Juniper / open-nti

Open Network Telemetry Collector build with open source tools

Trying to use SSL

mnanduri opened this issue · comments

Trying to use the SSL cert mechanism to talk to the device and it's not working. Did anyone get it working?

telegraf.tmpl settings for input-oc.

servers = ["192.168.1.139:50051"]
ssl_cert = "/source/jti.pem"

I was using the below mechanism to create one.

http://ipengineer.net/2018/05/configuring-ssl-grpc-junos/

Looks like it tries and fails, and never attempts to connect again.

root@Jumphost2:/home/mohan/open-nti# tcpdump -i eth0 port 50051
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:07:49.788309 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [S], seq 2391356311, win 29200, options [mss 1460,sackOK,TS val 118401606 ecr 0,nop,wscale 7], length 0
13:07:49.794368 IP 192.168.1.139.50051 > 192.168.1.133.54626: Flags [S.], seq 3392765012, ack 2391356312, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 2620523829 ecr 118401606,sackOK,eol], length 0
13:07:49.794451 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [.], ack 1, win 229, options [nop,nop,TS val 118401607 ecr 2620523829], length 0
13:07:49.794703 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [P.], seq 1:152, ack 1, win 229, options [nop,nop,TS val 118401607 ecr 2620523829], length 151
13:07:49.817000 IP 192.168.1.139.50051 > 192.168.1.133.54626: Flags [P.], seq 1:1327, ack 152, win 33304, options [nop,nop,TS val 2620523851 ecr 118401607], length 1326
13:07:49.817078 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [.], ack 1327, win 251, options [nop,nop,TS val 118401613 ecr 2620523851], length 0
13:07:49.817496 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [P.], seq 152:159, ack 1327, win 251, options [nop,nop,TS val 118401613 ecr 2620523851], length 7
13:07:49.817596 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [R.], seq 159, ack 1327, win 251, options [nop,nop,TS val 118401613 ecr 2620523851], length 0
13:07:49.818633 IP 192.168.1.139.50051 > 192.168.1.133.54626: Flags [F.], seq 1327, ack 159, win 33300, options [nop,nop,TS val 2620523854 ecr 118401613], length 0
13:07:49.818673 IP 192.168.1.133.54626 > 192.168.1.139.50051: Flags [R], seq 2391356470, win 0, length 0

Hi

Is the /source/jti.pem file inside the container?

Regards

Hi,

Try this:

openssl genrsa -out ca.key 2048

openssl req -new -x509 -key ca.key -out ca.crt 

openssl genrsa -out mx1_re.key 2048

openssl req -new -key mx1_re.key -out mx1_re.csr

openssl x509 -req -in mx1_re.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mx1_re.crt

cat mx1_re.key mx1_re.crt > mx1_re.pem


scp mx1_re.pem "user@router:/var/tmp"

set security certificates local router_mx load-key-file /var/tmp/mx1_re.pem

set system services extension-service request-response grpc ssl port 50051
set system services extension-service request-response grpc ssl local-certificate router_mx
set system services extension-service request-response grpc skip-authentication
set system services extension-service notification allow-clients address 0.0.0.0/0

logs from the router:

Aug 14 00:34:11 readGrpcConfig Restarting Grpc server as there is a change in parameters Old/new: address: ::/::, port: 50051/50051, session: 5/5, SSL enabled: 1/1, skip-authentication: 0/1, buffer size: 1048576/1048576, tcp maximum segment size: 0/0, retry_count: 15/15, retry_interval: 1/1, RequestResponse grpc knob status: 1/1

logs from telegraf (running a debugging version) :

2018-08-14T08:18:25Z I! Tags enabled: host=ubuntu
2018-08-14T08:18:25Z I! Agent Config: Interval:10s, Quiet:false, Hostname:"ubuntu", Flush Interval:5s
2018-08-14T08:18:30Z I! Transport credentials &{%!s(*tls.Config=&{<nil> <nil> [] map[] <nil> <nil> <nil> <nil> 0xc420011950 [h2]  0 <nil> 	false [] false false [130 97 114 66 255 149 209 160 114 53 133 177 76 61 142 84 106 70 91 51 78 95 5 236 219 92 102 193 219 63 136 199] <nil> 	0 0 [] false 0 <nil> {{0 0} 0} {{0 0} 0 0 0 0} [{[15 236 112 160 210 126 118 101 39 196 242 85 109 29 197 239] [154 107 17 78 35 216 211 56 	19 120 89 182 107 126 131 198] [46 176 98 10 125 222 125 213 174 64 2 164 158 252 229 44]}]})}
2018-08-14T08:18:30Z I! Transport credentials set
2018-08-14T08:18:30Z D! Opened a new gRPC session to mx1_re on port 50051
2018-08-14T08:18:35Z D! Output [file] buffer fullness: 0 / 10000 metrics.
2018-08-14T08:18:36Z D! Received from mx1_re: system_id:"mx1_re" path:"sensor_1002:/junos/system/linecard/packet/usage/:/junos/system/linecard/packet/usage/:PFE" timestamp:1534234716137 kv:<key:"__timestamp__" uint_value:1534234716140 > kv:<key:"__prefix__" str_value:"/components/component[name='FPC0:CPU0']/" > kv:<key:"properties/property[name='lts-input-packets']/state/value" uint_value:555819 > kv:<key:"properties/property[name='lts-output-packets']/state/value" uint_value:947824 >

telegraf file config:

[........]
[[inputs.jti_openconfig_telemetry]]

servers = ["mx1_re:50051"]
#username = "root"
#password = "Embe1mpls"
#client_id = "telegraf"


sensors = [
"junos-cpu /junos/system/cpu/memory/",
"junos-linecard-packet /junos/system/linecard/packet/usage/",
"junos-linecard-fabric /junos/system/linecard/fabric/",
"oc-bgp /bgp",
"oc-interfaces /interfaces/interface/[name='fxp0'] /interfaces/interface/[name='ge-0/0/0'] /interfaces/interface/[name='ge-0/0/1'] /interfaces/interface/[name='gr-0/0/0']",
"oc-components /components/",
"junos-kernel-ifstate /junos/kernel-ifstate/",
"oc-bgp-neighbors /bgp/neighbors/neighbor/"
]

ssl_cert  = "mx1_re.pem"
[.......]

Like that :

set system services extension-service traceoptions file extension-service.log
set system services extension-service traceoptions file size 5m
set system services extension-service traceoptions file files 2
set system services extension-service traceoptions flag all

Hi,

That's what I've done:

On the server
############ 

1) openssl genrsa -out ca.key 2048

2) openssl req -new -x509 -key ca.key -out ca.crt (all answers left blank except FQDN: mx1_re)

3) openssl genrsa -out mx1_re.key 2048

4) openssl req -new -key mx1_re.key -out mx1_re.csr (all answers left blank except FQDN: mx1_re)

5) openssl x509 -req -in mx1_re.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mx1_re.crt

6) cat mx1_re.key mx1_re.crt > mx1_re.pem

On the router
#############

7) delete security 
   delete system services
   commit

8) file delete /var/tmp/mx1_re.pem

9) scp mx1_re.pem "user@router:/var/tmp"


10) set security certificates local router_mx load-key-file /var/tmp/mx1_re.pem


11) 
set system services extension-service request-response grpc ssl port 50051
set system services extension-service request-response grpc ssl local-certificate router_mx
set system services extension-service request-response grpc skip-authentication
set system services extension-service notification allow-clients address 0.0.0.0/0


Telegraf file (the hostname of the router I'm using is mx1_re, Junos version: 18.1R2-S1):
############## 

[[inputs.jti_openconfig_telemetry]]

servers = ["mx1_re:50051"] 
#username = "lab"
#password = "lab123"
#client_id = "mx1_re"

......

ssl_cert  = "mx1_re.pem"

.......

Well, another thing I did:

In the file /etc/ssl/openssl.cnf I added the following in the v3_ca section:
[ v3_ca ]
..........
subjectAltName = IP:10.102.186.0 --> mx IP
.........

If you modify that file, you'll have to recreate the certificate again and follow the steps described above in the thread.

Regards

Please turn debug on in the telegraf config file (agent section)
..........
[agent]
...........
debug = true

and share logs

Thanks

I was trying to do mutual authentication on Junipers and open-nti. Does open-nti send a cert? The router is expecting the cert and it fails with a bad cert error.

When we use gnmi_client to connect to the router, we don't see that error but a different one.

Here's the config:

set system services ssh
set system services extension-service request-response grpc ssl port 50051
set system services extension-service request-response grpc ssl local-certificate nqa3-mx-d12-12
set system services extension-service request-response grpc ssl mutual-authentication certificate-authority JTI
set system services extension-service request-response grpc ssl mutual-authentication client-certificate-request require-certificate

set system services extension-service traceoptions file ext.log
set system services extension-service traceoptions flag all

Error with bad cert -

Aug 28 02:10:30 server_secure_chttp2.c:119: Secure transport failed with error 1
Aug 28 02:12:28 ssl_transport_security.c:947: Handshake failed with fatal error SSL_ERROR_SSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate.
Aug 28 02:12:28 handshake.c:128: Security handshake failed: {"created":"@1535422348.938953752","description":"Handshake failed","file":"../../../../../../../../src/dist/grpc/src/core/lib/security/transport/handshake.c","file_line":264,"tsi_code":10,"tsi_error":"TSI_PROTOCOL_FAILURE"}

When using gnmi_cli client

Aug 28 03:12:23 server_secure_chttp2.c:119: Secure transport failed with error 1
Aug 28 03:12:34 TerminateClientThreads: Number of grpc clients connected: 0
Aug 28 03:12:34 JGrpcServerStart: Proto Desriptor object not found in proto map for RPC /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo for peer ipv6:::ffff:10.144.96.34:35556
Aug 28 03:12:34 AllocCallMem:GRPC Server Call Completion queue created successfully
Aug 28 03:12:34 AllocCallMem:GRPC Server Call Details initialized successfully
Aug 28 03:12:35 TerminateClientThreads: Number of grpc clients connected: 0
Aug 28 03:12:35 JGrpcServerStart: Proto Desriptor object not found in proto map for RPC /gnmi.gNMI/Subscribe for peer ipv6:::ffff:10.144.96.34:35556
Aug 28 03:12:35 AllocCallMem:GRPC Server Call Completion queue created successfully
Aug 28 03:12:35 AllocCallMem:GRPC Server Call Details initialized successfully
Aug 28 03:12:35 ssl_transport_security.c:439: SSL_read returned 0 unexpectedly.
Aug 28 03:12:35 secure_endpoint.c:176: Decryption error: TSI_INTERNAL_ERROR

./gnmi_cli -a mx-d12-12:50051 -qt s -q "/lldp/" --ca_crt /home/mnanduri/ca.crt --client_crt /home/mnanduri/pivo.crt --client_key /home/mnanduri/pivo.key -logtostderr

E0828 09:43:38.684796 23426 gnmi_cli.go:190] cli.QueryDisplay:
sendQueryAndDisplay(ctx, {Addrs:[nqa3-mx10003-d12-12:50051] Target: Replica:0 UpdatesOnly:false Queries:[[lldp]] Type:stream Timeout:30s NotificationHandler: ProtoHandler: Credentials: TLS:0xc7ef80 Extra:map[]}, &{PollingInterval:30s StreamingDuration:0s Count:0 countExhausted:false Delimiter:/ Display:0x83db90 DisplayPrefix: DisplayIndent: DisplayType:group DisplayPeer:false Timestamp: DisplaySize:false Latency:false ClientTypes:[gnmi]}):
unknown response : %!s()

Hi

The current implementation of open NTI doesn't support mutual authentication. I did a quick test modifying the code of the telegraf plugin and it works ok, so mutual authentication will probably be supported in the future.

Hi,

Follow those steps in order to test mutual-auth in open NTI (bear in mind that it is only for testing/demo purposes at the moment).

1 ) clone my personal repo of openNTI

git clone https://github.com/psagrera/open-nti.git 

2 ) Modify the following files:

2.1 ) Under ~/open-nti/plugins/input-oc --> telegraf.tmpl

      [[inputs.jti_openconfig_telemetry]]

        servers = ["mx2_re:50051"] <-- your vMX / MX hostname
        username = "lab"
        password = "lab123"
        client_id = "telegraf"

      Keep the debug flag set to true to verify easily whether it's working or not.
      You can add/modify sensors from the original file.

2.2 ) Under ~/open-nti/plugins/input-oc --> cert_files directory
      Put there all files related to the certificate (follow the process you mentioned above in the thread).

      2.2.1 That's what I did:

            SERVER SIDE
            ###########
            openssl genrsa -out ca.key 2048
            openssl req -new -x509 -key ca.key -out ca.crt

            openssl genrsa -out mx2_re.key 2048
            openssl req -new -key mx2_re.key -out mx2_re.csr

            openssl genrsa -out oc.key 2048
            openssl req -new -key oc.key -out oc.csr

            openssl x509 -req -in mx2_re.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mx2_re.crt
            openssl x509 -req -in oc.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out oc.crt

            cat mx2_re.key mx2_re.crt > mx2_re.pem

            ROUTER
            ######
            set security pki ca-profile OC ca-identity OC
            request security pki ca-certificate load ca-profile OC filename /var/tmp/ca.crt
            set security certificates certification-authority OC ca-name OC
            set security certificates local mx2_re load-key-file /var/tmp/mx2_re.pem
            set system services extension-service request-response grpc ssl port 50051
            set system services extension-service request-response grpc ssl local-certificate mx2_re
            set system services extension-service request-response grpc ssl mutual-authentication certificate-authority OC
            set system services extension-service request-response grpc ssl mutual-authentication client-certificate-request require-certificate
            set system services extension-service notification allow-clients address 0.0.0.0/0
            set system services extension-service traceoptions file extension-service.log
            set system services extension-service traceoptions file size 5m
            set system services extension-service traceoptions file files 2
            set system services extension-service traceoptions flag all

2.3 ) Under ~/open-nti  --> docker-compose.yml 

		input-oc:
		  #image: telegraf:1.5
		  build: $INPUT_OC_DIR
		  extra_hosts:
		    mx2_re: 10.102.183.150 <-- put here your hostname/IP mapping 
		  container_name: $INPUT_OC_CONTAINER_NAME
		  volumes:
		    - /etc/localtime:/etc/localtime:ro
		    - ./$INPUT_OC_DIR/telegraf.tmpl:/source/telegraf.tmpl
		  ports:
		    - "$LOCAL_PORT_OC:50051/udp"
		  links:
		    - opennti

2.4 ) make build

2.5 ) make start 

2.6 ) docker logs opennti_input_oc (If it's working you will see something like:)

    [...]
    2018-09-05T11:55:18Z I! Agent Config: Interval:10s, Quiet:false, Hostname:"c7fb8b1cd83c", Flush Interval:5s
    2018-09-05T11:55:20Z D! Opened a new gRPC session to mx2_re on port 50051
    2018-09-05T11:55:25Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
    2018-09-05T11:55:27Z D! Received from mx2_re: system_id:"mx2_re" component_id:1 path:
    [...]

P.S.: I'm using vMX (18.1R2-S1)
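As an added example (not code from open-nti or from anyone in this thread), the script below carries out the certificate generation from the SERVER SIDE block above and from steps 1-6 earlier in the thread, puts the router's name and IP into subjectAltName as the openssl.cnf edit did, and then runs the checks a practitioner would want before loading the PEM on the router or pointing telegraf at it: chain and purpose verification of the router and client certs, the SAN a hostname-verifying client needs, and that key and certificate in the combined PEM belong together. It assumes openssl 1.1.1 or later; mx2_re and 10.102.183.150 are placeholders taken from this post.

```shell
#!/bin/sh
# Added example, not code from open-nti or from this thread. Generates the CA,
# router (server) and telegraf (client) certificates described in the thread
# and verifies them the way the two gRPC peers will. Assumes openssl 1.1.1+.
# ROUTER / ROUTER_IP are placeholders taken from this thread's lab.
set -eu

ROUTER="${ROUTER:-mx2_re}"
ROUTER_IP="${ROUTER_IP:-10.102.183.150}"
WORK="${WORK:-$(mktemp -d)}"

# Create ca.*, $ROUTER.* and oc.* in $WORK (subshell so the cd does not leak).
make_certs() (
    cd "$WORK"
    # Private CA; its key stays on the signing host, only ca.crt is distributed.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -key ca.key -out ca.crt -days 365 -subj "/CN=OC-CA"
    # Router certificate. A bare CN is not enough for a client that verifies
    # the hostname, so the name and IP go into subjectAltName (same effect as
    # the v3_ca edit to openssl.cnf mentioned earlier in the thread).
    openssl genrsa -out "$ROUTER.key" 2048 2>/dev/null
    openssl req -new -key "$ROUTER.key" -out "$ROUTER.csr" -subj "/CN=$ROUTER"
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$ROUTER" "$ROUTER_IP" > server.ext
    openssl x509 -req -in "$ROUTER.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile server.ext -out "$ROUTER.crt" 2>/dev/null
    # Key + cert in one file is what "load-key-file" on the router expects.
    cat "$ROUTER.key" "$ROUTER.crt" > "$ROUTER.pem"
    # Separate identity for the collector (the oc.* files). Reusing the
    # router's key pair as the client identity would let whoever holds the
    # router PEM also impersonate the collector.
    openssl genrsa -out oc.key 2048 2>/dev/null
    openssl req -new -key oc.key -out oc.csr -subj "/CN=telegraf"
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -in oc.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -extfile client.ext -out oc.crt 2>/dev/null
)

# check_cert <file> <sslserver|sslclient>: does the cert chain to ca.crt and
# carry the purpose the peer will check? Returns 0 on success.
check_cert() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1" >/dev/null 2>&1
}

# Returns 0 when the router cert names $ROUTER in its SAN, which a client
# running with insecure_skip_verify = false needs in order to accept it.
check_san() {
    openssl x509 -in "$WORK/$ROUTER.crt" -noout -text | grep -q "DNS:$ROUTER"
}

# Returns 0 when the key and certificate in the combined PEM belong together
# (compares the public key derived from each half).
check_pem_pair() {
    k=$(openssl pkey -in "$WORK/$ROUTER.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$WORK/$ROUTER.pem" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# report <check> [args]: run a check function and print its outcome.
report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fi; }

make_certs
report check_cert "$ROUTER.crt" sslserver
report check_cert oc.crt sslclient
report check_san
report check_pem_pair
# The client cert must NOT pass as a server cert (clientAuth-only EKU).
check_cert oc.crt sslserver || echo "ok:   oc.crt rejected as a server cert"
echo "files written to $WORK"
```

Run it, then copy ca.crt, $ROUTER.pem and the oc.* files to the places the steps above describe; a FAIL line points at the half of the setup (chain, SAN or key/cert pairing) to fix before looking at the router's traceoptions.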

I have tried the steps you provided with the same names you have, getting this error.

mnanduri-mac:open-nti mnanduri$ docker logs opennti_input_oc

2018/09/07 09:16:33 E! Error parsing /opt/telegraf/config/telegraf.conf, line 136: field corresponding to client_crt' is not defined in *jti_openconfig_telemetry.OpenConfigTelemetry'
2018/09/07 09:17:46 E! Error parsing /opt/telegraf/config/telegraf.conf, line 138: field corresponding to ca_crt' is not defined in *jti_openconfig_telemetry.OpenConfigTelemetry'

mnanduri-mac:open-nti mnanduri$ ls -latr plugins/input-oc/cert_files/
total 80
-rw-r--r-- 1 mnanduri staff 1273 Sep 6 18:52 ca.crt
-rw-r--r-- 1 mnanduri staff 1679 Sep 6 18:52 ca.key
-rw-r--r-- 1 mnanduri staff 17 Sep 6 18:52 ca.srl
-rw-r--r-- 1 mnanduri staff 1155 Sep 6 18:52 mx2_re.crt
-rw-r--r-- 1 mnanduri staff 980 Sep 6 18:52 mx2_re.csr
-rw-r--r-- 1 mnanduri staff 1679 Sep 6 18:52 mx2_re.key
-rw-r--r-- 1 mnanduri staff 2834 Sep 6 18:52 mx2_re.pem
-rw-r--r-- 1 mnanduri staff 1155 Sep 6 18:52 oc.crt
-rw-r--r-- 1 mnanduri staff 980 Sep 6 18:52 oc.csr
drwxr-xr-x 12 mnanduri staff 384 Sep 6 18:52 .
-rw-r--r-- 1 mnanduri staff 1675 Sep 6 18:52 oc.key
drwxr-xr-x 7 mnanduri staff 224 Sep 7 05:16 ..

input-oc:
  #image: telegraf:1.5
  build: $INPUT_OC_DIR
  extra_hosts:
    mx2_re: 10.133.85.41
  container_name: $INPUT_OC_CONTAINER_NAME
  volumes:
    - ./$INPUT_OC_DIR/telegraf.tmpl:/source/telegraf.tmpl
  ports:
    - "$LOCAL_PORT_OC:50051/udp"
  links:
    - opennti

Hi,

Did you remove the old image of OC? Maybe it's using the old image with the new plugin.

Oh, I did not. Let me remove the old image.

You are right, it was using the old image. That error is gone. I am getting a cert error, will try to regenerate again.

One question I wanted to ask and forgot earlier: I see you generated oc.key and crt but I don't see any reference in your telegraf.tmpl file. Is that expected?

Yes, it's expected. In the telegraf.tmpl file only these references are needed:

client_crt = "/opt/telegraf/config/cert_files/mx2_re.crt"
client_key = "/opt/telegraf/config/cert_files/mx2_re.key"
ca_crt = "/opt/telegraf/config/cert_files/ca.crt"
ssl_cert = "/opt/telegraf/config/cert_files/mx2_re.pem"

I generated those files following the procedure of David Gee (http://ipengineer.net/2018/05/configuring-ssl-grpc-junos/)

The files I've got in the vMX:

root@mx2_re> file list /var/tmp/

/var/tmp/:
[...]
ca.crt
ca.key
ca.srl
mx2_re.crt
mx2_re.csr
mx2_re.key
mx2_re.pem
[...]

Ok. I was thinking that OC will send its cert/key and the MX has its cert/key, and they will mutually authenticate each other's certs.

Hi, got it working now, finally.

Do you need username/password, or can you skip it with mutual authentication? Without the username/password I get the error below, but when I enable grpc skip-authentication that error goes away.

2018-09-07T13:12:01Z D! Available collection for nqa3-mx10003-d12-12 is: []
2018-09-07T13:12:01Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unauthenticated desc = JGrpcServer: Session not authenticated/authorized: nqa3-mx10003-d12-12

Have you configured lab/lab123 in your router? In my case it works when I use username/pass + client_id, and when I don't use username + password + client_id and configure skip auth in the router.

Yeah, I was trying to avoid using username/password, but when I use uid/password, or no uid/pwd + skip-auth on the router, it works.

If you use username+password+client_id without the skip config, does it work? (That's the setup I'm using.)

Yep, that works.

Ok, glad to hear that. As I said, that version is only for testing/demo purposes; once it is published in telegraf we will integrate that into the master branch.
Hope it's been useful.
Thanks.

Clarification question: if I have this below and use the normal instance (not your new plugin that supports SSL) to authenticate the grpc session, I see initially that auth failed but still get sensor data...

[[inputs.jti_openconfig_telemetry]]
servers = ["10.133.85.41:50051"]
username = "lab"
password = "lab123"
client_id = "telegraf"

set system services extension-service request-response grpc clear-text port 50051
set system services extension-service traceoptions file extension-service.log
set system services extension-service traceoptions file size 5m
set system services extension-service traceoptions file files 2
set system services extension-service traceoptions flag all

2018-09-14T11:14:52Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Internal desc = invalid header field value "Authorization failed\b\xf7\xf5\b\x03": 10.133.85.41
2018-09-14T11:14:54Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unknown desc = Authorization failed: 10.133.85.41
2018-09-14T11:14:55Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unknown desc = Authorization failed: 10.133.85.41
2018-09-14T11:14:55Z D! Output [influxdb] buffer fullness: 0 / 10000 metrics.
2018-09-14T11:14:55Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unknown desc = Authorization failed: 10.133.85.41
2018-09-14T11:14:56Z E! Error in plugin [inputs.jti_openconfig_telemetry]: E! Failed to read from rpc error: code = Unknown desc = Authorization failed: 10.133.85.41
2018-09-14T11:14:56Z D! Received from 10.133.85.41: system_id:"nqa3-mx10003-d12-12" path:"sensor_1000:/junos/system/linecard/firewall/:/junos/system/linecard/firewall/:PFE" timestamp:1536952162823 kv:<key:"timestamp" uint_value:1536952162893 > kv:<key:"prefix" str_value:"/junos/firewall[name='IPV4_PROTECT_RE']/state/" > kv:<key:"timestamp" uint_value:1536891839 > kv:<key:"memory-usage[name='HEAP']/allocated" uint_value:131812 > kv:<key:"prefix" str_value:"/junos/firewall[name='count-dscp-et-0/1/0.0-i']/state/" > kv:<key:"timestamp" uint_value:1536884774 > kv:<key:"memory-usage[name='HEAP']/allocated" uint_value:1396 > kv:<key:"counter[name='dscp0-et-0/1/0.0-i']/packets" uint_value:577503868 > kv:<key:"counter[name='dscp0-et-0/1/0.0-i']/bytes" uint_value:285286910792 > kv:<key:"counter[name='rest-et-0/1/0.0-i']/packets" uint_value:264198 > kv:<key:"counter[name='rest-et-0/1/0.0-i']/bytes" uint_value:15644639 > kv:<key:"prefix" str_value:"/junos/firewall[name='count-dscp-et-0/1/1.0-i']/state/" > kv:<k

I think so. Did not validate for sure.

Any clue on the traceoptions?

I lost the log, let me try to do it again and will get back.

How can we have the SSL setup for multiple devices? Should I use the same SSL certificate on all of the devices? I am looking to have SSL for encrypting the traffic between devices and the NTI server. Also I would like to have the SSL authentication as well.

Hi @littlespace

You can define more than one input plugin and therefore attach different certificates to each group of servers (i.e.)

    ###############################################################################
    #                            INPUT PLUGINS                                    #
    ###############################################################################
    
    # Read OpenConfig Telemetry from listed sensors
    
    [[inputs.jti_openconfig_telemetry]]
    
      servers = ["10.102.183.182:50051"]
    
      ## Frequency to get data in millisecond
      sample_frequency = "5000ms"
    
    
      sensors = [
       "/network-instances/network-instance/protocols/protocol/bgp/",
      ]
    
    str_as_tags = false
    
    [[inputs.jti_openconfig_telemetry]]
    
      servers = ["10.102.183.150:50051"]
    
      ## Frequency to get data in millisecond
      sample_frequency = "5000ms"
    
    
      sensors = [
       "/network-instances/network-instance/protocols/protocol/bgp/",
      ]
    
    str_as_tags = false

With regard to mutual authentication, we are still working on the final code we will merge into the master branch.

Regards

Pablo

Hello Pablo,

When you say mutual authentication is being worked on, you mean open-nti authenticating the cert received from the router, right? Just want to confirm.

Cheers,
-Mohan

Any update on merging this feature with the main?

Yes, it's expected. In the telegraf.tmpl file only these references are needed:

client_crt = "/opt/telegraf/config/cert_files/mx2_re.crt"
client_key = "/opt/telegraf/config/cert_files/mx2_re.key"
ca_crt = "/opt/telegraf/config/cert_files/ca.crt"
ssl_cert = "/opt/telegraf/config/cert_files/mx2_re.pem"

I generated those files following the procedure of David Gee (http://ipengineer.net/2018/05/configuring-ssl-grpc-junos/)

@psagrera Do you have the config for the latest telegraf version (1.14)? TLS config params have been changed slightly. And why do you use the router certificate and key (mx2_re.xxx) as client crt and key? Shouldn't they be the client cert and key (oc.xxx)?

@pravindamodaran check the telegraf repo. I have added the tls option to the jti plug-in almost a year ago.

@littlespace Maybe irrelevant here, but my telegraf config looks like this:

[[inputs.jti_openconfig_telemetry]]
  ## List of device addresses to collect telemetry from
  servers = ["ec2-10-10-10-10.us-east-2.compute.amazonaws.com:32767"]

  username = "test"
  password = "test123"
  client_id = "telegraf"

  sample_frequency = "50000ms"

  sensors = [
   "/interfaces"
  ]

  ## Optional TLS Config
   enable_tls = true
   tls_ca = "/etc/telegraf/certs/ca.crt"
   tls_cert = "/etc/telegraf/certs/client.crt"
   tls_key = "/etc/telegraf/certs/client.key"
  ## Use TLS but skip chain & host verification
   insecure_skip_verify = false

  retry_delay = "10000ms"

  ## To treat all string values as tags, set this to true
  str_as_tags = false

And I keep getting this error in telegraf:

telegraf_1    | 2020-05-27T15:32:12Z E! [inputs.jti_openconfig_telemetry] Error in plugin: failed to read from ec2-10-10-10-10.us-east-2.compute.amazonaws: rpc error: code = Unknown desc = Authorization failed

Any idea? Should I open an issue in the telegraf repo?

@pravindamodaran I need to check it, what version of junos are you running on the box? Is your username super user as well?

Junos version: JUNOS 18.4R1.8 Kernel 64-bit JNPR-11.0-20181207.6c2f68b_2_b

This is the default image available in AWS Marketplace for the virtual router. And yeah, I have set the class as super-user for my username. For some reason, this image does not let me set up the grpc server in Junos without TLS. So TLS is the only option I have.

Same question for the TLS problem.
How do I modify telegraf.tmpl if I use master?

I just added "username", "password", "client_id", "enable_tls" and the tls cert, but it fails to compose in the opennti_input_oc docker.

Thanks!