gRPC Operations
The following are the defined manageability service gRPC operations for Cisco IOS XR:
gRPC Operation |
Description |
---|---|
GetConfig |
Retrieves the configuration from the router. |
GetModels |
Gets the supported Yang models on the router |
MergeConfig |
Merges the input config with the existing device configuration. |
DeleteConfig |
Deletes one or more subtrees or leaves of configuration. |
ReplaceConfig |
Replaces part of the existing configuration with the input configuration. |
CommitReplace |
Replaces all existing configuration with the new configuration provided. |
GetOper |
Retrieves operational data. |
CliConfig |
Invokes the input CLI configuration. |
ShowCmdTextOutput |
Returns the output of a show command in the text form |
ShowCmdJSONOutput |
Returns the output of a show command in JSON form. |
gRPC Operation to Get Configuration
This example shows how a gRPC GetConfig request works for LLDP feature.
The client initiates a message to get the current configuration of LLDP running on the router. The router responds with the current LLDP configuration.
gRPC Request (Client to Router) |
gRPC Response (Router to Client) |
---|---|
|
|
gRPC Authentication Modes
gRPC supports the following authentication modes to secure communication between clients and servers. These authentication modes help ensure that only authorized entities can access the gRPC services, like gNOI, gRIBI, and P4RT. Upon receiving a gRPC request, the device will authenticate the user and perform various authorization checks to validate the user.
The following table lists the authentication type and configuration requirements:
Type |
Authentication Method |
Authorization Method |
Configuration Requirement |
Requirement From Client |
---|---|---|---|---|
Metadata with TLS |
username, password |
username |
grpc |
username, password, and CA |
Metadata without TLS |
username, password |
username |
grpc no-tls |
username, password |
Metadata with Mutual TLS |
username, password |
username |
grpc tls-mutual |
username, password, client certificate, client key, and CA |
Certificate based Authentication |
client certificate's common name field |
username from client certificate's common name field |
grpc tls-mutual and grpc certificate authentication |
client certificate, client key, and CA |
Certificate based Authentication
/misc/config/grpc/ems.pem
/misc/config/grpc/ems.key
/misc/config/grpc/ca.cert
Note |
For clients to use the certificates, ensure to copy the certificates from /misc/config/grpc/ |
Generation of Certificates
These certificates are typically generated using a Certificate Authority (CA) by the device. The EMS certificates, including the server certificate (ems.pem ), public key (ems.key ), and CA certificate (ca.cert ), are generated with specific parameters like the common name ems.cisco.com to uniquely identify the EMS server and placed in the /misc/config/grpc/ location.
The default certificates that are generated by the server are Server-only TLS certificates and by using these certificates you can authenticate the identity of the server.
Usage of Certificates
These certificates are used for enabling secure communication through Transport Layer Security (TLS) between gRPC clients and the EMS server. The client should use ems.pem and ca.cert to initiate the TLS authentication.
To update the certificates, ensure to copy the new certificates that has been generated earlier to the location and restart the server.
Custom Certificates
If you want to use your own certificates for EMS gRPC communication, then you can follow a workflow to generate a custom certificates with the required parameters and then configure the EMS server to use these custom certificates. This process involves replacing the default EMS certificates with the custom ones and ensuring that the gRPC clients also trust the custom CA certificate. For more information on how to customize the common-name , see Certificate Common-Name For Dial-in Using gRPC Protocol.
Authenticate gRPC Services
Note |
Typically, gRPC clients include the username and password in the gRPC metadata fields. |
Procedure
Use any one of the following configuration type to authenticate any gRPC service.
|