REST API Switch Configuration Settings
Configuring REST API Access
Netvisor ONE® enables you to use REST API over HTTP and HTTPS to manage the switches in a fabric, in addition to using the CLI.
Though REST API access over HTTP is simpler to configure, Pluribus Networks recommends using HTTPS for security reasons.
The vREST web application that runs on the switch enables the REST API client to access the switch's resources.
Follow the steps below to configure REST API access over HTTP:
Enable the web service using the command: admin-service-modify.
CLI (network-admin@switch1) > admin-service-modify if mgmt web
admin-service-modify              Modify services on the switch.
if if-string                      Specify the administrative service interface.
Specify one or more of the following options:
ssh|no-ssh                        Specify if you want to connect to the switch using Secure Shell (SSH).
nfs|no-nfs                        Specify if you want to use Network File System (NFS) for the administrative service.
web|no-web                        Specify if you want to enable web management. Use this option to enable REST API access over HTTP.
web-ssl|no-web-ssl                Specify if you want to use SSL and certificates for web services. Use this option to enable REST API access over HTTPS.
web-ssl-port web-ssl-port-number  Specify the web SSL port.
web-port web-port-number          Specify the port for web management.
web-log|no-web-log                Specify if you want to turn web logging on or off.
snmp|no-snmp                      Specify if SNMP is allowed as a service.
net-api|no-net-api                Specify if APIs are allowed as a service.
icmp|no-icmp                      Specify if Internet Control Message Protocol (ICMP) is allowed as a service.
Verify the configuration using the admin-service-show command:
CLI (network-admin@switch1) > admin-service-show
switch      if   ssh nfs web web-ssl web-ssl-port web-port snmp net-api icmp
----------- ---- --- --- --- ------- ------------ -------- ---- ------- ----
switch1     mgmt on  off on  on      443          80       on   off     on
switch1     data on  off on  off     443          80       on   off     on
To access the log details, enable the web-log parameter by using the command:
CLI (network-admin@switch1) > admin-service-modify if mgmt web-log
Warning: We recommend enabling web-log for debugging purposes and only as advised by Pluribus Networks Technical Support as log files can quickly consume available disk space.
To confirm that web-log is enabled, run the following command:
CLI (network-admin@udev-leo1) > admin-service-show format all
To disable web-log, run the following command:
CLI (network-admin@switch1) > admin-service-modify if mgmt no-web-log
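The admin-service-show output above can be checked mechanically for interfaces that still offer the REST API over HTTP. The following is an added example, not part of the Netvisor ONE documentation or tooling; the function names and the OK/WARN/FAIL policy are assumptions of the example, and the sample input is the output shown on this page.

```shell
#!/bin/sh
# Added example: flag interfaces whose REST/web service is reachable over HTTP.

# Reads captured `admin-service-show` output on stdin. Columns are found by
# header name, so a different column order or additional columns do not matter.
audit_admin_services() {
    awk '
        $1 == "switch" && !have_header {
            for (i = 1; i <= NF; i++) col[$i] = i
            if (!("if" in col) || !("web" in col) || !("web-ssl" in col)) {
                print "expected if, web and web-ssl columns" > "/dev/stderr"
                exit 2
            }
            have_header = 1
            next
        }
        # Ignore the prompt line, the dashed separator and blank lines.
        !have_header || NF == 0 || /^-+( |$)/ { next }
        {
            name = $(col["switch"]) "/" $(col["if"])
            web = $(col["web"]); ssl = $(col["web-ssl"])
            if (web == "on" && ssl == "on")
                print name ": WARN HTTP is still enabled alongside HTTPS"
            else if (web == "on")
                print name ": FAIL REST API is offered over HTTP only"
            else if (ssl == "on")
                print name ": OK HTTPS only"
            else
                print name ": OK web services disabled"
        }
    '
}

# Constructed sample: the admin-service-show output shown on this page.
sample_admin_service_show() {
    cat <<'EOF'
CLI (network-admin@switch1) > admin-service-show
switch      if   ssh nfs web web-ssl web-ssl-port web-port snmp net-api icmp
----------- ---- --- --- --- ------- ------------ -------- ---- ------- ----
switch1     mgmt on  off on  on      443          80       on   off     on
switch1     data on  off on  off     443          80       on   off     on
EOF
}

sample_admin_service_show | audit_admin_services
```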
Configuring REST API Access over HTTPS
To enable HTTPS communication between a REST API client and Netvisor vREST web service, you have two options:
1. You can generate a self-signed certificate using Netvisor CLI and use this certificate for the REST web service.
2. After creating a self-signed certificate using Netvisor CLI, create a certificate request, get the certificate request signed by a trusted Certificate Authority (CA), import the signed certificate and CA certificate into Netvisor ONE, and use the certificates for REST API web service.
Follow the steps below to create the certificates and deploy them:
Generate a self-signed certificate (the private key and the certificate file, in PEM format) using the web-cert-self-signed-create command.
CLI (network-admin@switch1) > web-cert-self-signed-create
web-cert-self-signed-create                     This command creates a self-signed certificate and deletes any existing certificates.
country country-string                          Specify the contact address of the organization, starting with the country code.
state state-string                              Specify the state or province.
city city-string                                Specify the city.
organization organization-string                Specify the name of the organization.
organizational-unit organizational-unit-string  Specify the organizational unit.
common-name common-name-string                  Specify the common name. The common name must precisely match the hostname where the certificate is installed.
For example:
CLI (network-admin@switch1) > web-cert-self-signed-create country US state California city "Santa Clara" organization "Pluribus Networks Inc" organizational-unit Engineering common-name switch1.pluribusnetworks.com
Successfully generated self-signed certificate.
This command generates the certificate request and saves the files internally.
Enable web-ssl by using the admin-service-modify command.
CLI (network-admin@switch1) > admin-service-modify if data web-ssl
If you want to get the certificate signed by a trusted Certificate Authority (CA), generate a CSR from the self-signed certificate by using the command web-cert-request-create.
CLI (network-admin@switch1) > web-cert-request-create
Certificate signing request successfully generated at /sftp/export/switch1.pluribusnetworks.com.csr
To view the CSR, use the command web-cert-request-show.
CLI (network-admin@switch1) > web-cert-request-show
web-cert-request-show             Displays the certificate signing request.
cert-request cert-request-string  Specify the name of the CSR.
For example:
CLI (network-admin@switch1) > web-cert-request-show
cert-request
----------------------------------------------------------------
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
Send the CSR to your trusted CA. You can copy the web-cert-request-show output and send it to the CA for signing the certificate.
You can also connect to the switch using SFTP, copy the certificate file from the /sftp/export location, and send it to the CA.
If SFTP is disabled, enable it with the command admin-sftp-modify enable.
In return, the CA provides the server certificate of your switch signed using the intermediate key.
Upload the signed certificate, the CA root certificate, and the intermediate CA certificate (if an intermediate CA signs the certificate) to the /sftp/import directory on the switch using SFTP.
For example:
$ sftp sftp@switch1
Password:pluribus_password
sftp> cd /sftp/import
sftp> put server-cert.pem
Import the signed server certificate, CA root certificate, and the intermediate certificate (if available) onto the switch using the web-cert-import command:
CLI (network-admin@switch1) > web-cert-import
web-cert-import                 This command imports certificates from the /sftp/import directory.
file-ca file-ca-string          Specify the name of the CA certificate file.
file-server file-server-string  Specify the name of the server certificate file (signed by the CA).
file-inter file-inter-string    Specify the name of the intermediate CA certificate file.
CLI (network-admin@switch1) > web-cert-import file-ca ca.pem file-server server-cert.pem file-inter intermediate.pem
Successfully imported certificates.
After the import is successful, enable web-ssl using the admin-service-modify command.
CLI (network-admin@switch) > admin-service-modify if data web-ssl
Related Commands
- web-cert-clear
Use this command to delete previously generated certificates.
For example:
CLI (network-admin@switch1) > web-cert-clear
Successfully deleted all certificate files.
- web-cert-info-show
Use this command to display web certificate information.
CLI (network-admin@switch1) > web-cert-info-show
web-cert-info-show                Displays the web certificate information.
Specify any of the following options:
cert-type ca|intermediate|server  Specify one of the options as the certificate type.
subject subject-string            Specify the subject of the certificate.
issuer issuer-string              Specify the issuer of the certificate.
serial-number serial-number       Specify the serial number of the certificate.
valid-from valid-from-string      Specify the time from which the certificate is valid.
valid-to valid-to-string          Specify the time at which the certificate expires and is no longer valid.
For example:
CLI (network-admin@switch1) > web-cert-info-show
switch: switch1
cert-type: ca
subject: /C=US/ST=CA/L=SJ/O=PN/OU=Engg/CN=switch1
issuer: /C=US/ST=CA/L=SJ/O=PN/OU=Engg/CN=switch1
serial-number: 1
valid-from: May 7 18:16:10 2019 GMT
valid-to: May 6 18:16:10 2020 GMT
----------------------------------------
switch: switch1
cert-type: server
subject: /C=US/ST=CA/L=SJ/O=PN/OU=Engg/CN=switch1
issuer: /C=US/ST=CA/L=SJ/O=PN/OU=Engg/CN=switch1
Using cURL to Implement SSL Certs
Use cURL to automate the upload of the CA root, CA intermediate and signed switch certificates.
Run the following command for each of the PEM formatted certificates:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' <file-name>.pem
Example
$ awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' /tmp/server-cert.pem.bkp
-----BEGIN CERTIFICATE-----
\nMIIDHDCCAgQCAQEwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCSU4xCzAJBgNV
\nBAgMAktBMQwwCgYDVQQHDANCTFIxCzAJBgNVBAoMAlBOMQwwCgYDVQQLDANFTkcx
\nDzANBgNVBAMMBlNQSU5FMTAeFw0yMDA1MDQxODM4NTZaFw0yMTA1MDQxODM4NTZa
\nMFQxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJLQTEMMAoGA1UEBwwDQkxSMQswCQYD
\nVQQKDAJQTjEMMAoGA1UECwwDRU5HMQ8wDQYDVQQDDAZTUElORTEwggEiMA0GCSqG
\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCot16ddH0LNHOrWZt63FHYiArVXYIYbCDh
\nWCY6MX3suoXYvKstvRgJkUe/6G5As+vYtwRi2bDqdDsgTC5+Qo4SnjrdTcTM98F+
\n0Qzqv02c+dbzk5GclUkljqq0PHGXRPGOMhou8B/6LI9Hg5XkG+FSfaDGQTM39uj2
\nzzvrMOFn96gzpTBoh40sMoIpnKQLrWeGjlNxaBxhM342c1jn1CVmXss/uHMQeang
\nsVhPTynikyxIrDwl9gh/2X1EwzVzpAnUBTUZvJ9rgrceC9GcuGmiPZgxxSruNb0w
\nK8xsyH8/hLwhK4Axgu3a+lfmmKFmSWjywmcxlmQl+jwiMPA/Ty55AgMBAAEwDQYJ
\nKoZIhvcNAQELBQADggEBAEG0D/2FcNU6Z6w/6eKbyH855kHSrJyqeU8eoCW9rnOb
\nqdnAsFX3aYwiUCjzSFXpWA3bRr3L7X0Y01x7VSvwITuDvwO43llK29rQfrSvoPiw
\nf7fhU7bszlUc2GAumU9OEdYBnSI1DzfBawUcPmbDmm+ci27k0po53KDWTbxkBIZR
\n2Oh25LXkmq8ZBzE4vgS+mAw436nToazB1/vDTMWoBuLVzOUlU8cdcjJUnJBevTbX
\nThP691sHVMED8B8Fhl08BzIJmQQ9qp1tjplFq1Ea9oEFnT5U5gKvJYy48qEPlW+r
\nhRIHysvZXF/dghtrLXDMSBWLlLofUsDQsh+qLxpo1+k=
\n-----END CERTIFICATE-----\n
Warning: Failure to use the \n escape sequence, as in the examples shown, causes the script and the installation of the certificates to fail.
Note: Certificate examples on this page are displayed line-wrapped for purposes of documentation clarity only.
Copy the output into the JSON payload.
$ curl -u network-admin:pluribus_password http://10.100.64.5/vRest/web-certs/upload -H "content-type:application/json" -v -X POST -d '{"cert-ca":"-----BEGIN CERTIFICATE-----
\nMIIDHDCCAgQCAQEwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCSU4xCzAJBgNV
\nBAgMAktBMQwwCgYDVQQHDANCTFIxCzAJBgNVBAoMAlBOMQwwCgYDVQQLDANFTkcx
\nDzANBgNVBAMMBlNQSU5FMTAeFw0yMDA1MDQxODM4NTZaFw0yMTA1MDQxODM4NTZa
\nMFQxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJLQTEMMAoGA1UEBwwDQkxSMQswCQYD
\nVQQKDAJQTjEMMAoGA1UECwwDRU5HMQ8wDQYDVQQDDAZTUElORTEwggEiMA0GCSqG
\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCot16ddH0LNHOrWZt63FHYiArVXYIYbCDh
\nWCY6MX3suoXYvKstvRgJkUe/6G5As+vYtwRi2bDqdDsgTC5+Qo4SnjrdTcTM98F+
\n0Qzqv02c+dbzk5GclUkljqq0PHGXRPGOMhou8B/6LI9Hg5XkG+FSfaDGQTM39uj2
\nzzvrMOFn96gzpTBoh40sMoIpnKQLrWeGjlNxaBxhM342c1jn1CVmXss/uHMQeang
\nsVhPTynikyxIrDwl9gh/2X1EwzVzpAnUBTUZvJ9rgrceC9GcuGmiPZgxxSruNb0w
\nK8xsyH8/hLwhK4Axgu3a+lfmmKFmSWjywmcxlmQl+jwiMPA/Ty55AgMBAAEwDQYJ
\nKoZIhvcNAQELBQADggEBAEG0D/2FcNU6Z6w/6eKbyH855kHSrJyqeU8eoCW9rnOb
\nqdnAsFX3aYwiUCjzSFXpWA3bRr3L7X0Y01x7VSvwITuDvwO43llK29rQfrSvoPiw
\nf7fhU7bszlUc2GAumU9OEdYBnSI1DzfBawUcPmbDmm+ci27k0po53KDWTbxkBIZR
\n2Oh25LXkmq8ZBzE4vgS+mAw436nToazB1/vDTMWoBuLVzOUlU8cdcjJUnJBevTbX
\nThP691sHVMED8B8Fhl08BzIJmQQ9qp1tjplFq1Ea9oEFnT5U5gKvJYy48qEPlW+r
\nhRIHysvZXF/dghtrLXDMSBWLlLofUsDQsh+qLxpo1+k=
\n-----END CERTIFICATE-----\n",
"cert-server":"-----BEGIN CERTIFICATE-----
\nMIIDHDCCAgQCAQEwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCSU4xCzAJBgNV
\nBAgMAktBMQwwCgYDVQQHDANCTFIxCzAJBgNVBAoMAlBOMQwwCgYDVQQLDANFTkcx
\nDzANBgNVBAMMBlNQSU5FMTAeFw0yMDA1MDQxODM4NTZaFw0yMTA1MDQxODM4NTZa
\nMFQxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJLQTEMMAoGA1UEBwwDQkxSMQswCQYD
\nVQQKDAJQTjEMMAoGA1UECwwDRU5HMQ8wDQYDVQQDDAZTUElORTEwggEiMA0GCSqG
\nSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCot16ddH0LNHOrWZt63FHYiArVXYIYbCDh
\nWCY6MX3suoXYvKstvRgJkUe/6G5As+vYtwRi2bDqdDsgTC5+Qo4SnjrdTcTM98F+
\n0Qzqv02c+dbzk5GclUkljqq0PHGXRPGOMhou8B/6LI9Hg5XkG+FSfaDGQTM39uj2
\nzzvrMOFn96gzpTBoh40sMoIpnKQLrWeGjlNxaBxhM342c1jn1CVmXss/uHMQeang
\nsVhPTynikyxIrDwl9gh/2X1EwzVzpAnUBTUZvJ9rgrceC9GcuGmiPZgxxSruNb0w
\nK8xsyH8/hLwhK4Axgu3a+lfmmKFmSWjywmcxlmQl+jwiMPA/Ty55AgMBAAEwDQYJ
\nKoZIhvcNAQELBQADggEBAEG0D/2FcNU6Z6w/6eKbyH855kHSrJyqeU8eoCW9rnOb
\nqdnAsFX3aYwiUCjzSFXpWA3bRr3L7X0Y01x7VSvwITuDvwO43llK29rQfrSvoPiw
\nf7fhU7bszlUc2GAumU9OEdYBnSI1DzfBawUcPmbDmm+ci27k0po53KDWTbxkBIZR
\n2Oh25LXkmq8ZBzE4vgS+mAw436nToazB1/vDTMWoBuLVzOUlU8cdcjJUnJBevTbX
\nThP691sHVMED8B8Fhl08BzIJmQQ9qp1tjplFq1Ea9oEFnT5U5gKvJYy48qEPlW+r
\nhRIHysvZXF/dghtrLXDMSBWLlLofUsDQsh+qLxpo1+k=
\n-----END CERTIFICATE-----\n"}'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 10.100.64.5...
* TCP_NODELAY set
* Connected to 10.100.64.5 (10.100.64.5) port 80 (#0)
* Server auth using Basic with user 'network-admin'
> POST /vRest/web-certs/upload HTTP/1.1
> Host: 10.100.64.5
> Authorization: Basic bmV0d29yay1hZG1pbjp0ZXN0MTIz
> User-Agent: curl/7.54.0
> Accept: */*
> content-type:application/json
> Content-Length: 2348
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, DELETE, PUT
< Set-Cookie: JSESSIONID=C52C3170DEEAC8E4996FF428D152BF25; Path=/vRest/; HttpOnly
< Date: Tue, 05 May 2020 19:34:05 GMT
< Content-Type: application/json
< Content-Length: 162
<
* Connection #0 to host 10.100.64.5 left intact
{"result":{"status":"Success","result":[{"api.switch-name":"local","scope":"local","status":"Success","code":0,"message":"Successfully uploaded certificates."}]}}
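The escape-and-paste procedure above can be scripted so that the payload is generated instead of copied by hand. This is an added example, not code from Pluribus Networks: the function names are assumptions, only the cert-ca and cert-server fields and the /vRest/web-certs/upload path come from this page, and the sample PEM is constructed. The base URL is a parameter because the page's example posts to http://, which carries the Basic credentials and the payload unencrypted; use an https:// URL once web-ssl is enabled.

```shell
#!/bin/sh
# Added example: build the JSON body for /vRest/web-certs/upload from PEM files.

# Print one PEM certificate on a single line, each source line followed by a
# literal backslash-n. CR is stripped before the blank-line test, and text
# outside the BEGIN/END markers is dropped so it cannot break the JSON string.
pem_to_json_string() {
    awk '
        { gsub(/\r/, "") }
        /^-----BEGIN CERTIFICATE-----/ { inside = 1 }
        inside && NF { printf "%s\\n", $0 }
        /^-----END CERTIFICATE-----/ { inside = 0 }
    ' "$1"
}

# Succeed only if the file holds exactly one certificate.
is_single_cert() {
    [ "$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] &&
    [ "$(grep -c -e '^-----END CERTIFICATE-----' "$1")" -eq 1 ]
}

# Usage: build_payload CA_PEM SERVER_PEM > payload.json
build_payload() {
    for f in "$1" "$2"; do
        is_single_cert "$f" || { echo "not a single PEM certificate: $f" >&2; return 1; }
    done
    printf '{"cert-ca":"%s","cert-server":"%s"}\n' \
        "$(pem_to_json_string "$1")" "$(pem_to_json_string "$2")"
}

# Usage: upload_certs BASE_URL USER PAYLOAD_FILE
# curl prompts for the password, keeping it out of shell history and ps output.
upload_certs() {
    curl --fail --silent --show-error -u "$2" \
        -H 'Content-Type: application/json' -d "@$3" "$1/vRest/web-certs/upload"
}

# Constructed sample (not a real certificate): leading text, CRLF line endings
# and a blank line.
write_sample_pem() {
    printf 'Bag "Attributes"\r\n-----BEGIN CERTIFICATE-----\r\nQUJDREVG\r\n\r\nR0hJSktM\r\n-----END CERTIFICATE-----\r\n' > "$1"
}

demo=$(mktemp) && write_sample_pem "$demo" && build_payload "$demo" "$demo"
rm -f "$demo"
```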