Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3116
Views
15
Helpful
6
Replies

Securing REST API

Go to solution
ron.whitt
Level 1
Level 1

‎10-16-2018 06:09 AM

Aside from the password, what other methods are used to secure NSO's REST API? 

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
vleijon
Cisco Employee
Cisco Employee
In response to ron.whitt

‎10-19-2018 11:37 AM

No, but you can run the REST api over HTTPS for encryption. You enable this under ssl in the webui part of ncs.conf. 

View solution in original post

6 Replies 6

Go to solution
rogaglia
Cisco Employee
Cisco Employee

‎10-16-2018 10:52 AM

Hi Ron,

It is now a best practice to start using RESTCONF API instead of the legacy pre-standard-REST as a lot of new features are only available in RESTCONF.

 

Particularly, for RESTCONF you can support token-based authentication (see attached output from "man ncs.conf"). However, this is not well documented yet.

 

Just in case you were thinking about it, NSO does not support client-certificate based authentication.

 

Regards,

Roque

 

 

/ncs-config/restconf/token-response
           When authenticating via AAA external-authentication or external-validation and a token is returned,
           it is possible to include a header with the token in the response.

       /ncs-config/restconf/token-response/x-auth-token (boolean) [false]
           Either 'true' or 'false'. If 'true', a x-auth-token header is included in the response with any
           token returned from AAA.

       /ncs-config/restconf/token-response/token-cookie
           Configuration of RESTCONF token cookies.

       /ncs-config/restconf/token-response/token-cookie/name (string) []
           The cookie name, exactly as it is to be sent. If configured, a HTTP cookie with that name is
           included in the response with any token returned from AAA as value.

       /ncs-config/restconf/token-response/token-cookie/directives (string) []
           An optional string with directives appended to the cookie, exactly as it is to be sent.

Go to solution
rogaglia
Cisco Employee
Cisco Employee
In response to rogaglia

‎10-16-2018 10:55 AM

Hi,

 

I found token authentication documentation in the Administrator Guide, chapter 9: "The AAA infrastructure".

 

Roque

Go to solution
ron.whitt
Level 1
Level 1
In response to rogaglia

‎10-16-2018 12:17 PM

So does this token method provide any encryption?  

0 Helpful

Go to solution
vleijon
Cisco Employee
Cisco Employee
In response to ron.whitt

‎10-19-2018 11:37 AM

No, but you can run the REST api over HTTPS for encryption. You enable this under ssl in the webui part of ncs.conf. 

Go to solution
ron.whitt
Level 1
Level 1
In response to vleijon

‎10-22-2018 06:22 AM

Thanks so much for the reply, yes this is the answer we were looking for. I'm getting good traction for NSO in the global financial space so I'm bound to run into many more security related questions.
0 Helpful

Go to solution
rogaglia
Cisco Employee
Cisco Employee
In response to ron.whitt

‎10-22-2018 06:23 AM

Your answer is on RFC8040, section 2.2:

2.2. HTTPS with X.509v3 Certificates

   Given the nearly ubiquitous support for HTTP over TLS [RFC7230],
   RESTCONF implementations MUST support the "https" URI scheme, which
   has the IANA-assigned default port 443.

   RESTCONF servers MUST present an X.509v3-based certificate when
   establishing a TLS connection with a RESTCONF client.  The use of
   X.509v3-based certificates is consistent with NETCONF over TLS
   [RFC7589].

 

HTTS is mandatory for RESTCONF.

 

Roque

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the NSO Developer community:

Customers Also Viewed These Support Documents