Receiving access-denied as reply for edit-config rpc query

Hi ,
I am running confd-7.3 on centos.
I am getting the same error for any edit-config rpc .
whenever i try to send to edit-config rpc query,i am getting reply as access-denied.
netconf-console-tcp --host= -port=2023 cmd-set-supervision.xml

    <?xml version="1.0" encoding="UTF-8"?>
  <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">

content of cmd-set-supervision.xml

<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <supervision xmlns="urn:o-ran:supervision:1.0"
    <configured-cu-monitoring-interval nc:operation="merge">
<?xml version="1.0" encoding="UTF-8"?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">

when i checked in devel.log,there is no message available.
Only netconf.trace shows the rpc received and rpc reply.
If you can figure out the root cause or any clue will really helpful in debugging.


The error is most likely result of a access authorization failure, either due to a NACM rule or an external authorization callback. Such failures should be logged in devel.log, but you need to have /confdConfig/developerLogLevel set to trace.

Hi mvf,
Thanks alot for your input.
I have enabled it and then devel.log shows:
“devel-aaa User: admin[] rejected data access path /o-ran-supervision:supervision op write due to no rule matched and /nacm/write-default is ‘deny’”

Now when i search write-default in /etc/confd/aaa_init.xml, it is showing : permit
I have provided complete nacm as below.
I haven’t modified this file.If you can help me how to fix this issue will really helpful.

 <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <access-operations>read update</access-operations>
    <access-operations>create read update delete</access-operations>
    <access-operations>create read update delete</access-operations>


Then it means that the configuration changed since ConfD read this file. Do something like

$ netconf-console --get-config -x /nacm/write-default
<?xml version="1.0" encoding="UTF-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
    <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">

I have tried as you suggested.But i didn’t receive any data.
netconf-console-tcp --host= -port=2023 --get-config -x /nacm/write-default

  <?xml version="1.0" encoding="UTF-8"?>
  <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">


This most likely means that you (i.e. the user admin, the default netconf-console user) does not have read access there. Can you use another username, or can you access ConfD’s CLI directly?

aaa_init.xml has four users as below.I have tried all but the output is same.
on confd,i am getting the error as below
"devel-aaa User: public[] rejected data access path /nacm:nacm op read due to no rule matched and node has nacm:default-deny-all"

<aaa xmlns="">

i can execute confd_cli --user=admin --groups=admin --interactive -C on the board.If you want me to access any specific then let me know.


Apparently your NACM or AAA or both configurations have been changed. You have following options:

  • If you have access to local confd_cli (which most probably requires that you have a shell access on the machine), you can run it with confd_cli --noaaa and verify or fix the configuration - such as extract NACM and AAA from your initial configuration and use it for load merge.

  • If you do not have important data in the configuration and can access files on the machine (which you obviously can, if you can change confd.conf and read devel.log), you can remove all .cdb files in ConfD’s CDB directory and restart ConfD. This makes ConfD reload the initial configuration which seems to be ok, as far as NACM/AAA is concerned.

As it is initial phase of confd bringup ,we don’t have any important data.So i have removed all the *.cdb files from /var/confd/cdb directory.
but when i start the confd without --ignore-initial-validation option(confd -c /etc/confd.conf --verbose --foreground) then i am getting error as:
8-Feb-2022::16:07:28.283 kontronbng18 confd[29145]: - no registration found for callpoint system_tz/validate of type=external
8-Feb-2022::16:07:28.283 kontronbng18 confd[29145]: devel-c no registration found for callpoint system_tz/validate of type=external path /sys:system/clock

CDB boot error: Init transaction failed to validate: application communication failure
Hint: Try using staged start using ConfD start-phases or the --ignore-initial-validation option
“CDB boot error: Init transaction failed to validate: application communication failure\nHint: Try using staged start using ConfD start-phases or the --ignore-initial-validation option\n”

So when again i removed the cdb files and restarted the confd with --ignore-initial-validation then the same issue is getting reproduced.
I just built the confd and installed on the system.without any changes with respect to NACM/AAA

Can you please help me now how to proceed further.


You should use the same procedure that you used to bring up the system for the first time. But in either case, you write that “I again removed the cdb files” - if the files appeared, that means that ConfD somehow started anyway, despite the error messages; can you check whether it is running (using pgrep -f confd or confd --status etc.)?

if i start the confd using --ignore-initial-validation and --foreground option,then it runs and if i execute confd --status in another shell then i can see the output
I have provided the output as below:

confd --status
vsn: 7.3
SMP support: yes, using 1 thread
Using epoll: no
available modules: backplane,netconf,cdb,cli
running modules: backplane,netconf,cdb,cli
status: started
namespaces: Index of /ns/aaa/1.1 prefix:aaa exported to: all prefix:tfcq exported to: all prefix:kicker exported to: all prefix:INET-ADDRESS-MIB exported to: all prefix:SNMPv2_TC exported to: all prefix:tfnce exported to: netconf prefix:fwd exported to: netconf prefix:in exported to: netconf prefix:tfncq exported to: netconf prefix:netconf-rollback exported to: netconf prefix:tr exported to: netconf prefix:wtxid exported to: netconf prefix:progress exported to: all prefix:rollback exported to: rest,netconf,maapi prefix:tls exported to: all
WebUI Development using ConfD’s JSON-RPC API | Tail-f Systems prefix:webui exported to: all prefix:tacm exported to: all prefix:tailf exported to: all prefix:tfcg exported to: all prefix:tfcm exported to: all prefix:tfcp exported to: all prefix:tncm exported to: all prefix:xs exported to: all
urn:altiostar:1.0 prefix:altiostar exported to: all
urn:ietf:params:xml:ns:netconf:base:1.0 prefix:nc exported to: netconf
urn:ietf:params:xml:ns:netconf:partial-lock:1.0 prefix:pl exported to: netconf
urn:ietf:params:xml:ns:netmod:notification prefix:nm exported to: netconf
urn:ietf:params:xml:ns:yang:iana-crypt-hash prefix:ianach exported to: all
urn:ietf:params:xml:ns:yang:iana-hardware prefix:ianahw exported to: all
urn:ietf:params:xml:ns:yang:iana-if-type prefix:ianaift exported to: all
urn:ietf:params:xml:ns:yang:ietf-crypto-types prefix:ct exported to: all
urn:ietf:params:xml:ns:yang:ietf-datastores prefix:ds exported to: all
urn:ietf:params:xml:ns:yang:ietf-dhcpv6-types prefix:dhcpv6-types exported to: all
urn:ietf:params:xml:ns:yang:ietf-hardware prefix:hw exported to: all
urn:ietf:params:xml:ns:yang:ietf-inet-types prefix:inet exported to: all
urn:ietf:params:xml:ns:yang:ietf-interfaces prefix:if exported to: all
urn:ietf:params:xml:ns:yang:ietf-ip prefix:ip exported to: all
urn:ietf:params:xml:ns:yang:ietf-ipv4-unicast-routing prefix:v4ur exported to: all
urn:ietf:params:xml:ns:yang:ietf-ipv6-unicast-routing prefix:v6ur exported to: all
urn:ietf:params:xml:ns:yang:ietf-netconf-acm prefix:nacm exported to: all
urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring prefix:ncm exported to: all
urn:ietf:params:xml:ns:yang:ietf-netconf-nmda prefix:ncds exported to: netconf
urn:ietf:params:xml:ns:yang:ietf-netconf-notifications prefix:ncn exported to: all
urn:ietf:params:xml:ns:yang:ietf-netconf-with-defaults prefix:ncwd exported to: netconf
urn:ietf:params:xml:ns:yang:ietf-network-instance prefix:tfni exported to: all
urn:ietf:params:xml:ns:yang:ietf-origin prefix:or exported to: all
urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring prefix:rcmon exported to: all
urn:ietf:params:xml:ns:yang:ietf-routing prefix:rt exported to: all
urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications prefix:sn exported to: netconf
urn:ietf:params:xml:ns:yang:ietf-system prefix:sys exported to: all
urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name prefix:x509c2n exported to: all
urn:ietf:params:xml:ns:yang:ietf-yang-library prefix:yanglib exported to: netconf,rest
urn:ietf:params:xml:ns:yang:ietf-yang-types prefix:yang exported to: all
urn:ietf:params:xml:ns:yang:smiv2:IANAifType-MIB prefix:ianaiftype-mib exported to: all
urn:ietf:params:xml:ns:yang:smiv2:IF-MIB prefix:if-mib exported to: all
urn:ietf:params:xml:ns:yang:smiv2:IP-MIB prefix:ip-mib exported to: all
urn:ietf:params:xml:ns:yang:smiv2:TCP-MIB prefix:tcp-mib exported to: all
urn:ietf:params:xml:ns:yang:smiv2:UDP-MIB prefix:udp-mib exported to: all
urn:o-ran:ald-port:1.0 prefix:o-ran-ald-port exported to: all
urn:o-ran:ald:1.0 prefix:o-ran-ald exported to: all
urn:o-ran:altiostar-augment:1.0 prefix:altiostar-augment exported to: all
urn:o-ran:beamforming:1.0 prefix:o-ran-bf exported to: all
urn:o-ran:compression-factors:1.0 prefix:o-ran-compression-factors exported to: all
urn:o-ran:delay:1.0 prefix:o-ran-delay exported to: all
urn:o-ran:external-io:1.0 prefix:o-ran-io exported to: all
urn:o-ran:file-management:1.0 prefix:o-ran-file-mgmt exported to: all
urn:o-ran:fm:1.0 prefix:o-ran-fm exported to: all
urn:o-ran:hardware:1.0 prefix:o-ran-hw exported to: all
urn:o-ran:interfaces:1.0 prefix:o-ran-int exported to: all
urn:o-ran:lbm:1.0 prefix:o-ran-lbm exported to: all
urn:o-ran:module-cap:1.0 prefix:o-ran-module-cap exported to: all
urn:o-ran:mplane-interfaces:1.0 prefix:o-ran-mplane-int exported to: all
urn:o-ran:operations:1.0 prefix:o-ran-ops exported to: all
urn:o-ran:performance-management:1.0 prefix:o-ran-pm exported to: all
urn:o-ran:processing-element:1.0 prefix:o-ran-elements exported to: all
urn:o-ran:software-management:1.0 prefix:o-ran-swm exported to: all
urn:o-ran:supervision:1.0 prefix:o-ran-supervision exported to: all
urn:o-ran:sync:1.0 prefix:o-ran-sync exported to: all
urn:o-ran:transceiver:1.0 prefix:o-ran-transceiver exported to: all
urn:o-ran:troubleshooting:1.0 prefix:o-ran-trblsht exported to: all
urn:o-ran:uplane-conf:1.0 prefix:o-ran-uplane-conf exported to: all
urn:o-ran:wg4feat:1.0 prefix:o-ran-feat exported to: all

YANG data models:
module: IANAifType-MIB revision: 2009-05-06
namespace: urn:ietf:params:xml:ns:yang:smiv2:IANAifType-MIB
prefix: ianaiftype-mib
exported to: all
module: IF-MIB revision: 2000-06-14
namespace: urn:ietf:params:xml:ns:yang:smiv2:IF-MIB
prefix: if-mib
exported to: all
module: INET-ADDRESS-MIB revision: 2005-02-04
exported to: all
module: IP-MIB revision: 2006-02-02
namespace: urn:ietf:params:xml:ns:yang:smiv2:IP-MIB
prefix: ip-mib
exported to: all
module: SNMPv2-TC
prefix: SNMPv2_TC
exported to: all
module: TCP-MIB revision: 2005-02-18
namespace: urn:ietf:params:xml:ns:yang:smiv2:TCP-MIB
prefix: tcp-mib
exported to: all
module: UDP-MIB revision: 2005-05-20
namespace: urn:ietf:params:xml:ns:yang:smiv2:UDP-MIB
prefix: udp-mib
exported to: all
module: altiostar revision: 2021-02-09
namespace: urn:altiostar:1.0
prefix: altiostar
exported to: all
module: altiostar-augment
namespace: urn:o-ran:altiostar-augment:1.0
prefix: altiostar-augment
exported to: all
module: iana-crypt-hash revision: 2014-08-06
namespace: urn:ietf:params:xml:ns:yang:iana-crypt-hash
prefix: ianach
exported to: all
module: iana-hardware revision: 2018-03-13
namespace: urn:ietf:params:xml:ns:yang:iana-hardware
prefix: ianahw
exported to: all
module: iana-if-type revision: 2017-01-19
namespace: urn:ietf:params:xml:ns:yang:iana-if-type
prefix: ianaift
exported to: all
module: ietf-crypto-types revision: 2019-04-29
namespace: urn:ietf:params:xml:ns:yang:ietf-crypto-types
prefix: ct
exported to: all
module: ietf-datastores revision: 2018-02-14
namespace: urn:ietf:params:xml:ns:yang:ietf-datastores
prefix: ds
exported to: all
module: ietf-dhcpv6-types revision: 2018-01-30
namespace: urn:ietf:params:xml:ns:yang:ietf-dhcpv6-types
prefix: dhcpv6-types
exported to: all
module: ietf-hardware revision: 2018-03-13
namespace: urn:ietf:params:xml:ns:yang:ietf-hardware
prefix: hw
exported to: all
module: ietf-inet-types revision: 2013-07-15
namespace: urn:ietf:params:xml:ns:yang:ietf-inet-types
prefix: inet
exported to: all
module: ietf-interfaces revision: 2018-02-20
namespace: urn:ietf:params:xml:ns:yang:ietf-interfaces
prefix: if
exported to: all
module: ietf-ip revision: 2018-02-22
namespace: urn:ietf:params:xml:ns:yang:ietf-ip
prefix: ip
exported to: all
module: ietf-ipv4-unicast-routing revision: 2016-11-04
namespace: urn:ietf:params:xml:ns:yang:ietf-ipv4-unicast-routing
prefix: v4ur
exported to: all
module: ietf-ipv6-unicast-routing revision: 2016-11-04
namespace: urn:ietf:params:xml:ns:yang:ietf-ipv6-unicast-routing
prefix: v6ur
exported to: all
module: ietf-netconf revision: 2011-06-01
namespace: urn:ietf:params:xml:ns:netconf:base:1.0
prefix: nc
exported to: netconf
module: ietf-netconf-acm revision: 2018-02-14
namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-acm
prefix: nacm
exported to: all
module: ietf-netconf-monitoring revision: 2010-10-04
namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring
prefix: ncm
exported to: all
module: ietf-netconf-nmda revision: 2019-01-07
namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-nmda
prefix: ncds
exported to: netconf
module: ietf-netconf-notifications revision: 2012-02-06
namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-notifications
prefix: ncn
exported to: all
module: ietf-netconf-partial-lock revision: 2009-10-19
namespace: urn:ietf:params:xml:ns:netconf:partial-lock:1.0
prefix: pl
exported to: netconf
module: ietf-netconf-with-defaults revision: 2011-06-01
namespace: urn:ietf:params:xml:ns:yang:ietf-netconf-with-defaults
prefix: ncwd
exported to: netconf
module: ietf-network-instance revision: 2019-01-21
namespace: urn:ietf:params:xml:ns:yang:ietf-network-instance
prefix: tfni
exported to: all
module: ietf-origin revision: 2018-02-14
namespace: urn:ietf:params:xml:ns:yang:ietf-origin
prefix: or
exported to: all
module: ietf-restconf-monitoring revision: 2017-01-26
namespace: urn:ietf:params:xml:ns:yang:ietf-restconf-monitoring
prefix: rcmon
exported to: all
module: ietf-routing revision: 2016-11-04
namespace: urn:ietf:params:xml:ns:yang:ietf-routing
prefix: rt
exported to: all
module: ietf-subscribed-notifications revision: 2019-09-09
namespace: urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications
prefix: sn
exported to: netconf
module: ietf-system revision: 2014-08-06
namespace: urn:ietf:params:xml:ns:yang:ietf-system
prefix: sys
exported to: all
module: ietf-x509-cert-to-name revision: 2014-12-10
namespace: urn:ietf:params:xml:ns:yang:ietf-x509-cert-to-name
prefix: x509c2n
exported to: all
module: ietf-yang-library revision: 2019-01-04
namespace: urn:ietf:params:xml:ns:yang:ietf-yang-library
prefix: yanglib
exported to: netconf,rest
module: ietf-yang-types revision: 2013-07-15
namespace: urn:ietf:params:xml:ns:yang:ietf-yang-types
prefix: yang
exported to: all
module: netconf_netmod
namespace: urn:ietf:params:xml:ns:netmod:notification
prefix: nm
exported to: netconf
module: o-ran-ald revision: 2019-07-03
namespace: urn:o-ran:ald:1.0
prefix: o-ran-ald
exported to: all
module: o-ran-ald-port revision: 2019-07-03
namespace: urn:o-ran:ald-port:1.0
prefix: o-ran-ald-port
exported to: all
module: o-ran-beamforming revision: 2020-04-17
namespace: urn:o-ran:beamforming:1.0
prefix: o-ran-bf
exported to: all
module: o-ran-compression-factors revision: 2020-08-10
namespace: urn:o-ran:compression-factors:1.0
prefix: o-ran-compression-factors
exported to: all
module: o-ran-delay-management revision: 2020-08-10
namespace: urn:o-ran:delay:1.0
prefix: o-ran-delay
exported to: all
module: o-ran-externalio revision: 2019-07-03
namespace: urn:o-ran:external-io:1.0
prefix: o-ran-io
exported to: all
module: o-ran-file-management revision: 2019-07-03
namespace: urn:o-ran:file-management:1.0
prefix: o-ran-file-mgmt
exported to: all
module: o-ran-fm revision: 2019-02-04
namespace: urn:o-ran:fm:1.0
prefix: o-ran-fm
exported to: all
module: o-ran-hardware revision: 2020-12-10
namespace: urn:o-ran:hardware:1.0
prefix: o-ran-hw
exported to: all
module: o-ran-interfaces revision: 2019-07-03
namespace: urn:o-ran:interfaces:1.0
prefix: o-ran-int
exported to: all
module: o-ran-lbm revision: 2019-02-04
namespace: urn:o-ran:lbm:1.0
prefix: o-ran-lbm
exported to: all
module: o-ran-module-cap revision: 2020-12-10
namespace: urn:o-ran:module-cap:1.0
prefix: o-ran-module-cap
exported to: all
module: o-ran-mplane-int revision: 2019-07-03
namespace: urn:o-ran:mplane-interfaces:1.0
prefix: o-ran-mplane-int
exported to: all
module: o-ran-operations revision: 2020-12-10
namespace: urn:o-ran:operations:1.0
prefix: o-ran-ops
exported to: all
module: o-ran-performance-management revision: 2020-12-10
namespace: urn:o-ran:performance-management:1.0
prefix: o-ran-pm
exported to: all
module: o-ran-processing-element revision: 2020-04-17
namespace: urn:o-ran:processing-element:1.0
prefix: o-ran-elements
exported to: all
module: o-ran-software-management revision: 2019-07-03
namespace: urn:o-ran:software-management:1.0
prefix: o-ran-swm
exported to: all
module: o-ran-supervision revision: 2020-12-10
namespace: urn:o-ran:supervision:1.0
prefix: o-ran-supervision
exported to: all
module: o-ran-sync revision: 2020-08-10
namespace: urn:o-ran:sync:1.0
prefix: o-ran-sync
exported to: all
module: o-ran-transceiver revision: 2019-07-03
namespace: urn:o-ran:transceiver:1.0
prefix: o-ran-transceiver
exported to: all
module: o-ran-troubleshooting revision: 2019-02-04
namespace: urn:o-ran:troubleshooting:1.0
prefix: o-ran-trblsht
exported to: all
module: o-ran-uplane-conf revision: 2020-12-10
namespace: urn:o-ran:uplane-conf:1.0
prefix: o-ran-uplane-conf
exported to: all
module: o-ran-wg4-features revision: 2020-12-10
namespace: urn:o-ran:wg4feat:1.0
prefix: o-ran-feat
exported to: all
module: tailf-aaa revision: 2018-09-12
namespace: Index of /ns/aaa/1.1
prefix: aaa
exported to: all
module: tailf-acm revision: 2013-03-07
prefix: tacm
exported to: all
module: tailf-common revision: 2019-11-30
prefix: tailf
exported to: all
module: tailf-common-monitoring revision: 2019-04-09
prefix: tfcg
exported to: all
module: tailf-common-query revision: 2017-12-15
prefix: tfcq
exported to: all
module: tailf-confd-monitoring revision: 2019-10-30
prefix: tfcm
exported to: all
module: tailf-configuration-policy revision: 2010-11-04
prefix: tfcp
exported to: all
module: tailf-kicker revision: 2017-09-28
prefix: kicker
exported to: all
module: tailf-netconf-extensions revision: 2019-04-09
prefix: tfnce
exported to: netconf
module: tailf-netconf-forward
prefix: fwd
exported to: netconf
module: tailf-netconf-inactive
prefix: in
exported to: netconf
module: tailf-netconf-monitoring revision: 2019-03-28
prefix: tncm
exported to: all
module: tailf-netconf-query revision: 2017-01-06
prefix: tfncq
exported to: netconf
module: tailf-netconf-rollback revision: 2018-01-12
prefix: netconf-rollback
exported to: netconf
module: tailf-netconf-transactions
prefix: tr
exported to: netconf
module: tailf-netconf-with-transaction-id revision: 2018-11-23
prefix: wtxid
exported to: netconf
module: tailf-progress revision: 2018-06-14
prefix: progress
exported to: all
module: tailf-rollback revision: 2018-01-12
prefix: rollback
exported to: rest,netconf,maapi
module: tailf-tls revision: 2019-06-13
prefix: tls
exported to: all
module: tailf-webui revision: 2013-03-07
namespace: WebUI Development using ConfD’s JSON-RPC API | Tail-f Systems
prefix: webui
exported to: all
module: tailf-xsd-types revision: 2017-11-20
prefix: xs
exported to: all

user sessions:

system sessions:
sessionId=1 2022-02-08 18:23:25 system@ system/system
no locks set
no transactions
sessionId=10 2022-02-08 18:23:26 system@ system/system
no locks set
no transactions
sessionId=11 2022-02-08 18:23:26 system@ system/system
no locks set
no transactions
sessionId=12 2022-02-08 18:23:26 system@ system/system
no locks set
tid=656 db=running mode=read

id=cb_op_ald_cs ** not registered
id=cb_op_ald_ports ** not registered
id=cb_op_bc ** not registered
id=cb_op_delay ** not registered
id=cb_op_fm ** not registered
id=cb_op_hw_component ** not registered
id=cb_op_io ** not registered
id=cb_op_mplane_int ** not registered
id=cb_op_ptp ** not registered
id=cb_op_rx_array ** not registered
id=cb_op_rx_carrier ** not registered
id=cb_op_sfp ** not registered
id=cb_op_sw_inv ** not registered
id=cb_op_sync ** not registered
id=cb_op_tx_array ** not registered
id=cb_op_tx_carrier ** not registered
id=icmp_msg_status ** not registered
id=icmp_stat_status ** not registered
id=icmp_status ** not registered
id=if_state_dp ** not registered
id=if_status ** not registered
id=ip-net-to-physical-stats ** not registered
id=ip6_scope_zone_idx ** not registered
id=ip_address_prefix_status ** not registered
id=ip_address_status ** not registered
id=ip_def_router ** not registered
id=ip_state_ipv4 ** not registered
id=ip_state_ipv6 ** not registered
id=ip_status ** not registered
id=ip_traf_if_stats ** not registered
id=ip_traf_status ** not registered
id=ip_traf_system_stats ** not registered
id=ipv4_if_status ** not registered
id=ipv6_if_status ** not registered
id=ipv6_router_status ** not registered
id=routing_state_dp ** not registered
id=system_dp ** not registered
id=tcp_status ** not registered
id=transcontact ** not registered
id=udp_status ** not registered

validation points:
id=system_tz ** not registered

id=cb_rpc ** not registered
id=cb_rpc_activate_beam_config ** not registered
id=cb_rpc_activate_beam_config_cap ** not registered
id=cb_rpc_ald ** not registered
id=cb_rpc_file_download ** not registered
id=cb_rpc_file_upload ** not registered
id=cb_rpc_modify_predef_tilt ** not registered
id=cb_rpc_reset ** not registered
id=cb_rpc_ret_file_list ** not registered
id=cb_rpc_software_activate ** not registered
id=cb_rpc_software_download ** not registered
id=cb_rpc_software_install ** not registered
id=cb_rpc_start_trouble ** not registered
id=comp_if_name ** not registered
id=comp_sys_tz ** not registered
id=routing_state_active_route ** not registered
id=system_restart ** not registered
id=system_setdt ** not registered
id=system_shutdown ** not registered

id=tls-mgmt-ca-certificate file=/usr/lib/confd/lib/core/confd.ez/confd/ebin/confd_tls_mgmt.beam
id=tls-mgmt-certificate file=/usr/lib/confd/lib/core/confd.ez/confd/ebin/confd_tls_mgmt.beam
id=tls-mgmt-private-key file=/usr/lib/confd/lib/core/confd.ez/confd/ebin/confd_tls_mgmt.beam

notification stream replay support:

SNMP inform delivery callbacks:

SNMP notification subscriptions:

authentication callback:
not enabled

authorization callbacks:
not enabled

error formatting callbacks:

partial running locks:

partial candidate locks:

partial startup locks:

current transaction id: 1644-344606-134747
filename: /var/confd/cdb/A.cdb
disk size: 32 bytes
ram size: 242 bytes
read locks: 0
write lock: unset
filename: /var/confd/cdb/O.cdb
disk size: 4 bytes
ram size: 136 bytes
subscription lock: unset
no pending subscription notifications
no registered cdb clients

tts alloc:
72733 40:0:5 64:520:0 72:52:0 120:27:0 176:56:0

fxs store:
memory: 2.7854 MB
size: 5927
reuse: 1.63

In other words, ConfD is up and running; you might want to start your daemons too since there are many unregistered callbacks, but that’s not the issue right now. Can you check whether AAA/NACM is configured according to what you need, i.e. can you e.g. get the value of /nacm/write-default?

When i did get-config of /nacm/write-default(netconf-console-tcp --host= -port=2023 --get-config -x /nacm/write-default) i am not getting any data.

netconf-console-tcp --host= -port=2023 --get-config -x /nacm/write-default

     <?xml version="1.0" encoding="UTF-8"?>
     <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">


Can you use the CLI access then? Run something like confd_cli -C --noaaa either locally, from the host, or reconfigure ConfD to accept remote management connections - something like this needs to be in your confd.conf:


This says that ConfD should listen for management connections on all interfaces, the default is to listen only on loopback. You can fine-tune it to restrict the set of interfaces if needed, see man confd.conf.

Once ConfD reloads the configuration, you can do something like

$ CONFD_IPC_ADDR=<host-address> confd_cli -C --noaaa

from anywhere (where the host-address can be reached, obviously).

I have executed the confd_cli locally on the system.It shows there is no entries as below.

confd_cli -C --noaaa

root connected from using ssh on kontronbng18
kontronbng18# show running-config nacm
% No entries found.
kontronbng18# show running-config aaa
% No entries found.


I forgot to mention that i have also tried to find write-default and it gave deny as output.

kontronbng18# show running-config nacm write-default
nacm write-default deny


This means the configuration is indeed broken, I’m not sure why the restart did not help. In either case, I think you can safely load the initial configuration, like this:

$ confd_cli -C --noaaa
# config
# load merge /etc/confd/aaa_init.xml
# commit

If all that works, it should fix the AAA and NACM configuration.

Hi ,
I have loaded and commited as you suggested.Then when i did show running-config nacm write-default it gave
permit .

Then when i try to perform the edit-config rpc(netconf-console-tcp --host= -port=2023 cmd-set-supervision.xml) it worked.
So now my doubt is this the final solution ie through confd_cli we need to load the aaa_init.xml and then after we can perform the edit-config rpc or confd can load automatically while start because earlier when worked for arm we didn’t face this issue.


Then there is something wrong with your installation, this problem can hardly be related to the architecture. The init files need to be in ConfD’s CDB directory, it does not look like /etc/confd is supposed to store CDB files.

the cdb files are present in /var/confd/cdb.
aaa_init.xml was present in /etc/confd/ and the fxs are also present in /etc/confd/. Later even if i moved to /var/confd/cdb still the same error.
To run confd i have created /var/confd/rollback /var/confd/cdb /var/confd/candidate /var/confd/log /var/confd/state /etc/confd/ssh directories.
I have shared the complete confd.conf. Let me know if you can figure out the issue with installation or configuration.

 -*- nxml -*- -->
  <!-- Example configuration file for confd. -->

   <confdConfig xmlns="">
  The loadPath is searched for .fxs files etc.

  NOTE: if you change the loadPath, the daemon must be restarted,
  or the "In-service Data Model Upgrade" procedure described in
  the User Guide can be used - 'confd - -reload' is not enough.

  This is where ConfD writes persistent state data.  Currently the
  only state files are 'running.invalid' which exists only if the
  running database status is invalid, which it will be if one of
  the database implementation fails during the two-phase commit
  protocol, and '' which is used to store some data
  that needs to be retained across reboots.

  A hide group cannot be unhidden unless it has been listed
  here. A missing or empty password indicates that no password
  needs to be given when unhiding the group.

  If the group is not listed below then it cannot be unhidden
  at all.

  Multiple hideGroups can be specified in the file.

    During development it can be useful to set a low timeout to
    catch programming errors. In a production system use
    "infinity" (default) or a high timeout so as not to timeout
    during high CPU load.

    The operational datastore is used when operational data is to be
    stored in CDB.


  These keys are used to encrypt values adhering to the types
  tailf:des3-cbc-encrypted-string, tailf:aes-cfb-128-encrypted-string
  and tailf:aes-256-cfb-128-encrypted-string as defined in the tailf-common
  YANG module. These types are described in confd_types(3).



    Shared settings for how to log to syslog.
    Each log can be configured to log to file and/or syslog.  If a
    log is configured to log to syslog, the settings below are used.
  <!-- facility can be 'daemon', 'local0' ... 'local7' or an integer -->
  <!-- if udp is not enabled, messages will be sent to local syslog -->

    'confdlog' is a normal daemon log.  Check this log for
    startup problems of confd itself.
    By default, it logs directly to a local file, but it can be
    configured to send to a local or remote syslog as well.

    The developer logs are supposed to be used as debug logs
    for troubleshooting user-written C code.  Enable
    and check these logs for problems with validation code, etc.

    The netconf log can be used to troubleshoot NETCONF operations,
    such as checking why e.g. a filter operation didn't return the
    data requested.





    The error log is used for internal logging from the confd
    daemon.  It is used for troubleshooting the confd daemon
    itself, and should normally be disabled.

    Progress tracing must be enabled here and then configured
    according to tailf-progress.yang.

<!-- Defines which datastores confd will handle. -->
    'startup' means that the system keeps separate running and
    startup configuration databases.  When the system reboots for
    whatever reason, the running config database is lost, and the
    startup is read.
    Enable this only if your system uses a separate startup and
    running database.

    The 'candidate' is a shared, named alternative configuration
    database which can be modified without impacting the running
    configuration.  Changes in the candidate can be commit to running,
    or discarded.
    Enable this if you want your users to use this feature from
    NETCONF, CLI or Web UI, or other agents.
      By default, confd implements the candidate configuration
      without impacting the application.  But if your system
      already implements the candidate itself, set 'implementation' to

    By default, the running configuration is writable.  This means
    that the application must be prepared to handle changes to
    the configuration dynamically.  If this is not the case, set
    'access' to 'read-only'.  If running is read-only, 'startup'
    must be enabled, and 'candidate' must be disabled.  This means that
    the application reads the configuration at startup, and then
    the box must reboot in order for the application to re-read its

    NOTE: this is not the same as the NETCONF capability
          :writable-running, which merely controls which NETCONF
          operations are allowed to write to the running configuration.
      This parameter controls if ConfD's attribute feature should
      be enabled or not.  Currently there are two attributes,
      annotations and tags.  These are available in northbound
      interfaces (e.g. the annotate command in the CLI, and
      annotation XML attribute in NETCONF), but in order to be
      useful they need support from the underlying configuration
      data provider.  CDB supports attributes, but if an external
      data provider is used for configuration data, and it does
      not support the attribute callbacks, this parameter should
      be set to 'false'.

    These parameters controls the maximum number of concurrent
    sessions towards ConfD. 'context' is 'cli' or 'netconf'.


<!-- See man page confd_aaa_bridge(1) for a description of this -->

      If pam is enabled and we want to use pam for login
      confd must typically run as root. This depends on how
      pam is configured locally. However the default "system-auth"
      will typically require root since the pam libs then read



     To enable rollback file creation set enabled to true.
     You also have to configure a directory for the rollback files.
     A rollback file (rollback0-rollback<historySize>) will be
     created whenever a new configuration is committed
    <!-- If "full" is specified, then a full configuration dump is
     stored in each rollback file.  Rollback file 0 will always
     contain the running configuration.  If "delta" is used, then
     only the changes are stored in the rollback file. Rollback
     file 0 will contain the changes from the last configuration.

     Using deltas is more space and time efficient for large
     configurations.  Full rollback files are more robust when
     multiple external databases are used. If the external
     databases becomes inconsistent a previous configuration can
     always be restored using a full rollback file.

   <!-- If a table is too wide to fit in the terminal it will
     instead be shown as a path - value list. When table
     overflow is allowed it will be displayed as a table
     even when the table is to wide to fit on the screen
<!-- If showAllNs is true then all elem names will be prefixed
     with the namespace prefix in the CLI. This is visible
     when setting values and when showing the configuratin
<!-- To log all CLI activity use 'all', to only log
     attempts to execute unauthorized commands, use denied,
     for only logging actually executed commands use allowed,
     and for no logging use 'none'
<!-- Controls if transactions should be used in the CLI or not.
     Old style Cisco IOS does not use transactions, Juniper and
     Cisco XR does. The commit command is disabled if transactions
     are disabled. All modifications are applied immediately.
     NOTE: this requires that you have default values for ALL
     settings and no complex validation rules.
<!-- Prompt1 is used in operational mode and prompt2 in
     configuration mode. The string may contain a number of
     backslash-escaped special characters that are decoded
     as follows:

          \d     the date in YYYY-MM-DD format (e.g., "2006-01-18")
          \h     the hostname up to the first `.'
          \H     the hostname
          \t     the current time in 24-hour HH:MM:SS format
          \T     the current time in 12-hour HH:MM:SS format
          \@     the current time in 12-hour am/pm format
          \A     the current time in 24-hour HH:MM format
          \u     the username of the current user
          \m     mode name in the Cisco-style CLI
          \M     mode name inside parenthesis if set
<prompt1>\u@\h\M \t> </prompt1>
<prompt2>\u@\h\M \t% </prompt2>
<cPrompt1>\h\M# </cPrompt1>
<cPrompt2>\h(\m)# </cPrompt2>
<!-- Mode name style is only used by the Cisco style CLIs.
     It controls how to calculate the mode name when entering
     a submode. If set to 'full' then the entire path will be
     used in the mode name, if set to 'short' then only the
     last element + dynamic key will be used. If 'two' then
     the two last modes will be displayed.


    <!-- Note that the standard port for NETCONF over SSH is 830 -->

      NETCONF over TCP is not standardized, but it can be useful
      during development in order to use e.g. netcat for scripting.

  <!-- enable only if /confdConfig/datastores/startup is enabled -->

  <!-- enable only if /confdConfig/datastores/candidate is enabled -->


       enable only if /confdConfig/datastores/running is read-write


  <!-- Turn on the URL capability options you want to support -->


      Enable this to turn on NETCONF Notifications support.
        Enable this to make the agent handle RPCs while sending


     If extendedSessions are enabled, all ConfD sessions can be
     terminated using <kill-session>, i.e. not only can other
     NETCONF session be terminated, but also CLI sessions, WebUI
     sessions etc.  If such a session holds a lock, its session
     id will be returned in the <lock-denied>, instead of "0".

     Strictly speaking, this extension is not covered by the
     NETCONF specification; therefore it's false by default.

<description>Example notifications</description>
  <!-- enableBuiltinReplayStore -->

<!-- Enable only if snmp agent should be started -->
    Configure the IP address and port that the SNMP Agent
    should listen to
<!-- Differentiated Services Code Point, 6 bits -->
    List mibs that should be loaded into the SNMP Agent
    at startup.
    With no mibs loaded, the SNMP agent will start with the built-in
    standard mibs only.  See the User's Guide for details.
     The SNMP Engine ID is a hexList and can be constructed
     in many ways. See the SNMP-FRAMEWORK-MIB for more
     information about this.
     The MaxMessageSize can be set, but should normally not be
  <sysDescr>Tail-f ConfD agent</sysDescr>
  <!--  The sysORTable stores capabilities that this agent supports -->
       Example of a capability:
         <sysORDescr>Example capability</sysORDescr>