How do I enable TLS and mTLS for telemetry and gNMI on_change support?

Purpose

To enable TLS communication between MDM and managed NEs, you must deploy a signed TLS certificate to each MDM-managed device that supports gRPC TLS, and import the corresponding CA certificate to each MDM truststore. While it is possible to have more than one CA certificate added to each MDM truststore, to maintain network security it is preferable to limit the number of CA certificates to the minimum required.

You can also enable mutual TLS authentication (mTLS) on the network mediation interface of the NSP clusters.

The following steps describe how to secure these types of NSP communication with NEs by importing a TLS certificate:

  • telemetry

  • gNMI on_change notifications

Note: You must perform the procedure on each NSP cluster in a DR deployment.

Note: The TLS certificates for gRPC mediation are separate from the certificates used for internal NSP component communication and NSP client communication.

Note: release-ID in a file path has the following format:

R.r.p-rel.version

where

R.r.p is the NSP release, in the form MAJOR.minor.patch

version is a numeric value

Steps
 
1 

Open a terminal session to the NSP deployer VM.

2 

Log in as the root or NSP admin user.

3 

Transfer the TLS certificate file to the following directory:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tls/telemetry

Note: You must not modify or delete any existing file in the directory.

4 

Log in as the root or NSP admin user on the NSP cluster host.

5 

Open a console window.

6 

Enter the following command for each namespace to delete the nsp-tls Kubernetes secret:

kubectl delete secret nsp-tls -n $(kubectl get secrets -A | awk '/namespace/ {print $1;exit}') ↵

where namespace is the Kubernetes namespace name; the awk expression matches that name in the cluster-wide secret listing and returns the namespace column, so the secret is deleted from the intended namespace

7 

Retrieve the TLS truststore password; you need it later to import the certificate with keytool on each MDM server.

# kubectl get secret -o jsonpath='{.data.truststore-pass}' -n nsp-psa-restricted nsp-tls-truststore-pass-nspdeployer | base64 -d; echo

8 

On the NSP deployer VM, enter the following:

/opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl install --config --deploy ↵

The certificate file is made available for import to MDM.


Import certificate to MDM servers
 
9 

Perform one of the following to import the TLS certificate to the TLS truststore on each MDM server.

  1. Manually import the certificate; perform the following steps for each MDM server to activate the gRPC certificate file.

    Note: A manual import is not service-affecting, and is the recommended option.

    1. Transfer the certificate file in the /opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tls/telemetry directory on the NSP deployer VM to an empty temporary directory on the NSP cluster host.

    2. On the NSP cluster host, navigate to the temporary directory that holds the transferred file.

    3. Enter the following to copy the certificate file to the MDM server:

      kubectl cp -n namespace certificate_file mdm-server-n:/opt/nsp/os/ssl/certs/telemetry ↵

      where

      namespace is the Kubernetes namespace

      n is the mdm-server pod number

      certificate_file is the name of the certificate file

    4. Enter the following:

      kubectl exec -n $(kubectl get pods -A | awk '/mdm-server/ {print $1;exit}') -it mdm-server-n -- keytool -alias alias -file /opt/nsp/os/ssl/certs/telemetry/certificate_file -import -keystore /opt/nsp/os/ssl/nsp.truststore -storepass password

      where

      n is the mdm-server pod number

      alias is the alias under which the certificate is stored in the truststore; use a unique, descriptive name such as the CA common name, because keytool refuses to import under an alias that already exists

      certificate_file is the gRPC certificate file

      password is the TLS truststore password obtained earlier from the nsp-tls-truststore-pass-nspdeployer secret

      You are prompted to import the certificate.

    5. Enter yes ↵.

      The MDM server imports the certificate to the local TLS truststore.

  2. Restart the MDM server pod; perform How do I restart an MDM server? for each MDM server pod.

    Note: Restarting an MDM server pod is service-affecting, and must be performed only during a scheduled maintenance period.
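The manual import option, scripted as an added example that is not Nokia NSP tooling and not part of the original page. It adds the checks a practitioner wants around the kubectl cp and keytool steps: the file is verified to be a parseable, unexpired CA certificate before it becomes a trust anchor for NE gRPC sessions, and after the import the alias is read back and its fingerprint compared with the file. It assumes openssl on the NSP cluster host, kubectl access to the cluster, keytool inside the mdm-server pod, and the paths, pod names and secret names shown in the procedure.

```shell
#!/bin/sh
# Added example around the manual-import steps above. This is not Nokia NSP
# tooling and does not come from the original page. Assumptions: openssl is on
# the PATH of the NSP cluster host, kubectl can reach the cluster, keytool
# exists inside the mdm-server pod, and the paths, pod names and secret names
# are the ones shown in the procedure.
set -eu

TRUSTSTORE=/opt/nsp/os/ssl/nsp.truststore         # MDM truststore (from the procedure)
POD_CERT_DIR=/opt/nsp/os/ssl/certs/telemetry      # where the procedure copies the file
PASS_NS=nsp-psa-restricted                        # namespace of the password secret
PASS_SECRET=nsp-tls-truststore-pass-nspdeployer   # secret that holds truststore-pass

# SHA-256 fingerprint, colon separated, in the form keytool -list -v also prints.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Refuse files that must not become a trust anchor for NE gRPC sessions:
# anything that is not a PEM X.509 certificate, an end-entity certificate
# (no basicConstraints CA:TRUE), or an expired certificate.
check_ca_cert() {
  cert=$1
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "rejected: $cert is not a PEM X.509 certificate" >&2; return 1
  fi
  bc=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Basic Constraints' || true)
  case "$bc" in
    *CA:TRUE*) ;;
    *) echo "rejected: $cert is not a CA certificate (CA:TRUE missing)" >&2; return 1 ;;
  esac
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "rejected: $cert has expired" >&2; return 1
  fi
  return 0
}

# Copy a validated CA certificate into an mdm-server pod, import it under
# TSALIAS (the kubectl cp / keytool steps above), then prove the import by
# reading the alias back and comparing fingerprints. -noprompt is acceptable
# because check_ca_cert has already inspected the file; keytool still fails,
# and so does this script, if the alias already exists in the truststore.
import_to_mdm_truststore() {
  namespace=$1; pod=$2; cert=$3; tsalias=$4
  check_ca_cert "$cert"
  pass=$(kubectl get secret -o jsonpath='{.data.truststore-pass}' \
           -n "$PASS_NS" "$PASS_SECRET" | base64 -d)
  remote="$POD_CERT_DIR/$(basename "$cert")"
  kubectl cp -n "$namespace" "$cert" "$pod:$remote"
  kubectl exec -n "$namespace" "$pod" -- keytool -importcert -noprompt \
    -alias "$tsalias" -file "$remote" -keystore "$TRUSTSTORE" -storepass "$pass"
  expected=$(cert_fingerprint "$cert")
  got=$(kubectl exec -n "$namespace" "$pod" -- keytool -list -v -alias "$tsalias" \
          -keystore "$TRUSTSTORE" -storepass "$pass" \
        | sed -n 's/^[[:space:]]*SHA256: *//p')
  if [ "$got" != "$expected" ]; then
    echo "import verification failed: truststore shows '$got', file has $expected" >&2
    return 1
  fi
  echo "imported $tsalias into $pod ($expected)"
}

# Usage: sh import-ca.sh <namespace> <mdm-server-pod> <ca-cert.pem> <alias>
if [ "$#" -eq 4 ]; then
  import_to_mdm_truststore "$@"
fi
```

Run it once per mdm-server pod with the same certificate file and alias. The read-back with keytool -list -v is the step that catches a silently wrong import (file truncated in transit, wrong alias, wrong truststore path); a fingerprint mismatch makes the script exit non-zero. As in the procedure, the truststore password is passed on the keytool command line inside the pod, so keep the console window's history in mind when you are done.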


10 

Close the console windows.


(Optional) Enable mTLS on the mediation interface
 
11 

Open the following file using a plain-text editor such as vi:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml


12 

Configure the following parameters in the mdm section (nsp, modules, mdm) of the file:

  mtls:

    enabled: true

    mtlsKeyAlgorithm: "RSA"


13 

Save and close the file.


14 

Open a console window.


15 

Enter the following:

cd /opt/nsp/NSP-CN-DEP-release-ID/bin ↵


16 

Enter the following to update the mTLS Kubernetes server secret:

./nspdeployerctl secret -s mediation-mtls-key -n "*" -f tls.key=mtlsKey -f tls.crt=mtlsClientCert -f ca.crt=mtlsCACert update

where

mtlsKey is the full path of the client private key file

mtlsClientCert is the full path of the client public certificate file

mtlsCACert is the full path of the CA public certificate file

Messages like the following are displayed as the server secret is updated; the three file names listed are the ones you passed on the command line:

secret/mediation-mtls-key patched

The following files may contain sensitive information. They are no longer required by NSP and may be removed.

  mtlsKey

  mtlsClientCert

  mtlsCACert

The first of these files is the mediation client private key. Remove all three from the deployer VM as soon as the secret is updated, for example with shred -u, so that the key does not remain on disk outside the Kubernetes secret.
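A pre-flight check for the key, client certificate and CA certificate handed to nspdeployerctl secret, as an added example that is not Nokia NSP tooling and not from the original page. The secret update accepts any three files; a key that does not belong to the certificate, a non-RSA key when mtlsKeyAlgorithm is "RSA", or a certificate that does not chain to the CA only shows up later as failed TLS handshakes with the NEs. The script assumes openssl on the deployer VM; DEPLOYER_BIN is a variable introduced here, and release-ID in its default value must be substituted as described in the note at the top of the procedure.

```shell
#!/bin/sh
# Added example: pre-flight checks for the mTLS material used in the
# "nspdeployerctl secret" step above. Not Nokia NSP tooling and not from the
# original page. Assumes openssl on the deployer VM; DEPLOYER_BIN is a
# variable introduced here (substitute release-ID as the procedure describes).
set -eu

DEPLOYER_BIN=${DEPLOYER_BIN:-/opt/nsp/NSP-CN-DEP-release-ID/bin}

# Fail closed when the private key, client certificate and CA certificate do
# not belong together. All arguments are full paths, as the step requires.
check_mtls_material() {
  key=$1; cert=$2; ca=$3
  # 1. The private key must parse and must match the certificate's public key.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "rejected: cannot read private key $key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "rejected: cannot read certificate $cert" >&2; return 1; }
  if [ "$key_pub" != "$cert_pub" ]; then
    echo "rejected: $key is not the private key for $cert" >&2; return 1
  fi
  # 2. The key algorithm must agree with mtlsKeyAlgorithm: "RSA" in nsp-config.yml.
  alg=$(openssl x509 -in "$cert" -noout -text \
        | awk '/Public Key Algorithm/ && !seen { sub(/.*Algorithm: /, ""); print; seen = 1 }')
  if [ "$alg" != "rsaEncryption" ]; then
    echo "rejected: mtlsKeyAlgorithm is RSA but $cert carries $alg" >&2; return 1
  fi
  # 3. The client certificate must chain to the CA certificate and be usable
  #    for TLS client authentication (openssl verify also insists that the
  #    issuer is a real CA certificate and that nothing has expired).
  if ! openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "rejected: $cert does not verify against $ca (wrong CA, expired, or not a client cert)" >&2
    return 1
  fi
  return 0
}

# Run the checks, update the secret exactly as in the step above, then remove
# the key material from the deployer VM (the page notes the files are no
# longer required; the private key should not be left on disk).
update_mediation_mtls_secret() {
  key=$1; cert=$2; ca=$3
  check_mtls_material "$key" "$cert" "$ca"
  (cd "$DEPLOYER_BIN" && ./nspdeployerctl secret -s mediation-mtls-key -n "*" \
      -f tls.key="$key" -f tls.crt="$cert" -f ca.crt="$ca" update)
  for f in "$key" "$cert" "$ca"; do
    if command -v shred >/dev/null 2>&1; then shred -u "$f"; else rm -f "$f"; fi
  done
}

# Usage: sh update-mtls.sh <client.key> <client.crt> <ca.crt>   (full paths)
if [ "$#" -eq 3 ]; then
  update_mediation_mtls_secret "$@"
fi
```

The key-to-certificate comparison works on the SubjectPublicKeyInfo that both openssl pkey -pubout and openssl x509 -pubkey emit, so it is independent of the key type and of the OpenSSL version's text formatting. Call check_mtls_material on its own first if you want to review the material before anything is written to the cluster.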


17 

Enter the following to put the configuration change into effect:

Note: The command causes a restart of each MDM pod in the cluster, but is not service-affecting.

./nspdeployerctl install --config --deploy ↵

mTLS is enabled on the cluster mediation interface.


18 

Close the console window.

End of steps