Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
1241
Views
15
Helpful
6
Replies
Highlighted
ron.whitt
Beginner
Beginner
‎10-16-2018 06:09 AM
‎10-16-2018 06:09 AM

Securing REST API

Aside from the password, what other methods are used to secure NSO's REST API? 

1 person had this problem
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
vleijon
Cisco Employee
Cisco Employee
In response to ron.whitt
‎10-19-2018 11:37 AM
‎10-19-2018 11:37 AM

No, but you can run the REST api over HTTPS for encryption. You enable this under ssl in the webui part of ncs.conf. 

View solution in original post

Reply
6 REPLIES 6
Highlighted
rogaglia
Cisco Employee
Cisco Employee
‎10-16-2018 10:52 AM
‎10-16-2018 10:52 AM

Hi Ron,

It is now a best practice to start using RESTCONF API instead of the legacy pre-standard-REST as a lot of new features are only available in RESTCONF.

 

Particularly, for RESTCONF you can support token-based authentication (see attached output from "man ncs.conf"). However, this is not well documented yet.

 

Just in case you were thinking about it, NSO does not support client-certificate based authentication.

 

Regards,

Roque

 

 

/ncs-config/restconf/token-response
           When authenticating via AAA external-authentication or external-validation and a token is returned,
           it is possible to include a header with the token in the response.

       /ncs-config/restconf/token-response/x-auth-token (boolean) [false]
           Either 'true' or 'false'. If 'true', a x-auth-token header is included in the response with any
           token returned from AAA.

       /ncs-config/restconf/token-response/token-cookie
           Configuration of RESTCONF token cookies.

       /ncs-config/restconf/token-response/token-cookie/name (string) []
           The cookie name, exactly as it is to be sent. If configured, a HTTP cookie with that name is
           included in the response with any token returned from AAA as value.

       /ncs-config/restconf/token-response/token-cookie/directives (string) []
           An optional string with directives appended to the cookie, exactly as it is to be sent.

Reply
Highlighted
rogaglia
Cisco Employee
Cisco Employee
In response to rogaglia
‎10-16-2018 10:55 AM
‎10-16-2018 10:55 AM

Hi,

 

I found token authentication documentation in the Administrator Guide, chapter 9: "The AAA infrastructure".

 

Roque

Reply
Highlighted
ron.whitt
Beginner
Beginner
In response to rogaglia
‎10-16-2018 12:17 PM
‎10-16-2018 12:17 PM

So does this token method provide any encryption?  

0 Helpful
Reply
Highlighted
vleijon
Cisco Employee
Cisco Employee
In response to ron.whitt
‎10-19-2018 11:37 AM
‎10-19-2018 11:37 AM

No, but you can run the REST api over HTTPS for encryption. You enable this under ssl in the webui part of ncs.conf. 

View solution in original post

Reply
Highlighted
ron.whitt
Beginner
Beginner
In response to vleijon
‎10-22-2018 06:22 AM
‎10-22-2018 06:22 AM

Thanks so much for the reply, yes this is the answer we were looking for. I'm getting good traction for NSO in the global financial space so I'm bound to run into many more security related questions.
0 Helpful
Reply
Highlighted
rogaglia
Cisco Employee
Cisco Employee
In response to ron.whitt
‎10-22-2018 06:23 AM
‎10-22-2018 06:23 AM

Your answer is on RFC8040, section 2.2:

2.2. HTTPS with X.509v3 Certificates

   Given the nearly ubiquitous support for HTTP over TLS [RFC7230],
   RESTCONF implementations MUST support the "https" URI scheme, which
   has the IANA-assigned default port 443.

   RESTCONF servers MUST present an X.509v3-based certificate when
   establishing a TLS connection with a RESTCONF client.  The use of
   X.509v3-based certificates is consistent with NETCONF over TLS
   [RFC7589].

 

HTTS is mandatory for RESTCONF.

 

Roque

0 Helpful
Reply
Latest Contents
Links to individual sessions: NSO Developer Days - APJC, 20...
Created by Nicklas Wagerth on 03-04-2021 02:09 AM
0
0
0
0
Live Event & Video On-Demand    Individual Live Sessions Telstra Network Transformation with AutomationRoss Manariti, Technical Product Owner - Resource Domain & Element Management, Telstra Customer services across thousands of network a... view more
Webinar - Feb 18th - 10am PST - The Integrated NSO and ConfD...
Created by Nabil_Michraf on 02-15-2021 11:39 AM
0
0
0
0
If you are an NSO user, you are probably aware that when you write and read data from any of the NSO northbound interface agents, such as NETCONF, RESTCONF, CLI, MAAPI, etc., those agents are going through the NSO transaction manager before reaching the C... view more
Join us for NSO Developer Days APJC on March 3
Created by Kelli Glass on 02-05-2021 03:49 PM
0
5
0
5
NSO Developer Days is an opportunity for both new and experienced customers to come together and network, share best practices, meet engineering and learn more about what is coming next for NSO. Join service provider and enterprise network automation pro... view more
How to make sure IP is unique in a simple service to config...
Created by Chandra L on 02-03-2021 04:48 AM
2
0
2
0
Hi,   I have a simple service to configure an IP under loopback interface, but how do I delete the IP, if the one I am going to configure is pre-existing on another interface or at least give a warning that this IP is already in use?   Here is m... view more
pyang error: bad value "1.1" (should be version)
Created by BasharAziz on 01-28-2021 05:35 AM
1
0
1
0
Hi, As I understand, when I source ncsrc then it inserts pyang version 1.5 in my path and won't be the use the one I had installed on my system. I'm still facing the same errors every time when executing pyang  :   ❯ pyang test01.... view more