Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
583
Views
15
Helpful
6
Replies
ron.whitt
ron.whitt Beginner
Beginner
‎10-16-2018 06:09 AM
‎10-16-2018 06:09 AM

Securing REST API

Aside from the password, what other methods are used to secure NSO's REST API? 

Everyone's tags (3)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
vleijon
vleijon Cisco Employee
Cisco Employee
‎10-19-2018 11:37 AM
‎10-19-2018 11:37 AM

Re: Securing REST API

No, but you can run the REST api over HTTPS for encryption. You enable this under ssl in the webui part of ncs.conf. 

View solution in original post

Reply
6 REPLIES 6
Highlighted
rogaglia
rogaglia Cisco Employee
Cisco Employee
‎10-16-2018 10:52 AM
‎10-16-2018 10:52 AM

Re: Securing REST API

Hi Ron,

It is now a best practice to start using RESTCONF API instead of the legacy pre-standard-REST as a lot of new features are only available in RESTCONF.

 

Particularly, for RESTCONF you can support token-based authentication (see attached output from "man ncs.conf"). However, this is not well documented yet.

 

Just in case you were thinking about it, NSO does not support client-certificate based authentication.

 

Regards,

Roque

 

 

/ncs-config/restconf/token-response
           When authenticating via AAA external-authentication or external-validation and a token is returned,
           it is possible to include a header with the token in the response.

       /ncs-config/restconf/token-response/x-auth-token (boolean) [false]
           Either 'true' or 'false'. If 'true', a x-auth-token header is included in the response with any
           token returned from AAA.

       /ncs-config/restconf/token-response/token-cookie
           Configuration of RESTCONF token cookies.

       /ncs-config/restconf/token-response/token-cookie/name (string) []
           The cookie name, exactly as it is to be sent. If configured, a HTTP cookie with that name is
           included in the response with any token returned from AAA as value.

       /ncs-config/restconf/token-response/token-cookie/directives (string) []
           An optional string with directives appended to the cookie, exactly as it is to be sent.

Reply
Highlighted
rogaglia
rogaglia Cisco Employee
Cisco Employee
‎10-16-2018 10:55 AM
‎10-16-2018 10:55 AM

Re: Securing REST API

Hi,

 

I found token authentication documentation in the Administrator Guide, chapter 9: "The AAA infrastructure".

 

Roque

Reply
Highlighted
ron.whitt
ron.whitt Beginner
Beginner
‎10-16-2018 12:17 PM
‎10-16-2018 12:17 PM

Re: Securing REST API

So does this token method provide any encryption?  

0 Helpful
Reply
Highlighted
vleijon
vleijon Cisco Employee
Cisco Employee
‎10-19-2018 11:37 AM
‎10-19-2018 11:37 AM

Re: Securing REST API

No, but you can run the REST api over HTTPS for encryption. You enable this under ssl in the webui part of ncs.conf. 

View solution in original post

Reply
Highlighted
ron.whitt
ron.whitt Beginner
Beginner
‎10-22-2018 06:22 AM
‎10-22-2018 06:22 AM

Re: Securing REST API

Thanks so much for the reply, yes this is the answer we were looking for. I'm getting good traction for NSO in the global financial space so I'm bound to run into many more security related questions.
0 Helpful
Reply
Highlighted
rogaglia
rogaglia Cisco Employee
Cisco Employee
‎10-22-2018 06:23 AM
‎10-22-2018 06:23 AM

Re: Securing REST API

Your answer is on RFC8040, section 2.2:

2.2. HTTPS with X.509v3 Certificates

   Given the nearly ubiquitous support for HTTP over TLS [RFC7230],
   RESTCONF implementations MUST support the "https" URI scheme, which
   has the IANA-assigned default port 443.

   RESTCONF servers MUST present an X.509v3-based certificate when
   establishing a TLS connection with a RESTCONF client.  The use of
   X.509v3-based certificates is consistent with NETCONF over TLS
   [RFC7589].

 

HTTS is mandatory for RESTCONF.

 

Roque

0 Helpful
Reply
Latest Contents
NSO Developer Days Stockholm moving to digital
Created by Nicklas Wagerth on 03-17-2020 06:13 AM
0
0
0
0
NSO Users, As you may have seen, we have made the decision to shift NSO Developer Days scheduled for Monday 15th June -Thursday 18th June in Stockholm to an online experience due to concerns about the current outbreak of COVID-19 (Coronavirus). While we a... view more
New NFVO GUI
Created by KJ Rossavik on 03-06-2020 06:29 AM
4
5
4
5
Did you ever have a look at the NSO NFVO package, for managing VNFs? It's been around for about five years, and is deployed at a lot of our customers. In the last couple of releases (4.1 and 4.2), we have been working on a GUI, so here is a brief demo: ht... view more
The Power of Your Knowledge – Certified and Multiplied!
Created by Nicklas Wagerth on 02-28-2020 05:29 AM
0
5
0
5
You need to come to NSO Developer Days this year!   This is not just an event where presenters share about NSO, but a community event - where you can connect with people in a different place than you in their automation journ... view more
NSO Developer Days Call for Papers!
Created by Nicklas Wagerth on 02-14-2020 06:20 AM
0
0
0
0
Do you have experiences that you think will benefit the NSO developer community? Take the opportunity to give a talk at Developer Days in June while joining industry peers from around the world for our days of learning and collaboration.   Call for P... view more
Using a for loop in python to go through a list of devices i...
Created by Andrew Melsom on 02-11-2020 10:16 AM
1
0
1
0
Hi All I am new to developing as you will see from my code :P, I am a network engineer trying to learn Devops, and I am struggling a bit with create services that apply configs to multiple devices.I am trying to create my own code to create a l3vpn s... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Related Content
Blogs
Documents
Events
Videos