Starting from 20.3.2, administrators are able to protect gNMI with TLS. To enable this, the administrator performs the following configuration:
SLX(config-gNMI-server)# secure-port <port number>
where the port number can range from 1024 to 49151. Once this configuration is applied, gNMI runs over TLS on the configured port, and clients connect to that port to establish the TLS session.
The administrator needs to use a gNMI client that supports TLS and configure it accordingly.
Note
Removing the above configuration switches gNMI back to non-secure mode, which is the default; in that mode it listens on the non-secure default port 9339.
On SLX, which acts as the gNMI server, the gNMI server certificate and the private key associated with it can be imported to the switch in PKCS#12 format, in the same way that the HTTPS certificate and key are imported.
The following command is provided for this purpose. The certificate and the key are packaged into a PKCS#12 file on a trusted external server and imported from that server:
SLX# crypto ca import-pkcs type pkcs12 cert-type gNMI-server directory <dir-name> file <file-name> host <host-name/ip> protocol <SCP|FTP> user <server-username> password <server-password> pkcs-passphrase <pkcs export password>
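The following POSIX shell script is an added example and is not part of the SLX documentation or of the SLX software. It shows the two preparation steps that happen off the switch: checking that a chosen secure-port value lies in the documented 1024 to 49151 range, and packaging a server certificate and its private key into the PKCS#12 file (with the export passphrase that is later supplied as pkcs-passphrase) on the trusted external server using OpenSSL. The file names, certificate subject and passphrase are constructed placeholders; the demo generates a throwaway self-signed certificate only so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the SLX documentation): prepares the PKCS#12 bundle that
# "crypto ca import-pkcs type pkcs12 cert-type gNMI-server ..." expects, and checks a
# secure-port value against the documented range before it is configured on the switch.
# All file names, the subject and the passphrase below are constructed placeholders.
set -e

# secure-port must lie in 1024..49151 (the range stated in the SLX documentation).
validate_secure_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 49151 ]
}

# Wrap an existing server certificate and its private key into one PKCS#12 file.
# $1 = certificate PEM, $2 = private key PEM, $3 = output .p12 path,
# $4 = export passphrase (the value later given as pkcs-passphrase on the switch).
build_gnmi_pkcs12() {
    cert="$1"; key="$2"; out="$3"; pass="$4"
    # -export builds the bundle; the private key is encrypted under the passphrase.
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name gnmi-server \
        -out "$out" -passout "pass:$pass"
    # Confirm the bundle opens with the same passphrase before it is transferred,
    # so an import failure on the switch is not caused by a mistyped passphrase.
    openssl pkcs12 -in "$out" -passin "pass:$pass" -noout >/dev/null 2>&1
}

# Demonstration: create a throwaway self-signed certificate (constructed) in $1 and
# package it. In practice the certificate would come from the organisation's CA.
demo() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=slx-gnmi.example.invalid" \
        -keyout "$dir/gnmi.key" -out "$dir/gnmi.crt" >/dev/null 2>&1
    build_gnmi_pkcs12 "$dir/gnmi.crt" "$dir/gnmi.key" \
        "$dir/gnmi-server.p12" "export-pass-placeholder"
}

# Usage (run stand-alone):
#   validate_secure_port 9340 && echo "port ok"
#   demo /tmp/gnmi-bundle   # writes /tmp/gnmi-bundle/gnmi-server.p12
```

The resulting gnmi-server.p12 is what the directory and file arguments of the import command point at on the SCP or FTP host, and the passphrase used with -passout is the one supplied as pkcs-passphrase. Keeping the private key only inside the passphrase-protected bundle, rather than as a loose PEM file on the transfer host, limits its exposure during the copy.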