1 .. _netconf-user-guide:
17 NETCONF is an XML-based protocol used for configuration and monitoring
18 devices in the network. The base NETCONF protocol is described in
19 `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__.
21 **NETCONF in OpenDaylight:.**
23 OpenDaylight supports the NETCONF protocol as a northbound server as
24 well as a southbound plugin. It also includes a set of test tools for
25 simulating NETCONF devices and clients.
27 Southbound (netconf-connector)
28 ------------------------------
30 The NETCONF southbound plugin is capable of connecting to remote NETCONF
31 devices and exposing their configuration/operational datastores, RPCs
32 and notifications as MD-SAL mount points. These mount points allow
33 applications and remote users (over RESTCONF) to interact with the
36 In terms of RFCs, the connector supports:
38 - `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
40 - `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
42 - `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
44 - `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
46 **Netconf-connector is fully model-driven (utilizing the YANG modeling
47 language) so in addition to the above RFCs, it supports any
48 data/RPC/notifications described by a YANG model that is implemented by
53 NETCONF southbound can be activated by installing
54 ``odl-netconf-connector-all`` Karaf feature.
56 Netconf-connector configuration
57 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
59 NETCONF connectors are configured directly through the usage of the
60 network-topology model. You can configure new NETCONF connectors both
61 through the NETCONF server for MD-SAL (port 2830) or RESTCONF. This guide
66 Since 2022.09 Chlorine there is only one RESTCONF endpoint:
68 - | ``http://localhost:8181/rests`` is related to `RFC-8040 <https://www.rfc-editor.org/rfc/rfc8040>`__,
69 | can be activated by installing ``odl-restconf-nb``
72 | Resources for configuration and operational datastores start
75 http://localhost:8181/rests/data/network-topology:network-topology
76 with response of both datastores. It's allowed to use query
77 parameters to distinguish between them.
79 http://localhost:8181/rests/data/network-topology:network-topology?content=config
80 for configuration datastore
82 http://localhost:8181/rests/data/network-topology:network-topology?content=nonconfig
83 for operational datastore.
85 | Also if a data node in the path expression is a YANG leaf-list or list
86 node, the path segment has to be constructed by having leaf-list or
87 list node name, followed by an "=" character, then followed by the
88 leaf-list or list value. Any reserved characters must be
91 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf?content=config
92 for retrieving data from configuration datastore for
93 topology-netconf value of topology list.
98 1. OpenDaylight is running
100 2. In Karaf, you must have the ``odl-netconf-topology`` or
101 ``odl-netconf-clustered-topology`` feature installed.
103 3. Feature ``odl-restconf-nb`` must be installed
105 Spawning new NETCONF connectors
106 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
108 To create a new NETCONF connector you need to send the following PUT request
115 - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
117 You could use the same body to create the new NETCONF connector with a POST
118 without specifying the node in the URL:
124 - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf
132 **Content-type:** ``application/xml``
134 **Accept:** ``application/xml``
136 **Authentication:** ``admin:admin``
140 <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
141 <node-id>new-netconf-device</node-id>
142 <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
143 <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
144 <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
145 <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
146 <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
147 <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
148 <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
149 <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
150 <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
151 <between-attempts-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">2000</between-attempts-timeout-millis>
152 <sleep-factor xmlns="urn:opendaylight:netconf-node-topology">1.5</sleep-factor>
153 <!-- keepalive-delay set to 0 turns off keepalives-->
154 <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
159 **Content-type:** ``application/json``
161 **Accept:** ``application/json``
163 **Authentication:** ``admin:admin``
170 "node-id": "new-netconf-device",
171 "netconf-node-topology:port": 17830,
172 "netconf-node-topology:reconnect-on-changed-schema": false,
173 "netconf-node-topology:connection-timeout-millis": 20000,
174 "netconf-node-topology:tcp-only": false,
175 "netconf-node-topology:max-connection-attempts": 0,
176 "netconf-node-topology:username": "admin",
177 "netconf-node-topology:password": "admin",
178 "netconf-node-topology:sleep-factor": 1.5,
179 "netconf-node-topology:host": "127.0.0.1",
180 "netconf-node-topology:between-attempts-timeout-millis": 2000,
181 "netconf-node-topology:keepalive-delay": 120
186 Note that the device name in <node-id> element must match the last
187 element of the restconf URL.
189 Reconfiguring an existing connector
190 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
192 The steps to reconfigure an existing connector are exactly the same as
193 when spawning a new connector. The old connection will be disconnected
194 and a new connector with the new configuration will be created. This needs
195 to be done with a PUT request because the node already exists. A POST
196 request will fail for that reason.
198 Additionally, a PATCH request can be used to modify an existing
199 configuration. Currently, only yang-patch (`RFC-8072 <https://www.rfc-editor.org/rfc/rfc8072>`__)
200 is supported. The URL would be the same as the above PUT examples.
201 Using JSON for the body, the headers needed for the request would
206 - Accept: application/yang-data+json
208 - Content-Type: application/yang-patch+json
210 Example JSON payload to modify the password entry:
215 "ietf-restconf:yang-patch" : {
220 "operation" : "merge",
225 "node-id": "new-netconf-device",
226 "netconf-node-topology:password" : "newpassword"
235 Deleting an existing connector
236 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
238 To remove an already configured NETCONF connector you need to send a
239 DELETE request to the same PUT request URL that was used to create the
246 - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
250 No body is needed to delete the node/device
252 Connecting to a device not supporting NETCONF monitoring
253 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
255 The netconf-connector in OpenDaylight relies on ietf-netconf-monitoring
256 support when connecting to remote NETCONF device. The
257 ietf-netconf-monitoring support allows netconf-connector to list and
258 download all YANG schemas that are used by the device. NETCONF connector
259 can only communicate with a device if it knows the set of used schemas
260 (or at least a subset). However, some devices use YANG models internally
261 but do not support NETCONF monitoring. Netconf-connector can also
262 communicate with these devices, but you have to side load the necessary
263 yang models into OpenDaylight’s YANG model cache for netconf-connector.
264 In general there are 2 situations you might encounter:
266 **1. NETCONF device does not support ietf-netconf-monitoring but it does
267 list all its YANG models as capabilities in HELLO message**
269 This could be a device that internally uses only ietf-inet-types YANG
270 model with revision 2010-09-24. In the HELLO message that is sent from
271 this device there is this capability reported:
275 urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2010-09-24
277 **For such devices you only need to put the schema into folder
278 cache/schema inside your Karaf distribution.**
282 The file with YANG schema for ietf-inet-types has to be called
283 ietf-inet-types@2010-09-24.yang. It is the required naming format of
286 **2. NETCONF device does not support ietf-netconf-monitoring and it does
287 NOT list its YANG models as capabilities in HELLO message**
289 Compared to device that lists its YANG models in HELLO message, in this
290 case there would be no capability with ietf-inet-types in the HELLO
291 message. This type of device basically provides no information about the
292 YANG schemas it uses so its up to the user of OpenDaylight to properly
293 configure netconf-connector for this device.
295 Netconf-connector has an optional configuration attribute called
296 yang-module-capabilities and this attribute can contain a list of "YANG
297 module based" capabilities. So by setting this configuration attribute,
298 it is possible to override the "yang-module-based" capabilities reported
299 in HELLO message of the device. To do this, we need to modify the
300 configuration of netconf-connector like in the example below:
306 **Content-type:** ``application/xml``
308 **Accept:** ``application/xml``
310 **Authentication:** ``admin:admin``
314 <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
315 <node-id>r5</node-id>
316 <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
317 <port xmlns="urn:opendaylight:netconf-node-topology">8305</port>
318 <username xmlns="urn:opendaylight:netconf-node-topology">root</username>
319 <password xmlns="urn:opendaylight:netconf-node-topology">root</password>
320 <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
321 <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">30</keepalive-delay>
322 <yang-module-capabilities xmlns="urn:opendaylight:netconf-node-topology">
323 <override>true</override>
324 <capability xmlns="urn:opendaylight:netconf-node-topology">
325 urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15
327 </yang-module-capabilities>
332 **Content-type:** ``application/json``
334 **Accept:** ``application/json``
336 **Authentication:** ``admin:admin``
344 "netconf-node-topology:host": "127.0.0.1",
345 "netconf-node-topology:password": "root",
346 "netconf-node-topology:username": "root",
347 "netconf-node-topology:yang-module-capabilities": {
350 "urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15"
353 "netconf-node-topology:port": 8305,
354 "netconf-node-topology:tcp-only": false,
355 "netconf-node-topology:keepalive-delay": 30
360 **Remember to also put the YANG schemas into the cache folder.**
364 For putting multiple capabilities, you just need to replicate the
365 capability element inside yang-module-capability element.
366 Capability element is modeled as a leaf-list. With this
367 configuration, we would make the remote device report usage of
368 ietf-inet-types in the eyes of netconf-connector.
370 Connecting to a device supporting only NETCONF 1.0
371 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
373 OpenDaylight is schema-based distribution and heavily depends on YANG
374 models. However some legacy NETCONF devices are not schema-based and
375 implement just RFC 4741. This type of device does not utilize YANG
376 models internally and OpenDaylight does not know how to communicate
377 with such devices, how to validate data, or what the semantics of data
380 NETCONF connector can communicate also with these devices, but the
381 trade-offs are worsened possibilities in utilization of NETCONF
382 mountpoints. Using RESTCONF with such devices is not suported. Also
383 communicating with schemaless devices from application code is slightly
386 To connect to schemaless device, there is a optional configuration option
387 in netconf-node-topology model called schemaless. You have to set this
390 Clustered NETCONF connector
391 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
393 To spawn NETCONF connectors that are cluster-aware you need to install
394 the ``odl-netconf-clustered-topology`` karaf feature.
398 The ``odl-netconf-topology`` and ``odl-netconf-clustered-topology``
399 features are considered **INCOMPATIBLE**. They both manage the same
400 space in the datastore and would issue conflicting writes if
403 Configuration of clustered NETCONF connectors works the same as the
404 configuration through the topology model in the previous section.
406 When a new clustered connector is configured the configuration gets
407 distributed among the member nodes and a NETCONF connector is spawned on
408 each node. From these nodes a master is chosen which handles the schema
409 download from the device and all the communication with the device. You
410 will be able to read/write to/from the device from all slave nodes due
411 to the proxy data brokers implemented.
413 You can use the ``odl-netconf-clustered-topology`` feature in a single
414 node scenario as well but the code that uses akka will be used, so for a
415 scenario where only a single node is used, ``odl-netconf-topology``
418 Netconf-connector utilization
419 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
421 Once the connector is up and running, users can utilize the new mount
422 point instance. By using RESTCONF or from their application code. This
423 chapter deals with using RESTCONF and more information for app
424 developers can be found in the developers guide or in the official
425 tutorial application **ncmount** that can be found in the coretutorials
428 - https://github.com/opendaylight/coretutorials/tree/master/ncmount
430 Reading data from the device
431 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
433 Just invoke (no body needed):
436 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount?content=nonconfig
438 This will return the entire content of operation datastore from the
439 device. To view just the configuration datastore, change **nonconfig**
440 in this URL to **config**.
442 Writing configuration data to the device
443 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
445 In general, you cannot simply write any data you want to the device. The
446 data have to conform to the YANG models implemented by the device. In
447 this example we are adding a new interface-configuration to the mounted
448 device (assuming the device supports Cisco-IOS-XR-ifmgr-cfg YANG model).
449 In fact this request comes from the tutorial dedicated to the
450 **ncmount** tutorial app.
453 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/Cisco-IOS-XR-ifmgr-cfg:interface-configurations
457 <interface-configuration xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg">
459 <interface-name>mpls</interface-name>
460 <description>Interface description</description>
461 <bandwidth>32</bandwidth>
462 <link-status></link-status>
463 </interface-configuration>
465 Should return 200 response code with no body.
469 This call is transformed into a couple of NETCONF RPCs. Resulting
470 NETCONF RPCs that go directly to the device can be found in the
471 OpenDaylight logs after invoking ``log:set TRACE
472 org.opendaylight.controller.sal.connect.netconf`` in the Karaf
473 shell. Seeing the NETCONF RPCs might help with debugging.
475 This request is very similar to the one where we spawned a new netconf
476 device. That’s because we used the loopback netconf-connector to write
477 configuration data into config-subsystem datastore and config-subsystem
478 picked it up from there.
483 Devices can implement any additional RPC and as long as it provides YANG
484 models for it, it can be invoked from OpenDaylight. Following example
485 shows how to invoke the get-schema RPC (get-schema is quite common among
486 netconf devices). Invoke:
489 http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/ietf-netconf-monitoring:get-schema
493 <input xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">
494 <identifier>ietf-yang-types</identifier>
495 <version>2013-07-15</version>
498 This call should fetch the source for ietf-yang-types YANG model from
501 Receiving Netconf Device Notifications on a http client
502 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
504 Devices emit netconf alarms and notifictions on certain situtations, which can demand
505 attention from Device Administration. The notifications are received as Netconf messages on an
506 active Netconf session.
508 Opendaylight provides the way to stream the device notifications over a http session.
510 - Step 1: Mount the device (assume node name is test_device)
512 - Step 2: Wait for the device to be connected.
514 - Step 3: Create the Subscription for notification on the active session.
519 http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=test_device/yang-ext:mount/notifications:create-subscription
520 Content-Type: application/json
521 Accept: application/json
531 - Step 4: Create the http Stream for the events.
536 http://localhost:8181/rests/operations/odl-device-notification:subscribe-device-notification
537 Content-Type: application/json
538 Accept: application/json
544 "path":"/network-topology:network-topology/topology[topology-id='topology-netconf']/node[node-id='test_device']"
548 The response suggests the http url for reading the notifications.
553 "odl-device-notification:output": {
554 "stream-path": "http://localhost:8181/rests/notif/test_device?notificationType=test_device"
558 - Step 5: User can access the url in the response and the notifications will be as follows.
563 http://localhost:8181/rests/notif/test_device?notificationType=test_device
564 Content-Type: application/xml
565 Accept: application/xml
580 data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:08.60228Z</eventTime><netconf-session-start xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><session-id>2</session-id></netconf-session-start></notification>
582 data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:12.458258Z</eventTime><netconf-session-end xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><termination-reason>closed</termination-reason><session-id>2</session-id></netconf-session-end></notification>
584 Change event notification subscription tutorial
585 -----------------------------------------------
587 Subscribing to data change notifications makes it possible to obtain
588 notifications about data manipulation (insert, change, delete) which are
589 done on any specified **path** of any specified **datastore** with
590 specific **scope**. In following examples *{odlAddress}* is address of
591 server where ODL is running and *{odlPort}* is port on which
592 OpenDaylight is running. OpenDaylight offers two methods for receiving notifications:
593 Server-Sent Events (SSE) and WebSocket. SSE is the default notification mechanism used in OpenDaylight.
595 SSE notifications subscription process
596 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
598 In this section we will learn what steps need to be taken in order to
599 successfully subscribe to data change event notifications.
604 In order to use event notifications you first need to call RPC that
605 creates notification stream that you can later listen to. You need to
606 provide three parameters to this RPC:
608 - **path**: data store path that you plan to listen to. You can
609 register listener on containers, lists and leaves.
611 - **datastore**: data store type. *OPERATIONAL* or *CONFIGURATION*.
613 - **scope**: Represents scope of data change. Possible options are:
615 - BASE: only changes directly to the data tree node specified in the
616 path will be reported
618 - ONE: changes to the node and to direct child nodes will be
621 - SUBTREE: changes anywhere in the subtree starting at the node will
624 The RPC to create the stream can be invoked via RESTCONF like this:
629 URI: http://{odlAddress}:{odlPort}/rests/operations/sal-remote:create-data-change-event-subscription
630 HEADER: Content-Type=application/json
631 Accept=application/json
637 "path": "/toaster:toaster/toaster:toasterStatus",
638 "sal-remote-augment:datastore": "OPERATIONAL",
639 "sal-remote-augment:scope": "ONE"
643 The response should look something like this:
648 "sal-remote:output": {
649 "stream-name": "data-change-event-subscription/toaster:toaster/toaster:toasterStatus/datastore=CONFIGURATION/scope=SUBTREE"
653 **stream-name** is important because you will need to use it when you
654 subscribe to the stream in the next step.
658 Internally, this will create a new listener for *stream-name* if it
659 did not already exist.
664 In order to subscribe to stream and obtain SSE location you need
665 to call *GET* on your stream path. The URI should generally be
666 `http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/{streamName}`,
667 where *{streamName}* is the *stream-name* parameter contained in
668 response from *create-data-change-event-subscription* RPC from the
674 URI: http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/data-change-event-subscription/toaster:toaster/datastore=CONFIGURATION/scope=SUBTREE
676 The subscription call may be modified with the following query parameters defined in the RESTCONF RFC:
678 - `filter <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.4>`__
680 - `start-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.7>`__
682 - `end-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.8>`__
684 In addition, the following ODL extension query parameter is supported:
686 :odl-leaf-nodes-only:
687 If this parameter is set to "true", create and update notifications will only
688 contain the leaf nodes modified instead of the entire subscription subtree.
689 This can help in reducing the size of the notifications.
691 :odl-skip-notification-data:
692 If this parameter is set to "true", create and update notifications will only
693 contain modified leaf nodes without data.
694 This can help in reducing the size of the notifications.
696 The response should look something like this:
701 "subscribe-to-notification:location": "http://localhost:8181/rests/notif/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=SUBTREE"
706 During this phase there is an internal check for to see if a
707 listener for the *stream-name* from the URI exists. If not, new a
708 new listener is registered with the DOM data broker.
710 Receive notifications
711 ^^^^^^^^^^^^^^^^^^^^^
713 Once you got SSE location you can now connect to it and
714 start receiving data change events. The request should look something like this:
718 curl -v -X GET http://localhost:8181/rests/notif/data-change-event-subscription/toaster:toaster/toasterStatus/datastore=OPERATIONAL/scope=ONE -H "Content-Type: text/event-stream" -H "Authorization: Basic YWRtaW46YWRtaW4="
721 WebSocket notifications subscription process
722 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
724 Enabling WebSocket notifications in OpenDaylight requires a manual setup before starting the application.
725 The following steps can be followed to enable WebSocket notifications in OpenDaylight:
727 1. Open the file `restconf8040.cfg`, at `etc/` folder inside your Karaf distribution.
728 2. Locate the `use-sse` configuration parameter and change its value from `true` to `false`.
729 3. Uncomment the `use-sse` parameter if it is commented out.
730 4. Save the changes made to the `restconf8040.cfg` file.
731 5. Restart OpenDaylight if it is already running.
733 Once these steps are completed, WebSocket notifications will be enabled in OpenDaylight,
734 and they can be used for receiving notifications instead of SSE.
736 WebSocket Notifications subscription process is the same as SSE until you receive a location of WebSocket.
737 You can follow steps given above and after subscribing to a notification stream over WebSocket,
738 you will receive a response indicating that the subscription was successful:
743 "subscribe-to-notification:location": "ws://localhost:8181/rests/notif/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=SUBTREE"
746 You can use this WebSocket to listen to data
747 change notifications. To listen to notifications you can use a
748 JavaScript client or if you are using chrome browser you can use the
750 Client <https://chrome.google.com/webstore/detail/simple-websocket-client/pfdhoblngboilpfeibdedpjgfnlcodoo>`__.
752 Also, for testing purposes, there is simple Java application named
753 WebSocketClient. The application is placed in the
754 */restconf/websocket-client* project. It accepts a WebSocket URI
755 as and input parameter. After starting the utility (WebSocketClient
756 class directly in Eclipse/InteliJ Idea) received notifications should be
757 displayed in console.
759 Notifications are always in XML format and look like this:
763 <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
764 <eventTime>2014-09-11T09:58:23+02:00</eventTime>
765 <data-changed-notification xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:remote">
767 <path xmlns:meae="http://netconfcentral.org/ns/toaster">/meae:toaster</path>
768 <operation>updated</operation>
770 <!-- updated data -->
773 </data-changed-notification>
779 The typical use case is listening to data change events to update web
780 page data in real-time. In this tutorial we will be using toaster as the
783 When you call *make-toast* RPC, it sets *toasterStatus* to "down" to
784 reflect that the toaster is busy making toast. When it finishes,
785 *toasterStatus* is set to "up" again. We will listen to this toaster
786 status changes in data store and will reflect it on our web page in
787 real-time thanks to WebSocket data change notification.
789 Simple javascript client implementation
790 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
792 We will create simple JavaScript web application that will listen
793 updates on *toasterStatus* leaf and update some element of our web page
794 according to new toaster status state.
799 First you need to create stream that you are planing to subscribe to.
800 This can be achieved by invoking "create-data-change-event-subscription"
801 RPC on RESTCONF via AJAX request. You need to provide data store
802 **path** that you plan to listen on, **data store type** and **scope**.
803 If the request is successful you can extract the **stream-name** from
804 the response and use that to subscribe to the newly created stream. The
805 *{username}* and *{password}* fields represent your credentials that you
806 use to connect to OpenDaylight via RESTCONF:
810 The default user name and password are "admin".
812 .. code-block:: javascript
814 function createStream() {
817 url: 'http://{odlAddress}:{odlPort}/rests/operations/sal-remote:create-data-change-event-subscription',
820 'Authorization': 'Basic ' + btoa('{username}:{password}'),
821 'Content-Type': 'application/json'
823 data: JSON.stringify(
826 'path': '/toaster:toaster/toaster:toasterStatus',
827 'sal-remote-augment:datastore': 'OPERATIONAL',
828 'sal-remote-augment:scope': 'ONE'
832 }).done(function (data) {
833 // this function will be called when ajax call is executed successfully
834 subscribeToStream(data.output['stream-name']);
835 }).fail(function (data) {
836 // this function will be called when ajax call fails
837 console.log("Create stream call unsuccessful");
844 The Next step is to subscribe to the stream. To subscribe to the stream
845 you need to call *GET* on
846 *http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/{stream-name}*.
847 If the call is successful, you get WebSocket address for this stream in
848 **Location** parameter inside response header. You can get response
849 header by calling *getResponseHeader(\ *Location*)* on HttpRequest
850 object inside *done()* function call:
852 .. code-block:: javascript
854 function subscribeToStream(streamName) {
857 url: 'http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/' + streamName;
860 'Authorization': 'Basic ' + btoa('{username}:{password}'),
863 ).done(function (data, textStatus, httpReq) {
864 // we need function that has http request object parameter in order to access response headers.
865 listenToNotifications(httpReq.getResponseHeader('Location'));
866 }).fail(function (data) {
867 console.log("Subscribe to stream call unsuccessful");
871 Receive notifications
872 ^^^^^^^^^^^^^^^^^^^^^
874 Once you got WebSocket server location you can now connect to it and
875 start receiving data change events. You need to define functions that
876 will handle events on WebSocket. In order to process incoming events
877 from OpenDaylight you need to provide a function that will handle
878 *onmessage* events. The function must have one parameter that represents
879 the received event object. The event data will be stored in
880 *event.data*. The data will be in an XML format that you can then easily
883 .. code-block:: javascript
885 function listenToNotifications(socketLocation) {
887 var notificatinSocket = new WebSocket(socketLocation);
889 notificatinSocket.onmessage = function (event) {
890 // we process our received event here
891 console.log('Received toaster data change event.');
892 $($.parseXML(event.data)).find('data-change-event').each(
894 var operation = $(this).find('operation').text();
895 if (operation == 'updated') {
896 // toaster status was updated so we call function that gets the value of toasterStatus leaf
897 updateToasterStatus();
903 notificatinSocket.onerror = function (error) {
904 console.log("Socket error: " + error);
906 notificatinSocket.onopen = function (event) {
907 console.log("Socket connection opened.");
909 notificatinSocket.onclose = function (event) {
910 console.log("Socket connection closed.");
912 // if there is a problem on socket creation we get exception (i.e. when socket address is incorrect)
914 alert("Error when creating WebSocket" + e );
918 The *updateToasterStatus()* function represents function that calls
919 *GET* on the path that was modified and sets toaster status in some web
920 page element according to received data. After the WebSocket connection
921 has been established you can test events by calling make-toast RPC via
926 for more information about WebSockets in JavaScript visit `Writing
928 applications <https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_client_applications>`__
930 Netconf-connector + Netopeer
931 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
933 `Netopeer <https://github.com/cesnet/netopeer>`__ (an open-source
934 NETCONF server) can be used for testing/exploring NETCONF southbound in
937 Netopeer installation
938 ^^^^^^^^^^^^^^^^^^^^^
940 A `Docker <https://www.docker.com/>`__ container with netopeer will be
941 used in this guide. To install Docker and start the `netopeer
942 image <https://hub.docker.com/r/sysrepo/sysrepo-netopeer2>`__ perform
945 1. Install docker https://docs.docker.com/get-started/
947 2. Start the netopeer image:
951 docker run -it --name sysrepo -p 830:830 --rm sysrepo/sysrepo-netopeer2:latest
953 3. Verify netopeer is running by invoking (netopeer should send its
954 HELLO message right away:
958 ssh root@localhost -p 830 -s netconf
961 Mounting netopeer NETCONF server
962 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
966 - OpenDaylight is started with features ``odl-restconf-all`` and
967 ``odl-netconf-connector-all``.
969 - Netopeer is up and running in docker
971 Now just follow the section: `Spawning new NETCONF connectors`_.
972 In the payload change the:
974 - name, e.g., to netopeer
976 - username/password to your system credentials
982 After netopeer is mounted successfully, its configuration can be read
983 using RESTCONF by invoking:
986 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=netopeer/yang-ext:mount?content:config
988 Northbound (NETCONF servers)
989 ----------------------------
991 OpenDaylight provides 2 types of NETCONF servers:
993 - **NETCONF server for config-subsystem (listening by default on port
996 - Serves as a default interface for config-subsystem and allows
997 users to spawn/reconfigure/destroy modules (or applications) in
1000 - **NETCONF server for MD-SAL (listening by default on port 2830)**
1002 - Serves as an alternative interface for MD-SAL (besides RESTCONF)
1003 and allows users to read/write data from MD-SAL’s datastore and to
1004 invoke its rpcs (NETCONF notifications are not available in the
1005 Boron release of OpenDaylight)
1009 The reason for having 2 NETCONF servers is that config-subsystem and
1010 MD-SAL are 2 different components of OpenDaylight and require
1011 different approach for NETCONF message handling and data
1012 translation. These 2 components will probably merge in the future.
1016 Since Nitrogen release, there is performance regression in NETCONF
1017 servers accepting SSH connections. While opening a connection takes
1018 less than 10 seconds on Carbon, on Nitrogen time can increase up to
1019 60 seconds. Please see https://jira.opendaylight.org/browse/ODLPARENT-112
1021 NETCONF server for config-subsystem
1022 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1024 This NETCONF server is the primary interface for config-subsystem. It
1025 allows the users to interact with config-subsystem in a standardized
1028 In terms of RFCs, these are supported:
1030 - `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
1032 - `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
1034 - `RFC-6470 <https://www.rfc-editor.org/rfc/rfc6470>`__
1036 - (partially, only the schema-change notification is available in
1039 - `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
1041 For regular users it is recommended to use RESTCONF + the
1042 controller-config loopback mountpoint instead of using pure NETCONF. How
1043 to do that is spesific for each component/module/application in
1044 OpenDaylight and can be found in their dedicated user guides.
1046 NETCONF server for MD-SAL
1047 ~~~~~~~~~~~~~~~~~~~~~~~~~
1049 This NETCONF server is just a generic interface to MD-SAL in
1050 OpenDaylight. It uses the stadard MD-SAL APIs and serves as an
1051 alternative to RESTCONF. It is fully model driven and supports any data
1052 and rpcs that are supported by MD-SAL.
1054 In terms of RFCs, these are supported:
1056 - `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
1058 - `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
1060 - `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
1062 Notifications over NETCONF are not supported in the Boron release.
1066 Install NETCONF northbound for MD-SAL by installing feature:
1067 ``odl-netconf-mdsal`` in karaf. Default binding port is **2830**.
1072 The default configuration can be found in file: *08-netconf-mdsal.xml*.
1073 The file contains the configuration for all necessary dependencies and a
1074 single SSH endpoint starting on port 2830. There is also a (by default
1075 disabled) TCP endpoint. It is possible to start multiple endpoints at
1076 the same time either in the initial configuration file or while
1077 OpenDaylight is running.
1079 The credentials for SSH endpoint can also be configured here, the
1080 defaults are admin/admin. Credentials in the SSH endpoint are not yet
1081 managed by the centralized AAA component and have to be configured
1084 Verifying MD-SAL’s NETCONF server
1085 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1087 After the NETCONF server is available it can be examined by a command
1092 ssh admin@localhost -p 2830 -s netconf
1094 The server will respond by sending its HELLO message and can be used as
1095 a regular NETCONF server from then on.
1097 Mounting the MD-SAL’s NETCONF server
1098 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1100 To perform this operation, just spawn a new netconf-connector as
1101 described in `Spawning new NETCONF connectors`_. Just change the ip to
1102 "127.0.0.1" port to "2830" and its name to "controller-mdsal".
1104 Now the MD-SAL’s datastore can be read over RESTCONF via NETCONF by
1108 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=controller-mdsal/yang-ext:mount?content:nonconfig
1112 This might not seem very useful, since MD-SAL can be accessed
1113 directly from RESTCONF or from Application code, but the same method
1114 can be used to mount and control other OpenDaylight instances by the
1115 "master OpenDaylight".
1117 NETCONF stress/performance measuring tool
1118 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1120 This is basically a NETCONF client that puts NETCONF servers under heavy
1121 load of NETCONF RPCs and measures the time until a configurable amount
1122 of them is processed.
1124 RESTCONF stress-performance measuring tool
1125 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1127 Very similar to NETCONF stress tool with the difference of using
1128 RESTCONF protocol instead of NETCONF.
1130 YANGLIB remote repository
1131 -------------------------
1133 There are scenarios in NETCONF deployment, that require for a centralized
1134 YANG models repository. YANGLIB plugin provides such remote repository.
1136 To start this plugin, you have to install odl-yanglib feature. Then you
1137 have to configure YANGLIB either through RESTCONF or NETCONF. We will
1138 show how to configure YANGLIB through RESTCONF.
1140 YANGLIB configuration
1141 ~~~~~~~~~~~~~~~~~~~~~
1142 YANGLIB configuration works through OSGi Configuration Admin interface, in the
1143 ``org.opendaylight.netconf.yanglib`` configuration PID. There are three tuneables you can
1146 * ``cache-folder``, which defaults to ``cache/schema``
1147 * ``binding-address``, which defaults to ``localhost``
1148 * ``binding-port``, which defaults to ``8181``
1150 In order to change these settings, you can either modify the corresponding configuration
1151 file, ``etc/org.opendaylight.netconf.yanglib.cfg``, for example:
1154 cache-folder = cache/newSchema
1155 binding-address = localhost
1161 opendaylight-user@root>config:edit org.opendaylight.netconf.yanglib
1162 opendaylight-user@root>config:property-set cache-folder cache/newSchema
1163 opendaylight-user@root>config:property-set binding-address localhost
1164 opendaylight-user@root>config:property-set binding-port 8181
1165 opendaylight-user@root>config:update
1167 This YANGLIB takes all YANG sources from the configured sources folder and
1168 for each generates URL in form:
1172 http://localhost:8181/yanglib/schemas/{modelName}/{revision}
1174 On this URL will be hosted YANG source for particular module.
1176 YANGLIB instance also write this URL along with source identifier to
1177 ietf-netconf-yang-library/modules-state/module list.
1179 Netconf-connector with YANG library as fallback
1180 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1182 There is an optional configuration in netconf-connector called
1183 yang-library. You can specify YANG library to be plugged as additional
1184 source provider into the mount's schema repository. Since YANGLIB
1185 plugin is advertising provided modules through yang-library model, we
1186 can use it in mount point's configuration as YANG library. To do this,
1187 we need to modify the configuration of netconf-connector by adding this
1192 <yang-library xmlns="urn:opendaylight:netconf-node-topology">
1193 <yang-library-url xmlns="urn:opendaylight:netconf-node-topology">http://localhost:8181/rests/data/ietf-yang-library:modules-state</yang-library-url>
1194 <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
1195 <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
1198 This will register YANGLIB provided sources as a fallback schemas for
1199 particular mount point.
1204 Call Home Installation
1205 ~~~~~~~~~~~~~~~~~~~~~~
1207 ODL Call-Home server is installed in Karaf by installing karaf feature
1208 ``odl-netconf-callhome-ssh``. RESTCONF feature is recommended for
1209 configuring Call Home & testing its functionality.
1213 feature:install odl-netconf-callhome-ssh
1218 In order to test Call Home functionality we recommend Netopeer or
1219 Netopeer2. See `Netopeer Call Home <https://github.com/CESNET/netopeer/wiki/CallHome>`__
1220 or `Netopeer2 <https://github.com/CESNET/netopeer2>`__ to learn how to
1221 enable call-home on Netopeer.
1223 Northbound Call-Home API
1224 ~~~~~~~~~~~~~~~~~~~~~~~~
1226 The northbound Call Home API is used for administering the Call-Home Server. The
1227 following describes this configuration.
1229 Global Configuration
1230 ^^^^^^^^^^^^^^^^^^^^
1233 The global configuration is not a part of the `RFC 8071
1234 <https://www.rfc-editor.org/rfc/rfc8071>`__ and, therefore, subject to change.
1236 Configuring global credentials
1237 ''''''''''''''''''''''''''''''
1239 ODL Call-Home server allows user to configure global credentials, which will be
1240 used for connected over SSH transport protocol devices which does not have
1241 device-specific credentials configured.
1243 This is done by creating
1244 ``/odl-netconf-callhome-server:netconf-callhome-server/global/credentials``
1245 with username and passwords specified.
1247 *Configuring global username & passwords to try*
1252 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/credentials
1253 Content-Type: application/json
1254 Accept: application/json
1256 .. code-block:: json
1261 "username": "example",
1262 "passwords": [ "first-password-to-try", "second-password-to-try" ]
1266 Configuring to accept any ssh server key using global credentials
1267 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
1269 By default Netconf Call-Home Server accepts only incoming connections
1270 from allowed devices
1271 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``,
1272 if user desire to allow all incoming connections, it is possible to set
1273 ``accept-all-ssh-keys`` to ``true`` in
1274 ``/odl-netconf-callhome-server:netconf-callhome-server/global``.
1276 The name of this devices in ``netconf-topology`` will be in format
1277 ``ip-address:port``. For naming devices see Device-Specific
1280 *Allowing unknown devices to connect*
1282 This is a debug feature and should not be used in production. Besides being an obvious
1283 security issue, this also causes the Call-Home Server to drastically increase its output
1289 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/accept-all-ssh-keys
1290 Content-Type: application/json
1291 Accept: application/json
1293 .. code-block:: json
1296 "accept-all-ssh-keys": "true"
1299 Device-Specific Configuration
1300 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1302 Netconf Call Home server supports both of the secure transports used
1303 by the Network Configuration Protocol (NETCONF) - Secure Shell (SSH),
1304 and Transport Layer Security (TLS).
1306 Configure device to connect over SSH protocol
1307 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1309 Netconf Call Home Server uses device provided SSH server key (host key)
1310 to identify device. The pairing of name and server key is configured in
1311 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``.
1312 This list is colloquially called a allowlist.
1314 If the Call-Home Server finds the SSH host key in the allowlist, it continues
1315 to negotiate a NETCONF connection over an SSH session. If the SSH host key is
1316 not found, the connection between the Call Home server and the device is dropped
1317 immediately. In either case, the device that connects to the Call home server
1318 leaves a record of its presence in the operational store.
1320 Configuring Device with Device-specific Credentials
1321 '''''''''''''''''''''''''''''''''''''''''''''''''''
1323 Adding specific device to the allowed list is done by creating
1324 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device={device}``
1325 with device-id and connection parameters inside the ssh-client-params container.
1327 *Configuring Device with Credentials*
1332 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1333 Content-Type: application/json
1334 Accept: application/json
1336 .. code-block:: json
1340 "unique-id": "example",
1341 "ssh-client-params": {
1343 "username": "example",
1344 "passwords": [ "password" ]
1346 "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1351 Configuring Device with Global Credentials
1352 '''''''''''''''''''''''''''''''''''''''''''''''''''
1354 It is possible to omit ``username`` and ``password`` for ssh-client-params,
1355 in such case values from global credentials will be used.
1357 *Example of configuring device*
1362 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1363 Content-Type: application/json
1364 Accept: application/json
1366 .. code-block:: json
1370 "unique-id": "example",
1371 "ssh-client-params": {
1372 "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1377 Deprecated configuration models for devices accessed with SSH protocol
1378 ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
1380 With `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8071>`__ alignment and adding
1381 support for TLS transport following configuration models has been marked
1384 Configuring Device with Global Credentials
1385 '''''''''''''''''''''''''''''''''''''''''''''''''''
1387 *Example of configuring device*
1392 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1393 Content-Type: application/json
1394 Accept: application/json
1396 .. code-block:: json
1400 "unique-id": "example",
1401 "ssh-host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1405 Configuring Device with Device-specific Credentials
1406 '''''''''''''''''''''''''''''''''''''''''''''''''''
1408 Call Home Server also allows to configure credentials per device basis,
1409 this is done by introducing ``credentials`` container into
1410 device-specific configuration. Format is same as in global credentials.
1412 *Configuring Device with Credentials*
1417 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1418 Content-Type: application/json
1419 Accept: application/json
1421 .. code-block:: json
1425 "unique-id": "example",
1427 "username": "example",
1428 "passwords": [ "password" ]
1430 "ssh-host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1434 Configure device to connect over TLS protocol
1435 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1437 Netconf Call Home Server allows devices to use TLS transport protocol to
1438 establish a connection towards the NETCONF device. This communication
1439 requires proper setup to make two-way TLS authentication possible for client
1442 The initial step is to configure certificates and keys for two-way TLS by
1443 storing them within the netconf-keystore.
1445 *Adding a client private key credential to the netconf-keystore*
1450 /rests/operations/netconf-keystore:add-keystore-entry
1451 Content-Type: application/json
1452 Accept: application/json
1454 .. code-block:: json
1460 "key-id": "example-client-key-id",
1461 "private-key": "base64encoded-private-key",
1462 "passphrase": "passphrase"
1468 *Associate a private key with a client and CA certificates chain*
1473 /rests/operations/netconf-keystore:add-private-key
1474 Content-Type: application/json
1475 Accept: application/json
1477 .. code-block:: json
1483 "name": "example-client-key-id",
1485 "certificate-chain": [
1493 *Add a list of trusted CA and server certificates*
1498 /rests/operations/netconf-keystore:add-trusted-certificate
1499 Content-Type: application/json
1500 Accept: application/json
1502 .. code-block:: json
1506 "trusted-certificate": [
1508 "name": "example-ca-certificate",
1509 "certificate": "ca-certificate-data"
1512 "name": "example-server-certificate",
1513 "certificate": "server-certificate-data"
1519 In a second step, it is required to create an allowed device associated with
1520 a server certificate and client key. The server certificate will be used to
1521 identify and pin the NETCONF device during SSL handshake and should be unique
1522 among the allowed devices.
1524 *Add device configuration for TLS protocol to allowed devices list*
1529 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example-device
1530 Content-Type: application/json
1531 Accept: application/json
1533 .. code-block:: json
1537 "unique-id": "example-device",
1538 "tls-client-params": {
1539 "key-id": "example-client-key-id",
1540 "certificate-id": "example-server-certificate"
1548 Once an entry is made into the config side of "allowed-devices", the Call-Home Server will
1549 populate an corresponding operational device that is the same as the config device but
1550 has an additional status. By default, this status is *DISCONNECTED*. Once a device calls
1551 home, this status will change to one of:
1553 *CONNECTED* — The device is currently connected and the NETCONF mount is available for network
1556 *FAILED_AUTH_FAILURE* — The last attempted connection was unsuccessful because the Call-Home
1557 Server was unable to provide the acceptable credentials of the device. The device is also
1558 disconnected and not available for network management.
1560 *FAILED_NOT_ALLOWED* — The last attempted connection was unsuccessful because the device was
1561 not recognized as an acceptable device. The device is also disconnected and not available for
1564 *FAILED* — The last attempted connection was unsuccessful for a reason other than not
1565 allowed to connect or incorrect client credentials. The device is also disconnected and not
1566 available for network management.
1568 *DISCONNECTED* — The device is currently disconnected.
1573 Devices which are not on the allowlist might try to connect to the Call-Home Server. In
1574 these cases, the server will keep a record by instantiating an operational device. There
1575 will be no corresponding config device for these rogues. They can be identified readily
1576 because their device id, rather than being user-supplied, will be of the form
1577 "address:port". Note that if a device calls back multiple times, there will only be
1578 a single operatinal entry (even if the port changes); these devices are recognized by
1579 their unique host key.
1581 Southbound Call-Home API
1582 ~~~~~~~~~~~~~~~~~~~~~~~~
1584 The Call-Home Server listens for incoming TCP connections and assumes that the other side of
1585 the connection is a device calling home via a NETCONF connection with SSH for
1586 management. The server uses port 6666 by default and this can be configured via a
1587 blueprint configuration file.
1589 The device **must** initiate the connection and the server will not try to re-establish the
1590 connection in case of a drop. By requirement, the server cannot assume it has connectivity
1591 to the device due to NAT or firewalls among others.
1593 Reading data with selected fields
1594 ---------------------------------
1599 If user would like to read only selected fields from NETCONF device, it is possible to use
1600 fields query parameter that is described by RFC-8040. RESTCONF parses content of query
1601 parameter into format that is accepted by NETCONF subtree filtering - filtering of data is done
1602 on NETCONF server, not on NETCONF client side. This approach optimizes network traffic load,
1603 because data in which user doesn't have interest, is not transferred over network.
1607 * using single RESTCONF request and single NETCONF RPC for reading multiple subtrees
1608 * possibility to read only selected fields under list node across multiple hierarchies
1609 (it cannot be done without proper selection API)
1613 More information about fields query parameter: `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.3>`__
1618 For demonstration, we will define next YANG model:
1622 module test-module {
1624 namespace "urn:opendaylight:test-module";
1626 revision "2023-02-16";
1629 container simple-root {
1649 container list-root {
1662 container next-data {
1684 Follow the :doc:`testtool` instructions to save this schema and run it with testtool.
1686 Mounting NETCONF device that runs on NETCONF testtool:
1688 .. code-block:: bash
1690 curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool' \
1691 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1692 --header 'Content-Type: application/json' \
1696 "node-id": "testtool",
1697 "netconf-node-topology:host": "127.0.0.1",
1698 "netconf-node-topology:port": 17830,
1699 "netconf-node-topology:keepalive-delay": 100,
1700 "netconf-node-topology:tcp-only": false,
1701 "netconf-node-topology:username": "admin",
1702 "netconf-node-topology:password": "admin"
1707 Setting initial configuration on NETCONF device:
1709 .. code-block:: bash
1711 curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root' \
1712 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1713 --header 'Content-Type: application/json' \
1812 1. Reading whole leaf-list 'll' and leaf 'nested/sample-x' under 'simple-root' container.
1816 .. code-block:: bash
1818 curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/simple-root?content=config&fields=ll;nested/sample-x' \
1819 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1820 --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
1822 Generated NETCONF RPC request:
1826 <rpc message-id="m-18" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1831 <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1832 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1846 Using fields query parameter it is also possible to read whole leaf-list or list without
1847 necessity to specify value / key predicate (without reading parent entity). Such scenario
1848 is not permitted in RFC-8040 paths alone - fields query parameter can be used as
1849 workaround for this case.
1853 .. code-block:: json
1856 "test-module:simple-root": {
1868 2. Reading all identifiers of 'nested-list' under all elements of 'top-list'.
1872 .. code-block:: bash
1874 curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=top-list(nested-list/identifier)' \
1875 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1876 --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
1878 Generated NETCONF RPC request:
1882 <rpc message-id="m-27" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1887 <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1888 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1905 NETCONF client automatically fetches values of list keys since they are required for correct
1906 deserialization of NETCONF response and at the end serialization of response to RESTCONF
1907 response (JSON/XML).
1911 .. code-block:: json
1914 "test-module:list-root": {
1965 3. Reading value of leaf 'branch-ab' and all values of leaves 'switch-1' that are placed
1966 under 'top-list' list elements.
1970 .. code-block:: bash
1972 curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=branch-ab;top-list/next-data/switch-1' \
1973 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1974 --header 'Cookie: JSESSIONID=node01jx6o5thwae9t1ft7c2zau5zbz4.node0'
1976 Generated NETCONF RPC request:
1980 <rpc message-id="m-42" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1985 <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1986 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
2004 .. code-block:: json
2007 "test-module:list-root": {