10-16-2018 06:09 AM
Aside from the password, what other methods are used to secure NSO's REST API?
10-16-2018 10:52 AM
Hi Ron,
It is now a best practice to start using RESTCONF API instead of the legacy pre-standard-REST as a lot of new features are only available in RESTCONF.
Particularly, for RESTCONF you can support token-based authentication (see attached output from "man ncs.conf"). However, this is not well documented yet.
Just in case you were thinking about it, NSO does not support client-certificate based authentication.
Regards,
Roque
/ncs-config/restconf/token-response
    When authenticating via AAA external-authentication or external-validation and a token is returned, it is possible to include a header with the token in the response.

/ncs-config/restconf/token-response/x-auth-token (boolean) [false]
    Either 'true' or 'false'. If 'true', a x-auth-token header is included in the response with any token returned from AAA.

/ncs-config/restconf/token-response/token-cookie
    Configuration of RESTCONF token cookies.

/ncs-config/restconf/token-response/token-cookie/name (string) []
    The cookie name, exactly as it is to be sent. If configured, a HTTP cookie with that name is included in the response with any token returned from AAA as value.

/ncs-config/restconf/token-response/token-cookie/directives (string) []
    An optional string with directives appended to the cookie, exactly as it is to be sent.
10-16-2018 10:55 AM
Hi,
I found token authentication documentation in the Administrator Guide, chapter 9: "The AAA infrastructure".
Roque
10-16-2018 12:17 PM
So does this token method provide any encryption?
10-19-2018 11:37 AM
No, but you can run the REST API over HTTPS for encryption. You enable this under ssl in the webui part of ncs.conf.
10-22-2018 06:22 AM
10-22-2018 06:23 AM
Your answer is in RFC 8040, section 2.2:
Given the nearly ubiquitous support for HTTP over TLS [RFC7230], RESTCONF implementations MUST support the "https" URI scheme, which has the IANA-assigned default port 443. RESTCONF servers MUST present an X.509v3-based certificate when establishing a TLS connection with a RESTCONF client. The use of X.509v3-based certificates is consistent with NETCONF over TLS [RFC7589].
HTTPS is mandatory for RESTCONF.
Roque
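Added example (not from the thread or from Cisco): a small check over an ncs.conf that ties the two points above together, flagging a configuration that returns RESTCONF tokens while the transport is not restricted to HTTPS, or whose token cookie lacks the Secure/HttpOnly directives. The token-response paths are the ones quoted from "man ncs.conf"; the webui/transport/tcp and ssl element names, the namespace, the treatment of absent elements as false, and the sample values (cookie name included) are assumptions to verify against your own ncs.conf.

```python
import xml.etree.ElementTree as ET

# Assumed ncs.conf namespace; confirm against the root element of your file.
NS = {"c": "http://tail-f.com/yang/tailf-ncs-config"}

# Constructed sample, not a real deployment: tokens enabled, HTTPS off.
SAMPLE = """<ncs-config xmlns="http://tail-f.com/yang/tailf-ncs-config">
  <webui>
    <transport>
      <tcp><enabled>true</enabled><port>8080</port></tcp>
      <ssl><enabled>false</enabled><port>8888</port></ssl>
    </transport>
  </webui>
  <restconf>
    <enabled>true</enabled>
    <token-response>
      <x-auth-token>true</x-auth-token>
      <token-cookie>
        <name>nso-token</name>
        <directives>path=/; HttpOnly</directives>
      </token-cookie>
    </token-response>
  </restconf>
</ncs-config>"""

def _text(root, path, default=""):
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else default

def audit(xml_text):
    """Return a list of finding ids; an empty list means no issue was flagged."""
    root = ET.fromstring(xml_text)
    # Absent elements are treated as 'false' here (assumption, not NSO's defaults).
    ssl_on = _text(root, "c:webui/c:transport/c:ssl/c:enabled", "false") == "true"
    tcp_on = _text(root, "c:webui/c:transport/c:tcp/c:enabled", "false") == "true"
    tok = "c:restconf/c:token-response/"
    header_on = _text(root, tok + "c:x-auth-token", "false") == "true"
    cookie = _text(root, tok + "c:token-cookie/c:name")
    raw = _text(root, tok + "c:token-cookie/c:directives")
    directives = {d.strip().lower() for d in raw.split(";")}
    findings = []
    if not ssl_on:
        findings.append("ssl-disabled")
    if tcp_on and (header_on or cookie):
        findings.append("token-over-cleartext-tcp")  # token readable on the wire
    if cookie and "secure" not in directives:
        findings.append("cookie-missing-secure")
    if cookie and "httponly" not in directives:
        findings.append("cookie-missing-httponly")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```
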