NETCONF Over TLS

The NETCONF over TLS protocol is defined in RFC 7589

If the server image is built with the WITH_OPENSSL=1 parameter (or EVERYTHING=1 parameter) then NETCONF over TLS support will be available.

TLS Configuration

The following CLI and configuration parameters are available to support NETCONF over TLS sessions:

CLI Parameters for NETCONF over TLS

Parameter

Description

--cert-default-user

DEBUG only default user-name to use if no user-certmap found for an incoming NETCONF over TLS session

--cert-usermap

Map a client user-name to a X.509 fingerprint for the client certificate. Required for each user name to be used with NETCONF over TLS. Use yumaworks-cert-usermap.yang to configure X.509 cert-to-name entries at runtime.

--insecure-ok

DEBUG only option to accept client certificates that cannot be verified in the local truststore

--netconf-tls-address

The IP address to listen for NETCONF over TLS sessions. The default is 0.0.0.0

--netconf-tls-certificate

The public certificate file that must be provided to use NETCONF over TLS

--netconf-tls-key

The private certificate file that must be provided to use NETCONF over TLS

--netconf-tls-port

The TCP port to listen for NETCONF over TLS sessions. The default is 6513

--netconf-tls-trust-store

The file or directory to look for client certificates to determine if they are trusted

--with-netconf-tls

This flag must be set to true to enable NETCONF over TLS

--tls-cipherlist

Specifies advanced OpenSSL cipher configuration settings.

--tls-crl-missing-ok

Specifies whether missing CRL Distribution Point is an error

--tls-crl-mode

Specifies how Certificate Revocation List processing is done

--tls-debug

Enable extended NETCONF over TLS logging information

YANG Module for NETCONF over TLS

The yumaworks-cert-usermap.yang module provides YANG configuration of the certificate to user name mappings. This YANG module implements the Client Identity procedures defined in section 6 of RFC 7589.

The 'cert-to-name' grouping defined in the ietf-x509-cert-to-name.yang module is adapted for use with NETCONF over TLS, even though RFC 7407 is defined for SNMP over TLS configuration. The TLS usage is the same in both protocols.

The Subject Alternate Name (SAN) fields described in RFC 7589 are supported. The Common Name (CN) field is supported but it is deprecated and SAN fields should be used instead.

Note

When checking a client X.509 certificate for a username mapping:

  • The server will check all --cert-usermap parameters first.

  • The server will then check all 'cert-to-name' list entries.