Call Home Reverse SSH for YumaPro SDK


YumaPro SDK 17.10 introduces support for the Call Home protocol defined in IETF RFC 8071.

By default, Call Home is not enabled; it must be configured by the developer/user.


Potential use cases for the Call Home protocol include SOHO routers, or any device that connects to a network, which can be configured to "call home" to a remote location to receive a pre-determined config upon first boot, based on location, model number, or any number of other criteria. Any device which uses netconfd-pro as its configuration management server can be configured to use Call Home.


In order to enable Call Home for netconfd-pro, the developer/user must at a minimum configure the with-callhome and callhome-server parameters.

Other Call Home related parameters include callhome-retry-interval, callhome-retry-max, callhome-sshd-config, callhome-sshd-command, callhome-subsys-command, and server-id.


Example netconfd-pro configuration for the "caller"


The following is an example configuration file for netconfd-pro which enables the Call Home protocol. We'll refer to this as callhome.conf and assume it is located in the /etc/yumapro/ directory:


with-callhome true
callhome-retry-interval 20
callhome-retry-max 100
callhome-server ch1@192.0.1.44


Using the above callhome.conf configuration, netconfd-pro will attempt to initiate a connection with the server located at 192.0.1.44 as callhome server "ch1".

Note that netconfd-pro will likely need to run with elevated (root) privileges in order for the sshd daemon to access the files and keys needed for operation:


user1@device1:~$ sudo netconfd-pro --config=/etc/yumapro/callhome.conf


Now netconfd-pro immediately attempts to connect to 192.0.1.44 as user ch1 every 20 seconds, and the attempts will cease once 100 attempts have failed, per our callhome.conf configuration above.


Example yangcli-pro configuration for the "home" server


Now we need to make the home server (192.0.1.44 in this case) aware of the remote server's credentials so that we may complete the Call Home connection.


To do this we will first launch yangcli-pro (with the callhome-enabled and callhome-user parameters set) as user ch1 on our home server (192.0.1.44) and then set a user configuration for the remote caller with the "user-cfg" yangcli-pro command. In this case the user name is "user1" and the password is "password":


ch1@192.0.1.44> yangcli-pro --callhome-enabled=true --callhome-user=user1

  yangcli-pro version 17.10-3
  libssh2 version 1.5.0

  Copyright (c) 2008-2012, Andy Bierman, All Rights Reserved.
  Copyright (c) 2012-2017, YumaWorks, Inc., All Rights Reserved.

  Type 'help' or 'help <command-name>' to get started
  Use the <tab> key for command and value completion
  Use the <enter> key to accept the default value in brackets

  These escape sequences are available when filling parameter values:

  ?  help
  ??  full help
  ?s  skip current parameter
  ?se  skip rest of optional parameters
  ?c  cancel current command

  These assignment statements are available when entering commands:

  $<varname> = <expr>  Local user variable assignment
  $$<varname> = <expr>  Global user variable assignment
  @<filespec> = <expr>  File assignment


> user-cfg create=user1 user-name=user1 password=password

A new user is created: user-id=user1 name=user1 password=password

>


At this point a Call Home connection will be established between the remote caller and home manager. After receiving the <hello> message from the remote netconfd-pro server, the home manager can now configure the remote caller as needed:


NETCONF 1.1 session established for user1 on 192.168.0.18

Client Session Id: 1
Server Session Id: 3

Server Protocol Capabilities
   base:1.0
   base:1.1
   candidate:1.0
   confirmed-commit:1.0
   confirmed-commit:1.1
   interleave:1.0
   notification:1.0
   partial-lock:1.0
   rollback-on-error:1.0
   url:1.0
   validate:1.0
   validate:1.1
   with-defaults:1.0
   xpath:1.0
   yang-library:1.0

Server Module Capabilities
   ietf-netconf@2011-06-01
      Features: 
         candidate 
         confirmed-commit 
         rollback-on-error 
         validate 
         url 
         xpath 
   iana-crypt-hash@2014-08-06
      Features: 
         crypt-hash-md5 
         crypt-hash-sha-256 
         crypt-hash-sha-512 
   ietf-inet-types@2013-07-15
   ietf-netconf-acm@2012-02-22
   ietf-netconf-monitoring@2010-10-04
   ietf-netconf-notifications@2012-02-06
   ietf-netconf-partial-lock@2009-10-19
   ietf-netconf-with-defaults@2011-06-01
   ietf-restconf@2017-01-26
   ietf-restconf-monitoring@2017-01-26
   ietf-yang-library@2016-06-21
   ietf-yang-patch@2017-02-22
   ietf-yang-types@2013-07-15
   nc-notifications@2008-07-14
   notifications@2013-03-15
   yang-data-ext@2017-07-03
   yuma-app-common@2017-07-25
   yuma-ncx@2015-10-16
   yuma-system@2013-07-15
   yuma-time-filter@2012-11-15
   yuma-types@2015-09-25
   yumaworks-app-common@2018-01-07
   yumaworks-event-filter@2014-02-09
   yumaworks-extensions@2018-01-08
   yumaworks-getbulk@2016-05-10
   yumaworks-ids@2014-07-12
   yumaworks-restconf@2017-07-03
   yumaworks-support-save@2017-07-27
   yumaworks-system@2017-12-22
   yumaworks-templates@2017-02-20
   yumaworks-types@2015-10-04

Server Enterprise Capabilities
   urn:yumaworks:params:xml:ns:netconf:config-id?id=56810

Protocol version set to: RFC 6241 (base:1.1)
Default target set to: <candidate>
Save operation mapped to: commit
Default with-defaults behavior: explicit
Additional with-defaults behavior: trim,report-all,report-all-tagged
YANG library set to: RFC 7895
module-set-id: 3515
user1-callhome-1>


Call Home over TLS


To use Call Home with TLS encryption there are some additional steps.


First, please follow all the steps outlined in our Solution Article "Configure TLS".


Once you have correctly set up your TLS certificates and keys as described in that article, you can proceed to configure Call Home over TLS.


Example netconfd-pro configuration for the TLS "caller"


The following is an example configuration file for netconfd-pro which enables the Call Home protocol over TLS. Note that it uses five parameters in addition to those of the previous Call Home over SSH setup (callhome-tls-server, with-netconf-tls, netconf-tls-certificate, netconf-tls-key, cert-usermap). We'll refer to this configuration as callhome-tls.conf and assume it is located in the /etc/yumapro/ directory:


with-callhome true
callhome-retry-interval 20
callhome-retry-max 100
callhome-server ch1@192.0.1.44
callhome-tls-server ch1@192.0.1.44
with-netconf-tls true
netconf-tls-certificate ~/certs/server.crt
netconf-tls-key ~/certs/server.key
cert-usermap ch1@49:01:00:8E:97:EB


Using the above callhome-tls.conf configuration, netconfd-pro will attempt to initiate a connection with the server located at 192.0.1.44 as callhome server "ch1".

Note that netconfd-pro will likely need to run with elevated (root) privileges in order to access the files and keys needed for operation:


user1@device1:~$ sudo netconfd-pro --config=/etc/yumapro/callhome-tls.conf


Now netconfd-pro immediately attempts to connect to 192.0.1.44 over TLS as user ch1 every 20 seconds, and the attempts will cease once 100 attempts have failed, per our callhome-tls.conf configuration above.
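Before handing a callhome.conf or callhome-tls.conf file to netconfd-pro, it is worth checking that the two configurations described above (the SSH "caller" and the TLS "caller") actually contain what the article says they need. The following Python script is an added example, not code from YumaWorks or the YumaPro SDK: it parses the "name value" file format used above and reports missing or malformed Call Home settings. It assumes that the parameter names listed in this article are the relevant set (anything else is only warned about), that callhome-server and callhome-tls-server take a user@host value, and that cert-usermap takes user@fingerprint with colon-separated hex octets, as in the example value ch1@49:01:00:8E:97:EB. The three sample configurations at the bottom are constructed: the article's two files plus one deliberately broken file.

```python
import re

# Call Home parameters named in this article. Assumption: a real deployment may use
# other netconfd-pro parameters, so an unrecognised name is only a warning.
KNOWN_PARAMS = {
    "with-callhome", "callhome-server", "callhome-retry-interval", "callhome-retry-max",
    "callhome-sshd-config", "callhome-sshd-command", "callhome-subsys-command",
    "server-id", "callhome-tls-server", "with-netconf-tls", "netconf-tls-certificate",
    "netconf-tls-key", "cert-usermap",
}

# Parameters the TLS example adds on top of the SSH example.
TLS_REQUIRED = ("with-netconf-tls", "netconf-tls-certificate", "netconf-tls-key", "cert-usermap")

# user@host, as in "callhome-server ch1@192.0.1.44" (hostnames and IP literals allowed).
USER_AT_HOST = re.compile(r"^[A-Za-z0-9_.-]+@[A-Za-z0-9_.:\[\]-]+$")
# Assumption: a cert-usermap value is user@fingerprint with colon-separated hex octets,
# modelled on the article's "ch1@49:01:00:8E:97:EB".
CERT_USERMAP = re.compile(r"^[A-Za-z0-9_.-]+@[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+$")


def parse_conf(text):
    """Parse 'name value' lines into a dict; blank lines and '#' comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        params[name] = value.strip()
    return params


def lint_callhome(params):
    """Return (errors, warnings) describing problems with the Call Home settings."""
    errors, warnings = [], []

    for name in params:
        if name not in KNOWN_PARAMS:
            warnings.append(f"unrecognised parameter: {name}")

    # Minimum for Call Home over SSH: with-callhome true and a callhome-server.
    if params.get("with-callhome") != "true":
        errors.append("with-callhome must be 'true' to enable Call Home")
    server = params.get("callhome-server")
    if server is None:
        errors.append("callhome-server is required when Call Home is enabled")
    elif not USER_AT_HOST.match(server):
        errors.append(f"callhome-server must be user@host, got {server!r}")

    # Retry settings must be positive integers (interval in seconds, maximum attempts).
    for key in ("callhome-retry-interval", "callhome-retry-max"):
        val = params.get(key)
        if val is not None and not (val.isdigit() and int(val) > 0):
            errors.append(f"{key} must be a positive integer, got {val!r}")

    # Call Home over TLS: callhome-tls-server pulls in the TLS certificate, key and user map.
    tls_server = params.get("callhome-tls-server")
    if tls_server is not None:
        if not USER_AT_HOST.match(tls_server):
            errors.append(f"callhome-tls-server must be user@host, got {tls_server!r}")
        for key in TLS_REQUIRED:
            if key not in params:
                errors.append(f"{key} is required for Call Home over TLS")
        if params.get("with-netconf-tls", "true") != "true":
            errors.append("with-netconf-tls must be 'true' for Call Home over TLS")
        usermap = params.get("cert-usermap")
        if usermap is not None and not CERT_USERMAP.match(usermap):
            errors.append(f"cert-usermap must be user@hex:hex:..., got {usermap!r}")

    return errors, warnings


# Constructed sample inputs: the article's two configurations and one deliberately broken one.
SSH_CONF = """\
with-callhome true
callhome-retry-interval 20
callhome-retry-max 100
callhome-server ch1@192.0.1.44
"""

TLS_CONF = SSH_CONF + """\
callhome-tls-server ch1@192.0.1.44
with-netconf-tls true
netconf-tls-certificate ~/certs/server.crt
netconf-tls-key ~/certs/server.key
cert-usermap ch1@49:01:00:8E:97:EB
"""

BROKEN_CONF = """\
with-callhome true
callhome-retry-interval 0
callhome-tls-server ch1@192.0.1.44
cert-usermap ch1@not-a-fingerprint
"""

if __name__ == "__main__":
    for label, text in (("ssh", SSH_CONF), ("tls", TLS_CONF), ("broken", BROKEN_CONF)):
        errs, warns = lint_callhome(parse_conf(text))
        print(label, "errors:", errs, "warnings:", warns)
```

Run the script as-is to lint the three embedded samples, or replace the samples with the contents of /etc/yumapro/callhome.conf before starting netconfd-pro. The linter only checks the shape of the file; it does not verify that the certificate and key paths exist or that the fingerprint in cert-usermap matches the certificate yangcli-pro will present.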


Example yangcli-pro configuration for the TLS "home" server


We've already set up our user-cfg above. Now we need to make the home server (192.0.1.44 in this case) aware of the remote server's TLS credentials so that we may complete the Call Home over TLS connection.


To do this we will launch yangcli-pro with three additional parameters: callhome-tls-port, ssl-certificate, and ssl-key.


ch1@192.0.1.44> yangcli-pro --callhome-enabled=true --callhome-user=user1 --callhome-tls-port=4335 --ssl-certificate ~/certs/client.crt --ssl-key ~/certs/client.key


You could instead place all of the configuration parameter values in your configuration file for convenience, as in this example (yangcli-pro-callhome-tls.conf):


callhome-enabled true
callhome-user user1
callhome-tls-port 4335
ssl-certificate ~/certs/client.crt
ssl-key ~/certs/client.key


and start yangcli-pro from the config file:


ch1@192.0.1.44> yangcli-pro --config=/etc/yumapro/yangcli-pro-callhome-tls.conf


For more information on the Call Home implementation in YumaPro SDK, please refer to the IETF Call Home section of the YumaPro netconfd-pro Manual.