Using Restconf with HTTPS

By default the RestconfServiceProvider is initialized to use the non-secure HTTP protocol, but YDK also provides partial support for HTTPS. Here ‘partial’ means that YDK can communicate over the secure protocol, encrypts data, and checks the Restconf server CA certificate, but peer and host name verification are permanently disabled. This limitation should be addressed in future YDK releases.

CA Certificate Installation

To enable HTTPS, the user must obtain the Restconf server CA certificate and install it on the application server. On Ubuntu the installation procedure is as follows:

cd /usr/local/share/ca-certificates/
sudo mkdir ydk
sudo cp ~/myrestconf.crt ydk/
# Make sure the permissions are OK (755 for the folder, 644 for the file)
sudo update-ca-certificates
# In the output of the last command check that the certificate was added

The installation procedure on CentOS-7:

sudo cp ~/myrestconf.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust

Getting macOS to trust self-signed SSL certificates:

  1. Locate your CA certificate file.

  2. Open up Keychain Access.

  3. Drag your certificate into Keychain Access.

  4. Go into the Certificates section and locate the certificate you just added.

  5. Double click on it, enter the trust section and under “When using this certificate” select “Always Trust”.

Code Snippet

In the application the user must explicitly specify the HTTPS protocol in the host address. The following example shows how the RestconfServiceProvider is used to read the names of all interfaces from a secure Restconf server:

#!/usr/bin/env python
#
# Read the names of all interfaces from a Restconf server over HTTPS.
from ydk.services import CRUDService
from ydk.providers import RestconfServiceProvider
from ydk.types import EncodingFormat
from ydk.path import Repository

from ydk.models.openconfig import openconfig_interfaces

if __name__ == '__main__':

    # Local directory holding the YANG models for the device
    repo = Repository('/Users/ygorelik/.ydk/sbx-iosxr-mgmt.cisco.com')
    provider = RestconfServiceProvider(
        repo,
        'https://ios-xe-mgmt.cisco.com',   # Add 'https://' prefix to the host name or address
        'developer',
        'C1sco12345',
        9443,    # HTTPS port
        EncodingFormat.JSON)

    # Empty top-level object acts as a read filter for all interfaces
    interfaces = openconfig_interfaces.Interfaces()

    crud = CRUDService()
    all_interfaces = crud.read(provider, interfaces)

    for intf in all_interfaces.interface:
        print(intf.name)
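
Because YDK leaves peer and host name verification disabled, an application can confirm the server's identity itself before creating the provider. The following pre-flight check is an added example, not part of YDK; it uses only Python's standard ssl module, and the names strict_tls_context, split_endpoint and preflight and the host restconf.example.net are assumptions made for illustration.

```python
# Added example (not YDK code): verify a Restconf server's certificate chain
# and host name with the standard library before handing the address to YDK.
import socket
import ssl
from urllib.parse import urlsplit


def strict_tls_context(ca_file=None):
    """Context that enforces chain validation and host name matching."""
    # With ca_file=None the system trust store is used; otherwise only that CA.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def split_endpoint(address, port):
    """Return (host, port) from the address form given to RestconfServiceProvider."""
    parts = urlsplit(address)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("address must start with 'https://': %r" % address)
    return parts.hostname, parts.port or port


def preflight(address, port, ca_file=None, timeout=5.0):
    """Return (ok, detail); ok is True only if chain and host name both verify."""
    host, port = split_endpoint(address, port)
    ctx = strict_tls_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, "verified, notAfter=%s" % cert.get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return False, "TLS/connect failure: %s" % exc


if __name__ == "__main__":
    # Constructed sample values; replace with your own device and CA file.
    ok, detail = preflight("https://restconf.example.net", 9443)
    print(ok, detail)
    if not ok:
        raise SystemExit(1)
```

The check runs on a separate connection, so it confirms the endpoint's certificate at that moment only; YDK's own session still performs no host name verification.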