I am having a problem with the NX-API nxapi_auth cookie when using certificates to authenticate on a Nexus 9000 switch running NX-OS 9.3(8). The certificates work for authentication, but when I use a certificate to authenticate, I no longer get the nxapi_auth cookie.
I'll illustrate what I'm talking about by first showing how I am able to get an nxapi_auth cookie when using HTTP based username and password authentication. This works fine:
1> When I query a Nexus 9000 switch from the command line using the NX-API I do something like this:
curl --user [switch_username]:[password] -v -X POST -H "Accept: application/json" -H "Content-type: application/json" -d @commandFile -k https://<device-management-ip>/ins -D ~/cookieFile
username, password, and the device management IP are all filled in properly. The above command just shows the kind of syntax I'm using. The @commandFile is actually something like /home/username/commandFile. When passing in a file that contains the JSON command I need to use the full path.
2> The commandFile contains a JSON command that I need to run, something like this:
{"ins_api":{"version": "1.0", "type": "cli_show", "chunk": "0", "sid": "1", "input": "show clock","output_format": "json"}}
3> The cookieFile that is saved contains a number of values, but the one I need is this:
[...]
> Set-cookie: nxapi_auth:[switch_username]:[cookiestring]
[...]
This is normal / good / expected. This is an example of what I need. I can send that nxapi_auth cookie back for 10 minutes and reduce the load on the Cisco Nexus PAM as it will just re-use the login. I can use -b ~/cookieFile and skip using the --user authentication option. By sending the nxapi_auth cookie back for up to 10 minutes, I can stay logged in.
4> However, when I switch over to using certificate based authentication:
curl --user [username]: --tlsv1.2 --cacert ./ca.pem --cert ./user.crt:[cert_pass] --key ./user.key -v -X POST -H "Accept: application/json" -H "Content-type: application/json" -d @commandFile -k https://<device-management-ip>/ins -D ~/cookieFile
Then the problem: I don't get the nxapi_auth cookie any more. So, I believe that every time I run a query using a certificate, the Cisco Nexus PAM is going to handle it as a new authentication? That is not desirable. The Cisco NX-API documentation doesn't state that using certificates gets rid of the nxapi_auth cookie, but it seems to be gone.
It appears that there is no way to get a cached login cookie when using certificates. Am I missing something here?
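As an added example (not from the original post or from Cisco), the following Python helper applies the cookie reuse the post describes: it builds the same ins_api body as commandFile, parses a curl -D style header dump for the nxapi_auth cookie, reuses that cookie inside the 10-minute window the post mentions, and falls back to username/password Basic auth whenever no cookie was issued, which is what the certificate case above looks like to a client. The header dumps are constructed samples, and the regex accepts either `=` or `:` after the cookie name since the post shows the colon form; the TTL of 600 seconds and the cookie name come from the post.

```python
"""Reuse the NX-API nxapi_auth cookie; fall back to credentials when it is absent."""
import base64
import json
import re
import time
from typing import Callable, Dict, Optional

COOKIE_TTL_SECONDS = 600  # 10-minute reuse window described in the post

# Constructed sample header dumps, as curl -D would save them.
PASSWORD_AUTH_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: nxapi_auth=netadmin:EXAMPLECOOKIESTRING\r\n\r\n"
)
CERT_AUTH_HEADERS = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"

# Accept "nxapi_auth=value" (RFC cookie syntax) or "nxapi_auth:value" (form shown in the post).
_COOKIE_RE = re.compile(r"^Set-Cookie:\s*nxapi_auth[=:]\s*([^;\r\n]+)", re.I | re.M)


def build_cli_show_payload(command: str, sid: str = "1") -> str:
    """Build the ins_api JSON body, same shape as the post's commandFile."""
    return json.dumps({"ins_api": {"version": "1.0", "type": "cli_show", "chunk": "0",
                                   "sid": sid, "input": command, "output_format": "json"}})


def extract_nxapi_auth(header_dump: str) -> Optional[str]:
    """Return the nxapi_auth cookie value from a header dump, or None if not issued."""
    match = _COOKIE_RE.search(header_dump)
    return match.group(1).strip() if match else None


class NxapiSession:
    """Pick per-request auth: the cached cookie while valid, else username/password."""

    def __init__(self, username: str, password: str, now: Callable[[], float] = time.time):
        self.username, self.password, self._now = username, password, now
        self._cookie: Optional[str] = None
        self._issued_at = 0.0

    def record_response_headers(self, header_dump: str) -> bool:
        """Cache the cookie from a response; False means the switch issued none."""
        cookie = extract_nxapi_auth(header_dump)
        if cookie:
            self._cookie, self._issued_at = cookie, self._now()
        return cookie is not None

    def cookie_valid(self) -> bool:
        return self._cookie is not None and self._now() - self._issued_at < COOKIE_TTL_SECONDS

    def request_headers(self) -> Dict[str, str]:
        headers = {"Accept": "application/json", "Content-Type": "application/json"}
        if self.cookie_valid():
            headers["Cookie"] = f"nxapi_auth={self._cookie}"  # replaces curl's -b cookieFile
        else:  # no (or expired) cookie: equivalent of curl --user, a fresh PAM login
            token = base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
            headers["Authorization"] = f"Basic {token}"
        return headers
```

Feed `record_response_headers` the saved cookieFile after each call; the session silently keeps re-authenticating with credentials when, as in the certificate case, no cookie ever arrives.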