signed Certificate Authority:
tnsr(config)# pki private-key restconf-CA generate
tnsr(config)# pki signing-request settings clear
tnsr(config)# pki signing-request set common-name restconf-CA
tnsr(config)# pki signing-request set digest sha512
tnsr(config)# pki signing-request restconf-CA generate
tnsr(config)# pki signing-request restconf-CA sign self purpose ca
Create a certificate for the user tnsr, signed by restconf-CA:
tnsr(config)# pki private-key restconf-client generate key-length 4096
tnsr(config)# pki signing-request settings clear
tnsr(config)# pki signing-request set common-name tnsr
tnsr(config)# pki signing-request set digest sha512
tnsr(config)# pki signing-request restconf-client generate
tnsr(config)# pki signing-request restconf-client sign ca-name restconf-CA days-valid 365 digest sha512 purpose client
Create a certificate for the RESTCONF service to use. The common-name should be the hostname of the TNSR router, which should also exist in DNS:
tnsr(config)# pki private-key restconf generate key-length 4096
tnsr(config)# pki signing-request settings clear
tnsr(config)# pki signing-request set common-name tnsr.example.com
tnsr(config)# pki signing-request set subject-alt-names add hostname tnsr.example.com
tnsr(config)# pki signing-request set subject-alt-names add ipv4-address 198.51.100.2
tnsr(config)# pki signing-request set digest sha512
tnsr(config)# pki signing-request restconf generate
tnsr(config)# pki signing-request restconf sign ca-name restconf-CA days-valid 365 digest sha512 purpose server
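The same three-certificate structure built with the openssl CLI, as an added example that is not part of the TNSR documentation: it reproduces the properties the manual section configures (RSA 4096, sha512, CA purpose, client CN tnsr, server SAN with hostname and IPv4, 365-day validity) and then runs the checks a RESTCONF client relies on, so exported TNSR certificates can be compared against the expected result. It assumes openssl is installed and writes into a temporary directory.

```shell
#!/bin/sh
# Constructed example: CA, client and server certificates with the same
# properties as the manual TNSR commands, plus a verification function.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension sections: CA, client (clientAuth) and server (serverAuth + SAN).
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[cli]
extendedKeyUsage = clientAuth
[srv]
extendedKeyUsage = serverAuth
subjectAltName = DNS:tnsr.example.com, IP:198.51.100.2
EOF

# Self-signed CA: RSA 4096, sha512, purpose ca (restconf-CA).
openssl req -x509 -newkey rsa:4096 -nodes -sha512 -days 365 -subj "/CN=restconf-CA" \
  -config pki.cnf -extensions ca -keyout restconf-CA.key -out restconf-CA.crt 2>/dev/null

# Client certificate: CN "tnsr" must match the NACM group member name.
openssl req -new -newkey rsa:4096 -nodes -sha512 -subj "/CN=tnsr" -config pki.cnf \
  -keyout restconf-client.key -out restconf-client.csr 2>/dev/null
openssl x509 -req -in restconf-client.csr -CA restconf-CA.crt -CAkey restconf-CA.key \
  -CAcreateserial -days 365 -sha512 -extfile pki.cnf -extensions cli \
  -out restconf-client.crt 2>/dev/null

# Server certificate: CN is the router hostname, SAN carries hostname and IP.
openssl req -new -newkey rsa:4096 -nodes -sha512 -subj "/CN=tnsr.example.com" \
  -config pki.cnf -keyout restconf.key -out restconf.csr 2>/dev/null
openssl x509 -req -in restconf.csr -CA restconf-CA.crt -CAkey restconf-CA.key \
  -CAcreateserial -days 365 -sha512 -extfile pki.cnf -extensions srv \
  -out restconf.crt 2>/dev/null

# Returns 0 only if chain, purposes, SAN, client CN and key size are as intended.
check_pki() {
  openssl verify -CAfile restconf-CA.crt -purpose sslserver restconf.crt >/dev/null &&
  openssl verify -CAfile restconf-CA.crt -purpose sslclient restconf-client.crt >/dev/null &&
  openssl x509 -in restconf.crt -noout -ext subjectAltName | grep -q 'DNS:tnsr.example.com' &&
  openssl x509 -in restconf.crt -noout -ext subjectAltName | grep -q '198.51.100.2' &&
  openssl x509 -in restconf-client.crt -noout -subject | grep -q 'CN *= *tnsr$' &&
  openssl x509 -in restconf.crt -noout -text | grep -q 'Public-Key: (4096 bit)'
}
```

Run `check_pki` after the script; a non-zero exit points at a certificate that would fail client-certificate authentication or hostname validation against the RESTCONF server.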
Setup NACM
Disable NACM while making changes, to avoid locking out the account making the changes:
tnsr(config)# nacm disable
Set default policies:
tnsr(config)# nacm exec-default deny
tnsr(config)# nacm read-default deny
tnsr(config)# nacm write-default deny
Set up an admin group containing the default users plus tnsr, which will match the common-name of the user certificate created above:
tnsr(config)# nacm group admin
tnsr(config-nacm-group)# member root
tnsr(config-nacm-group)# member tnsr
tnsr(config-nacm-group)# exit
Set up rules to permit any action by members of the admin group:
tnsr(config)# nacm rule-list admin-rules
tnsr(config-nacm-rule-list)# group admin
tnsr(config-nacm-rule-list)# rule permit-all
tnsr(config-nacm-rule)# module *
tnsr(config-nacm-rule)# access-operations *
tnsr(config-nacm-rule)# action permit
tnsr(config-nacm-rule)# exit
tnsr(config-nacm-rule-list)# exit
Enable NACM:
tnsr(config)# nacm enable
tnsr(config)# exit
Enable RESTCONF
Enable RESTCONF and configure it for TLS on port 443 with client certificate authentication:
tnsr(config)# restconf
tnsr(config-restconf)# global authentication-type client-certificate
tnsr(config-restconf)# global server-ca-cert-path restconf-CA
tnsr(config-restconf)# global server-certificate restconf
tnsr(config-restconf)# global server-key restconf
tnsr(config-restconf)# server host 198.51.100.2 443 true
tnsr(config-restconf)# enable true