Cisco Community
English
Register
Cisco Community Events are getting a new name! LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
341
Views
15
Helpful
6
Replies
Highlighted
ron.whitt
ron.whitt Beginner
Beginner
‎10-16-2018 06:09 AM
‎10-16-2018 06:09 AM

Securing REST API

Aside from the password, what other methods are used to secure NSO's REST API? 

Everyone's tags (3)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
vleijon
vleijon Cisco Employee
Cisco Employee
‎10-19-2018 11:37 AM
‎10-19-2018 11:37 AM

Re: Securing REST API

No, but you can run the REST api over HTTPS for encryption. You enable this under ssl in the webui part of ncs.conf. 

Reply
6 REPLIES 6
rogaglia
rogaglia Cisco Employee
Cisco Employee
‎10-16-2018 10:52 AM
‎10-16-2018 10:52 AM

Re: Securing REST API

Hi Ron,

It is now a best practice to start using RESTCONF API instead of the legacy pre-standard-REST as a lot of new features are only available in RESTCONF.

 

Particularly, for RESTCONF you can support token-based authentication (see attached output from "man ncs.conf"). However, this is not well documented yet.

 

Just in case you were thinking about it, NSO does not support client-certificate based authentication.

 

Regards,

Roque

 

 

/ncs-config/restconf/token-response
           When authenticating via AAA external-authentication or external-validation and a token is returned,
           it is possible to include a header with the token in the response.

       /ncs-config/restconf/token-response/x-auth-token (boolean) [false]
           Either 'true' or 'false'. If 'true', a x-auth-token header is included in the response with any
           token returned from AAA.

       /ncs-config/restconf/token-response/token-cookie
           Configuration of RESTCONF token cookies.

       /ncs-config/restconf/token-response/token-cookie/name (string) []
           The cookie name, exactly as it is to be sent. If configured, a HTTP cookie with that name is
           included in the response with any token returned from AAA as value.

       /ncs-config/restconf/token-response/token-cookie/directives (string) []
           An optional string with directives appended to the cookie, exactly as it is to be sent.

Reply
rogaglia
rogaglia Cisco Employee
Cisco Employee
‎10-16-2018 10:55 AM
‎10-16-2018 10:55 AM

Re: Securing REST API

Hi,

 

I found token authentication documentation in the Administrator Guide, chapter 9: "The AAA infrastructure".

 

Roque

Reply
ron.whitt
ron.whitt Beginner
Beginner
‎10-16-2018 12:17 PM
‎10-16-2018 12:17 PM

Re: Securing REST API

So does this token method provide any encryption?  

0 Helpful
Reply
vleijon
vleijon Cisco Employee
Cisco Employee
‎10-19-2018 11:37 AM
‎10-19-2018 11:37 AM

Re: Securing REST API

No, but you can run the REST api over HTTPS for encryption. You enable this under ssl in the webui part of ncs.conf. 

Reply
ron.whitt
ron.whitt Beginner
Beginner
‎10-22-2018 06:22 AM
‎10-22-2018 06:22 AM

Re: Securing REST API

Thanks so much for the reply, yes this is the answer we were looking for. I'm getting good traction for NSO in the global financial space so I'm bound to run into many more security related questions.
0 Helpful
Reply
rogaglia
rogaglia Cisco Employee
Cisco Employee
‎10-22-2018 06:23 AM
‎10-22-2018 06:23 AM

Re: Securing REST API

Your answer is on RFC8040, section 2.2:

2.2. HTTPS with X.509v3 Certificates

   Given the nearly ubiquitous support for HTTP over TLS [RFC7230],
   RESTCONF implementations MUST support the "https" URI scheme, which
   has the IANA-assigned default port 443.

   RESTCONF servers MUST present an X.509v3-based certificate when
   establishing a TLS connection with a RESTCONF client.  The use of
   X.509v3-based certificates is consistent with NETCONF over TLS
   [RFC7589].

 

HTTS is mandatory for RESTCONF.

 

Roque

0 Helpful
Reply
Latest Contents
Python 2 and 3 packages at the same time and together with v...
Created by hniska on 08-13-2019 06:34 AM
0
10
0
10
Intro Want to run both python2 and python3 packages at the same time? Maybe you don't want to upgrade all your python2 services at the same time? With some small changes to the "ncs-python-start-vm" script you can. While you are at it maybe you would like... view more
ETSI NFV MANO Plugtest Reports
Created by KJ Rossavik on 07-08-2019 01:06 PM
0
0
0
0
The official report from the ETSI Remote NFV API Plugtest as well as the 4th Plugtest events have now been posted: https://portal.etsi.org/Portals/0/TBpages/CTI/Docs/4th_ETSI_NFV_Plugtests_Report_v1.0.0.pdf https://portal.etsi.org/Portals/0/TBpages/CTI/Do... view more
NSO Developer Days 2019 Videos
Created by Jan Lindblad on 07-08-2019 02:49 AM
1
15
1
15
Here is a list of all the NSO Developer Days 2019 presentations. Each video has a link to the respective NSO Developer Hub post with slides and details. Tuesday Welcome Keynote: Dr. Marcus Hacke, Founder & CEO of ngena NSO and the Orange Internationa... view more
How Rakuten is changing the world with network automation
Created by KJ Rossavik on 07-03-2019 10:20 AM
1
5
1
5
Here is a list of links related to Rakuten's new all-virtual mobile network Reimagining the End-to-End Mobile Network in the 5G Era (Cisco whitepaper 2019-06) How the world changed: Cisco CEO on Rakuten's new mobile network (Rakuten.today 2019-06-26) Raku... view more
NSO Developer Days 2019: EXPERIENCE THE THRILL OF FOILING Tw...
Created by Nicklas Wagerth on 07-01-2019 01:16 AM
0
0
0
0
Abstract: Telindus, SURFnet and T-Mobile share their outcomes of different automation strategies. How to go above and beyond the traditional way of networking to experience the thrill of foiling. The thrill to master core and B2B connectivity servic... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Related Content
Blogs
Documents
Events
Videos