ConfD User Community

Mutual Authentication TLS in RESTCONF

I am looking for an option to query the confd DB using RESTCONF without using basic authentication. How can I use mutual authentication for RESTCONF using TLS without passing user and password in the query? Thanks in advance.

There is an App note on the Tail-f home page that describes how to do Mutual Authentication and RESTCONF.
https://info.tail-f.com/x509-authentication-with-netconf-restconf

Thanks for the example. I followed it. Here is confd.conf:
<webui>
  <enabled>true</enabled>
  <docroot>.</docroot>
  <transport>
    <tcp>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>8008</port>
      <extraIpPorts>[::]</extraIpPorts>
    </tcp>
    <ssl>
      <enabled>true</enabled>
      <ip>0.0.0.0</ip>
      <port>8888</port>
      <readFromDb>true</readFromDb>
      <protocols>tlsv1.2</protocols>
      <verify>3</verify>
    </ssl>
  </transport>
</webui>

I copied the setup.sh file to the box and executed it. I modified the paths accordingly. Then I restarted confd.
Following is the input and output:

$ curl -kivu admin:admin --cacert ./root-ca-cert-1.pem --key ./client.key.pem --cert ./client.cert.pem https://localhost:8888/restconf/
*   Trying 127.0.0.1:8888...
* connect to 127.0.0.1 port 8888 failed: Connection refused
* Failed to connect to localhost port 8888: Connection refused
* Closing connection 0
curl: (7) Failed to connect to localhost port 8888: Connection refused

Any suggested fix? Thanks in advance.

This means that either confd failed to start, or that it is reading a different configuration file. You can check what ports ConfD tries to open and with what results in confd.log - you should see something like this:

<INFO> 2-Jun-2021::09:46:26.294 box confd[211882]: - Starting to listen for WebUI TCP on 0.0.0.0:8008
<INFO> 2-Jun-2021::09:46:26.294 box confd[211882]: - Starting to listen for WebUI SSL on 0.0.0.0:8888
<CRIT> 2-Jun-2021::09:46:26.294 box confd[211882]: - Cannot bind to WebUI socket 0.0.0.0:8888 : unknown reason

The last line appears if something else occupies the port.

Btw., if you want to use RESTCONF, you should also enable that in your configuration file.

Thanks for the reference log messages. I noticed the last line in the log. It is:
Cannot bind to WebUI socket 0.0.0.0:8888 : unknown reason
Also, RESTCONF is enabled in the configuration and we are already using it. The only requirement is to add TLS auth to it.
How can I debug "unknown reason" in the above log? Also, I am looking for a RESTCONF command without passing username and password in the curl command. Is it possible?

I updated and simplified the Dockerfile and setup.sh script for the demo to run with ConfD 7.4 or later.

To debug which programs are using ports in the system you can, for example, run the netstat command:

$ netstat -anp | more

Running netstat with the demo Docker container right after completing the demo:

$ apt install net-tools
...
$ netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:2022            0.0.0.0:*               LISTEN      129/confd.smp       
tcp        0      0 0.0.0.0:2024            0.0.0.0:*               LISTEN      129/confd.smp       
tcp        0      0 127.0.0.1:4565          0.0.0.0:*               LISTEN      129/confd.smp       
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      129/confd.smp       
tcp        0      0 127.0.0.1:50070         127.0.0.1:4565          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:36228         127.0.0.1:8888          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:50080         127.0.0.1:4565          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:4565          127.0.0.1:50072         ESTABLISHED 129/confd.smp       
tcp        0      0 127.0.0.1:50074         127.0.0.1:4565          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:50072         127.0.0.1:4565          ESTABLISHED 155/./dhcpd_conf    
tcp        0      0 127.0.0.1:50076         127.0.0.1:4565          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:36224         127.0.0.1:8888          TIME_WAIT   -                   
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  3      [ ]         STREAM     CONNECTED     30321    133/erl_child_setup  
unix  3      [ ]         STREAM     CONNECTED     30320    129/confd.smp 
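A small helper for the step above, added here as an illustration and not part of the thread or of ConfD: it parses `netstat -anp` output (a constructed sample modelled on the listing above) and reports which process holds the port that confd.log says it cannot bind to.

```python
"""Find which process is bound to a TCP port from `netstat -anp` output.

Added example, not from the thread. The sample output is constructed
to mirror the container listing in the thread.
"""
import re

# Constructed `netstat -anp` sample. The "-" in the last column is what
# netstat prints when the caller lacks permission to see the owning
# process, which is the first thing to fix when debugging a bind failure.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2022            0.0.0.0:*               LISTEN      129/confd.smp
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      4711/python3
tcp6       0      0 :::8008                 :::*                    LISTEN      -
tcp        0      0 127.0.0.1:36228         127.0.0.1:8888          TIME_WAIT   -
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+\S+\s+(?P<state>\S+)\s+(?P<owner>\S+)"
)

def port_of(local_addr):
    """Port of a netstat local-address field ('0.0.0.0:8888', ':::8008', '[::]:8008')."""
    return int(local_addr.rsplit(":", 1)[1])

def listeners_on(port, netstat_output):
    """Return [(proto, local_addr, owner)] for sockets LISTENing on `port`."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "LISTEN":
            continue
        if port_of(m.group("local")) == port:
            # owner is 'PID/name', or '-' when netstat could not read it
            found.append((m.group("proto"), m.group("local"), m.group("owner")))
    return found

def explain_bind_failure(port, netstat_output):
    """Turn 'Cannot bind to WebUI socket ... unknown reason' into a hint."""
    hits = listeners_on(port, netstat_output)
    if not hits:
        return f"port {port} is free; check the confd.conf path and permissions instead"
    owners = ", ".join(o if o != "-" else "unknown (rerun netstat as root)" for _, _, o in hits)
    return f"port {port} already held by: {owners}"

if __name__ == "__main__":
    print(explain_bind_failure(8888, SAMPLE_NETSTAT))
```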

Thanks. I am following the example mentioned in the previous link; my concern is to use the curl command without user and password, as I am using certs in the command. For example, in the command:
curl -kivu admin:admin --cacert ./root-ca-cert-1.pem --key ./client.key.pem --cert ./client.cert.pem https://localhost:8888/restconf/

Can I get it to work without user and password? Thanks in advance.

User and password are still required, for now, although the X.509 certificates for TLS mutual authentication must also succeed for the authentication to succeed. The reason why the user/password is still required is for mapping the certificate to a user.

An IETF draft exists that will likely soon be published, https://datatracker.ietf.org/doc/html/draft-ietf-netconf-restconf-client-server#section-3.1.2.1, which, among other things, standardizes how the mapping from a certificate to a username is done.

ConfD rarely implements drafts, but once the draft becomes an RFC ConfD will likely implement the “client-identity-mappings” node mechanism to remove the requirement for username/password when using X.509 certificates for TLS mutual authentication.
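To make the missing piece concrete, here is an added illustration (not ConfD code, which as the reply above says does not implement this yet) of a certificate-to-username lookup modelled on the cert-to-name list of RFC 7407 (ietf-x509-cert-to-name), the mechanism the draft's client-identity-mappings node builds on. The certificate dict uses the layout that Python's ssl.SSLSocket.getpeercert() returns; the DER bytes, fingerprint and mapping table are constructed for the example.

```python
"""Map a verified TLS client certificate to a username.

Added example modelled on RFC 7407 cert-to-name semantics: entries are
tried in order, an entry applies only if its fingerprint matches the
presented certificate, and map-type says how to derive the name.
"""
import hashlib

# Constructed client certificate in getpeercert() layout, plus constructed
# DER bytes standing in for the real encoded certificate.
CLIENT_DER = b"constructed-der-bytes-for-client-cert"
CLIENT_CERT = {
    "subject": ((("commonName", "admin"),), (("organizationName", "Example"),)),
    "subjectAltName": (("DNS", "client1.example.com"), ("email", "ops@example.com")),
}

def fingerprint(der):
    """SHA-256 fingerprint (hex) of the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

# Constructed mapping table: pin the certificate by fingerprint and map it
# to a fixed ("specified") local user, as an operator would configure.
MAPPINGS = [
    {"fingerprint": fingerprint(CLIENT_DER), "map_type": "specified", "name": "oper"},
]

def _subject_cn(cert):
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def _san(cert, kind):
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type == kind:
            return value
    return None

def username_for(cert, der, mappings):
    """Return the mapped username, or None when no entry matches.

    None must be treated as an authentication failure by the caller; the
    TLS handshake proving chain validity is not enough on its own."""
    fp = fingerprint(der)
    for m in mappings:          # first matching entry wins, as in RFC 7407
        if m["fingerprint"] != fp:
            continue
        t = m["map_type"]
        if t == "specified":
            return m["name"]
        if t == "common-name":
            return _subject_cn(cert)
        if t == "san-dns-name":
            return _san(cert, "DNS")
        if t == "san-rfc822-name":
            return _san(cert, "email")
    return None
```

RFC 7407 also allows the fingerprint to match any certificate in the presented chain; this example pins only the leaf certificate.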