CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

Can someone help me on how to establish TLS connection over the netconf server and client? #1483

Open amal-k-ajay opened 8 months ago

amal-k-ajay commented 8 months ago

Specifically, I want to know how to merge the XML files into the YANG modules necessary to configure TLS. Also, where do I add the certificate and keys for TLS?

michalvasko commented 8 months ago

In short, you must merge them into sysrepo. You can use sysrepocfg, such as sysrepocfg -E <file>.

amal-k-ajay commented 8 months ago

I tried the commands "sysrepocfg -e ietf-netconf-server -i tls_listen.xml", "sysrepocfg -e ietf-keystore -i tls_keystore.xml", "sysrepocfg -e ietf-truststore -i tls_truststore.xml", but I'm getting the error "invalid default mode" in all the cases. I could locate all the modules using the command "sysrepoctl -l", though. Can you please let me know what I'm doing wrong and how to fix it?

P.S: I'm a university student and very new to this.

michalvasko commented 8 months ago

Well, -e does not equal -E. So please just run sysrepocfg -E tls_listen.xml and so on and it will work. You do not even have to specify the YANG modules because the data will simply be merged keeping all the previous data intact.

amal-k-ajay commented 8 months ago

Thank you. I tried the above commands and I got the below output on server side

[INF]: SR: Triggering "ietf-keystore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-truststore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: EV LISTEN: "ietf-keystore" "done" ID 1 priority 0 processing (remaining 1 subscribers).
[INF]: SR: EV LISTEN: "ietf-keystore" "done" ID 1 priority 0 success (remaining 0 subscribers).
[INF]: SR: EV LISTEN: "ietf-truststore" "done" ID 1 priority 0 processing (remaining 1 subscribers).
[INF]: SR: EV LISTEN: "ietf-truststore" "done" ID 1 priority 0 success (remaining 0 subscribers).
[INF]: SR: EV LISTEN: "ietf-netconf-server" "done" ID 1 priority 0 processing (remaining 23 subscribers).
[INF]: LN: Listening on 0.0.0.0:6513 for TLS connections.

but when I connect to the server using netopeer2-cli, it's still an SSH connection. I tried to add the key and certificate to the edit-config file using the command "edit-config --target running --config", copying the certificate and key data (from the example configurations folder) into the following code, and saving it.

client

but the file is not getting saved and the TLS connection is not working. Can you please guide me through the detailed procedure and let me know what mistakes I'm making? Thanks in advance.

michalvasko commented 8 months ago

Can you please guide me through the detailed procedure

It will be much more helpful to give you some tips and you figure out the rest, these are really basic questions.

Firstly, you must tell the CLI you want it to connect using TLS instead of SSH. Run connect -h to see all the options that you can use. Also, you will have to set the client certificate and the CA certificate for the CLI, naturally, the command cert (again use -h to see the options) will help you with that.

amal-k-ajay commented 8 months ago

Thank you. I have set the cert, key and CA certificate for the client using the commands "cert add" and "cert replaceown". But when I try to connect to the server over TLS using the command "connect --tls", I get the below error.


> cert display
-----ca----- serial: 45ce2c8a91ef25294dad0221461662941bd5e11a
Subject: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
Issuer:  C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
Valid until: Sep  1 10:21:01 2031 GMT

-----client----- serial: 47f82c15c5f3457a6d35a7ea427f46e71ca49fc0
Subject: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=client/emailAddress=client@example.org
Issuer:  C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
Valid until: Sep  1 10:28:18 2031 GMT

> cert displayown
OK: Using *.pem client certificate with the included private key.
-----PEM----- serial: 47f82c15c5f3457a6d35a7ea427f46e71ca49fc0
Subject: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=client/emailAddress=client@example.org
Issuer:  C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
Valid until: Sep  1 10:28:18 2031 GMT

> connect --tls
nc ERROR: Loading the client private key from '/home/amal/.netopeer2-cli/client.pem' failed (PEM lib).
cmd_connect: Connecting to the localhost:6513 failed.

can you please help me understand what's the issue here?

amal-k-ajay commented 8 months ago

I also tried to enable TLS call home by importing tls_truststore.xml, tls_keystore.xml and tls_callhome.xml using netopeer2-cli with the command "edit-config --target running --config". It works for the truststore and keystore, but for call home I get the below error:

edit-config --target running --config=/home/amal/Desktop/workspace/netopeer2/example_configuration/tls_callhome.xml
ERROR
type:     protocol
tag:      data-missing
severity: error
app-tag:  instance-required
path:     /ietf-netconf-server:netconf-server/call-home/netconf-client[name='default-client']/endpoints/endpoint[name='default-tls']/tls/tls-server-parameters/client-authentication/client-certs
message:  Required leafref target with value "clientcerts" missing.

What am I missing here?

PS. I was also getting an access-denied error previously for the same file, and I disabled NACM by creating a config-acm.xml file

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
     <enable-nacm>false</enable-nacm>
</nacm>

and loading the file into sysrepo with the commands

sysrepocfg --import=config-acm.xml --datastore startup --module ietf-netconf-acm
sysrepocfg --import=config-acm.xml --datastore running --module ietf-netconf-acm
sysrepocfg --import=config-acm.xml --datastore candidate --module ietf-netconf-acm

michalvasko commented 8 months ago

can you please help me understand what's the issue here?

No, I have never seen the error so I must assume you are doing something very wrong.

What am I missing here?

I do not know but I am pretty sure there is a problem in the steps you did because we have tested the example configuration many times successfully. Verify that the leafref target exists. If not, you have removed the previously set data somehow.
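The "Loading the client private key from '.../client.pem' failed (PEM lib)" error above comes from the TLS library failing to parse the key material netopeer2-cli was pointed at, so the first thing to rule out is the file itself. The following POSIX shell script is an added example, not part of netopeer2 or of this thread; `check_client_pem` inspects a PEM file (the combined certificate-plus-key file that `cert replaceown` with a single argument expects, as the "Using *.pem client certificate with the included private key" message indicates) for a CERTIFICATE block, an RSA, EC or PKCS#8 PRIVATE KEY block, and CRLF damage, without needing openssl. `verify_with_openssl` goes one step further when openssl is installed and confirms that the private key matches the certificate and that the certificate chains to the CA file given to `cert add`. The paths `client.pem` and `ca.pem` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not netopeer2 project code): sanity-check the PEM material
# handed to `cert replaceown` / `cert add` before running `connect --tls`.

# check_client_pem FILE
# Returns 0 if FILE holds both a certificate and a private key in a form the
# TLS library will parse, 1 otherwise (with the reason on stderr).
check_client_pem() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f" >&2; return 1; }
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "no CERTIFICATE block in $f" >&2
        return 1
    fi
    # Accept PKCS#1 (RSA), SEC1 (EC) and PKCS#8 ("PRIVATE KEY") headers.
    if ! grep -q -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"; then
        echo "no private key block in $f (certificate only?)" >&2
        return 1
    fi
    # CR characters inside a PEM file break strict PEM parsers; count them.
    if [ "$(tr -cd '\r' < "$f" | wc -c)" -ne 0 ]; then
        echo "CRLF line endings in $f; convert to LF first" >&2
        return 1
    fi
    return 0
}

# verify_with_openssl PEMFILE CAFILE
# Optional deeper check: key/cert pairing and chain to the CA. Skips (returns 0)
# when openssl is not installed, so it never blocks on a minimal system.
verify_with_openssl() {
    pem=$1
    ca=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
    # Compare the public key embedded in the certificate with the one derived
    # from the private key; a mismatch means the wrong key was pasted in.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$pem" -pubout | openssl md5)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key in $pem does not match its certificate" >&2
        return 1
    fi
    # The server validates the client certificate against the same CA the
    # CLI was given, so the chain must verify locally too.
    openssl verify -CAfile "$ca" "$pem" >/dev/null
}

# Stand-alone usage: ./check_pem.sh client.pem ca.pem (assumed file names).
if [ "$#" -ge 1 ]; then
    check_client_pem "$1" || exit 1
    if [ "$#" -ge 2 ]; then
        verify_with_openssl "$1" "$2" || exit 1
    fi
    echo "PEM material looks usable for netopeer2-cli TLS"
fi
```

Run it against the file netopeer2-cli reports in the error (here `~/.netopeer2-cli/client.pem`) and the CA file that was loaded with `cert add`; if `check_client_pem` already fails, the fix is in how the certificate and key were copied into the file, not in the server configuration.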