04-01-2022 10:53 PM
Hello All,
I am trying to enable the REST API on the Cisco XE router. I used the following commands to enable the REST API.
remote-management
restful-api
But when I execute the following command from a Linux box I get the following error.
curl -i -k -X "OPTIONS" "https://192.168.0.55/api/v1/l2interfaces" -H 'Accept:application/json' -u 'username:password'
curl: (35) error:14004438:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert internal error
What does this error mean? And how can I confirm if the REST API is configured correctly?
Thanks,
Sachin
04-02-2022 02:29 AM
Looks like a TLS handshake issue:
https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/restapi/restapi/RESTAPIintro.html
04-02-2022 08:13 PM
Thanks for responding.
I followed the tutorial that you forwarded.
According to the tutorial, to deploy the REST API, use the following command.
curl -v -X POST https://192.168.0.57/api/v1/auth/token-services -H "Accept:application/json" -u "sachin:123456" -d "" --insecure -3
Thanks,
Sachin
04-03-2022 10:21 AM
Provide more information now: what model of device and code is running, and the full show run, for us to understand the issue.
04-12-2022 11:53 AM
Hello Balaji,
I am following the above-mentioned tutorial. I used the following command to deploy the REST API but I received a 404 response. Command:
curl -v -X POST https://192.168.0.15/api/v2/auth/token-services -H "Accept:application/json" -u "sachin:123456" -d "" --insecure -3
Warning: Ignores instruction to use SSLv3
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 192.168.0.15:443...
* Connected to 192.168.0.15 (192.168.0.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=IOS-Self-Signed-Certificate-1335733482
* start date: Apr 12 18:15:25 2022 GMT
* expire date: Apr 11 18:15:25 2032 GMT
* issuer: CN=IOS-Self-Signed-Certificate-1335733482
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Server auth using Basic with user 'sachin'
> POST /api/v2/auth/token-services HTTP/1.1
> Host: 192.168.0.15
> Authorization: Basic c2FjaGluOjEyMzQ1Ng==
> User-Agent: curl/7.77.0
> Accept:application/json
> Content-Length: 0
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Server: openresty
< Date: Tue, 12 Apr 2022 18:40:33 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Accept-Ranges: none
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=7884000
<
404 Not Found
Below is the configuration of the CSR.
R1#show running-config
Building configuration...
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable password 123456
!
!
transport-map type persistent webui map1
secure-server
!
aaa new-model
!
!
aaa session-id common
!
!
ip domain name r1.example.com
!
!
!
login on-success log
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1335733482
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1335733482
revocation-check none
rsakeypair TP-self-signed-1335733482
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
license udi pid CSR1000V sn 9DKYG2RHNPT
diagnostic bootup level minimal
memory free low-watermark processor 71507
!
spanning-tree extend system-id
!
username sachin privilege 15 password 0 123456
!
redundancy
!
!
interface GigabitEthernet1
ip dhcp client client-id ascii cisco-5000.0001.0000-Gi1
ip address 192.168.0.17 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no ip address
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet3
no ip address
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet4
no ip address
negotiation auto
no mop enabled
no mop sysid
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet1
!
ip ssh version 2
!
control-plane
!
line con 0
stopbits 1
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
transport type persistent webui input map1
call-home
email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
end
04-03-2022 12:54 PM
I am trying to enable restapi on CSR routers.
Router#show version
Cisco IOS XE Software, Version 17.03.02
Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.2, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2020 by Cisco Systems, Inc.
Compiled Sat 31-Oct-20 13:16 by mcpre