Wired Intelligent Edge (Campus Switching and Routing)

Contributor I

AOS REST API Trouble with .pem files

Hi everyone,

Using this quarantine time to learn about REST APIs. I have been following this template:

https://robin.lauren.fi/posts/hp-switch-certificate/

I have been able to get most of it done, but I run into trouble getting the certificate chain related to the trust anchor. I have been getting help from our cert guy, so a lot of this is foreign to me. Basically when I try to copy via TFTP, it tells me it's invalid (see attached photo), but my guy is telling me the certificate I'm relating is .pem encoded, so I'm confused.

I know this is kind of vague, but I'll answer any questions or offer more information if need be. Any help is appreciated.


Accepted Solutions
Occasional Contributor II

Re: AOS REST API Trouble with .pem files

The API is enabled by default in plaintext (HTTP). In CLI that would be "web-management" (note, no "ssl" behind it).

If you want to encrypt the communication (HTTPS), you'd need a web server certificate on the switch. CLI: "web-management ssl"

For that, you can either use a self-signed certificate or a CA-signed certificate.

If you want to use your local CA, you need to install your certificate chain as Trust Anchor (make your PKI trusted), and then generate a CSR, so that your CA can sign it.

You can do that all via CLI or via API.

On the CLI these commands are "crypto key" and "crypto pki"; for the API, look at my previous post.

EDIT:

I wrote a small tutorial:

https://kohnkenet.de/index.php/2020/04/16/introduction-to-arubaos-s-rest-api/



All Replies
MVP Guru Elite

Re: AOS REST API Trouble with .pem files

Hi bs1,

What are you trying to make?

Because the link is about certificates on the switch (and not the REST API).



PowerArubaSW: Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP... More info

PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...) More info

PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)

PowerArubaIAP: Powershell Module to use Aruba Instant AP

PowerArubaMC: Powershell Module to use Mobility Controller / Master


ACMP 6.4 / ACMX #107 / ACCP 6.5 / ACSP
Occasional Contributor II

Re: AOS REST API Trouble with .pem files

With what are you accessing the API? I have Python code for everything regarding certificates and AOS-S switches, so maybe I can give you a hand with your problem.

If you want to take a look yourself:

https://github.com/Linkk93/aos_api_connector/blob/master/aos_s/api_cert.py

What your colleague probably meant is that the file you get from the switch is base64 encoded; you need to decode it (using e.g. OpenSSL), and if you want to upload it, you need to encode it first.

Edit:

You don't work with TFTP if you work with the API. You just dump the data in the HTTP request.
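
The PEM versus base64/DER confusion discussed above can be checked offline before anything is sent to a switch. The following is an added example, not part of the original posts or of the linked project: `diagnose`, `to_pem` and `SAMPLE_DER` are hypothetical names, the sample bytes are constructed, and the problems it lists are common reasons a "PEM" file fails to parse, not a confirmed list of what the switch rejects.

```python
import base64
import binascii
import re

# One PEM certificate block; group 1 is the base64 body between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

# Constructed placeholder bytes, NOT a real certificate: only the leading 0x30
# (ASN.1 SEQUENCE tag) matters for the framing checks below.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(96))

def to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM: base64 in 64-character lines, LF line endings."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def diagnose(data: bytes) -> dict:
    """Report the encoding of a certificate file, its DER certs and any problems."""
    if data[:1] == b"\x30":  # raw ASN.1, so the file is binary DER rather than PEM
        return {"format": "der", "certs": [data], "problems": ["binary DER, not PEM"]}
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return {"format": "unknown", "certs": [], "problems": ["non-ASCII bytes"]}
    problems, certs = [], []
    if "\r\n" in text:
        problems.append("CRLF line endings")
    for n, match in enumerate(PEM_BLOCK.finditer(text), start=1):
        try:
            der = base64.b64decode("".join(match.group(1).split()), validate=True)
        except binascii.Error:
            problems.append(f"block {n}: invalid base64")
            continue
        if der[:1] != b"\x30":
            problems.append(f"block {n}: decoded body is not an ASN.1 SEQUENCE")
        certs.append(der)
    if PEM_BLOCK.sub("", text).strip():
        problems.append("text outside the BEGIN/END markers")
    if not certs:
        problems.append("no valid CERTIFICATE block found")
    return {"format": "pem" if certs else "unknown", "certs": certs, "problems": problems}

if __name__ == "__main__":
    chain = to_pem(SAMPLE_DER) * 2  # constructed two-certificate chain
    print(diagnose(chain.encode("ascii")))
    print(diagnose(SAMPLE_DER))
```

Running `diagnose` on the file's bytes shows whether it is binary DER, a clean PEM chain, or PEM with extra text or Windows line endings; `to_pem` re-wraps each returned DER certificate as normalized PEM.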

Contributor I

Re: AOS REST API Trouble with .pem files

Hi guys,

Thanks for the info. I am very new to all this, so thanks for your patience.

My understanding was even before starting any REST APIs, I need to open up web management SSL on our switches, hence the need to put all these certs and trust chains on them.

Ideally, my goal was to be able to call for data from our 400+ switches (e.g. VLANs, MAC or IP addresses, or user-roles, etc.)
