From YumaPro SDK version 17.10-6 onwards NETCONF over TLS is supported. To enable Transport Layer Security (TLS) between the server and the client you need to set up both sides with the appropriate certificates and configuration. The following instructions walk you through the setup process.
Graphical representation of the server, client, and authority certificates and keys for TLS.
Server Setup
On the server, create two directories for working with the certificates and copy the generate-keys.sh script into the buildcerts directory you just created:

mydir> mkdir $HOME/buildcerts
mydir> mkdir $HOME/certs
mydir> cp /usr/share/yumapro/util/generate-keys.sh $HOME/buildcerts
Change to the buildcerts directory, run the key generation script and check that the files were created:

mydir> cd buildcerts
buildcerts> ./generate-keys.sh
buildcerts> ls -l
-rw-rw-r-- 1 andy andy  956 Mar 16 15:05 ca.crt
-rw-rw-r-- 1 andy andy  883 Mar 16 15:05 ca.csr
-rw-rw-r-- 1 andy andy 1708 Mar 16 15:05 ca.key
-rw-rw-r-- 1 andy andy   17 Mar 16 15:05 ca.srl
-rw-rw-r-- 1 andy andy  969 Mar 16 15:05 client.crt
-rw-rw-r-- 1 andy andy  891 Mar 16 15:05 client.csr
-rw-rw-r-- 1 andy andy 1708 Mar 16 15:05 client.key
-rwxrwxr-x 1 andy andy 1513 Feb 23 16:29 generate-keys.sh
-rw-rw-r-- 1 andy andy  969 Mar 16 15:05 server.crt
-rw-rw-r-- 1 andy andy  891 Mar 16 15:05 server.csr
-rw-rw-r-- 1 andy andy 1704 Mar 16 15:05 server.key
NOTE: the generate-keys.sh script generates keys and certificates for the “restconf” site. You can use the keys created by this script to set up TLS for your restconf site as described in Section 4 of this document.
Copy the certificates to their proper places: ca.crt goes into the system trust store, and server.crt and server.key go into $HOME/certs, where netconfd-pro will read them. Keep the .key files readable only by their owner; in particular, anyone holding ca.key can issue certificates that the server will accept.

buildcerts> sudo cp ca.crt /usr/local/share/ca-certificates/
buildcerts> cp server.crt $HOME/certs/
buildcerts> cp server.key $HOME/certs/
Go to the /etc/ssl/certs directory, run update-ca-certificates and check that the link to ca.crt was created:

buildcerts> cd /etc/ssl/certs
/etc/ssl/certs> sudo update-ca-certificates
/etc/ssl/certs> ls -l | grep ca.crt
lrwxrwxrwx 1 root root 39 Mar 16 15:52 ca.pem -> /usr/local/share/ca-certificates/ca.crt
NOTE: the update-ca-certificates script belongs to the ca-certificates package. If that package is not on your system, for example because you are building a minimal-footprint system, the following steps create the required certificate links instead of the section above (on recent OpenSSL releases the c_rehash script has been replaced by the equivalent command openssl rehash):

buildcerts> mkdir temp
buildcerts> sudo ln -s /usr/local/share/ca-certificates/ca.crt temp/ca.pem
buildcerts> sudo c_rehash temp
Doing temp
buildcerts> sudo mv temp/* /etc/ssl/certs
buildcerts> ls -l /etc/ssl/certs | grep ca.pem
lrwxrwxrwx 1 root root  6 Mar 16 08:00 56c899cd.0 -> ca.pem
lrwxrwxrwx 1 root root  6 Mar 16 08:00 b2457b50.0 -> ca.pem
lrwxrwxrwx 1 root root 39 Mar 16 08:00 ca.pem -> /usr/local/share/ca-certificates/ca.crt
buildcerts>
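The hash links above are what the trust directory is really made of: OpenSSL locates an issuer by the hash of its subject name, so a CA copied into /etc/ssl/certs without a <hash>.0 link is never found. The following script is an added example, not part of the YumaPro documentation or of generate-keys.sh; it builds the links by hand the way c_rehash does and then shows a certificate verifying through the hashed directory but not through a plain copy of the same CA. It assumes only that openssl is on PATH; every key, certificate and path in it is constructed throw-away test data.

```shell
#!/bin/sh
# Added example (not YumaPro code): hand-built CA hash directory, as c_rehash
# / "openssl rehash" would create it, plus a check that OpenSSL can use it.
# Assumption: openssl is on PATH. All files below are constructed test data.
set -eu

# Make a throw-away CA and one server certificate it signed (same file shapes
# as the generate-keys.sh output). Usage: make_test_pki DIR
make_test_pki() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj /CN=netconf-test-ca -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$1/server.key" -out "$1/server.csr" \
        -subj /CN=server.example 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/server.crt" 2>/dev/null
}

# Install CA.crt into DIR as ca.pem and create the <subject-hash>.0 links that
# "openssl verify -CApath DIR" (and any TLS stack using the directory) looks up.
# Like c_rehash, both the current and the pre-1.0 hash are linked when available.
# Usage: hash_link_ca CA.crt DIR   -> prints the current subject hash
hash_link_ca() {
    mkdir -p "$2"
    cp "$1" "$2/ca.pem"
    new_hash=$(openssl x509 -noout -subject_hash -in "$1")
    old_hash=$(openssl x509 -noout -subject_hash_old -in "$1" 2>/dev/null || true)
    ln -sf ca.pem "$2/$new_hash.0"
    [ -n "$old_hash" ] && ln -sf ca.pem "$2/$old_hash.0"
    echo "$new_hash"
}

# Does CERT chain to a CA in the hashed directory DIR? Prints OK or FAIL.
# Usage: verify_against_dir CERT DIR
verify_against_dir() {
    if openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Stand-alone run: the same CA works only once its hash links exist.
work=$(mktemp -d)
make_test_pki "$work/pki"
hash_link_ca "$work/pki/ca.crt" "$work/store" >/dev/null
mkdir -p "$work/unhashed" && cp "$work/pki/ca.crt" "$work/unhashed/ca.pem"
echo "hashed store:   $(verify_against_dir "$work/pki/server.crt" "$work/store")"
echo "unhashed store: $(verify_against_dir "$work/pki/server.crt" "$work/unhashed")"
rm -rf "$work"
```

Running it prints OK for the hashed directory and FAIL for the directory that holds only ca.pem, which is exactly the difference between a CA dropped into /etc/ssl/certs and one installed with update-ca-certificates or c_rehash.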
Generate the client fingerprint:

certs> cd $HOME/buildcerts
buildcerts> openssl x509 -noout -fingerprint -sha1 -inform pem -in client.crt
SHA1 Fingerprint=4B:A7:05:1E:12:F7:BC:FF:2D:9E:48:66:0A:8B:CC:D7:A5:65:E5:97
Next, configure the server with the parameters needed for TLS by editing the netconfd-pro.conf file. If you already have a netconfd-pro.conf, add the four parameter lines below inside the existing “netconfd-pro {” … “}” block. If you do not have a netconfd-pro.conf yet, run your editor as shown; the file will be created, and you then add the lines shown.

NOTE: the cert-usermap parameter required in netconfd-pro.conf is <YOUR_USERNAME>@<first_six_pairs_of_the_SHA1_Fingerprint>, taken from the “Generate the client fingerprint:” step above. For example, if the fingerprint above belongs to user andy, the line is:
cert-usermap andy@4B:A7:05:1E:12:F7
Only the first six byte pairs (48 bits) of the fingerprint are compared, so the mapping is only as strong as the check that the certificate was issued by a CA the server trusts; this is why ca.key must be protected.

buildcerts> <your_editor> /etc/yumapro/netconfd-pro.conf

Replace <your_editor> with the editor of your choice, such as vi, vim, emacs or gedit.

Add the following four parameter lines, substituting your own cert-usermap value (see above):

netconfd-pro {
    with-netconf-tls true
    netconf-tls-certificate ~/certs/server.crt
    netconf-tls-key ~/certs/server.key
    cert-usermap <YOUR_USERNAME>@<first_six_pairs_of_the_SHA1_Fingerprint>
}
Client Setup
On the client, create two directories for working with the certificates:

CLIENT:
mydir> mkdir $HOME/buildcerts
mydir> mkdir $HOME/certs
On the server, copy the files you created to the client machine using sftp. Note that put * also transfers ca.key, server.key and server.crt, which the client does not need; delete them on the client once the files below are in place.

SERVER:
mydir> cd $HOME/buildcerts
buildcerts> sftp CLIENT_USERNAME@CLIENT
sftp> cd buildcerts
sftp> put *
sftp> bye
Now copy the certificates on the client to their proper places:

CLIENT:
mydir> cd $HOME/buildcerts
buildcerts> sudo cp ca.crt /usr/local/share/ca-certificates
buildcerts> cp client.crt $HOME/certs/
buildcerts> cp client.key $HOME/certs/
Go to the /etc/ssl/certs directory, run update-ca-certificates and check that the link to ca.crt was created:

CLIENT:
buildcerts> cd /etc/ssl/certs
certs> sudo update-ca-certificates
certs> ls -l | grep ca.crt
lrwxrwxrwx 1 root root 39 Mar 16 16:25 ca.pem -> /usr/local/share/ca-certificates/ca.crt
Similarly, if you do not have the ca-certificates package, see the note in the Server Setup section above on using c_rehash.
Next, configure the client with the parameters needed for TLS by editing the yangcli-pro.conf file. If you already have a yangcli-pro.conf, add the two parameter lines below inside the existing “yangcli-pro {” … “}” block. If you do not have a yangcli-pro.conf yet, run your editor as shown; the file will be created, and you then add the lines shown.

buildcerts> <your_editor> /etc/yumapro/yangcli-pro.conf

Replace <your_editor> with the editor of your choice, such as vi, vim, emacs or gedit.

Add the following two parameters:

yangcli-pro {
    ssl-certificate ~/certs/client.crt
    ssl-key ~/certs/client.key
}
Test the TLS connection
To test the TLS connection, run the server as you would normally, for example as below. Note that access-control=off turns off access control on the server; use it only on a test bench so that TLS problems are not confused with authorization failures, and drop it once the connection works.

SERVER:
mydir> netconfd-pro log-level=debug4 access-control=off
Run yangcli-pro on the client and connect using the command shown below:

CLIENT:
mydir> yangcli-pro
...
> connect user=<andy> server=<SERVER_HOST> no-password transport=tls

NOTE: replace <andy> with your user name and <SERVER_HOST> with the name or address of the server host. The user name should be the one that the server's cert-usermap entry maps to this client certificate.
Configure a new Client
On the client, create two directories for working with the certificates:

CLIENT:
mydir> mkdir $HOME/buildcerts
mydir> mkdir $HOME/certs
On the server, copy the files to the new client machine using sftp. This time the old client key and certificate are not needed: a completely new client key with its own fingerprint will be generated on the client. Note that put * transfers ca.key as well, and the procedure below uses it to sign the new certificate on the client, so whoever controls that client can afterwards issue further certificates the server trusts. For anything beyond a test bench, generate the key and CSR on the client, copy only the CSR to the machine that holds ca.key, sign it there and return client.crt.

SERVER:
mydir> cd $HOME/buildcerts
buildcerts> sftp CLIENT_USERNAME@CLIENT
sftp> cd buildcerts
sftp> put *
sftp> bye
buildcerts> rm client.*
buildcerts> rm server.*
Generate the client key and certificate:

CLIENT:
mydir> cd $HOME/buildcerts
# Generate the client private key and the certificate signing request
buildcerts> openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj \
    /C=cl/ST=cl/L=cl/O=cl/CN=client.com
# Sign the request with the CA (openssl x509 -req defaults to 30 days of validity; add -days N for longer)
buildcerts> openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt
buildcerts> ls
ca.crt  ca.csr  ca.key  ca.srl  client.crt  client.csr  client.key
Now copy the certificates on the client to their proper places:

CLIENT:
mydir> cd $HOME/buildcerts
buildcerts> sudo cp ca.crt /usr/local/share/ca-certificates
buildcerts> cp client.crt $HOME/certs/
buildcerts> cp client.key $HOME/certs/
Generate the fingerprint of the new client certificate. It will differ from the first client's; the value shown is only an illustration:

certs> cd $HOME/buildcerts
buildcerts> openssl x509 -noout -fingerprint -sha1 -inform pem -in client.crt
SHA1 Fingerprint=4B:A7:05:1E:12:F7:BC:FF:2D:9E:48:66:0A:8B:CC:D7:A5:65:E5:97
Add a second cert-usermap line with the new client's user name and the first six pairs of its own fingerprint to the netconfd-pro server configuration file; each client certificate gets its own entry, and the existing entry for the first client stays as it is. Refer to the server setup above for more details:

netconfd-pro {
    with-netconf-tls true
    netconf-tls-certificate ~/certs/server.crt
    netconf-tls-key ~/certs/server.key
    cert-usermap <FIRST_CLIENT>@4B:A7:05:1E:12:F7
    cert-usermap <NEXT_CLIENT>@<first_six_pairs_of_the_new_SHA1_Fingerprint>
}
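The fingerprint step in Server Setup and the new-client procedure above both end in the same manual work: sign a CSR, take the SHA-1 fingerprint, keep the first six byte pairs and type the cert-usermap line. The script below is an added example, not YumaPro's code or documentation; it performs that derivation for any certificate, issues client certificates the way the text does but with the key staying where it was generated and an explicit validity period, and checks a netconfd-pro.conf for one fingerprint prefix mapped to more than one user (the copy-and-paste mistake that is easy to make when adding a second client). It assumes only that openssl is on PATH; the CA, the client names and the configuration file it writes are constructed test data.

```shell
#!/bin/sh
# Added example (not YumaPro code): issue a client certificate from the CA,
# derive the cert-usermap value (user@ first six SHA-1 fingerprint byte pairs)
# and check a netconfd-pro.conf for prefixes shared by several users.
# Assumption: openssl is on PATH. All names and files here are constructed.
set -eu

# Throw-away CA (constructed test data). Usage: make_ca DIR
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
        -subj /CN=netconf-test-ca -days 3650 2>/dev/null
}

# Issue a client certificate. Key and CSR are created where the key will stay;
# only the CSR has to reach the CA holder. "openssl x509 -req" defaults to 30
# days of validity, hence the explicit -days.
# Usage: issue_client_cert CA_DIR OUT_DIR COMMON_NAME
issue_client_cert() {
    mkdir -p "$2"
    openssl req -newkey rsa:2048 -nodes -keyout "$2/client.key" -out "$2/client.csr" \
        -subj "/CN=$3" 2>/dev/null
    chmod 600 "$2/client.key"
    openssl x509 -req -in "$2/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$2/client.crt" 2>/dev/null
    # The server maps only certificates this CA issued, so confirm the chain now.
    openssl verify -CAfile "$1/ca.crt" "$2/client.crt" 2>/dev/null | grep -q ': OK$'
}

# Print the netconfd-pro.conf line for USER and CERT: the SHA-1 fingerprint
# with everything up to "=" stripped, cut to its first six colon-separated pairs.
# Usage: usermap_entry USER CERT
usermap_entry() {
    fp=$(openssl x509 -noout -fingerprint -sha1 -in "$2" | sed 's/^.*=//')
    printf 'cert-usermap %s@%s\n' "$1" "$(printf '%s' "$fp" | cut -d: -f1-6)"
}

# Print every fingerprint prefix that CONF maps to more than one user and exit 1
# if there is any; lines may be indented inside the netconfd-pro { } block.
# Usage: usermap_conflicts CONF
usermap_conflicts() {
    awk '$1 == "cert-usermap" { split($2, a, "@"); n[a[2]]++ }
         END {
             bad = 0
             for (p in n) if (n[p] > 1) { print p; bad = 1 }
             exit bad
         }' "$1"
}

# Stand-alone run: two clients, two distinct prefixes, a conflict-free conf.
work=$(mktemp -d)
make_ca "$work/ca"
issue_client_cert "$work/ca" "$work/andy" andy.client
issue_client_cert "$work/ca" "$work/bea" bea.client
{
    echo 'netconfd-pro {'
    usermap_entry andy "$work/andy/client.crt" | sed 's/^/    /'
    usermap_entry bea "$work/bea/client.crt" | sed 's/^/    /'
    echo '}'
} > "$work/netconfd-pro.conf"
cat "$work/netconfd-pro.conf"
if usermap_conflicts "$work/netconfd-pro.conf"; then echo "no duplicate prefixes"; fi
rm -rf "$work"
```

The conflict check is worth running after every edit of netconfd-pro.conf: because only 48 bits of the fingerprint are compared, a prefix pasted under two user names does not fail loudly, it silently maps whichever client presents that certificate to the first matching entry the server applies.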
Go to the /etc/ssl/certs directory, run update-ca-certificates and check that the link to ca.crt was created. If nothing is updated, remove ca.pem first and re-run the update command:

CLIENT:
buildcerts> cd /etc/ssl/certs
certs> sudo update-ca-certificates
certs> sudo rm ca.pem
certs> sudo update-ca-certificates
certs> ls -l | grep ca.crt
lrwxrwxrwx 1 root root 39 Mar 16 16:25 ca.pem -> /usr/local/share/ca-certificates/ca.crt
Similarly, if you do not have the ca-certificates package, see the note in the Server Setup section above on using c_rehash.
Next, configure the client with the parameters needed for TLS by editing the yangcli-pro.conf file. If you already have a yangcli-pro.conf, add the two parameter lines below inside the existing “yangcli-pro {” … “}” block. If you do not have a yangcli-pro.conf yet, run your editor as shown; the file will be created, and you then add the lines shown.

buildcerts> <your_editor> /etc/yumapro/yangcli-pro.conf

Replace <your_editor> with the editor of your choice, such as vi, vim, emacs or gedit.

Add the following two parameters:

yangcli-pro {
    ssl-certificate ~/certs/client.crt
    ssl-key ~/certs/client.key
}