How do I enable TLS for telemetry and gNMI on_change support?
Purpose
To enable TLS communication between MDM and managed NEs, you must deploy a signed TLS certificate to each MDM-managed device that supports gRPC TLS, and import the corresponding CA certificate to each MDM truststore. While it is possible to have more than one CA certificate added to each MDM truststore, it is generally preferable to limit the number of CA certificates to the minimum required to adequately secure the network.
The following steps describe how to secure the following NSP communication with NEs by importing a TLS certificate:
Note: The TLS certificates for gRPC mediation are separate from the certificates used for internal NSP component communication and NSP client communication.
Note: release-ID in a file path has the following format:
R.r.p-rel.version
where
R.r.p is the NSP release, in the form MAJOR.minor.patch
version is a numeric value
Steps
1 |
Log in as the root or NSP admin user on the NSP deployer host. |
2 |
Open a console window. |
3 |
Transfer the TLS certificate file to the following directory: /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tls/telemetry Note: You must not modify or delete any existing file in the directory. |
4 |
Log in as the root or NSP admin user on the NSP cluster host. |
5 |
Open a console window. |
6 |
Enter the following command for each namespace to delete the nsp-tls Kubernetes secret: # kubectl delete secret nsp-tls -n $(kubectl get secrets -A | awk '/namespace/ {print $1;exit}') ↵ where namespace is the Kubernetes namespace |
7 |
On the NSP deployer host, enter the following: # /opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl install --config –-deploy ↵ The certificate file is made available for import to MDM. |
Import certificate to MDM servers | |
8 |
Perform one of the following to import the TLS certificate to the TLS truststore on each MDM server.
|
9 |
Close the open console windows. End of steps |