gRPC Operations
The following are the defined manageability service gRPC operations for Cisco IOS XR:
gRPC Operation |
Description |
---|---|
GetConfig |
Retrieves the configuration from the router. |
GetModels |
Gets the supported Yang models on the router |
MergeConfig |
Merges the input config with the existing device configuration. |
DeleteConfig |
Deletes one or more subtrees or leaves of configuration. |
ReplaceConfig |
Replaces part of the existing configuration with the input configuration. |
CommitReplace |
Replaces all existing configuration with the new configuration provided. |
GetOper |
Retrieves operational data. |
CliConfig |
Invokes the input CLI configuration. |
ShowCmdTextOutput |
Returns the output of a show command in the text form |
ShowCmdJSONOutput |
Returns the output of a show command in JSON form. |
gRPC Operation to Get Configuration
This example shows how a gRPC GetConfig request works for LLDP feature.
The client initiates a message to get the current configuration of LLDP running on the router. The router responds with the current LLDP configuration.
gRPC Request (Client to Router) |
gRPC Response (Router to Client) |
---|---|
|
|
gRPC Authentication Modes
gRPC supports the following authentication modes to secure communication between clients and servers. These authentication modes help ensure that only authorized entities can access the gRPC services, like gNOI, gRIBI, and P4RT. Upon receiving a gRPC request, the device will authenticate the user and perform various authorization checks to validate the user.
The following table lists the authentication type and configuration requirements:
Type |
Authentication Method |
Authorization Method |
Configuration Requirement |
Requirement From Client |
---|---|---|---|---|
Metadata with TLS |
username, password |
username |
grpc |
username, password, and CA |
Metadata without TLS |
username, password |
username |
grpc no-tls |
username, password |
Metadata with Mutual TLS |
username, password |
username |
grpc tls-mutual |
username, password, client certificate, client key, and CA |
Certificate based Authentication |
client certificate's common name field |
username from client certificate's common name field |
grpc tls-mutual and grpc certificate authentication |
client certificate, client key, and CA |
Certificate based Authentication
/misc/config/grpc/ems.pem
/misc/config/grpc/ems.key
/misc/config/grpc/ca.cert
Note |
For clients to use the certificates, ensure to copy the certificates from /misc/config/grpc/ The gRPC server advertises TLS 1.2 as the maximum TLS version when using a SUDI-based SSL profile. |
Generation of Certificates
These certificates are typically generated using a Certificate Authority (CA) by the device. The EMS certificates, including the server certificate (ems.pem ), public key (ems.key ), and CA certificate (ca.cert ), are generated with specific parameters like the common name ems.cisco.com to uniquely identify the EMS server and placed in the /misc/config/grpc/ location.
The default certificates that are generated by the server are Server-only TLS certificates and by using these certificates you can authenticate the identity of the server.
Usage of Certificates
These certificates are used for enabling secure communication through Transport Layer Security (TLS) between gRPC clients and the EMS server. The client should use ems.pem and ca.cert to initiate the TLS authentication.
To update the certificates, ensure to copy the new certificates that has been generated earlier to the location and restart the server.
Custom Certificates
If you want to use your own certificates for EMS gRPC communication, then you can follow a workflow to generate a custom certificates with the required parameters and then configure the EMS server to use these custom certificates. This process involves replacing the default EMS certificates with the custom ones and ensuring that the gRPC clients also trust the custom CA certificate. For more information on how to customize the common-name , see Certificate Common-Name For Dial-in Using gRPC Protocol.
Authenticate gRPC Services
Note |
Typically, gRPC clients include the username and password in the gRPC metadata fields. |
Procedure
Use any one of the following configuration type to authenticate any gRPC service.
|
gRPC server TLS version 1.3 support
Feature Name |
Release Information |
Description |
---|---|---|
gRPC server TLS version 1.3 support |
Release 24.4.1 |
Introduced in this release on: Fixed Systems (8200 [ASIC: Q200, P100], 8700 [ASIC: P100, K100]); Centralized Systems (8600 [ASIC:Q200]); Modular Systems (8800 [LC ASIC: Q100, Q200, P100]) You can now enhance your network security by enabling TLS 1.3 support for gRPC services. This update provides stronger protection against vulnerabilities, improves performance with faster connection times and reduced latency, and removes outdated ciphers. Additionally, it complies with internal security mandates, offering a more robust and future-proof solution for your network management needs. Previously, gRPC server supported TLS version 1.2. The feature introduces these changes: CLI: |
The gRPC Remote Procedure Calls (gRPC) server Transport Layer Security (TLS) version 1.3 support is a security feature that
-
provides end-to-end communications security over networks,
-
prevents unauthorized access and eavesdropping, and
-
protects against tampering and message forgery.
The TLS private key is encrypted before being stored on the disk. For more details on SSL or TLS version certificates, keys, and communication parameters, see certz profile ID.
Configure gRPC TLS version
You can configure the minimum and maximum TLS versions for gRPC, and view the TLS cipher suites.
Procedure
Step 1 |
Configure gRPC TLS minimum, maximum, or both versions. Example:
|
||
Step 2 |
Verify the gRPC TLS minimum and maximum versions. Example:
The TLS 1.3 ciphers are not configurable, they are either fixed or static. |
SPIFFE ID-Based Authentication and Authorization Services for gRPC Services
Feature Name |
Release Information |
Description |
---|---|---|
SPIFFE ID-Based Authentication and Authorization Services for gRPC Services |
Release 24.2.11 |
You can now securely manage service identities for workloads that communicate over gRPC. This capability is critical for environments such as distributed systems, where workloads move across different platforms. This security measure is feasible because workloads can use the Secure Production Identity Framework for Everyone (SPIFFE) ID and SPIFFE Verifiable Identity Document (SVID) to encrypt and authenticate gRPC traffic. This feature introduces the following changes: CLI: Yang Data Models:
(see GitHub, YANG Data Models Navigator) |
The SPIFFE standard specifies a framework that can bootstrap and issue identities to services across diverse environments and organizational boundaries. SPIFFE assigns a unique identity to each workload with a SPIFFE ID and securely encapsulates it within a SPIFFE Verifiable Identity Document (SVID). The SVID, which is short-lived, corresponds exclusively to its SPIFFE ID and can be encoded either as an X.509 certificate or as a JSON Web Token (JWT). This dual-format capability facilitates robust identity verification.
This feature provides a mechanism for mapping a SPIFFE ID to an XR user for authorization purposes. This feature enables Extensible Manageability Services (EMS) to use the SVID, which are certificates that essentially contain SPIFFE IDs, to perform the following operations:
-
Authentication via mTLS
-
AuthZ authorization using the SVID
The XR authorization occurs with the XR user which is mapped to the SPIFFE ID. Mapping the SPIFFE ID to a username is required for gRPC services to perform IOS XR authentication and authorization before executing any operations on the device. If the authz evaluation is successful then only the connection request is processed; otherwise, access is denied.
Workflow for SPIFFE ID-Based Authentication and Authorization for gRPC Services
The high-level workflow of SPIFFE ID-based authentication and authorization for gRPC services involves the following steps:
-
The EMS starts searching for the spiffe-user-map.json file at the location /misc/config/grpc/gnsi/credentialz/spiffe-user-map.json.
-
If the file exists, it is parsed, and the mapping is stored globally in the aaa/auth package.
-
If the file does not exist or parsing is unsuccessful, the mapping will be empty.
-
The EMS registers with the configuration manager to receive updates for the
aaa
configuration. -
When processing requests in the Authentication interceptor, the spiffe-user mapping API checks for the SPIFFE ID mapping in the map created in step 2.
-
If the mapping exists, the API responds with the corresponding username.
-
If the mapping does not exist but the
aaa
configuration exists, the API responds with the configured username. -
If neither the mapping nor the
aaa
configuration is present, the API responds with an empty string. -
Upon a client connecting to the server, the server interceptor extracts the SPIFFE ID from the client's certificate and uses the mapping stored in the aaa/auth package to find the corresponding username.
-
The username identifies it and then includes the metadata into the context.
-
gRPC services that require XR Authorization will later verify the access rights for the username identified in the previous step when handling the request.
-
If the mapping is unsuccessful, the request is passed to the relevant service, such as gNMI, which then decides whether to grant or deny access based on its authorization requirements.
Authenticate and Authorize gRPC Service Requests Using the SPIFFE Standard
Before you begin
Before authenticating and authorizing gRPC service requests using the SPIFFE standard, ensure the following prerequisites are met:
-
Enable mutual TLS authentication with the
tls-mutual
command. -
Enable certificate authentication with the
certificate-authentication
command to facilitate SPIFFE ID recognition. For more information, see Authenticate gRPC Services. -
Configure the gNSI Authz policy by setting the principal to the SPIFFE-ID for service-level authorization (gNSI AuthZ).
After establishing the connection, the gRPC server extracts the SPIFFE ID from the client's certificate.
To authenticate and authorize gRPC service requests using the SPIFFE standard, follow these steps:
Procedure
Step 1 |
Configure the username in the system. Example:
|
||
Step 2 |
Map the SPIFFE ID to a username using the aaa map-to username command. This command assigns a default username to any SPIFFE ID.
|
||
Step 3 |
Evaluate the client's SPIFFE ID against the service-level authorization policy (gNSI AuthZ). For more information about gNSI authz policies, see gRPC Network Security Interface. |
Certificate Common-Name For Dial-in Using gRPC Protocol
Feature Name |
Release Information |
Description |
---|---|---|
Certificate Common-Name For Dial-in Using gRPC Protocol |
Release 24.1.1 |
You can now specify a common-name for the certificate generated by the router while using gRPC dial-in. Earlier, the common-name in the certificate was fixed as ems.cisco.com and was not configurable. Using a specified common-name avoids potential certification failures where you may specify a hostname different from the fixed common name to connect to the router. The feature introduces these changes: CLI: YANG Data Model:
(see GitHub, YANG Data Models Navigator) |
When using gRPC dial-in on Cisco IOS-XR router, the common-name associated with the certificate generated by the router is fixed as ems.cisco.com and this caused failure during certificate verification.
From Cisco IOS XR Release 24.1.1, you can now have the flexibility of specifying the common-name in the certificate using the grpc certifcate common-name command. This allows gRPC clients to verify if the domain name in the certificate matches the domain name of the gRPC server being accessed.
Configure Certificate Common Name For Dial-in
Configure a common name to be used in EMSD certificates for gRPC dial-in.
Procedure
Step 1 |
Configure a common name. Example:
Use the show command to verify the common name:
To regenerate the self-signed certificate, perform the following steps. |
||
Step 2 |
Remove the certificates: Example:
|
||
Step 3 |
Restart gRPC server by toggling the TLS configuration. Configure gRPC with non TLS and then re-configure with TLS. Example:
Copy the newly generated |