Secure NX-API calls using HTTPS with a self-signed certificate.

Cisco NX-API documentation states...

NX-API is an enhancement to the Cisco Nexus 9000 Series CLI system, which supports XML output. NX-API also supports JSON output format for specific commands.

  • NX-API uses HTTP/HTTPS as its transport. CLIs are encoded into the HTTP/HTTPS POST body.
  • NX-API supports HTTPS. All communication to the device is encrypted when you use HTTPS.
  • NX-API is integrated into the authentication system on the device. Users must have appropriate accounts to access the device through NX-API. NX-API uses HTTP basic authentication. All requests must contain the username and password in the HTTP header. You should consider using HTTPS to secure your user's login credentials.

Process

First, generate a self-signed certificate off-box, then copy the files to the switch supervisor(s) and configure the NX-API feature with HTTPS using the self-signed certs.

Generate a Certificate

  1. Generate a self-signed certificate off-box, using OpenSSL on any Linux host.

    The -nodes argument is used because NX-OS cannot import a passphrase-encrypted key file; ref: CSCva75989... This bug is still present in NX-OS version 7.0(3)I7(4).

    openssl req -x509 -newkey rsa:4096 -keyout nxapi-key.pem -out nxapi-cert.pem -days 36500 -nodes

Copy the Files

  1. Create a directory on the active supervisor to store the certs (optional), then copy the files to the switch.

    Replace {username}, {server}, and {path} in the following commands accordingly.

    mkdir bootflash:nxapi
    copy scp://{username}@{server}/{path}/nxapi-cert.pem bootflash://sup-1/nxapi/
    copy scp://{username}@{server}/{path}/nxapi-key.pem bootflash://sup-1/nxapi/
  2. Copy the files over to the standby supervisor (into the same directory), if it exists.

    mkdir bootflash://sup-2/nxapi
    copy bootflash://sup-1/nxapi/nxapi-cert.pem bootflash://sup-2/nxapi/
    copy bootflash://sup-1/nxapi/nxapi-key.pem bootflash://sup-2/nxapi/

Configure the Switch

  1. Enter configuration mode and enable the NX-API feature on the switch.

    conf
    feature nxapi
  2. Disable HTTP API access, define the HTTPS port, and specify the VRF (all optional).

    no nxapi http
    nxapi https port 8443
    nxapi use-vrf management
  3. Configure NX-API to use the self-signed certificates.

    nxapi certificate httpscrt certfile bootflash:nxapi/nxapi-cert.pem
    nxapi certificate httpskey keyfile bootflash:nxapi/nxapi-key.pem
    nxapi certificate enable
  4. Remember to write the config.

    end
    copy run start
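Once the switch is serving NX-API over HTTPS, the client side matters just as much: because NX-API uses HTTP basic authentication, the credentials travel in a header on every request, and a client that disables certificate verification to cope with a self-signed certificate throws away the protection HTTPS was meant to give. The following is an added example (not from the original page and not Cisco code) showing a standard-library Python client that trusts only the nxapi-cert.pem generated above as its single trust anchor, keeps hostname checking on, and sends a JSON-RPC "cli" request to the /ins endpoint on the port configured above. The host name, credentials and certificate path are placeholders; it assumes the certificate's CN or SAN matches the host name you connect to (if it does not, the TLS handshake fails instead of silently accepting the certificate), and that the switch is reachable, which the offline-testable helpers do not need.

```python
import base64
import json
import ssl
import urllib.request

# NX-API JSON-RPC endpoint path and the HTTPS port configured on the switch
# with "nxapi https port 8443" above.
NXAPI_PATH = "/ins"
DEFAULT_PORT = 8443


def nxapi_url(host, port=DEFAULT_PORT):
    """Build the HTTPS URL for the NX-API JSON-RPC endpoint."""
    return f"https://{host}:{port}{NXAPI_PATH}"


def build_jsonrpc_payload(commands):
    """Wrap one or more CLI commands in the NX-API JSON-RPC batch format."""
    return [
        {
            "jsonrpc": "2.0",
            "method": "cli",
            "params": {"cmd": cmd, "version": 1},
            "id": idx,
        }
        for idx, cmd in enumerate(commands, start=1)
    ]


def basic_auth_header(username, password):
    """HTTP basic auth value; this is why plaintext HTTP should stay disabled."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def make_ssl_context(cert_file):
    """TLS context that trusts ONLY the switch's self-signed certificate.

    Passing cafile= means the system CA bundle is not loaded, so a certificate
    issued by any public CA for the same name would be rejected: this pins the
    client to the exact certificate copied to bootflash:nxapi/ above.
    """
    ctx = ssl.create_default_context(cafile=cert_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_request(host, username, password, commands, port=DEFAULT_PORT):
    """Assemble the POST request without sending it (testable offline)."""
    data = json.dumps(build_jsonrpc_payload(commands)).encode()
    req = urllib.request.Request(nxapi_url(host, port), data=data, method="POST")
    req.add_header("Content-Type", "application/json-rpc")
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


def extract_results(response):
    """Normalise the NX-API reply and raise on any per-command error.

    NX-API answers a single-command batch with one object and a multi-command
    batch with a list; callers always get a list of result bodies back.
    """
    items = response if isinstance(response, list) else [response]
    bodies = []
    for item in items:
        if "error" in item:
            raise RuntimeError(f"command id {item.get('id')} failed: {item['error']}")
        bodies.append(item["result"]["body"])
    return bodies


def run_cli(host, username, password, commands, cert_file, port=DEFAULT_PORT, timeout=10):
    """Send the commands over pinned HTTPS and return the parsed result bodies."""
    req = build_request(host, username, password, commands, port)
    ctx = make_ssl_context(cert_file)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return extract_results(json.loads(resp.read().decode()))


if __name__ == "__main__":
    # Placeholder host, credentials and certificate path: replace accordingly.
    for body in run_cli("switch.example.net", "admin", "secret",
                        ["show version"], "nxapi-cert.pem"):
        print(json.dumps(body, indent=2))
```

The trust decision lives entirely in make_ssl_context: the certificate file is both the trust anchor and, in effect, a pin, so rotating the certificate on the switch (re-running the openssl command and the copy/configure steps above) means distributing the new nxapi-cert.pem to every client as well.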
