Beginner

How to create NSO service with one of the parameters being a password or a secret

Hi,

 

I would like to create a service to configure an SNMP user on devices and would like to pass the username and its auth and priv passwords.

However, I do not want those passwords to be displayed in clear text when I list the configuration of the service. Also, the encrypted or hidden value should be passed to the template in clear text to be configured on the devices to which I am deploying this service.

I tried using type tailf:aes-cfb-128-encrypted-string, and the values configured are encrypted, but they are also passed to the template as encrypted and therefore use the encrypted string as a password for the user.

Is there a way to specify in the template file that the parameter value needs to be decrypted? Or, how would you go about doing something like this?

 

Thanks

Cisco Employee

Re: How to create NSO service with one of the parameters being a password or a secret

Hi.

 

As far as I know there is no way of doing this in the template. I would sort this out in python or java code. For python, look at _ncs.decrypt() to get decrypted value.

 

 

Beginner

Re: How to create NSO service with one of the parameters being a password or a secret

Hi,

 

Would you mind telling me where to find the _ncs.decrypt() documentation?

 

Thanks

 

Cisco Employee

Re: How to create NSO service with one of the parameters being a password or a secret

Hello,

 

You can find the API documentation in the NSO release: 

<nso-release>/doc/api/python  (similar for java api)

 

Open the index.html file here in a browser:

example: file:///tmp/NCS/releases/nso-4.7.2/doc/api/python/index.html

 

Navigate to _ncs and find decrypt() in Functions section...

 

-Larry

 

 

Beginner

Re: How to create NSO service with one of the parameters being a password or a secret

Hi Larry,

Thanks for the pointer. But I can't make it work. Can you spot a mistake? I don't think I'm using this function properly.

 

YANG:

    leaf isisKey {
      type tailf:aes-cfb-128-encrypted-string;
    }

 

Python:

In [16]: key = root.oti_role['PARTR0'].isisKey
In [17]: print key
$8$nPpUdtBv3FYx9O3HWL540OYdr5YnP1UqZF/Dd/hXLFI=
In [18]: password =  _ncs.decrypt(key)
---------------------------------------------------------------------------
Error                                     Traceback (most recent call last)
<ipython-input-18-490f24f44398> in <module>()
----> 1 password =  _ncs.decrypt(key)
Error: item does not exist (1): No AES key installed
In [19]:

 

Cisco Employee

Re: How to create NSO service with one of the parameters being a password or a secret

Hi,
Have you checked your ncs.conf file?
You would need to set up your symmetrical key to use, depending on your algorithm. These keys should be different for every install.

Roque

/ncs-config/encrypted-strings/AESCFB128
In the AESCFB128 case one 128 bits (16 bytes) key and a random initial vector are used to encrypt the string. The initVector leaf is only used when upgrading from versions before NCS-4.2, but it is kept for backward compatibility reasons.

/ncs-config/encrypted-strings/AESCFB128/key (hex16-value-type)
This parameter is mandatory.

/ncs-config/encrypted-strings/AESCFB128/initVector (hex16-value-type)
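
A check for the two requirements in the post above (the AESCFB128 key is mandatory, and keys should differ between installs), as an added example that is not part of the original thread or of NSO. It assumes the hex16 value is written as 32 hex digits; the function names, install names and sample keys are constructed for illustration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

KEY_PATH = ("ncs-config", "encrypted-strings", "AESCFB128", "key")
HEX16 = re.compile(r"[0-9a-fA-F]{32}")  # assumption: 16 bytes written as 32 hex digits

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # element name without its XML namespace

def aescfb128_key(conf_xml):
    """Return the text of /ncs-config/encrypted-strings/AESCFB128/key, or None."""
    node = ET.fromstring(conf_xml)
    if _local(node.tag) != KEY_PATH[0]:
        return None
    for name in KEY_PATH[1:]:
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return (node.text or "").strip()

def audit(configs):
    """configs maps install name -> ncs.conf text; returns {install: [findings]}."""
    findings, by_digest = defaultdict(list), defaultdict(list)
    for install, text in configs.items():
        key = aescfb128_key(text)
        if key is None:
            findings[install].append("AESCFB128/key missing (mandatory)")
        elif not HEX16.fullmatch(key):
            findings[install].append("AESCFB128/key is not a 16-byte hex value")
        else:  # compare digests so the key itself never appears in a report
            by_digest[hashlib.sha256(key.lower().encode()).hexdigest()].append(install)
    for installs in by_digest.values():
        if len(installs) > 1:
            for install in installs:
                findings[install].append("AESCFB128/key shared with another install")
    return dict(findings)

# Constructed sample files (keys are made-up values, not from any real system).
_CONF = "<ncs-config><encrypted-strings>%s</encrypted-strings></ncs-config>"
SAMPLES = {
    "lab-a": _CONF % "<AESCFB128><key>00112233445566778899aabbccddeeff</key></AESCFB128>",
    "lab-b": _CONF % "<AESCFB128><key>00112233445566778899AABBCCDDEEFF</key></AESCFB128>",
    "lab-c": _CONF % "<AESCFB128><key>a3f1</key></AESCFB128>",
    "lab-d": _CONF % "",
    "lab-e": _CONF % "<AESCFB128><key>5d0c9a41e7b2386f14c8a07d92e6b35f</key></AESCFB128>",
}
```

Calling `audit(SAMPLES)` reports the shared key on lab-a and lab-b, the malformed key on lab-c and the missing key on lab-d, and returns no entry for lab-e.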
Cisco Employee

Re: How to create NSO service with one of the parameters being a password or a secret

Hi,

You'll need to make the client library (the Python API) aware of which keys to use for encryption/decryption.

A good way to do that is to add initialization code in your main setup() method, like this:

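import ncs

class Main(ncs.application.Application):
    def setup(self):
        # Make the Python API library aware of the encryption keys NSO uses,
        # so that _ncs.decrypt() works afterwards.
        with ncs.maapi.Maapi() as m:
            m.install_crypto_keys()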
        ...
        ...

/Tomas

Beginner

Re: How to create NSO service with one of the parameters being a password or a secret

Thank you guys! It works now.

 

In [3]: m = maapi.Maapi()
In [4]: m.install_crypto_keys()
In [5]: m.start_user_session('admin', 'mycontext')
   ...: t = m.start_write_trans()
   ...: root = maagic.get_root(t)


In [6]: key = root.oti_role['PARTR0'].isisKey
In [7]: print key
$8$nPpUdtBv3FYx9O3HWL540OYdr5YnP1UqZF/Dd/hXLFI=

In [8]: password =  _ncs.decrypt(key)

In [10]: password =  _ncs.decrypt(key)

In [12]: print password
whatever
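
The flow the thread arrives at, put into a service callback for the original SNMP question: install the crypto keys once in setup(), decrypt the encrypted leaves in Python, and hand the plaintext to the template as variables. This is an added example, not code from the thread or from Cisco; the leaf names, template variable names, template name and service point name are hypothetical, and the `$8$` prefix check is taken from the stored value shown in the posts above.

```python
try:                         # importable only inside an NSO Python VM
    import ncs
    import _ncs
except ImportError:          # lets plaintext_vars() be unit-tested without NSO
    ncs = _ncs = None

ENC_PREFIX = "$8$"           # prefix of the stored value shown in this thread
# Hypothetical service leaf -> template variable names (not from the thread).
SECRET_LEAVES = {"auth_password": "AUTH_PASSWORD", "priv_password": "PRIV_PASSWORD"}

def plaintext_vars(service, decrypt, leaves=SECRET_LEAVES):
    """Decrypt the encrypted service leaves into template variable values.
    Raises ValueError if a leaf is unset or is not stored in encrypted form."""
    out = {}
    for leaf, var in leaves.items():
        stored = getattr(service, leaf, None)
        if stored is None or not str(stored).startswith(ENC_PREFIX):
            raise ValueError("leaf %s is unset or not encrypted" % leaf)
        out[var] = decrypt(stored)
    return out

if ncs is not None:
    class SnmpUser(ncs.application.Service):
        @ncs.application.Service.create
        def cb_create(self, tctx, root, service, proplist):
            tvars = ncs.template.Variables()
            tvars.add("USERNAME", service.username)
            for var, value in plaintext_vars(service, _ncs.decrypt).items():
                tvars.add(var, value)
            ncs.template.Template(service).apply("snmp-user-template", tvars)
            # Log the user name only; the decrypted values never reach the log.
            self.log.info("SNMP user applied: ", service.username)

    class Main(ncs.application.Application):
        def setup(self):
            with ncs.maapi.Maapi() as m:
                m.install_crypto_keys()      # once per Python VM, before any decrypt()
            self.register_service("snmp-user-servicepoint", SnmpUser)
```

The service model keeps the tailf:aes-cfb-128-encrypted-string type, so listing the service configuration still shows only the encrypted value.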