Configuring SSL on the gRPC telemetry server

The gRPC-server telemetry implementation supports secure monitoring through SSL transport security.

  1. In privileged EXEC mode, enter configure terminal.
    device# configure terminal
  2. Enter telemetry server, with the option of specifying a VRF other than the default mgmt-vrf.
    • (Default) mgmt-vrf
      device(config)# telemetry server
    • Other VRF
      device(config)# telemetry server use-vrf blue_vrf
  3. Enter the activate command.
    device(config-server-mgmt-vrf)# activate
  4. Enter do telemetry client-cert generate to generate SSL certificates for the server and client.
    device(config-server-mgmt-vrf)# do telemetry client-cert generate
  5. Verify the certificate is active with the do show telemetry client-cert command.
    This output displays the SSL public CA certificate that the client side uses to establish SSL connections, such as streaming to gRPC clients or destinations.
    device(config-server-mgmt-vrf)# do show telemetry client-cert
    
  6. Enter transport ssl.
    device(config-server-mgmt-vrf)# transport ssl

Example

The following example shows a complete SSL configuration.

device# configure terminal
device(config)# telemetry server
device(config-server-mgmt-vrf)# activate
device(config-server-mgmt-vrf)# do show telemetry server status

Telemetry Server running on IP 10.128.116.10 and port 1, with transport as tcp.

Active Sessions:
----------------
Client            Profiles Streamed                      Interval   Uptime      Last Streamed
------            -------------------                    ---------  ----------  ---------------
ClientIP1/Host1   default_interface_statistics           120 sec    05/10:23    2017-01-15: :05:07:33
                  default_system_utilization_statistics  300 sec    05/10:23    2017-01-15: :05:07:33

ClientIP2/Host2   default_system_utilization_statistics  300 sec    05/10:23    2017-01-15: :05:07:33

device(config-server-mgmt-vrf)# do telemetry client-cert generate
device(config-server-mgmt-vrf)# do show telemetry client-cert

device(config-server-mgmt-vrf)# transport ssl 
device(config-server-mgmt-vrf)# do show telemetry server status

Telemetry Server running on IP 10.128.116.10 and port 1, with transport as ssl.

Active Sessions:
----------------
Client            Profiles Streamed                      Interval   Uptime      Last Streamed
------            -------------------                    ---------  ----------  ---------------
ClientIP1/Host1   default_interface_statistics           120 sec    05/10:23    2017-01-15: :05:07:33
                  default_system_utilization_statistics  300 sec    05/10:23    2017-01-15: :05:07:33

ClientIP2/Host2   default_system_utilization_statistics  300 sec    05/10:23    2017-01-15: :05:07:33
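
The following script is an added example, not part of the vendor documentation. It checks a saved capture of the session above: it reads the last `show telemetry server status` line to confirm the transport ended up as ssl, and computes a SHA-256 fingerprint of the certificate printed by `show telemetry client-cert` so it can be compared with the file installed on the client. The function names, the capture-as-text workflow and the placeholder certificate body are assumptions made for illustration.

```python
import base64
import hashlib
import re

STATUS_RE = re.compile(
    r"Telemetry Server running on IP (\S+) and port (\d+), with transport as (\w+)\.")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def current_transport(capture):
    """Return (ip, port, transport) from the last status line in the capture."""
    hits = STATUS_RE.findall(capture)
    if not hits:
        raise ValueError("no 'show telemetry server status' output found")
    ip, port, transport = hits[-1]  # later output reflects the final state
    return ip, int(port), transport

def cert_fingerprint(capture):
    """SHA-256 over the DER bytes of the displayed certificate, colon-separated."""
    m = PEM_RE.search(capture)
    if m is None:
        raise ValueError("no certificate block found")
    # Drop CLI indentation and line breaks before decoding the base64 body.
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def audit(capture):
    """Return findings; an empty list means the server ended up on ssl."""
    ip, port, transport = current_transport(capture)
    if transport != "ssl":
        return [f"{ip}:{port} streams over {transport}, not ssl"]
    return []

# Constructed sample: placeholder bytes stand in for the certificate body.
PLACEHOLDER_DER = b"constructed placeholder, not a real certificate"
SAMPLE = (
    "Telemetry Server running on IP 10.128.116.10 and port 1, with transport as tcp.\n"
    "device(config-server-mgmt-vrf)# do show telemetry client-cert\n"
    "    -----BEGIN CERTIFICATE-----\n"
    f"    {base64.b64encode(PLACEHOLDER_DER).decode()}\n"
    "    -----END CERTIFICATE-----\n"
    "Telemetry Server running on IP 10.128.116.10 and port 1, with transport as ssl.\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE), cert_fingerprint(SAMPLE))
```

A capture taken before `transport ssl` is entered produces a finding, because the only status line present still reports tcp.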