Open amal-k-ajay opened 8 months ago
In short, you must merge them into sysrepo. You can use `sysrepocfg`, such as `sysrepocfg -E <file>`.
I tried the commands `sysrepocfg -e ietf-netconf-server -i tls_listen.xml`, `sysrepocfg -e ietf-keystore -i tls_keystore.xml` and `sysrepocfg -e ietf-truststore -i tls_truststore.xml`, but I'm getting the error "invalid default mode" in all the cases. But I could locate all the modules by using the command `sysrepoctl -l`. Can you please let me know what I'm doing wrong and how to fix it?
P.S: I'm a university student and very new to this.
Well, `-e` does not equal `-E`. So please just run `sysrepocfg -E tls_listen.xml` and so on and it will work. You do not even have to specify the YANG modules because the data will simply be merged, keeping all the previous data intact.
Thank you. I tried the above commands and I got the below output on the server side:

```
[INF]: SR: Triggering "ietf-keystore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-truststore" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: Triggering "ietf-netconf-acm" "done" event on enabled data.
[INF]: SR: EV LISTEN: "ietf-keystore" "done" ID 1 priority 0 processing (remaining 1 subscribers).
[INF]: SR: EV LISTEN: "ietf-keystore" "done" ID 1 priority 0 success (remaining 0 subscribers).
[INF]: SR: EV LISTEN: "ietf-truststore" "done" ID 1 priority 0 processing (remaining 1 subscribers).
[INF]: SR: EV LISTEN: "ietf-truststore" "done" ID 1 priority 0 success (remaining 0 subscribers).
[INF]: SR: EV LISTEN: "ietf-netconf-server" "done" ID 1 priority 0 processing (remaining 23 subscribers).
[INF]: LN: Listening on 0.0.0.0:6513 for TLS connections.
```
but when I connect to the server using netopeer2-cli, it's still an SSH connection. I tried to add the key and certificate to the edit-config file using the command `edit-config --target running --config` and by copying the certificate and key data (from the example configurations folder) into the following code and saving it.
but the file is not getting saved and the TLS connection is not working. Can you please guide me through the detailed procedure and let me know what mistakes I'm making. Thanks in advance.
> Can you please guide me through the detailed procedure
It will be much more helpful to give you some tips and you figure out the rest, these are really basic questions.
Firstly, you must tell the CLI you want it to connect using TLS instead of SSH. Run `connect -h` to see all the options that you can use. Also, you will have to set the client certificate and the CA certificate for the CLI; naturally, the command `cert` (again, use `-h` to see the options) will help you with that.
Thank you. I have set the cert, key and CA certificate for the client using the commands `cert add` and `cert replaceown`. But when I try to connect to the server over TLS using the command `connect --tls`, I get the below error.

```
> cert display
-----ca-----
serial: 45ce2c8a91ef25294dad0221461662941bd5e11a
Subject: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
Issuer: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
Valid until: Sep 1 10:21:01 2031 GMT
-----client-----
serial: 47f82c15c5f3457a6d35a7ea427f46e71ca49fc0
Subject: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=client/emailAddress=client@example.org
Issuer: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
Valid until: Sep 1 10:28:18 2031 GMT
> cert displayown
OK: Using *.pem client certificate with the included private key.
-----PEM-----
serial: 47f82c15c5f3457a6d35a7ea427f46e71ca49fc0
Subject: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=client/emailAddress=client@example.org
Issuer: C=CZ, ST=South Moravia, L=Brno, O=CESNET z.s.p.o., OU=TMC, CN=example CA/emailAddress=ca@example.org
Valid until: Sep 1 10:28:18 2031 GMT
> connect --tls
nc ERROR: Loading the client private key from '/home/amal/.netopeer2-cli/client.pem' failed (PEM lib).
cmd_connect: Connecting to the localhost:6513 failed.
```
Can you please help me understand what the issue is here?
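The `connect --tls` failure above is reported by the TLS library while reading the private key out of the client PEM file that `cert replaceown` installed. The following is an added example (not code from this thread or from the netopeer2 project) that lists the PEM blocks in such a file and flags the conditions under which a key cannot be loaded: no private-key block at all, a password-protected (legacy `Proc-Type: 4,ENCRYPTED` or PKCS#8 `ENCRYPTED PRIVATE KEY`) block, or a base64/DER body that is truncated or corrupted. The sample inputs are constructed; the base64 body is a five-byte DER stub, not a real certificate or key.

```python
"""
Inspect a client .pem file before handing it to netopeer2-cli.

Added example, not code from the issue thread or the netopeer2 project.
`cert replaceown` expects one PEM file holding the client certificate
together with its private key; this helper reports what would make that
private key fail to load. Sample data below is constructed.
"""
import base64
import binascii
import re
from typing import Dict, List

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text: str) -> List[Dict[str, object]]:
    """Return one record per PEM block: label, encrypted flag, DER well-formedness."""
    records = []
    for match in _PEM_BLOCK.finditer(text):
        label, raw = match.group(1), match.group(2)
        lines = raw.strip().splitlines()
        # Legacy encrypted keys carry "Proc-Type: 4,ENCRYPTED" / "DEK-Info:" header
        # lines before a blank line; base64 never contains ':' so this split is safe.
        headers = [ln for ln in lines if ":" in ln]
        b64 = "".join(ln.strip() for ln in lines if ":" not in ln)
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers)
        try:
            der = base64.b64decode(b64, validate=True)
            # Every X.509 certificate and every PKCS#1/PKCS#8 key is a DER SEQUENCE (tag 0x30).
            well_formed = len(der) > 0 and der[0] == 0x30
        except binascii.Error:  # non-alphabet characters or bad padding (truncated file)
            well_formed = False
        records.append({"label": label, "encrypted": encrypted, "well_formed": well_formed})
    return records


def diagnose(text: str) -> Dict[str, object]:
    """Summarise the file and list the reasons its private key could fail to load."""
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    keys = [b for b in blocks if b["label"] in _KEY_LABELS]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no private key block")
    for b in keys:
        if b["encrypted"]:
            problems.append(f"{b['label']} block is encrypted (passphrase required)")
    for b in blocks:
        if not b["well_formed"]:
            problems.append(f"{b['label']} block is not valid base64/DER")
    return {"certificates": len(certs), "private_keys": len(keys), "problems": problems}


# Constructed sample inputs. The body is the base64 of DER bytes 30 03 02 01 00
# (SEQUENCE { INTEGER 0 }), a stand-in and not a real certificate or key.
_DER_STUB = "MAMCAQA="
CLIENT_PEM = (f"-----BEGIN CERTIFICATE-----\n{_DER_STUB}\n-----END CERTIFICATE-----\n"
              f"-----BEGIN PRIVATE KEY-----\n{_DER_STUB}\n-----END PRIVATE KEY-----\n")
CERT_ONLY_PEM = f"-----BEGIN CERTIFICATE-----\n{_DER_STUB}\n-----END CERTIFICATE-----\n"
ENCRYPTED_KEY_PEM = (f"-----BEGIN CERTIFICATE-----\n{_DER_STUB}\n-----END CERTIFICATE-----\n"
                     "-----BEGIN RSA PRIVATE KEY-----\n"
                     "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                     f"{_DER_STUB}\n-----END RSA PRIVATE KEY-----\n")
TRUNCATED_PEM = (f"-----BEGIN CERTIFICATE-----\n{_DER_STUB}\n-----END CERTIFICATE-----\n"
                 "-----BEGIN PRIVATE KEY-----\nMAMCAQ\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in [("client.pem", CLIENT_PEM), ("cert-only.pem", CERT_ONLY_PEM),
                      ("encrypted.pem", ENCRYPTED_KEY_PEM), ("truncated.pem", TRUNCATED_PEM)]:
        print(name, diagnose(pem))
```

To use it on a real file, read `~/.netopeer2-cli/client.pem` into a string and pass it to `diagnose()`; an empty `problems` list means the file has the shape the CLI expects, while an encrypted or truncated key block points at how the file was exported rather than at the CLI configuration.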
I also tried to enable tls_callhome by importing the tls_truststore.xml, tls_keystore.xml and tls_callhome.xml using netopeer2-cli with the command `edit-config --target running --config`. It works for the truststore and keystore, but for call-home I get the below error:

```
> edit-config --target running --config=/home/amal/Desktop/workspace/netopeer2/example_configuration/tls_callhome.xml
ERROR
type:     protocol
tag:      data-missing
severity: error
app-tag:  instance-required
path:     /ietf-netconf-server:netconf-server/call-home/netconf-client[name='default-client']/endpoints/endpoint[name='default-tls']/tls/tls-server-parameters/client-authentication/client-certs
message:  Required leafref target with value "clientcerts" missing.
```

What am I missing here?
PS. I was also getting an access denied error previously for the same file, and I disabled NACM by making a config-acm.xml file

```xml
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>false</enable-nacm>
</nacm>
```

and loading the file into sysrepo with the commands

```
sysrepocfg --import=config-acm.xml --datastore startup --module ietf-netconf-acm
sysrepocfg --import=config-acm.xml --datastore running --module ietf-netconf-acm
sysrepocfg --import=config-acm.xml --datastore candidate --module ietf-netconf-acm
```
> can you please help me understand what's the issue here?
No, I have never seen the error so I must assume you are doing something very wrong.
> What am I missing here?
I do not know but I am pretty sure there is a problem in the steps you did because we have tested the example configuration many times successfully. Verify that the leafref target exists. If not, you have removed the previously set data somehow.
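"Verify that the leafref target exists" is a check that can be run on the XML files before they are merged. The following is an added example, not code from this thread or from the sysrepo/netopeer2 projects: it walks a netconf-server configuration, finds the leaves that are leafrefs into the truststore or keystore, and reports any whose value does not name an existing entry, producing the same kind of message as the error quoted above. The leaf name `client-certs` and the path to it come from that error; the truststore/keystore entry names (`certificate-bag`, `asymmetric-key`), the `ca-certs` leaf and the module namespaces are assumptions about the YANG modules in use and are not checked against the revisions netopeer2 ships. All XML in the block is constructed sample input, not the project's example configuration.

```python
"""
Resolve the leafrefs in a netconf-server configuration against truststore
and keystore data before merging it with `sysrepocfg -E`.

Added example; not code from the issue thread or from sysrepo/netopeer2.
"client-certs" and its path are taken from the error in the thread; the
other leaf/list names and the namespaces are assumptions about the modules.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# leaf in the server config -> (document it points into, list entry whose <name> must match)
LEAFREFS: Dict[str, Tuple[str, str]] = {
    "client-certs": ("truststore", "certificate-bag"),   # from the error path in the thread
    "ca-certs": ("truststore", "certificate-bag"),       # assumption
    "asymmetric-key": ("keystore", "asymmetric-key"),    # assumption
}


def _local(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def list_entry_names(doc: str, list_tag: str) -> Set[str]:
    """Collect the <name> of every <list_tag> entry in a truststore/keystore document."""
    names = set()
    for el in ET.fromstring(doc.strip()).iter():
        if _local(el.tag) != list_tag:
            continue
        name = next((c.text for c in el if _local(c.tag) == "name"), None)
        if name:
            names.add(name.strip())
    return names


def _path(el, parents) -> str:
    """Render an element's path with [name='...'] predicates, as sysrepo prints it."""
    parts = []
    while el is not None:
        key = next((c.text for c in el if _local(c.tag) == "name"), None)
        parts.append(_local(el.tag) + (f"[name='{key}']" if key else ""))
        el = parents.get(el)
    return "/" + "/".join(reversed(parts))


def dangling_leafrefs(server_xml: str, truststore_xml: str, keystore_xml: str) -> List[str]:
    """Return one message per leafref in server_xml whose target entry does not exist."""
    docs = {"truststore": truststore_xml, "keystore": keystore_xml}
    root = ET.fromstring(server_xml.strip())
    parents = {child: parent for parent in root.iter() for child in parent}
    known: Dict[Tuple[str, str], Set[str]] = {}
    problems = []
    for el in root.iter():
        leaf = _local(el.tag)
        if leaf not in LEAFREFS or len(el):  # len(el) > 0 means a container/list, not a leaf
            continue
        doc, list_tag = LEAFREFS[leaf]
        if (doc, list_tag) not in known:
            known[(doc, list_tag)] = list_entry_names(docs[doc], list_tag)
        value = (el.text or "").strip()
        if value not in known[(doc, list_tag)]:
            problems.append(f'{_path(el, parents)}: required leafref target '
                            f'with value "{value}" missing in ietf-{doc}')
    return problems


# Constructed sample data mirroring the path in the thread's error message.
SERVER_XML = """<netconf-server xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-server">
  <call-home>
    <netconf-client>
      <name>default-client</name>
      <endpoints>
        <endpoint>
          <name>default-tls</name>
          <tls>
            <tls-server-parameters>
              <client-authentication>
                <client-certs>clientcerts</client-certs>
              </client-authentication>
            </tls-server-parameters>
          </tls>
        </endpoint>
      </endpoints>
    </netconf-client>
  </call-home>
</netconf-server>"""

TRUSTSTORE_XML = """<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore">
  <certificate-bags>
    <certificate-bag><name>cacerts</name></certificate-bag>
  </certificate-bags>
</truststore>"""

# Same truststore with the bag that the server config refers to.
TRUSTSTORE_FIXED_XML = TRUSTSTORE_XML.replace(
    "</certificate-bags>",
    "  <certificate-bag><name>clientcerts</name></certificate-bag>\n  </certificate-bags>")

KEYSTORE_XML = """<keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
  <asymmetric-keys>
    <asymmetric-key><name>serverkey</name></asymmetric-key>
  </asymmetric-keys>
</keystore>"""

if __name__ == "__main__":
    for msg in dangling_leafrefs(SERVER_XML, TRUSTSTORE_XML, KEYSTORE_XML) or ["all leafrefs resolve"]:
        print(msg)
```

Run against the real files, it takes the server, truststore and keystore XML as strings; a non-empty result means the merge will be rejected with `data-missing`, and the named document is the one in which the entry was never imported or was removed by a later import that replaced, rather than merged, its data.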
Specifically, I want to know how to merge the XML files into the YANG modules necessary to configure TLS. Also, where to add the certificates and keys for TLS.