
Configure the Brocade NOS REST API to use HTTPS

Brocade VDX switches have REST and NETCONF interfaces. The REST API uses the built-in HTTP server. By default, this uses plain-text HTTP. As of NOS 6.0, you can (and should!) use HTTPS. If NOS has a certificate configured, it will automatically use HTTPS. Here’s how to configure it.

Pre-Change Tests

Let’s just do a couple of quick checks before we begin. Check that the switch is only listening on port 80, and that it responds to simple API queries:

OK, all as expected.

Set up your Certificate Authority

You can use any CA to sign your switch certificate. If you already have your own working internal Certificate Authority, you should use that. If you’re feeling flush, you could pay money for a signed certificate. Let’s Encrypt should work too, although I haven’t investigated it.

But if you don’t care about this certificate being trusted by every browser, it’s fine to set up your own root CA, and use it for this. There are quite a few steps to this. Jamie Nguyen has documented the steps for using OpenSSL to set up your own CA. I followed Jamie’s excellent instructions to create my own root + intermediate CAs. The file locations I’ve used below are the same as his.

Note that I’ve used the intermediate CA to sign the switch certificate. You don’t have to do this – you could just have a root CA. Your steps will vary slightly, but you should be able to figure out what you need to do.

Prepare your switch & generate a CSR

On the switch, we need to generate a key pair, and set up the CA. We’ll import the CA certificate from our CA server. Note that the file I import is a combination file containing both the root & intermediate CAs.

Now we generate our CSR, and transfer it to the CA server:

Sign the certificate & install it

Signing the certificate on our CA:
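As an added example (not the post's own commands, and not Jamie Nguyen's config-file layout), the script below condenses the CA-side work described in the sections above into plain openssl calls: it builds a root and an intermediate CA, writes the combined root+intermediate file that the switch imports, signs a server certificate with the intermediate, and verifies the chain before anything is installed. Because the switch's real CSR is not available here, it generates a stand-in key and CSR locally; the output directory, file names, subject names and validity periods are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post nor from Jamie Nguyen's guide:
# a condensed two-tier CA (root + intermediate) driven by inline openssl
# commands rather than his full config files. It plays the CA-side role of
# the post: it produces the combined root+intermediate file that the switch
# imports, signs a switch CSR with the intermediate, and checks the chain.
# The switch's real CSR is not available here, so a stand-in key/CSR is
# generated locally. Names and paths are this script's own choices.
set -u

# build_demo_pki OUTDIR FQDN: build everything under OUTDIR for switch FQDN.
# The body runs in a subshell so the cd does not leak into the caller.
build_demo_pki() (
  dir=$1; fqdn=$2
  mkdir -p "$dir" && cd "$dir" || exit 1

  # 1. Self-signed root CA. The config limits its extensions to what a root
  #    needs; in production the root key lives offline.
  cat > root.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_root
[dn]
CN = Example Lab Root CA
[v3_root]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config root.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout ca.key.pem -out ca.cert.pem 2>/dev/null || exit 1

  # 2. Intermediate CA signed by the root. pathlen:0 means it may issue only
  #    end-entity certificates, never another CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Lab Intermediate CA" \
    -keyout intermediate.key.pem -out intermediate.csr.pem 2>/dev/null || exit 1
  cat > intermediate.ext <<'EOF'
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  openssl x509 -req -in intermediate.csr.pem -CA ca.cert.pem -CAkey ca.key.pem \
    -CAcreateserial -days 1825 -sha256 -extfile intermediate.ext \
    -out intermediate.cert.pem 2>/dev/null || exit 1

  # 3. Combined CA file, intermediate first then root. This is the file the
  #    switch imports as its CA, and what clients pass to curl --cacert.
  cat intermediate.cert.pem ca.cert.pem > ca-chain.cert.pem

  # 4. Stand-in for the CSR the switch generates and sends to the CA server.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -keyout switch.key.pem -out switch.csr.pem 2>/dev/null || exit 1

  # 5. Sign it with the intermediate as a TLS server certificate. Browsers
  #    and curl match the hostname against subjectAltName, not the CN, so the
  #    SAN is what makes the certificate usable without -k.
  cat > switch.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
  openssl x509 -req -in switch.csr.pem -CA intermediate.cert.pem \
    -CAkey intermediate.key.pem -CAcreateserial -days 375 -sha256 \
    -extfile switch.ext -out switch.cert.pem 2>/dev/null || exit 1

  # 6. Verify the chain exactly as a client would, before installing anything.
  openssl verify -CAfile ca-chain.cert.pem switch.cert.pem >/dev/null 2>&1 || exit 1
)

# cert_san CERT: print the certificate's subjectAltName, to confirm the DNS name.
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName
}

case $# in
  2) build_demo_pki "$1" "$2" && echo "chain file: $1/ca-chain.cert.pem" && cert_san "$1/switch.cert.pem" ;;
  *) echo "usage: $0 <output-dir> <switch-fqdn>" >&2 ;;
esac
```

Run it as `sh build-pki.sh ./lab-pki switch01.example.net`; the `ca-chain.cert.pem` it writes is the combination file to import on the switch, and the same file is what a client should hand to curl's `--cacert` later instead of ignoring errors with `-k`. With a real switch you would skip step 4 and sign the CSR the switch transferred to the CA server.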

And installing it on the switch:

Note the error message – that is a very generic error message. In this case I’d entered the wrong password. I mention it here to point out that you should check the basics – NTP, IP addresses, directories, filenames, passwords – before digging into the keys & certs.

Restart the HTTP server

You need to restart the HTTP server to make it detect the new HTTPS certificate, and to disable HTTP.

OK, looking good.

Testing time!

The eagle-eyed will notice that I’m using “-k” for my cURL testing, to tell it to ignore certificate errors. This is because my local system does not yet have the root CA certificate installed. If it did, and I configured DNS correctly, I would not get certificate errors.
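The pre-change checks (port 80 open, 443 closed) and the post-change test above can be put into one small script, shown here as an added example rather than the post's own commands. It probes the two ports with curl's connection phase and, for the HTTPS fetch, validates the switch certificate against our own CA chain file instead of passing `-k`. The switch hostname, chain file path, REST resource path and the `SWITCH_USER`/`SWITCH_PASS` credentials are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the original post): the same checks the post runs
# before and after the change, as reusable functions. Before the change we
# expect 80 open and 443 closed; afterwards the reverse. The HTTPS fetch
# validates the switch certificate against our own CA chain file instead of
# passing -k. Hostname, chain path, resource path and credentials are
# placeholders supplied by the caller.

# port_open HOST PORT: 0 = something accepted the TCP connection,
# 1 = refused or timed out, 2 = hostname did not resolve.
# Only curl's connect phase matters here, so a TLS listener probed over plain
# http:// still counts as open (curl fails later, with a non-connect error).
port_open() {
  rc=0
  curl -s -o /dev/null --connect-timeout 3 "http://$1:$2/" >/dev/null 2>&1 || rc=$?
  case $rc in
    7|28) return 1 ;;   # 7 = connection refused, 28 = connect timeout
    6)    return 2 ;;   # 6 = could not resolve host
    *)    return 0 ;;
  esac
}

# listener_report HOST: one line per port, handy for the change record.
listener_report() {
  for p in 80 443; do
    rc=0; port_open "$1" "$p" || rc=$?
    case $rc in
      0) echo "$1:$p open" ;;
      1) echo "$1:$p closed" ;;
      *) echo "$1:$p unresolvable" ;;
    esac
  done
}

# api_get FQDN CHAINFILE [PATH]: fetch PATH over HTTPS with the chain file as
# the trust anchor. curl checks the name in the URL against the certificate's
# subjectAltName, so FQDN must be the DNS name the certificate was issued for;
# an IP address here fails verification unless the cert carries an IP SAN.
# Credentials come from the environment (SWITCH_USER / SWITCH_PASS).
api_get() {
  curl -sS --cacert "$2" -u "${SWITCH_USER:?}:${SWITCH_PASS:?}" \
    "https://$1${3:-/}"
}

case $# in
  1)   listener_report "$1" ;;
  2|3) listener_report "$1" && api_get "$1" "$2" "${3:-/}" ;;
  *)   echo "usage: $0 <switch-fqdn> [ca-chain.pem [path]]" >&2 ;;
esac
```

Run `sh check-switch.sh switch01.example.net` before the change and again after the HTTP server restart; the second run should show 80 closed and 443 open. Adding the chain file (`sh check-switch.sh switch01.example.net ca-chain.cert.pem /your/api/path`) then proves the certificate chains to your CA and that the name in the URL matches the certificate, which is the check that `-k` skips.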

Done!
