How to create NSO service with one of the parameters being a password or a secret

nsoftic
Level 1

Hi,

 

I would like to create a service to configure SNMP user on devices and would like to pass the username and its auth and priv passwords.

 

However, I do not want those passwords to be displayed in clear text when I list the configuration of the service. Also, the encrypted or hidden value should be passed to the template in clear text to be configured on the devices to which I am deploying this service.

 

I tried using type tailf:aes-cfb-128-encrypted-string, and the values configured are encrypted, but they are also passed to the template as encrypted and therefore use the encrypted string as a password for the user.

 

Is there a way to specify in the template file that the parameter value needs to be decrypted. Or, how would you go about doing something like this?

 

Thanks

8 Replies

vleijon
Cisco Employee

Hi.

 

As far as I know there is no way of doing this in the template. I would sort this out in Python or Java code. For Python, look at _ncs.decrypt() to get the decrypted value.

 

 

Hi,

 

Would you mind telling me where to find the _ncs.decrypt() documentation?

 

Thanks

 

Hello,

 

You can find the API documentation in the NSO release: 

<nso-release>/doc/api/python  (similar for java api)

 

Open the index.html file here in a browser:

example: file:///tmp/NCS/releases/nso-4.7.2/doc/api/python/index.html

 

Navigate to _ncs and find decrypt() in Functions section...

 

-Larry

 

 

Hi Larry,

Thanks for the pointer. But I can't make it work. Can you spot a mistake? I don't think I'm using this function properly.

 

YANG:

    leaf isisKey {
      type tailf:aes-cfb-128-encrypted-string;
    }

 

Python:

In [16]: key = root.oti_role['PARTR0'].isisKey
In [17]: print key
$8$nPpUdtBv3FYx9O3HWL540OYdr5YnP1UqZF/Dd/hXLFI=
In [18]: password =  _ncs.decrypt(key)
---------------------------------------------------------------------------
Error                                     Traceback (most recent call last)
<ipython-input-18-490f24f44398> in <module>()
----> 1 password =  _ncs.decrypt(key)
Error: item does not exist (1): No AES key installed
In [19]:

 

Hi,
Have you checked your ncs.conf file?
You would need to set up your symmetrical key to use, depending on your algorithm. These keys should be different for every install.

Roque

/ncs-config/encrypted-strings/AESCFB128
In the AESCFB128 case one 128 bits (16 bytes) key and a random initial vector are used to encrypt the string. The initVector leaf is only used when upgrading from versions before NCS-4.2, but it is kept for backward compatibility reasons.

/ncs-config/encrypted-strings/AESCFB128/key (hex16-value-type)
This parameter is mandatory.

/ncs-config/encrypted-strings/AESCFB128/initVector (hex16-value-type)

Hi,

You'll need to make the client library (the Python API) aware of which keys to use for encryption/decryption.

A good way to do that is to add initialization code in your main setup() method, like this:

import ncs

class Main(ncs.application.Application):
    def setup(self):
        # Copy the encryption keys configured in NSO into this Python VM
        with ncs.maapi.Maapi() as m:
            m.install_crypto_keys()
        ...
        ...

/Tomas

Thank you guys! It works now.

 

In [3]: m = maapi.Maapi()
In [4]: m.install_crypto_keys()
In [5]: m.start_user_session('admin', 'mycontext')
   ...: t = m.start_write_trans()
   ...: root = maagic.get_root(t)


In [6]: key = root.oti_role['PARTR0'].isisKey
In [7]: print key
$8$nPpUdtBv3FYx9O3HWL540OYdr5YnP1UqZF/Dd/hXLFI=

In [8]: password =  _ncs.decrypt(key)

In [10]: password =  _ncs.decrypt(key)

In [12]: print password
whatever
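
The approach from the replies above (decrypt in Python code, then hand the clear text to the template), written as a service create callback. This is an added example, not code from the thread; the leaf names `username`, `auth_password` and `priv_password`, the template name `snmp-user-template` and the template variable names are assumptions.

```python
# Added example, not code from the thread. Leaf names, template name and
# template variable names below are assumptions for an SNMP-user service.
import re

try:
    import ncs
    import _ncs
    from ncs.application import Service
except ImportError:  # NSO Python API absent (e.g. off-box unit tests)
    ncs = _ncs = Service = None

# template variable -> service leaf of an encrypted-string type (assumed names)
SECRET_LEAVES = {'AUTH_PASSWORD': 'auth_password',
                 'PRIV_PASSWORD': 'priv_password'}
# Encrypted values on this page look like "$8$<base64>"; accepting any
# "$<digits>$" prefix is an assumption.
ENCRYPTED = re.compile(r'^\$\d+\$.+')


def decrypted_vars(service, decrypt):
    """Map each template variable to the clear text of its encrypted leaf."""
    clear = {}
    for var, leaf in SECRET_LEAVES.items():
        value = getattr(service, leaf, None)
        if value is None or not ENCRYPTED.match(str(value)):
            # Never echo the value itself: it may be a clear-text secret.
            raise ValueError('%s is missing or not an encrypted string' % leaf)
        clear[var] = decrypt(str(value))
    return clear


if Service is not None:
    class SnmpUser(Service):
        @Service.create
        def cb_create(self, tctx, root, service, proplist):
            # Make the keys configured in NSO known to this Python VM; without
            # this, _ncs.decrypt() fails with "No AES key installed".
            with ncs.maapi.Maapi() as m:
                m.install_crypto_keys()
            tvars = ncs.template.Variables()
            tvars.add('USERNAME', service.username)
            for var, value in decrypted_vars(service, _ncs.decrypt).items():
                tvars.add(var, value)
            # Log which leaves were handled, never their clear text.
            self.log.info('decrypted leaves: %s' % sorted(SECRET_LEAVES.values()))
            ncs.template.Template(service).apply('snmp-user-template', tvars)
```

The template then refers to the values as `{$AUTH_PASSWORD}` and `{$PRIV_PASSWORD}`, while the service configuration itself keeps only the encrypted strings.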

 

Alternative way if you have ncs_pycli, the interactive NSO Python shell.

How to install: `pip3 install ncs_pycli`

$ ncs_pycli 
In [1]: import _ncs
In [2]: g = root.ncs__devices.authgroups.group
In [3]: key = g['admin'].default_map.remote_password
In [4]: _ncs.decrypt(key)