NETCONF Over TLS

The NETCONF over TLS protocol is defined in RFC 7589.

If the server image is built with the WITH_OPENSSL=1 parameter (or EVERYTHING=1 parameter) then NETCONF over TLS support will be available.

TLS Configuration

The following CLI and configuration parameters are available to support NETCONF over TLS sessions:

CLI Parameters for NETCONF over TLS

  --cert-default-user
      DEBUG only: default user name to use if no --cert-usermap entry matches an incoming NETCONF over TLS session.

  --cert-usermap
      Map a client user name to an X.509 fingerprint for the client certificate. Required for each user name to be used with NETCONF over TLS. Use yumaworks-cert-usermap.yang to configure X.509 cert-to-name entries at runtime.

  --insecure-ok
      DEBUG only: accept client certificates that cannot be verified against the local truststore.

  --netconf-tls-address
      The IP address to listen on for NETCONF over TLS sessions. The default is 0.0.0.0.

  --netconf-tls-certificate
      The public certificate file that must be provided to use NETCONF over TLS.

  --netconf-tls-key
      The private key file (for the server certificate) that must be provided to use NETCONF over TLS.

  --netconf-tls-port
      The TCP port to listen on for NETCONF over TLS sessions. The default is 6513.

  --netconf-tls-trust-store
      The file or directory searched for certificates used to determine whether a client certificate is trusted.

  --with-netconf-tls
      This flag must be set to true to enable NETCONF over TLS.

  --tls-cipherlist
      Specifies advanced OpenSSL cipher configuration settings.

  --tls-crl-missing-ok
      Specifies whether a missing CRL Distribution Point is treated as an error.

  --tls-crl-mode
      Specifies how Certificate Revocation List (CRL) processing is done.

  --tls-debug
      Enable extended NETCONF over TLS logging information.

  --tls-deprecated-ok
      Allow deprecated versions of TLS to be used.

YANG Module for NETCONF over TLS

The yumaworks-cert-usermap.yang module provides YANG configuration of the certificate to user name mappings. This YANG module implements the Client Identity procedures defined in section 6 of RFC 7589.

The 'cert-to-name' grouping defined in the ietf-x509-cert-to-name.yang module is adapted for use with NETCONF over TLS, even though RFC 7407 defines it for SNMP over TLS configuration. The TLS usage is the same in both protocols.

The Subject Alternative Name (SAN) fields described in RFC 7589 are supported. The Common Name (CN) field is supported but deprecated; SAN fields should be used instead.

Note

When checking a client X.509 certificate for a username mapping:

  • The server will check all --cert-usermap parameters first.

  • The server will then check all 'cert-to-name' list entries.
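The lookup order in the note above, as an added example that is not part of this documentation or the server's code: a simplified model of mapping a client certificate to a NETCONF user name, checking --cert-usermap fingerprints first, then 'cert-to-name' entries in list order, and finally the DEBUG-only --cert-default-user fallback. The ClientCert and CertToName classes, the map-type names and the fingerprint values are constructed for illustration, and falling through to the next entry when a certificate lacks the mapped field is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class ClientCert:
    """Fields of the presented client certificate that the mapping inspects (constructed)."""
    fingerprint: str                       # hex digest of the DER certificate, as configured
    common_name: Optional[str] = None      # subject CN (deprecated for mapping)
    san_rfc822: List[str] = field(default_factory=list)   # SAN rfc822Name entries
    san_dns: List[str] = field(default_factory=list)      # SAN dNSName entries

@dataclass
class CertToName:
    """One 'cert-to-name' list entry (simplified form of the RFC 7407 grouping, assumed)."""
    fingerprint: str
    map_type: str                # 'specified', 'san-rfc822-name', 'san-dns-name', 'san-any', 'common-name'
    name: Optional[str] = None   # only used when map_type == 'specified'

def name_from_entry(cert: ClientCert, entry: CertToName) -> Optional[str]:
    """Derive a user name from an entry whose fingerprint matched, or None if the cert lacks the field."""
    if entry.map_type == "specified":
        return entry.name
    if entry.map_type == "san-rfc822-name":
        return cert.san_rfc822[0] if cert.san_rfc822 else None
    if entry.map_type == "san-dns-name":
        return cert.san_dns[0] if cert.san_dns else None
    if entry.map_type == "san-any":
        return (cert.san_rfc822 + cert.san_dns or [None])[0]
    if entry.map_type == "common-name":
        return cert.common_name          # deprecated on this page: prefer the SAN map types
    return None

def map_cert_to_user(cert: ClientCert, usermap: Dict[str, str],
                     cert_to_name: List[CertToName],
                     default_user: Optional[str] = None) -> Optional[str]:
    """Return the NETCONF user name for cert, or None when no mapping exists (session rejected)."""
    # 1. --cert-usermap parameters are checked first: fingerprint -> user name.
    if cert.fingerprint in usermap:
        return usermap[cert.fingerprint]
    # 2. Then every 'cert-to-name' list entry, in order; the first entry whose
    #    fingerprint matches and that yields a name decides (assumed fall-through
    #    to the next entry when the certificate lacks the mapped field).
    for entry in cert_to_name:
        if entry.fingerprint == cert.fingerprint:
            name = name_from_entry(cert, entry)
            if name is not None:
                return name
    # 3. DEBUG-only fallback (--cert-default-user); None means reject.
    return default_user
```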