Closed tlovenspclsauce closed 2 years ago
Hello @instantioc ,
we don't have an example of mTLS, because so far we haven't seen the use cases where it is needed. Could you please elaborate more on what yours is?
Best, Anton
The use case is for more security-conscious users who do not want to rely only on a username and password. The client authenticates to the server with a certificate, and the client also verifies the server cert. Both certs would be issued by and verified by an enterprise CA. The gNMI implementation/spec supports mTLS already, and it is supported in many servers/appliances from various manufacturers (Cisco, Arista, Juniper). The gNXI Go-based client published by Google already supports this, but I'm interested in the existing Python-based clients already in place and programmed around.
https://github.com/openconfig/reference/blob/master/rpc/gnmi/gnmi-authentication.md
I got this working finally. Here's a sample of what I did for others needing help. Maybe some additions to the docs would help too. The override should match a SAN in the server side certificate.
```python
from pygnmi.client import gNMIclient

# Client cert + key authenticate the client; the CA cert verifies the server.
# override must match a SAN in the server-side certificate.
with gNMIclient(target=host,
                path_root='/Users/someuser/certs/ca.crt',
                path_key='/Users/someuser/certs/client.key',
                path_cert='/Users/someuser/certs/client.crt',
                override='10.10.10.10') as gc:
    print(gc.capabilities())
```
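The two things the snippet above depends on are that the override value is listed in the server certificate's SAN and that the client presents a certificate the server's CA trusts. The following is an added example, not code from this issue or from pygnmi: it builds a throwaway CA, a server certificate whose SAN carries 10.10.10.10, and a client certificate with the `cryptography` package (assumed to be installed), then checks the SAN and runs a real mTLS handshake over loopback with the standard library `ssl` module, where `server_hostname` plays the role the thread assigns to `override`. The CA name, the target and client names, the loopback port and the certificates are all constructed here.

```python
import datetime, ipaddress, os, socket, ssl, tempfile, threading
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _cert(cn, key, issuer, issuer_key, ca=False, sans=None, eku=None):
    """Assumed helper: issue a 1-day certificate for `key` signed by `issuer_key`."""
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(issuer).public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if sans:
        b = b.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


def build_pki(override="10.10.10.10"):
    """Constructed throwaway PKI: a CA, a server cert whose SAN carries `override`,
    and a client cert. Returns PEM bytes keyed ca/server/server_key/client/client_key."""
    keys = {n: rsa.generate_private_key(65537, 2048) for n in ("ca", "server", "client")}
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Enterprise CA")])
    ca = _cert("Example Enterprise CA", keys["ca"], ca_name, keys["ca"], ca=True)
    server = _cert("gnmi-target", keys["server"], ca.subject, keys["ca"],
                   sans=[x509.IPAddress(ipaddress.ip_address(override)),
                         x509.DNSName("gnmi-target.example.net")],
                   eku=[ExtendedKeyUsageOID.SERVER_AUTH])
    client = _cert("gnmi-client", keys["client"], ca.subject, keys["ca"],
                   eku=[ExtendedKeyUsageOID.CLIENT_AUTH])
    pem = {n: c.public_bytes(serialization.Encoding.PEM)
           for n, c in (("ca", ca), ("server", server), ("client", client))}
    for n in ("server", "client"):  # the CA key is never needed at runtime
        pem[n + "_key"] = keys[n].private_bytes(
            serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
            serialization.NoEncryption())
    return pem


def san_matches(cert_pem, override):
    """True if `override` (IP literal or DNS name) is listed in the cert's SAN."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False
    try:
        return ipaddress.ip_address(override) in san.get_values_for_type(x509.IPAddress)
    except ValueError:  # not an IP literal: compare as a DNS name
        return override.lower() in [d.lower() for d in san.get_values_for_type(x509.DNSName)]


def mtls_handshake(pki, override, present_client_cert=True):
    """One TLS handshake over loopback. The client verifies the server as `override`;
    the server demands a client cert chaining to the CA. True only if both accept."""
    with tempfile.TemporaryDirectory() as d:
        p = {n: os.path.join(d, n + ".pem") for n in pki}
        for n in pki:
            with open(p[n], "wb") as f:
                f.write(pki[n])
        srv = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=p["ca"])
        srv.load_cert_chain(p["server"], p["server_key"])
        srv.verify_mode = ssl.CERT_REQUIRED  # the "m" in mTLS: no client cert, no session
        cli = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=p["ca"])
        if present_client_cert:
            cli.load_cert_chain(p["client"], p["client_key"])
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        addr, server_ok = listener.getsockname(), []

        def serve():
            try:
                with srv.wrap_socket(listener.accept()[0], server_side=True) as s:
                    server_ok.append(bool(s.getpeercert()))  # verified client cert seen
            except (ssl.SSLError, OSError):
                pass
            finally:
                listener.close()

        t = threading.Thread(target=serve)
        t.start()
        client_ok = False
        try:
            # Dial 127.0.0.1 but verify the name 10.10.10.10: the SAN, not the
            # address dialled, is what override must match.
            with cli.wrap_socket(socket.create_connection(addr), server_hostname=override) as c:
                client_ok = c.version() is not None
        except (ssl.SSLError, OSError):
            pass
        t.join()
        return client_ok and server_ok == [True]
```

Three outcomes are worth trying with this: the override in the SAN and the client cert present (succeeds), an override that is not in the SAN (the client rejects the server), and no client certificate at all (the server rejects the client, which is the failure mode the rest of the thread ran into). A production target would of course be verified against the enterprise CA rather than a throwaway one, but the checks are the same.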
Thanks @instantioc ,
we'll update the docs.
Best, Anton
Do you support mTLS and do you have any working examples using both client and server certs? I've tried various combinations of this without success.
```python
from pygnmi.client import gNMIclient

# Attempt: username/password plus a client cert/key and the CA cert for the server.
with gNMIclient(target=host, username='admin', password='password',
                path_root='/certs/ca.cert.pem',
                path_key='/certs/ca.nopass.key',
                path_cert='/certs/client.crt',
                override='theSubject') as gc:
    print(gc.capabilities())
```