gRPC Operations
The following are the defined manageability service gRPC operations for Cisco IOS XR:
gRPC Operation |
Description |
---|---|
GetConfig |
Retrieves the configuration from the router. |
GetModels |
Gets the supported Yang models on the router |
MergeConfig |
Merges the input config with the existing device configuration. |
DeleteConfig |
Deletes one or more subtrees or leaves of configuration. |
ReplaceConfig |
Replaces part of the existing configuration with the input configuration. |
CommitReplace |
Replaces all existing configuration with the new configuration provided. |
GetOper |
Retrieves operational data. |
CliConfig |
Invokes the input CLI configuration. |
ShowCmdTextOutput |
Returns the output of a show command in the text form |
ShowCmdJSONOutput |
Returns the output of a show command in JSON form. |
gRPC Operation to Get Configuration
This example shows how a gRPC GetConfig request works for CDP feature.
The client initiates a message to get the current configuration of CDP running on the router. The router responds with the current CDP configuration.
gRPC Request (Client to Router) |
gRPC Response (Router to Client) |
---|---|
|
|
gRPC Authentication Modes
gRPC supports the following authentication modes to secure communication between clients and servers. These authentication modes help ensure that only authorized entities can access the gRPC services, like gNOI, gRIBI, and P4RT. Upon receiving a gRPC request, the device will authenticate the user and perform various authorization checks to validate the user.
The following table lists the authentication type and configuration requirements:
Type |
Authentication Method |
Authorization Method |
Configuration Requirement |
Requirement From Client |
---|---|---|---|---|
Metadata with TLS |
username, password |
username |
grpc |
username, password, and CA |
Metadata without TLS |
username, password |
username |
grpc no-tls |
username, password |
Metadata with Mutual TLS |
username, password |
username |
grpc tls-mutual |
username, password, client certificate, client key, and CA |
Certificate based Authentication |
client certificate's common name field |
username from client certificate's common name field |
grpc tls-mutual and grpc certificate authentication |
client certificate, client key, and CA |
Certificate based Authentication
/misc/config/grpc/ems.pem
/misc/config/grpc/ems.key
/misc/config/grpc/ca.cert
Note |
For clients to use the certificates, ensure to copy the certificates from /misc/config/grpc/ |
Generation of Certificates
These certificates are typically generated using a Certificate Authority (CA) by the device. The EMS certificates, including the server certificate (ems.pem ), public key (ems.key ), and CA certificate (ca.cert ), are generated with specific parameters like the common name ems.cisco.com to uniquely identify the EMS server and placed in the /misc/config/grpc/ location.
The default certificates that are generated by the server are Server-only TLS certificates and by using these certificates you can authenticate the identity of the server.
Usage of Certificates
These certificates are used for enabling secure communication through Transport Layer Security (TLS) between gRPC clients and the EMS server. The client should use ems.pem and ca.cert to initiate the TLS authentication.
To update the certificates, ensure to copy the new certificates that has been generated earlier to the location and restart the server.
Custom Certificates
If you want to use your own certificates for EMS gRPC communication, then you can follow a workflow to generate a custom certificates with the required parameters and then configure the EMS server to use these custom certificates. This process involves replacing the default EMS certificates with the custom ones and ensuring that the gRPC clients also trust the custom CA certificate. For more information on how to customize the common-name , see Certificate Common-Name For Dial-in Using gRPC Protocol.
Authenticate gRPC Services
Note |
Typically, gRPC clients include the username and password in the gRPC metadata fields. |
Procedure
Use any one of the following configuration type to authenticate any gRPC service.
|
gRPC server TLS version 1.3 support
Feature Name |
Release Information |
Description |
---|---|---|
gRPC server TLS version 1.3 support |
Release 24.4.1 |
Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]) You can now enhance your network security by enabling TLS 1.3 support for gRPC services. This update provides stronger protection against vulnerabilities, improves performance with faster connection times and reduced latency, and removes outdated ciphers. Additionally, it complies with internal security mandates, offering a more robust and future-proof solution for your network management needs. Previously, gRPC server supported TLS version 1.2. The feature introduces these changes: CLI: |
The gRPC Remote Procedure Calls (gRPC) server Transport Layer Security (TLS) version 1.3 support is a security feature that
-
provides end-to-end communications security over networks,
-
prevents unauthorized access and eavesdropping, and
-
protects against tampering and message forgery.
The TLS private key is encrypted before being stored on the disk. For more details on SSL or TLS version certificates, keys, and communication parameters, see certz profile ID.
Configure gRPC TLS version
You can configure the minimum and maximum TLS versions for gRPC, and view the TLS cipher suites.
Procedure
Step 1 |
Configure gRPC TLS minimum, maximum, or both versions. Example:
|
||
Step 2 |
Verify the gRPC TLS minimum and maximum versions. Example:
The TLS 1.3 ciphers are not configurable, they are either fixed or static. |
Certificate Common-Name For Dial-in Using gRPC Protocol
Feature Name |
Release Information |
Description |
---|---|---|
Certificate Common-Name For Dial-in Using gRPC Protocol |
Release 24.1.1 |
Introduced in this release on: NCS 5500 fixed port routers; NCS 5700 fixed port routers; NCS 5500 modular routers (NCS 5500 line cards; NCS 5700 line cards [Mode: Compatibility; Native]) You can now specify a common-name for the certificate generated by the router while using gRPC dial-in. Earlier, the common-name in the certificate was fixed as ems.cisco.com and was not configurable. Using a specified common-name avoids potential certification failures where you may specify a hostname different from the fixed common name to connect to the router. The feature introduces these changes: CLI: YANG Data Model:
(see GitHub, YANG Data Models Navigator) |
When using gRPC dial-in on Cisco IOS-XR router, the common-name associated with the certificate generated by the router is fixed as ems.cisco.com and this caused failure during certificate verification.
From Cisco IOS XR Release 24.1.1, you can now have the flexibility of specifying the common-name in the certificate using the grpc certifcate common-name command. This allows gRPC clients to verify if the domain name in the certificate matches the domain name of the gRPC server being accessed.
Configure Certificate Common Name For Dial-in
Configure a common name to be used in EMSD certificates for gRPC dial-in.
Procedure
Step 1 |
Configure a common name. Example:
Use the show command to verify the common name:
To regenerate the self-signed certificate, perform the following steps. |
||
Step 2 |
Remove the certificates: Example:
|
||
Step 3 |
Restart gRPC server by toggling the TLS configuration. Configure gRPC with non TLS and then re-configure with TLS. Example:
Copy the newly generated |