Call Home Reverse SSH for YumaPro SDK
YumaPro SDK 17.10 introduces support for the Call Home protocol defined in IETF RFC 8071.
By default, Call Home is not enabled but must be configured by the developer/user.
Potential use cases for the Call Home protocol include SoHo routers, or any device that connects to a network, which can be configured to "call home" to a remote location on first boot and receive a pre-determined configuration selected by location, model number, or any other criteria. Any device which uses netconfd-pro as its configuration management server can be configured to use Call Home.
In order to enable Call Home for netconfd-pro, the developer/user must at a minimum configure the with-callhome and callhome-server parameters.
Other Call Home related parameters include callhome-retry-interval, callhome-retry-max, callhome-sshd-config, callhome-sshd-command, callhome-subsys-command, and server-id.
Example netconfd-pro configuration for the "caller"
The following is an example configuration file for netconfd-pro which enables the Call Home protocol. We'll refer to this as callhome.conf and assume it is located in the /etc/yumapro/ directory:
with-callhome true
callhome-retry-interval 20
callhome-retry-max 100
callhome-server ch1@192.0.1.44
Using the above callhome.conf configuration, netconfd-pro will attempt to initiate a connection with the server located at 192.0.1.44 as callhome server "ch1".
Note that netconfd-pro will likely need to run with elevated (root) privileges in order for the sshd daemon to access the files and keys needed for operation:
user1@device1:~$ sudo netconfd-pro --config=/etc/yumapro/callhome.conf
Now netconfd-pro immediately attempts to connect to 192.0.1.44 as user ch1 every 20 seconds, and the attempts will cease once 100 attempts have failed, per our callhome.conf configuration above.
Example yangcli-pro configuration for the "home" server
Now we need to make the home server (192.0.1.44 in this case) aware of the remote server's credentials so that we may complete the Call Home connection.
To do this we will first launch yangcli-pro (with the callhome-enabled and callhome-user parameters set) as user ch1 on our home server (192.0.1.44) and then set a user configuration for the remote caller with the "user-cfg" yangcli-pro command. In this case the user name is "user1" and the password is "password":
ch1@192.0.1.44> yangcli-pro --callhome-enabled=true --callhome-user=user1

yangcli-pro version 17.10-3
libssh2 version 1.5.0

  Copyright (c) 2008-2012, Andy Bierman, All Rights Reserved.
  Copyright (c) 2012-2017, YumaWorks, Inc., All Rights Reserved.

Type 'help' or 'help <command-name>' to get started
Use the <tab> key for command and value completion
Use the <enter> key to accept the default value in brackets

These escape sequences are available when filling parameter values:

  ?   help
  ??  full help
  ?s  skip current parameter
  ?se skip rest of optional parameters
  ?c  cancel current command

These assignment statements are available when entering commands:

  $<varname> = <expr>   Local user variable assignment
  $$<varname> = <expr>  Global user variable assignment
  @<filespec> = <expr>  File assignment

> user-cfg create=user1 user-name=user1 password=password

A new user is created:
  user-id=user1
  name=user1
  password=password

>
At this point a Call Home connection will be established between the remote caller and home manager. After receiving the <hello> message from the remote netconfd-pro server, the home manager can now configure the remote caller as needed:
NETCONF 1.1 session established for user1 on 192.168.0.18

Client Session Id: 1
Server Session Id: 3

Server Protocol Capabilities
  base:1.0
  base:1.1
  candidate:1.0
  confirmed-commit:1.0
  confirmed-commit:1.1
  interleave:1.0
  notification:1.0
  partial-lock:1.0
  rollback-on-error:1.0
  url:1.0
  validate:1.0
  validate:1.1
  with-defaults:1.0
  xpath:1.0
  yang-library:1.0

Server Module Capabilities
  ietf-netconf@2011-06-01
    Features: candidate confirmed-commit rollback-on-error validate url xpath
  iana-crypt-hash@2014-08-06
    Features: crypt-hash-md5 crypt-hash-sha-256 crypt-hash-sha-512
  ietf-inet-types@2013-07-15
  ietf-netconf-acm@2012-02-22
  ietf-netconf-monitoring@2010-10-04
  ietf-netconf-notifications@2012-02-06
  ietf-netconf-partial-lock@2009-10-19
  ietf-netconf-with-defaults@2011-06-01
  ietf-restconf@2017-01-26
  ietf-restconf-monitoring@2017-01-26
  ietf-yang-library@2016-06-21
  ietf-yang-patch@2017-02-22
  ietf-yang-types@2013-07-15
  nc-notifications@2008-07-14
  notifications@2013-03-15
  yang-data-ext@2017-07-03
  yuma-app-common@2017-07-25
  yuma-ncx@2015-10-16
  yuma-system@2013-07-15
  yuma-time-filter@2012-11-15
  yuma-types@2015-09-25
  yumaworks-app-common@2018-01-07
  yumaworks-event-filter@2014-02-09
  yumaworks-extensions@2018-01-08
  yumaworks-getbulk@2016-05-10
  yumaworks-ids@2014-07-12
  yumaworks-restconf@2017-07-03
  yumaworks-support-save@2017-07-27
  yumaworks-system@2017-12-22
  yumaworks-templates@2017-02-20
  yumaworks-types@2015-10-04

Server Enterprise Capabilities
  urn:yumaworks:params:xml:ns:netconf:config-id?id=56810

Protocol version set to: RFC 6241 (base:1.1)
Default target set to: <candidate>
Save operation mapped to: commit
Default with-defaults behavior: explicit
Additional with-defaults behavior: trim,report-all,report-all-tagged
YANG library set to: RFC 7895
module-set-id: 3515

user1-callhome-1>
Call Home over TLS
To use Call Home with TLS encryption there are some additional steps.
First, please follow all the steps outlined in our solution article "Configure TLS".
Once you have correctly set up your TLS certificates and keys as described in that article, you can proceed to configure Call Home over TLS.
Example netconfd-pro configuration for the TLS "caller"
The following is an example configuration file for netconfd-pro which enables the Call Home protocol over TLS. Note that it uses five more parameters than the previous Call Home over SSH setup (callhome-tls-server, with-netconf-tls, netconf-tls-certificate, netconf-tls-key, cert-usermap). We'll refer to this configuration as callhome-tls.conf and assume it is located in the /etc/yumapro/ directory:
with-callhome true
callhome-retry-interval 20
callhome-retry-max 100
callhome-server ch1@192.0.1.44
callhome-tls-server ch1@192.0.1.44
with-netconf-tls true
netconf-tls-certificate ~/certs/server.crt
netconf-tls-key ~/certs/server.key
cert-usermap ch1@49:01:00:8E:97:EB
Using the above callhome-tls.conf configuration, netconfd-pro will attempt to initiate a connection with the server located at 192.0.1.44 as callhome server "ch1".
Note that netconfd-pro will likely need to run with elevated (root) privileges in order to access the files and keys needed for operation:
user1@device1:~$ sudo netconfd-pro --config=/etc/yumapro/callhome-tls.conf
Now netconfd-pro immediately attempts to connect to 192.0.1.44 over TLS as user ch1 every 20 seconds, and the attempts will cease once 100 attempts have failed, per our callhome-tls.conf configuration above.
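Both configuration files above are read by netconfd-pro only at start-up, and the article runs netconfd-pro under sudo, so a mistake in them is easy to miss until the retry counter has been exhausted. The following Python script is an added pre-flight check, not part of the article or of the YumaPro SDK: it parses a netconfd-pro configuration file in the one-parameter-per-line form shown above and reports problems with the Call Home parameters for both the SSH and the TLS variants. The required parameter names come from the article; the value formats it enforces (user@host, a colon-separated hex fingerprint in cert-usermap, positive integers for the retry parameters) and the warning about '~' paths under sudo are assumptions inferred from the article's examples, and the embedded configuration texts are constructed copies of callhome.conf and callhome-tls.conf.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: copies of the article's two configuration files,
# one parameter per line; '#' comments are added here for the parser test.
CALLHOME_SSH_CONF = """\
# /etc/yumapro/callhome.conf (constructed copy of the article's example)
with-callhome true
callhome-retry-interval 20
callhome-retry-max 100
callhome-server ch1@192.0.1.44
"""

CALLHOME_TLS_CONF = """\
# /etc/yumapro/callhome-tls.conf (constructed copy of the article's example)
with-callhome true
callhome-retry-interval 20
callhome-retry-max 100
callhome-server ch1@192.0.1.44
callhome-tls-server ch1@192.0.1.44
with-netconf-tls true
netconf-tls-certificate ~/certs/server.crt
netconf-tls-key ~/certs/server.key
cert-usermap ch1@49:01:00:8E:97:EB
"""

# Parameter names are the ones the article lists. The value formats below are
# assumptions inferred from the article's examples, not a YumaPro specification.
REQUIRED = ("with-callhome", "callhome-server")
TLS_REQUIRED = ("callhome-tls-server", "netconf-tls-certificate",
                "netconf-tls-key", "cert-usermap")
USER_AT_HOST = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.:\[\]-]+$")
USER_AT_FINGERPRINT = re.compile(r"^[A-Za-z0-9._-]+@(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}$")

Finding = Tuple[str, str]  # (severity: "error" or "warning", message)


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'name value' lines; '#' starts a comment; a repeated name keeps the last value."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        params[name] = value.strip()
    return params


def _positive_int(value: str) -> bool:
    return value.isdigit() and int(value) > 0


def check_callhome(params: Dict[str, str]) -> List[Finding]:
    """Return findings for a parsed netconfd-pro config; an empty list means it passes."""
    findings: List[Finding] = []

    # The article's stated minimum: with-callhome and callhome-server.
    for name in REQUIRED:
        if name not in params:
            findings.append(("error", f"{name} is missing; it is required to enable Call Home"))
    if params.get("with-callhome", "true").lower() != "true":
        findings.append(("error", "with-callhome must be true"))

    for name in ("callhome-server", "callhome-tls-server"):
        value = params.get(name)
        if value is not None and not USER_AT_HOST.match(value):
            findings.append(("error", f"{name} must be user@host, got {value!r}"))

    for name in ("callhome-retry-interval", "callhome-retry-max"):
        value = params.get(name)
        if value is not None and not _positive_int(value):
            findings.append(("error", f"{name} must be a positive integer, got {value!r}"))

    # TLS variant: the five extra parameters the article names must all be present.
    if params.get("with-netconf-tls", "false").lower() == "true":
        for name in TLS_REQUIRED:
            if name not in params:
                findings.append(("error", f"{name} is missing; required for Call Home over TLS"))
        usermap = params.get("cert-usermap")
        if usermap is not None and not USER_AT_FINGERPRINT.match(usermap):
            findings.append(("error", f"cert-usermap must be user@colon-separated-hex, got {usermap!r}"))
        for name in ("netconf-tls-certificate", "netconf-tls-key"):
            path = params.get(name, "")
            if path.startswith("~"):
                # Assumption: the article starts netconfd-pro with sudo, and a '~' path
                # then depends on whichever HOME the daemon sees, so warn rather than fail.
                findings.append(("warning", f"{name} uses '~' ({path}); prefer an absolute path when running under sudo"))
    return findings


def lint(text: str) -> List[Finding]:
    """Parse and check one configuration file's text."""
    return check_callhome(parse_conf(text))


if __name__ == "__main__":
    for label, conf in (("callhome.conf", CALLHOME_SSH_CONF), ("callhome-tls.conf", CALLHOME_TLS_CONF)):
        print(f"== {label}")
        for severity, message in lint(conf) or [("ok", "no findings")]:
            print(f"{severity}: {message}")
```

Run it against a real file with `lint(open("/etc/yumapro/callhome.conf").read())` before starting netconfd-pro; the SSH example passes cleanly, and the TLS example passes with two warnings about the '~' certificate and key paths.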
Example yangcli-pro configuration for the TLS "home" server
We've already set up our user-cfg above. Now we need to make the home server (192.0.1.44 in this case) aware of the remote server's TLS credentials so that we may complete the Call Home over TLS connection.
To do this we will launch yangcli-pro with three additional parameters: callhome-tls-port, ssl-certificate, and ssl-key.
ch1@192.0.1.44> yangcli-pro --callhome-enabled=true --callhome-user=user1 --callhome-tls-port=4335 --ssl-certificate ~/certs/client.crt --ssl-key ~/certs/client.key
You could instead place all of the configuration parameter values in your configuration file for convenience like this example (yangcli-pro-callhome-tls.conf):
callhome-enabled true
callhome-user user1
callhome-tls-port 4335
ssl-certificate ~/certs/client.crt
ssl-key ~/certs/client.key
and start yangcli-pro from the config file:
ch1@192.0.1.44> yangcli-pro --config=/etc/yumapro/yangcli-pro-callhome-tls.conf
For more information on the Call Home implementation in YumaPro SDK, please refer to the IETF Call Home section of the YumaPro netconfd-pro Manual.