User Authentication and Certificate Loading for gNMI TLS Connections

OcNOS enhances gNMI TLS connection support with additional authentication and certificate management capabilities.

The gNMI client-server communication continues to use TLS for secure transport. In addition to validating the client X.509 certificate’s Common Name (CN) for authentication, OcNOS supports username and password authentication carried within the gRPC request (gRPC-contained credentials). This enhancement addresses customer requirements for flexible authentication methods during secure telemetry sessions.

TLS-based Connection Security: TLS provides encryption and integrity for all gNMI communication between the client and the OcNOS server.

Client Authentication Options

X.509 Certificate Validation: The device validates the client certificate’s Common Name (CN) to authenticate the client identity.
User and Password Authentication: gRPC-contained credentials (username and password) are supported in addition to certificate-based validation.
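
The following Python sketch is an added illustration of the two client checks described above; it is not OcNOS code and does not describe OcNOS internals. It extracts the Common Name from a client certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, checks it against an operator allowlist and the certificate's validity window, and then verifies the username/password pair carried as gRPC metadata. The certificate contents, the allowlist, the metadata key names username/password (the convention gnmic uses for its -u/-p flags) and the password checker are all constructed for the example.

```python
import hmac
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# the subject is a tuple of RDNs, each RDN a tuple of (type, value) pairs.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Telemetry Collectors"),),
        (("commonName", "gnmi-collector-01"),),
    ),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "serialNumber": "0A1B2C",
}

# Assumption: the operator maintains an allowlist of client CNs that may
# open gNMI sessions. Chain validation against the CA is assumed to have
# already happened in the TLS handshake.
ALLOWED_CLIENT_CNS = frozenset({"gnmi-collector-01", "gnmi-collector-02"})


def client_common_name(peer_cert):
    """Return the subject CN from a getpeercert()-style dict, or None if absent."""
    for rdn in peer_cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def cert_is_within_validity(peer_cert, now=None):
    """Check notBefore <= now <= notAfter using the stdlib's cert time parser."""
    now = time.time() if now is None else now
    try:
        not_before = ssl.cert_time_to_seconds(peer_cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    except (KeyError, ValueError):
        return False  # unparsable or missing validity is a deny
    return not_before <= now <= not_after


def authorize_client(peer_cert, allowed_cns, now=None):
    """Certificate factor: returns (allowed, reason)."""
    if not cert_is_within_validity(peer_cert, now):
        return False, "certificate outside validity period"
    cn = client_common_name(peer_cert)
    if cn is None:
        return False, "client certificate has no Common Name"
    if cn not in allowed_cns:
        return False, f"CN {cn!r} not in allowlist"
    return True, f"CN {cn!r} accepted"


def credentials_from_metadata(metadata):
    """Pull ('username', 'password') out of gRPC metadata pairs.

    Assumption: lowercase 'username'/'password' keys, as gnmic sends them.
    """
    found = {key.lower(): value for key, value in metadata}
    return found.get("username"), found.get("password")


def demo_check_password(username, password):
    """Stand-in for the device's local user database / AAA backend.

    Constant-time comparison avoids leaking how much of the secret matched.
    """
    expected = {"ocnos": "example-secret"}  # constructed demo credential
    stored = expected.get(username)
    return stored is not None and hmac.compare_digest(password, stored)


def authenticate_session(peer_cert, metadata, allowed_cns,
                         check_password=demo_check_password, now=None):
    """Require both factors: an allowlisted, valid CN and valid credentials."""
    ok, reason = authorize_client(peer_cert, allowed_cns, now)
    if not ok:
        return False, reason
    user, password = credentials_from_metadata(metadata)
    if user is None or password is None:
        return False, "username/password metadata missing"
    if not check_password(user, password):
        return False, f"bad credentials for {user!r}"
    return True, f"{reason}; user {user!r} authenticated"


if __name__ == "__main__":
    meta = [("username", "ocnos"), ("password", "example-secret")]
    print(authenticate_session(SAMPLE_PEER_CERT, meta, ALLOWED_CLIENT_CNS))
```

Note that a correct certificate alone does not admit the session, and neither do correct credentials presented with an unlisted or expired certificate; both deny paths return a reason string that a server would log rather than send back to the client.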

Loading X.509 Certificates on OcNOS

To simplify certificate handling and enable seamless Zero Touch Provisioning (ZTP) workflows, the crypto pki load source-interface command is used to load X.509 server and CA certificates directly from an external source.

The port range accepted by the port and tls tls-port commands has been extended from <32768-60999> to <1024-65535> to support flexible TLS deployments alongside the default port configuration.

gNMI TLS Authentication Command

Use the gnmic client to initiate a TLS-secured gNMI connection using both X.509 certificate authentication and gRPC-contained user credentials.

gnmic -a <device_address:port> -u <username> -p <password> get \
  --path "ipi:/components/component[name=\"HARD-DISK\"]/storage/state" \
  --tls-cert ClientCert.pem --tls-key client.pem --tls-ca ca.pem \
  --tls-server-name "OcNOS" --encoding "JSON_IETF" --debug

This command:

Connects securely to the OcNOS gNMI server using TLS.
Authenticates the client with both user credentials and certificates.
Retrieves the specified sensor path data in JSON_IETF encoding format.

Configuration

The following steps illustrate an example use case for configuring and validating a secure gNMI TLS connection with user authentication and X.509 certificates.

Step 1: Load Server and CA Certificates

Use the crypto pki load source-interface command to copy the required server and CA certificates from an external source to OcNOS. This enables TLS authentication for gNMI sessions.

OcNOS#crypto pki load http://root:sysmgmt123@10.16.99.115/cert.pem
OcNOS#crypto pki load http://root:sysmgmt123@10.16.99.115/ca.pem

The above commands load the server certificate (cert.pem) and CA certificate (ca.pem) from an HTTP server into the device certificate store.

Step 2: Enable Streaming Telemetry and Configure TLS Port

Enter configuration mode and enable the Streaming Telemetry feature under the management VRF. Specify a TLS port in the supported range (1024–65535).

OcNOS(config)#feature streaming-telemetry vrf management
OcNOS(feature-telemetry-config)#tls tls-port 55545
OcNOS(feature-telemetry-config)#commit
2025 Aug 23 04:09:51.461 : OcNOS : CML : CRITI : Commit Progress: 100% [||||||||||||||||||||||||||||||||||||||||||||||||||]                    ETA: --:--:--

OcNOS(feature-telemetry-config)#exit

Step 3: Verify Telemetry Configuration

Use the show running-config streaming-telemetry command to verify the telemetry configuration.

OcNOS#show running-config streaming-telemetry
!
feature streaming-telemetry vrf management
tls tls-port 55545
!

Check the operational status using the show streaming-telemetry command.

OcNOS#show streaming-telemetry

 Number of telemetry instances : 1 (management)
 Platform type                 : High range
 Maximum sensor-paths          : 100
 Minimum sample-interval       : 10
 CPU monitoring                : ENABLED (NORMAL)
 CPU monitoring threshold      : 40
 Number of active sensor-paths : 1 (Dial-In : 1, Dial-out : 0)

 SI           : Sampling Interval in seconds
 Enc-Type     : Encoding type
 Origin:Path  : Sensor Path


 1. Subscription Details (VRF-Name: management):
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   Port         : 55545
   TLS          : Enabled
   insecure-tls : False

 Dial-In STREAM Mode Subscription Details:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ClientIP:Port          ID      SI      Enc-Type      Origin:Path
 -------------        ------   ----     --------      ------------
 10.14.105.105:45210    53937    90     JSON_IETF    ipi:/interfaces/interface[n
ame="eth0"]/state/counters

Step 4: Establish Secure gNMI Connection from Client

From the gNMI client system, initiate a secure TLS-based connection using both user credentials and certificates.

Use the following sample gnmic command:

./gnmic -a 10.16.179.118:55545 -u ocnos -p ocnos -e json_ietf \
  --mode STREAM --stream-mode sample --sample-interval 90s \
  sub --path "ipi:/interfaces/interface[name=\"eth0\"]/state/counters" \
  --tls-ca ca.pem --tls-cert ClientCert.pem --tls-key client.pem \
  --tls-server-name "OcNOS" --log

This command authenticates using the provided username and password, validates the TLS certificates, and streams telemetry data for the specified sensor path.

Step 5: Observe Streaming Output

When the connection is successfully established, the gNMI client receives periodic telemetry updates.

{
  "source": "10.16.179.118:55545",
  "subscription-name": "default-1755922991",
  "timestamp": 1755922360262334487,
  "time": "2025-08-23T04:12:40.262334487Z",
  "updates": [
    {
      "Path": "ipi:interfaces/interface[name=\"eth0\"]/state/counters",
      "values": {
        "interfaces/interface/state/counters": {
          "in-broadcast-pkts": "0",
          "in-discards": "0",
          "in-errors": "0",
          "in-multicast-pkts": "19886",
          "in-octets": "48551882",
          "in-pkts": "57036",
          "in-unicast-pkts": "0",
          "last-clear": "Never",
          "out-broadcast-pkts": "0",
          "out-discards": "0",
          "out-errors": "0",
          "out-multicast-pkts": "0",
          "out-octets": "1369239",
          "out-pkts": "8408",
          "out-unicast-pkts": "0"
        }
      }
    }
  ]
}
{
  "source": "10.16.179.118:55545",
  "subscription-name": "default-1755922991",
  "timestamp": 1755922449267968226,
  "time": "2025-08-23T04:14:09.267968226Z",
  "updates": [
    {
      "Path": "ipi:interfaces/interface[name=\"eth0\"]/state/counters",
      "values": {
        "interfaces/interface/state/counters": {
          "in-broadcast-pkts": "0",
          "in-discards": "0",
          "in-errors": "0",
          "in-multicast-pkts": "19961",
          "in-octets": "48557417",
          "in-pkts": "57108",
          "in-unicast-pkts": "0",
          "last-clear": "Never",
          "out-broadcast-pkts": "0",
          "out-discards": "0",
          "out-errors": "0",
          "out-multicast-pkts": "0",
          "out-octets": "1370733",
          "out-pkts": "8423",
          "out-unicast-pkts": "0"
        }
      }
    }
  ]
}
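
The stream above is only useful once something consumes it, so the following Python script is added as an example of doing that; it is not part of the original page or of gnmic. It parses gnmic subscribe messages in the JSON shape shown above, pairs consecutive samples per sensor path, converts the string-encoded counters to integers, computes per-interval deltas and rates from the nanosecond timestamps, treats a decreasing counter as a clear, and raises an alert whenever an error or discard counter grows. The first two embedded messages are trimmed copies of the output above (counters not used here are omitted); the third is constructed to show an in-errors increment that the page's output does not contain.

```python
import json

# Two messages trimmed from the gnmic output above, plus a third that is
# constructed (timestamp and counter values made up) to exercise the alert path.
SAMPLE_STREAM = [
    '''{"source": "10.16.179.118:55545", "subscription-name": "default-1755922991",
        "timestamp": 1755922360262334487, "time": "2025-08-23T04:12:40.262334487Z",
        "updates": [{"Path": "ipi:interfaces/interface[name=\\"eth0\\"]/state/counters",
          "values": {"interfaces/interface/state/counters": {
            "in-pkts": "57036", "in-octets": "48551882", "in-errors": "0",
            "in-discards": "0", "out-pkts": "8408", "out-octets": "1369239",
            "last-clear": "Never"}}}]}''',
    '''{"source": "10.16.179.118:55545", "subscription-name": "default-1755922991",
        "timestamp": 1755922449267968226, "time": "2025-08-23T04:14:09.267968226Z",
        "updates": [{"Path": "ipi:interfaces/interface[name=\\"eth0\\"]/state/counters",
          "values": {"interfaces/interface/state/counters": {
            "in-pkts": "57108", "in-octets": "48557417", "in-errors": "0",
            "in-discards": "0", "out-pkts": "8423", "out-octets": "1370733",
            "last-clear": "Never"}}}]}''',
    '''{"source": "10.16.179.118:55545", "subscription-name": "default-1755922991",
        "timestamp": 1755922539270000000, "time": "2025-08-23T04:15:39.270000000Z",
        "updates": [{"Path": "ipi:interfaces/interface[name=\\"eth0\\"]/state/counters",
          "values": {"interfaces/interface/state/counters": {
            "in-pkts": "57200", "in-octets": "48563000", "in-errors": "3",
            "in-discards": "0", "out-pkts": "8440", "out-octets": "1372000",
            "last-clear": "Never"}}}]}''',
]

COUNTER_PATH = "interfaces/interface/state/counters"
# Counters whose growth is worth an alert on a management interface.
ALERT_COUNTERS = ("in-errors", "in-discards", "out-errors", "out-discards")


def parse_message(raw):
    """Parse one gnmic subscribe message into [(timestamp_ns, path, {counter: int})].

    JSON_IETF encodes 64-bit counters as strings, so they are converted here;
    non-numeric leaves such as "last-clear": "Never" are dropped.
    """
    msg = json.loads(raw)
    ts = int(msg["timestamp"])
    samples = []
    for upd in msg["updates"]:
        counters = upd["values"][COUNTER_PATH]
        numeric = {k: int(v) for k, v in counters.items() if v.lstrip("-").isdigit()}
        samples.append((ts, upd["Path"], numeric))
    return samples


def counter_delta(prev, curr):
    """Delta of a monotonically increasing counter; returns (delta, was_reset).

    A decrease means the counter was cleared (or wrapped), so the new value is
    taken as the growth since the reset rather than producing a negative delta.
    """
    if curr >= prev:
        return curr - prev, False
    return curr, True


def analyze_stream(raw_messages):
    """Compare consecutive samples per path and return one report per interval."""
    last = {}
    reports = []
    for raw in raw_messages:
        for ts, path, counters in parse_message(raw):
            if path in last:
                prev_ts, prev_counters = last[path]
                interval_s = (ts - prev_ts) / 1e9
                deltas, resets = {}, []
                for name, value in counters.items():
                    if name not in prev_counters:
                        continue  # counter appeared mid-stream; nothing to diff
                    delta, reset = counter_delta(prev_counters[name], value)
                    deltas[name] = delta
                    if reset:
                        resets.append(name)
                rates = {n: d / interval_s for n, d in deltas.items()} if interval_s > 0 else {}
                alerts = [n for n in ALERT_COUNTERS if deltas.get(n, 0) > 0]
                reports.append({"path": path, "interval_s": interval_s, "deltas": deltas,
                                "rates": rates, "resets": resets, "alerts": alerts})
            last[path] = (ts, counters)
    return reports


if __name__ == "__main__":
    for report in analyze_stream(SAMPLE_STREAM):
        print(f"{report['path']} over {report['interval_s']:.1f}s: "
              f"in-pkts +{report['deltas']['in-pkts']}, "
              f"in-octets {report['rates']['in-octets']:.1f} B/s, "
              f"alerts={report['alerts'] or 'none'}")
```

Keying the previous sample by path rather than assuming a single subscription is what lets the same loop handle several sensor paths in one stream, and the reset handling matters because a counter clear on the device would otherwise show up as a large negative delta and mask real growth in the same interval.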