
NX API - Certificate Based Authentication - nxapi_auth cookie missing

quarky42
Level 1

I am having a problem with the NX-API nxapi_auth cookie when using certificates to authenticate on a Nexus 9000 switch running NX-OS 9.3(8). The certificates work for authentication, but when I use a certificate to authenticate, I no longer get the nxapi_auth cookie.

I'll illustrate what I'm talking about by first showing how I am able to get an nxapi_auth cookie when using HTTP-based username and password authentication. This works fine:

1> When I query a Nexus 9000 switch from the command line using the NX-API I do something like this:

curl --user [switch_username]:[password] -v -X POST -H "Accept: application/json" -H "Content-type: application/json" -d @commandFile -k https://<device-management-ip>/ins -D ~/cookieFile

username, password, and the device management IP are all filled in properly. The above command just shows the kind of syntax I'm using. The @commandFile is actually something like /home/username/commandFile. When passing in a file that contains the JSON command I need to use the full path.

2> The commandFile contains a JSON command that I need to run, something like this:

{"ins_api":{"version": "1.0", "type": "cli_show", "chunk": "0", "sid": "1", "input": "show clock","output_format": "json"}}

3> The cookieFile that is saved contains a number of values, but the one I need is this: 

[...]
> Set-cookie: nxapi_auth:[switch_username]:[cookiestring]
[...]

This is normal / good / expected. This is exactly what I need. I can send that nxapi_auth cookie back for 10 minutes and reduce the load on the Cisco Nexus PAM, as it will just re-use the login. I can use -b ~/cookieFile and skip using the --user authentication option. By sending the nxapi_auth cookie back for up to 10 minutes, I can stay logged in.

4> However, when I switch over to using certificate based authentication:

curl --user [username]: --tlsv1.2 --cacert ./ca.pem --cert ./user.crt:[cert_pass] --key ./user.key -v -X POST -H "Accept: application/json" -H "Content-type: application/json" -d @commandFile -k https://<device-management-ip>/ins -D ~/cookieFile

The problem: I don't get the nxapi_auth cookie anymore. So, I believe that every time I run a query using a certificate, the Cisco Nexus PAM is going to handle it as a new authentication? That is not desirable. The Cisco NX API documentation doesn't state that using certificates gets rid of the nxapi_auth cookie, but it seems to be gone.

It appears that there is no way to get a cached login cookie when using certificates.  Am I missing something here?
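
The check the post does by eye on the saved `-D` header file, written as an added example (not part of the original post and not Cisco tooling). It assumes the cookie arrives in a `Set-Cookie` header named nxapi_auth with either `=` or the `:` separator shown in the post, uses the file's modification time as the issue time, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a header dump written by `curl -D` after an NX-API call.
# Assumptions: the cookie is named nxapi_auth and follows "Set-Cookie:" with
# either "=" or the ":" separator shown in the post; the dump's mtime stands in
# for the time the cookie was issued. Function names are hypothetical.

# Print the nxapi_auth value from dump $1; exit status 1 when it is absent.
nxapi_cookie_value() {
    [ -r "$1" ] || return 1
    tr -d '\r' < "$1" | awk '
        {
            line = $0
            sub(/^[<>] /, "", line)            # tolerate curl -v style prefixes
            if (tolower(substr(line, 1, 11)) == "set-cookie:") {
                val = substr(line, 12)
                sub(/^[ \t]*/, "", val)
                if (val ~ /^nxapi_auth[=:]/) {
                    sub(/^nxapi_auth[=:]/, "", val)
                    sub(/;.*$/, "", val)       # drop attributes such as Secure
                    print val
                    found = 1
                    exit
                }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Print "cached", "expired" or "missing" for dump $1.
# $2 is the reuse window in minutes (default 10, the window the post describes).
nxapi_session_state() {
    if ! nxapi_cookie_value "$1" >/dev/null; then
        echo missing
    elif [ -n "$(find "$1" -mmin "-${2:-10}" 2>/dev/null)" ]; then  # -mmin: GNU/BSD find
        echo cached
    else
        echo expired
    fi
}

# Constructed header dumps (not captured from a device).
demo_dir=$(mktemp -d)
printf 'HTTP/1.1 200 OK\r\nSet-Cookie: nxapi_auth=admin:CONSTRUCTED; Secure\r\n\r\n' > "$demo_dir/password.hdr"
printf 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n' > "$demo_dir/cert.hdr"
echo "password auth: $(nxapi_session_state "$demo_dir/password.hdr")"
echo "cert auth:     $(nxapi_session_state "$demo_dir/cert.hdr")"
rm -rf "$demo_dir"
```

The dump holds a reusable session credential, so keep it readable only by the calling user (for example by setting `umask 077` before running curl).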
