How do I enable TLS for telemetry and gNMI on_change support?

Purpose

To enable TLS communication between MDM and managed NEs after an NSP system deployment, you must deploy a signed TLS server certificate to each MDM-managed device that supports gRPC TLS, and import the corresponding CA certificate to each MDM truststore. While it is possible to have more than one CA certificate added to each MDM truststore, it is generally preferable to limit the number of CA certificates to the minimum required to adequately secure the network.

The following steps describe how to secure the following NSP communication with NEs by importing a TLS certificate:

  • telemetry

  • gNMI on_change notifications

Note: TLS certificates used for nodal mediation (gRPC) are separate from the certificates used for secure communication between the NSP components and NBI-related certificates.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 

Log in as the root user on the NSP deployer host.


Transfer the CA certificate to the following directory:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tls/telemetry

Note: You must not modify or delete any existing file in the directory.
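The staging step above has two constraints that are easy to get wrong by hand: the release-ID must match the documented R.r.p-rel.version format (otherwise the path under /opt/nsp does not exist and nspdeployerctl never picks the file up), and nothing already in the telemetry directory may be modified. The following helper is an added example, not NSP or Nokia code; the function names, the `root` parameter and the placeholder release-ID and DER bytes are assumptions. It validates the release-ID, refuses to overwrite an existing file, checks that the file holds exactly one PEM CERTIFICATE block and no private-key block (a CA file that accidentally carries a key must never be distributed to the cluster), and returns the certificate's SHA-256 fingerprint in the colon-separated form keytool prints, so the value can be compared after the import step later in this procedure.

```python
"""Stage a CA certificate into the NSP telemetry TLS directory (added example, not NSP code)."""
import base64
import hashlib
import os
import re
import shutil
import tempfile

# release-ID format from the procedure: R.r.p-rel.version
RELEASE_ID_RE = re.compile(r"^\d+\.\d+\.\d+-rel\.\d+$")
# One PEM block: label, body; the backreference forces matching BEGIN/END labels.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def valid_release_id(release_id):
    return bool(RELEASE_ID_RE.match(release_id))


def telemetry_dir(release_id, root="/opt/nsp"):
    """Path from the procedure; `root` is a parameter only so the demo can run in a temp dir."""
    if not valid_release_id(release_id):
        raise ValueError(f"release-ID must look like R.r.p-rel.version, got {release_id!r}")
    return f"{root}/NSP-CN-DEP-{release_id}/NSP-CN-{release_id}/tls/telemetry"


def pem_certificates(pem_text):
    """Return the DER bytes of every CERTIFICATE block; reject any other block type."""
    ders = []
    for label, body in PEM_BLOCK_RE.findall(pem_text):
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected PEM block {label!r}: only the CA certificate belongs here")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # an X.509 Certificate is a DER SEQUENCE
            raise ValueError("decoded block is not a DER SEQUENCE")
        ders.append(der)
    return ders


def sha256_fingerprint(der):
    """SHA-256 fingerprint in keytool's AA:BB:... form, for comparison after import."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def stage_ca_certificate(src_path, dest_dir):
    """Copy one CA certificate into dest_dir without touching anything already there."""
    with open(src_path) as fh:
        ders = pem_certificates(fh.read())
    if len(ders) != 1:
        raise ValueError(f"expected exactly one certificate in {src_path}, found {len(ders)}")
    if not os.path.isdir(dest_dir):  # a wrong release-ID must fail loudly, not create a stray path
        raise FileNotFoundError(f"telemetry directory {dest_dir} does not exist; check the release-ID")
    dest = os.path.join(dest_dir, os.path.basename(src_path))
    if os.path.exists(dest):
        raise FileExistsError(f"{dest} exists; existing files in the telemetry directory must not be modified")
    shutil.copyfile(src_path, dest)
    return sha256_fingerprint(ders[0])


# Constructed placeholder: a DER SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def demo():
    """Run the staging flow in a temp dir with a placeholder release-ID; returns what happened."""
    pem = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n"
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "nsp-telemetry-ca.pem")
        with open(src, "w") as fh:
            fh.write(pem)
        dest_dir = telemetry_dir("1.2.3-rel.4", root=os.path.join(tmp, "opt", "nsp"))  # placeholder release-ID
        os.makedirs(dest_dir)
        result["fingerprint"] = stage_ca_certificate(src, dest_dir)
        try:
            stage_ca_certificate(src, dest_dir)  # second copy must be refused
            result["second_attempt_rejected"] = False
        except FileExistsError:
            result["second_attempt_rejected"] = True
        leaked = pem + "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
        try:
            pem_certificates(leaked)  # a bundled private key must be refused
            result["private_key_rejected"] = False
        except ValueError:
            result["private_key_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Run it on the deployer host with the real path by calling `stage_ca_certificate("/path/to/ca.pem", telemetry_dir("<release-ID>"))` and note the returned fingerprint; it is the value to look for in the MDM truststore once the import has been done.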


Log in as the root user on the NSP cluster host.


Open a console window.


Enter the following commands to delete the nsp-tls Kubernetes secret:

kubectl delete secret nsp-tls -n $(kubectl get secrets -A | awk '/nsp-tls-psa-privileged/ {print $1;exit}') ↵

kubectl delete secret nsp-tls -n $(kubectl get secrets -A | awk '/nsp-tls-psa-baseline/ {print $1;exit}') ↵

kubectl delete secret nsp-tls -n $(kubectl get secrets -A | awk '/nsp-tls-psa-restricted/ {print $1;exit}') ↵


Open a console window on the NSP deployer host.


Enter the following:

Note: If the NSP cluster VMs do not have the required SSH key, you must include the --ask-pass argument in the command, as shown in the following example, and are subsequently prompted for the root password of each cluster member:

nspdeployerctl --ask-pass install --config --deploy

/opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl install --config --deploy ↵

The certificate file is made available to each MDM instance, but not yet imported.


Import certificate to MDM servers
 

Perform one of the following to import the TLS certificate to the TLS truststore on each MDM server.

  1. Manually import the certificate; perform the following steps for each MDM server to activate the gRPC certificate file.

    Note: A manual import is not service-affecting, and is the recommended option.

    1. Transfer the certificate file in the /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tls/telemetry directory on the NSP deployer host to an empty temporary directory on the NSP cluster host.

    2. On the NSP cluster host, navigate to the temporary directory that holds the transferred file.

    3. Enter the following to copy the certificate file to the MDM server:

      kubectl cp -n nsp-psa-privileged certificate_file mdm-server-n:/opt/nsp/os/ssl/certs/telemetry ↵

      where

      n is the mdm-server pod number

      certificate_file is the name of the certificate file

    4. Enter the following:

      kubectl exec -n $(kubectl get pods -A | awk '/mdm-server/ {print $1;exit}') -it mdm-server-n -- /opt/nsp/os/jre/bin/keytool -alias alias -file /opt/nsp/os/ssl/certs/telemetry/certificate_file -import -keystore /opt/nsp/os/ssl/nsp.truststore -storepass password

      where

      n is the mdm-server pod number

      alias is the TLS keystore alias of the certificate

      certificate_file is the gRPC certificate file

      password is the TLS keystore password

      You are prompted to import the certificate.

    5. Enter yes ↵.

      The MDM server imports the certificate to the local TLS truststore.

  2. Restart the MDM server pod; perform "How do I restart an MDM server?" for each MDM server pod.

    Note: Restarting an MDM server pod is service-affecting, and must be performed only during a scheduled maintenance period.
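After the manual import in option 1, the only evidence that the CA certificate is actually in the truststore is the output of keytool itself. The following added example (not NSP or Nokia code; the function names and the constructed listing are assumptions) parses the output of `keytool -list -v -keystore /opt/nsp/os/ssl/nsp.truststore`, run on the mdm-server pod through the same `kubectl exec` form used in step 4, and checks that the expected alias holds a trustedCertEntry with the expected SHA-256 fingerprint. It also recognises the case where the same certificate is already present under a different alias, which keytool reports during import, so an operator can tell "already imported" apart from "import failed".

```python
"""Verify a CA certificate import against `keytool -list -v` output (added example, not NSP code)."""
import base64
import hashlib
import re

PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block in a PEM file."""
    match = PEM_CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(der):
    """Fingerprint in keytool's colon-separated uppercase form."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def parse_keytool_listing(text):
    """Map alias -> {'type': ..., 'sha256': ...} from `keytool -list -v` output."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = line.split(":", 1)[1].strip()
            entries[current] = {"type": None, "sha256": None}
        elif current and line.startswith("Entry type:"):
            entries[current]["type"] = line.split(":", 1)[1].strip()
        elif current and line.startswith("SHA256:"):
            entries[current]["sha256"] = line.split(":", 1)[1].strip().upper()
    return entries


def verify_import(listing_text, alias, expected_fp):
    """Return 'ok', or a short reason the truststore does not match expectations."""
    entries = parse_keytool_listing(listing_text)
    entry = entries.get(alias)
    if entry is None:
        # keytool reports a certificate that already exists under another alias during import;
        # surface that here so it is not mistaken for a failed import.
        owners = [a for a, e in entries.items() if e["sha256"] == expected_fp]
        if owners:
            return f"already-present-under:{owners[0]}"
        return "missing"
    if entry["sha256"] != expected_fp:
        return "fingerprint-mismatch"
    if entry["type"] != "trustedCertEntry":
        return f"wrong-entry-type:{entry['type']}"
    return "ok"


# Constructed sample data: a placeholder DER SEQUENCE (not a real certificate) and a
# listing shaped like `keytool -list -v` output with two trusted entries.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_FP = sha256_fingerprint(SAMPLE_DER)
OTHER_FP = sha256_fingerprint(b"some other CA")
SAMPLE_LISTING = f"""Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: old-ca
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Owner: CN=Old CA
Issuer: CN=Old CA
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
\t SHA256: {OTHER_FP}

*******************************************

Alias name: nsp-telemetry-ca
Creation date: Jan 2, 2024
Entry type: trustedCertEntry

Owner: CN=Telemetry CA
Issuer: CN=Telemetry CA
Certificate fingerprints:
\t SHA1: FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
\t SHA256: {SAMPLE_FP}
"""

if __name__ == "__main__":
    print(verify_import(SAMPLE_LISTING, "nsp-telemetry-ca", SAMPLE_FP))
```

In practice you would paste the real listing from the pod and pass the fingerprint computed from the staged PEM file with `sha256_fingerprint(pem_to_der(open(path).read()))`. Both `keytool -list` and `keytool -import` prompt for the keystore password when `-storepass` is left off the command line, which keeps the truststore password out of the shell history and process listings.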


Close the open console windows.

End of steps