Certificate Management for OcNOS and gNMI

Before proceeding with certificate generation, ensure that the date and time on the OcNOS device match those on the virtual machine (VM) where all certificates are generated. A discrepancy can cause errors such as "certificate is expired", which prevent the connection from being established.

Generate CA certificates

To create a Certificate Authority (CA) certificate and its corresponding private key, use the following OpenSSL command:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout rootCAKey.pem -out rootCACert.pem 

Generate Server Certificates

1. To generate the server key, server certificate signing request (CSR), and certificate authority (CA) certificate, follow these steps at the OcNOS cmlsh prompt:
Use the following command, replacing <server-ip> with the server's actual IPv4 address:
crypto pki generate rsa common-name ipv4 <server-ip>
2. After generating, view the CSR with:
show crypto csr
Copy the output from the show crypto csr command and paste it into a file named ServerCert.csr.
3. Subject Alternative Name Requirement: For the gNMI server, the server certificate must include a Subject Alternative Name (SAN). To add the SAN to the server certificate, create an extension file named san.ext with the following content:
cat san.ext

subjectAltName = @alt_names

[alt_names]
DNS.1 = OcNOS

Use the san.ext file and the CSR to generate the server certificate with the following OpenSSL command:

openssl x509 -req -sha256 -in ServerCert.csr -extfile san.ext -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out ServerCert.pem -days 365

Generate Client Certificates

1. Create a configuration file named ClientCertReq.config with the following content:
[req]
distinguished_name = dn
prompt = no

[dn]
CN = <common-name>
C = IN
L = BNG
O = IPI

The client’s IP address can be used as a common name. Separate client certificates can be generated for more than one client, but it’s important to use the same CA certificate to generate all client certificates.

2. Generate the client certificate and key with the following commands:
openssl req -newkey rsa:2048 -keyout ClientKey.pem -out ClientCert.csr -config ./ClientCertReq.config -nodes -days 365
openssl x509 -req -sha256 -in ClientCert.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out ClientCert.pem -days 365

Rename and Copy Certificates

1. Rename and prepare the certificates for deployment as follows:
cp ClientKey.pem client.pem

cp ServerCert.pem cert_gnmid.pem

cp rootCACert.pem ca.pem

cat ClientCert.pem >> client.pem
2. Copy the server certificate and CA certificate to the OcNOS device using:
scp cert_gnmid.pem root@<mgmtIP>:/cfg/usr/local/etc/tls/certs/

scp ca.pem root@<mgmtIP>:/cfg/usr/local/etc/tls/certs/
3. Copy the client certificates (ClientCert.pem, client.pem, and ca.pem) to a location that gnmic can access.
4. Enable TLS for dial-in and dial-out configurations by placing client certificates in the /cfg/usr/local/etc/tls/client/ directory on the OcNOS device.

Create a directory named client within the /cfg/usr/local/etc/tls/ directory on the OcNOS device. Then, copy the client certificates (ClientCert.pem, client.pem, and ca.pem) into the client folder at /cfg/usr/local/etc/tls/client/.
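The following script is an added example and not part of the OcNOS documentation. It runs the certificate procedure above in a scratch directory and then performs the checks worth doing before anything is copied to the device: that both leaf certificates chain to ca.pem, that the server certificate's SAN matches the name later given to gnmic --tls-server-name, that the key and certificate concatenated into client.pem belong together, and that the certificates are not already expired (the symptom of the clock skew noted at the top of the page). Because the real server CSR is produced by "crypto pki generate rsa" on the device, a locally generated CSR stands in for ServerCert.csr; the IP addresses, CA name and scratch directory are constructed values.

```shell
#!/bin/sh
# Added example, not from the OcNOS documentation: build the CA, server and
# client certificates as described on the page, then verify them locally.
# Assumptions: a locally generated CSR stands in for the device's CSR;
# 192.0.2.10 (server) and 192.0.2.20 (client) are constructed addresses.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

build_pki() {
  cd "$WORKDIR"
  # Root CA: the page's command, plus -subj so it runs without prompts
  openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
    -subj "/CN=Example Root CA/O=IPI" \
    -keyout rootCAKey.pem -out rootCACert.pem 2>/dev/null
  # Stand-in for the CSR that "show crypto csr" prints on the device
  openssl req -newkey rsa:2048 -nodes -subj "/CN=192.0.2.10" \
    -keyout ServerKey.pem -out ServerCert.csr 2>/dev/null
  # SAN extension file with the same content as the page's san.ext
  printf 'subjectAltName = @alt_names\n\n[alt_names]\nDNS.1 = OcNOS\n' > san.ext
  openssl x509 -req -sha256 -in ServerCert.csr -extfile san.ext \
    -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial \
    -out ServerCert.pem -days 365 2>/dev/null
  # Client request config from the page, client IP used as the CN
  printf '[req]\ndistinguished_name = dn\nprompt = no\n\n[dn]\nCN = 192.0.2.20\nC = IN\nL = BNG\nO = IPI\n' \
    > ClientCertReq.config
  openssl req -newkey rsa:2048 -keyout ClientKey.pem -out ClientCert.csr \
    -config ./ClientCertReq.config -nodes 2>/dev/null
  openssl x509 -req -sha256 -in ClientCert.csr \
    -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial \
    -out ClientCert.pem -days 365 2>/dev/null
  # Rename step from the page: key first, then certificate, in client.pem
  cp ServerCert.pem cert_gnmid.pem
  cp rootCACert.pem ca.pem
  cp ClientKey.pem client.pem
  cat ClientCert.pem >> client.pem
}

# Exit 0 if the named certificate chains to ca.pem
chains_to_ca() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/$1" >/dev/null 2>&1
}

# Exit 0 if the server certificate's SAN matches the name that will be
# passed to gnmic --tls-server-name (the same match the TLS client does)
server_name_matches() {
  openssl x509 -in "$WORKDIR/cert_gnmid.pem" -noout -checkhost "$1" 2>/dev/null \
    | grep -q 'does match'
}

# Exit 0 if the private key in client.pem belongs to ClientCert.pem
client_key_matches() {
  cert_pub=$(openssl x509 -in "$WORKDIR/ClientCert.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$WORKDIR/client.pem" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate is valid now and for at least one more day;
# a VM/device clock mismatch shows up here as an already-expired certificate
valid_for_a_day() {
  openssl x509 -in "$WORKDIR/$1" -noout -checkend 86400 >/dev/null 2>&1
}

# Run a check and stop on the first failure
check() {
  "$@" && echo "ok:   $*" || { echo "FAIL: $*"; exit 1; }
}

build_pki
check chains_to_ca cert_gnmid.pem
check chains_to_ca ClientCert.pem
check valid_for_a_day cert_gnmid.pem
check valid_for_a_day ClientCert.pem
check server_name_matches OcNOS
check client_key_matches
echo "certificates ready in $WORKDIR"
```

Run it once before the scp step; if server_name_matches fails, the san.ext content and the value given to --tls-server-name disagree, and if valid_for_a_day fails, compare the clocks on the VM and the device first.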

Insecure TLS Configuration

TLS encryption secures the session between the gNMI server and client, with both parties validating the certificates presented to them. Users can enable TLS with the insecure option, but note that in this mode the system verifies client certificates only if the client provides them. The gNMI client section below includes an example of the insecure TLS setup.

gNMI Client

In OcNOS, streaming telemetry over TLS secures incoming packets for dial-in connections. TLS is not supported for dial-out mode subscriptions.

To authenticate, gnmic uses the client certificate, the client key, and the CA certificate. Below are the command syntax and examples for dial-in subscription mode, showing how to establish both secure and insecure TLS connections with the gNMI client, depending on the user's security requirements.

Syntax: Secure TLS

gnmic -a <ipaddress:port> -u <UserName> -p <Password> --mode STREAM --stream-mode sample --sample-interval <sample-interval-value> sub --path <path> --tls-cert ClientCert.pem --tls-key client.pem --tls-ca ca.pem --tls-server-name "<subject-alt-name>"

Example to establish a secure TLS dial-in connection:

./gnmic -a 10.12.160.33:55545 -u admin -p admin --mode STREAM --stream-mode sample --sample-interval 90s sub  --path "ipi:/interfaces/interface[name=\"eth0\"]/state" --tls-cert ClientCert.pem --tls-key client.pem --tls-ca ca.pem --tls-server-name "OcNOS" --debug

Syntax: Insecure TLS

./gnmic -a <ipaddress:port> -u <UserName> -p <Password> --mode STREAM --stream-mode sample --sample-interval <sample-interval-value> sub  --path <path> --tls-server-name "<subject-alt-name>" --debug --skip-verify

Example to subscribe using an insecure TLS connection:

./gnmic -a 10.12.160.33:55545 -u admin -p admin --mode STREAM --stream-mode sample --sample-interval 90s sub  --path "ipi:/interfaces/interface[name=\"eth0\"]/state" --tls-server-name "OcNOS" --debug --skip-verify

./gnmic -a 10.12.160.33 -u admin -p admin --mode STREAM --stream-mode sample --sample-interval 10s sub --path "ipi:/interfaces/interface[name=\"eth0\"]/state/counters" --skip-verify