1 .. _netconf-user-guide:
17 NETCONF is an XML-based protocol used for configuration and monitoring
18 devices in the network. The base NETCONF protocol is described in
19 `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__.
21 **NETCONF in OpenDaylight:.**
23 OpenDaylight supports the NETCONF protocol as a northbound server as
24 well as a southbound plugin. It also includes a set of test tools for
25 simulating NETCONF devices and clients.
27 Southbound (netconf-connector)
28 ------------------------------
30 The NETCONF southbound plugin is capable of connecting to remote NETCONF
31 devices and exposing their configuration/operational datastores, RPCs
32 and notifications as MD-SAL mount points. These mount points allow
33 applications and remote users (over RESTCONF) to interact with the
36 In terms of RFCs, the connector supports:
38 - `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
40 - `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
42 - `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
44 - `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
46 **Netconf-connector is fully model-driven (utilizing the YANG modeling
47 language) so in addition to the above RFCs, it supports any
48 data/RPC/notifications described by a YANG model that is implemented by
53 NETCONF southbound can be activated by installing
54 ``odl-netconf-connector-all`` Karaf feature.
56 .. _netconf-connector:
58 Netconf-connector configuration
59 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
61 NETCONF connectors are configured directly through the usage of the
62 network-topology model. You can configure new NETCONF connectors both
63 through the NETCONF server for MD-SAL (port 2830) or RESTCONF. This guide
68 Since 2022.09 Chlorine there is only one RESTCONF endpoint:
70 - | ``http://localhost:8181/rests`` is related to `RFC-8040 <https://www.rfc-editor.org/rfc/rfc8040>`__,
71 | can be activated by installing ``odl-restconf-nb``
74 | Resources for configuration and operational datastores start
77 http://localhost:8181/rests/data/network-topology:network-topology
78 with response of both datastores. It's allowed to use query
79 parameters to distinguish between them.
81 http://localhost:8181/rests/data/network-topology:network-topology?content=config
82 for configuration datastore
84 http://localhost:8181/rests/data/network-topology:network-topology?content=nonconfig
85 for operational datastore.
87 | Also if a data node in the path expression is a YANG leaf-list or list
88 node, the path segment has to be constructed by having leaf-list or
89 list node name, followed by an "=" character, then followed by the
90 leaf-list or list value. Any reserved characters must be
93 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf?content=config
94 for retrieving data from configuration datastore for
95 topology-netconf value of topology list.
100 1. OpenDaylight is running
102 2. In Karaf, you must have the ``odl-netconf-topology`` or
103 ``odl-netconf-clustered-topology`` feature installed.
105 3. Feature ``odl-restconf-nb`` must be installed
107 Spawning new NETCONF connectors
108 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
110 To create a new NETCONF connector you need to send the following PUT request
117 - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
119 You could use the same body to create the new NETCONF connector with a POST
120 without specifying the node in the URL:
126 - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf
134 **Content-type:** ``application/xml``
136 **Accept:** ``application/xml``
138 **Authentication:** ``admin:admin``
142 <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
143 <node-id>new-netconf-device</node-id>
144 <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
145 <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
146 <login-password-unencrypted xmlns="urn:opendaylight:netconf-node-topology">
147 <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
148 <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
149 </login-password-unencrypted>
150 <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
151 <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
152 <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
153 <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
154 <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
155 <min-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">2000</min-backoff-millis>
156 <max-backoff-millis xmlns="urn:opendaylight:netconf-node-topology">1800000</max-backoff-millis>
157 <backoff-multiplier xmlns="urn:opendaylight:netconf-node-topology">1.5</backoff-multiplier>
158 <!-- keepalive-delay set to 0 turns off keepalives-->
159 <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
164 **Content-type:** ``application/json``
166 **Accept:** ``application/json``
168 **Authentication:** ``admin:admin``
175 "node-id": "new-netconf-device",
176 "netconf-node-topology:port": 17830,
177 "netconf-node-topology:reconnect-on-changed-schema": false,
178 "netconf-node-topology:connection-timeout-millis": 20000,
179 "netconf-node-topology:tcp-only": false,
180 "netconf-node-topology:max-connection-attempts": 0,
181 "netconf-node-topology:login-password-unencrypted": {
182 "netconf-node-topology:username": "admin",
183 "netconf-node-topology:password": "admin"
185 "netconf-node-topology:host": "127.0.0.1",
186 "netconf-node-topology:min-backoff-millis": 2000,
187 "netconf-node-topology:max-backoff-millis": 1800000,
188 "netconf-node-topology:backoff-multiplier": 1.5,
189 "netconf-node-topology:keepalive-delay": 120
194 Note that the device name in <node-id> element must match the last
195 element of the restconf URL.
197 Reconfiguring an existing connector
198 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
200 The steps to reconfigure an existing connector are exactly the same as
201 when spawning a new connector. The old connection will be disconnected
202 and a new connector with the new configuration will be created. This needs
203 to be done with a PUT request because the node already exists. A POST
204 request will fail for that reason.
206 Additionally, a PATCH request can be used to modify an existing
207 configuration. Currently, only yang-patch (`RFC-8072 <https://www.rfc-editor.org/rfc/rfc8072>`__)
208 is supported. The URL would be the same as the above PUT examples.
209 Using JSON for the body, the headers needed for the request would
214 - Accept: application/yang-data+json
216 - Content-Type: application/yang-patch+json
218 Example JSON payload to modify the password entry:
223 "ietf-restconf:yang-patch" : {
228 "operation" : "merge",
233 "node-id": "new-netconf-device",
234 "netconf-node-topology:password" : "newpassword"
243 Deleting an existing connector
244 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
246 To remove an already configured NETCONF connector you need to send a
247 DELETE request to the same PUT request URL that was used to create the
254 - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
258 No body is needed to delete the node/device
260 Connecting to a device not supporting NETCONF monitoring
261 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
263 The netconf-connector in OpenDaylight relies on ietf-netconf-monitoring
264 support when connecting to remote NETCONF device. The
265 ietf-netconf-monitoring support allows netconf-connector to list and
266 download all YANG schemas that are used by the device. NETCONF connector
267 can only communicate with a device if it knows the set of used schemas
268 (or at least a subset). However, some devices use YANG models internally
269 but do not support NETCONF monitoring. Netconf-connector can also
270 communicate with these devices, but you have to side load the necessary
271 yang models into OpenDaylight’s YANG model cache for netconf-connector.
272 In general there are 2 situations you might encounter:
274 **1. NETCONF device does not support ietf-netconf-monitoring but it does
275 list all its YANG models as capabilities in HELLO message**
277 This could be a device that internally uses only ietf-inet-types YANG
278 model with revision 2010-09-24. In the HELLO message that is sent from
279 this device there is this capability reported:
283 urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2010-09-24
285 **For such devices you only need to put the schema into folder
286 cache/schema inside your Karaf distribution.**
290 The file with YANG schema for ietf-inet-types has to be called
291 ietf-inet-types@2010-09-24.yang. It is the required naming format of
294 **2. NETCONF device does not support ietf-netconf-monitoring and it does
295 NOT list its YANG models as capabilities in HELLO message**
297 Compared to device that lists its YANG models in HELLO message, in this
298 case there would be no capability with ietf-inet-types in the HELLO
299 message. This type of device basically provides no information about the
300 YANG schemas it uses so its up to the user of OpenDaylight to properly
301 configure netconf-connector for this device.
303 Netconf-connector has an optional configuration attribute called
304 yang-module-capabilities and this attribute can contain a list of "YANG
305 module based" capabilities. So by setting this configuration attribute,
306 it is possible to override the "yang-module-based" capabilities reported
307 in HELLO message of the device. To do this, we need to modify the
308 configuration of netconf-connector like in the example below:
314 **Content-type:** ``application/xml``
316 **Accept:** ``application/xml``
318 **Authentication:** ``admin:admin``
322 <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
323 <node-id>r5</node-id>
324 <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
325 <port xmlns="urn:opendaylight:netconf-node-topology">8305</port>
326 <login-password-unencrypted xmlns="urn:opendaylight:netconf-node-topology">
327 <username xmlns="urn:opendaylight:netconf-node-topology">root</username>
328 <password xmlns="urn:opendaylight:netconf-node-topology">root</password>
329 </login-password-unencrypted>
330 <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
331 <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">30</keepalive-delay>
332 <yang-module-capabilities xmlns="urn:opendaylight:netconf-node-topology">
333 <override>true</override>
334 <capability xmlns="urn:opendaylight:netconf-node-topology">
335 urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15
337 </yang-module-capabilities>
342 **Content-type:** ``application/json``
344 **Accept:** ``application/json``
346 **Authentication:** ``admin:admin``
354 "netconf-node-topology:host": "127.0.0.1",
355 "netconf-node-topology:login-password-unencrypted": {
356 "netconf-node-topology:password": "root",
357 "netconf-node-topology:username": "root"
359 "netconf-node-topology:yang-module-capabilities": {
362 "urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15"
365 "netconf-node-topology:port": 8305,
366 "netconf-node-topology:tcp-only": false,
367 "netconf-node-topology:keepalive-delay": 30
372 **Remember to also put the YANG schemas into the cache folder.**
376 For putting multiple capabilities, you just need to replicate the
377 capability element inside yang-module-capability element.
378 Capability element is modeled as a leaf-list. With this
379 configuration, we would make the remote device report usage of
380 ietf-inet-types in the eyes of netconf-connector.
382 Connecting to a device supporting only NETCONF 1.0
383 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
385 OpenDaylight is schema-based distribution and heavily depends on YANG
386 models. However some legacy NETCONF devices are not schema-based and
387 implement just RFC 4741. This type of device does not utilize YANG
388 models internally and OpenDaylight does not know how to communicate
389 with such devices, how to validate data, or what the semantics of data
392 NETCONF connector can communicate also with these devices, but the
393 trade-offs are worsened possibilities in utilization of NETCONF
394 mountpoints. Using RESTCONF with such devices is not supported. Also
395 communicating with schemaless devices from application code is slightly
398 To connect to schemaless device, there is a optional configuration option
399 in netconf-node-topology model called schemaless. You have to set this
402 Clustered NETCONF connector
403 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
405 To spawn NETCONF connectors that are cluster-aware you need to install
406 the ``odl-netconf-clustered-topology`` karaf feature.
410 The ``odl-netconf-topology`` and ``odl-netconf-clustered-topology``
411 features are considered **INCOMPATIBLE**. They both manage the same
412 space in the datastore and would issue conflicting writes if
415 Configuration of clustered NETCONF connectors works the same as the
416 configuration through the topology model in the previous section.
418 When a new clustered connector is configured the configuration gets
419 distributed among the member nodes and a NETCONF connector is spawned on
420 each node. From these nodes a master is chosen which handles the schema
421 download from the device and all the communication with the device. You
422 will be able to read/write to/from the device from all slave nodes due
423 to the proxy data brokers implemented.
425 You can use the ``odl-netconf-clustered-topology`` feature in a single
426 node scenario as well but the code that uses akka will be used, so for a
427 scenario where only a single node is used, ``odl-netconf-topology``
430 Netconf-connector utilization
431 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
433 Once the connector is up and running, users can utilize the new mount
434 point instance. By using RESTCONF or from their application code. This
435 chapter deals with using RESTCONF and more information for app
436 developers can be found in the developers guide or in the official
437 tutorial application **ncmount** that can be found in the coretutorials
440 - https://github.com/opendaylight/coretutorials/tree/master/ncmount
442 Reading data from the device
443 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
445 Just invoke (no body needed):
448 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount?content=nonconfig
450 This will return the entire content of operation datastore from the
451 device. To view just the configuration datastore, change **nonconfig**
452 in this URL to **config**.
454 Writing configuration data to the device
455 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
457 In general, you cannot simply write any data you want to the device. The
458 data have to conform to the YANG models implemented by the device. In
459 this example we are adding a new interface-configuration to the mounted
460 device (assuming the device supports Cisco-IOS-XR-ifmgr-cfg YANG model).
461 In fact this request comes from the tutorial dedicated to the
462 **ncmount** tutorial app.
465 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/Cisco-IOS-XR-ifmgr-cfg:interface-configurations
469 <interface-configuration xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg">
471 <interface-name>mpls</interface-name>
472 <description>Interface description</description>
473 <bandwidth>32</bandwidth>
474 <link-status></link-status>
475 </interface-configuration>
477 Should return 200 response code with no body.
481 This call is transformed into a couple of NETCONF RPCs. Resulting
482 NETCONF RPCs that go directly to the device can be found in the
483 OpenDaylight logs after invoking ``log:set TRACE
484 org.opendaylight.controller.sal.connect.netconf`` in the Karaf
485 shell. Seeing the NETCONF RPCs might help with debugging.
487 This request is very similar to the one where we spawned a new netconf
488 device. That’s because we used the loopback netconf-connector to write
489 configuration data into config-subsystem datastore and config-subsystem
490 picked it up from there.
495 Devices can implement any additional RPC and as long as it provides YANG
496 models for it, it can be invoked from OpenDaylight. Following example
497 shows how to invoke the get-schema RPC (get-schema is quite common among
498 netconf devices). Invoke:
501 http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/ietf-netconf-monitoring:get-schema
505 <input xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">
506 <identifier>ietf-yang-types</identifier>
507 <version>2013-07-15</version>
510 This call should fetch the source for ietf-yang-types YANG model from
513 Receiving Netconf Device Notifications on a http client
514 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
516 Devices emit netconf alarms and notifications in certain situations, which can demand
517 attention from Device Administration. The notifications are received as Netconf messages on an
518 active Netconf session.
520 Opendaylight provides the way to stream the device notifications over a http session.
522 - Step 1: Mount the device (assume node name is test_device)
524 - Step 2: Wait for the device to be connected.
526 - Step 3: Create the Subscription for notification on the active session.
531 http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=test_device/yang-ext:mount/notifications:create-subscription
532 Content-Type: application/json
533 Accept: application/json
543 - Step 4: Create the http Stream for the events.
548 http://localhost:8181/rests/operations/odl-device-notification:subscribe-device-notification
549 Content-Type: application/json
550 Accept: application/json
556 "path":"/network-topology:network-topology/topology[topology-id='topology-netconf']/node[node-id='test_device']"
560 The response suggests the http url for reading the notifications.
565 "odl-device-notification:output": {
566 "stream-path": "http://localhost:8181/rests/notif/test_device?notificationType=test_device"
570 - Step 5: User can access the url in the response and the notifications will be as follows.
575 http://localhost:8181/rests/notif/test_device?notificationType=test_device
576 Content-Type: application/xml
577 Accept: application/xml
592 data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:08.60228Z</eventTime><netconf-session-start xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><session-id>2</session-id></netconf-session-start></notification>
594 data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:12.458258Z</eventTime><netconf-session-end xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><termination-reason>closed</termination-reason><session-id>2</session-id></netconf-session-end></notification>
596 Change event notification subscription tutorial
597 -----------------------------------------------
599 Subscribing to data change notifications makes it possible to obtain
600 notifications about data manipulation (insert, change, delete) which are
601 done on any specified **path** of any specified **datastore** with
602 specific **scope**. In following examples *{odlAddress}* is address of
603 server where ODL is running and *{odlPort}* is port on which
604 OpenDaylight is running. OpenDaylight offers two methods for receiving notifications:
605 Server-Sent Events (SSE) and WebSocket. SSE is the default notification mechanism used in OpenDaylight.
607 SSE notifications subscription process
608 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
610 In this section we will learn what steps need to be taken in order to
611 successfully subscribe to data change event notifications.
616 In order to use event notifications you first need to call RPC that
617 creates notification stream that you can later listen to. You need to
618 provide three parameters to this RPC:
620 - **path**: data store path that you plan to listen to. You can
621 register listener on containers, lists and leaves.
623 - **datastore**: data store type. *OPERATIONAL* or *CONFIGURATION*.
625 - **scope**: Represents scope of data change. Possible options are:
627 - BASE: only changes directly to the data tree node specified in the
628 path will be reported
630 - ONE: changes to the node and to direct child nodes will be
633 - SUBTREE: changes anywhere in the subtree starting at the node will
636 The RPC to create the stream can be invoked via RESTCONF like this:
641 URI: http://{odlAddress}:{odlPort}/rests/operations/sal-remote:create-data-change-event-subscription
642 HEADER: Content-Type=application/json
643 Accept=application/json
649 "path": "/toaster:toaster/toaster:toasterStatus",
650 "sal-remote-augment:datastore": "OPERATIONAL",
651 "sal-remote-augment:scope": "ONE"
655 The response should look something like this:
660 "sal-remote:output": {
661 "stream-name": "data-change-event-subscription/toaster:toaster/toaster:toasterStatus/datastore=CONFIGURATION/scope=SUBTREE"
665 **stream-name** is important because you will need to use it when you
666 subscribe to the stream in the next step.
670 Internally, this will create a new listener for *stream-name* if it
671 did not already exist.
676 In order to subscribe to stream and obtain SSE location you need
677 to call *GET* on your stream path. The URI should generally be
678 `http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/{streamName}`,
679 where *{streamName}* is the *stream-name* parameter contained in
680 response from *create-data-change-event-subscription* RPC from the
686 URI: http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/data-change-event-subscription/toaster:toaster/datastore=CONFIGURATION/scope=SUBTREE
688 The subscription call may be modified with the following query parameters defined in the RESTCONF RFC:
690 - `filter <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.4>`__
692 - `start-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.7>`__
694 - `end-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.8>`__
696 In addition, the following ODL extension query parameter is supported:
698 :odl-leaf-nodes-only:
699 If this parameter is set to "true", create and update notifications will only
700 contain the leaf nodes modified instead of the entire subscription subtree.
701 This can help in reducing the size of the notifications.
703 :odl-skip-notification-data:
704 If this parameter is set to "true", create and update notifications will only
705 contain modified leaf nodes without data.
706 This can help in reducing the size of the notifications.
708 The response should look something like this:
713 "subscribe-to-notification:location": "http://localhost:8181/rests/notif/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=SUBTREE"
718 During this phase there is an internal check for to see if a
719 listener for the *stream-name* from the URI exists. If not, new a
720 new listener is registered with the DOM data broker.
722 Receive notifications
723 ^^^^^^^^^^^^^^^^^^^^^
725 Once you got SSE location you can now connect to it and
726 start receiving data change events. The request should look something like this:
730 curl -v -X GET http://localhost:8181/rests/notif/data-change-event-subscription/toaster:toaster/toasterStatus/datastore=OPERATIONAL/scope=ONE -H "Content-Type: text/event-stream" -H "Authorization: Basic YWRtaW46YWRtaW4="
733 WebSocket notifications subscription process
734 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
736 Enabling WebSocket notifications in OpenDaylight requires a manual setup before starting the application.
737 The following steps can be followed to enable WebSocket notifications in OpenDaylight:
739 1. Open the file `org.opendaylight.restconf.nb.rfc8040.cfg`, at `etc/` folder inside your Karaf distribution. Or create in case it does not exist.
740 2. Locate the `use-sse` configuration parameter and change its value from `true` to `false`. Or add ``use-sse=false`` as new line in case this parameter is not present.
741 3. Save the changes made to the `org.opendaylight.restconf.nb.rfc8040.cfg` file.
742 4. Restart OpenDaylight if it is already running.
744 Once these steps are completed, WebSocket notifications will be enabled in OpenDaylight,
745 and they can be used for receiving notifications instead of SSE.
747 WebSocket Notifications subscription process is the same as SSE until you receive a location of WebSocket.
748 You can follow steps given above and after subscribing to a notification stream over WebSocket,
749 you will receive a response indicating that the subscription was successful:
754 "subscribe-to-notification:location": "ws://localhost:8181/rests/notif/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=SUBTREE"
757 You can use this WebSocket to listen to data
758 change notifications. To listen to notifications you can use a
759 JavaScript client or if you are using chrome browser you can use the
761 Client <https://chrome.google.com/webstore/detail/simple-websocket-client/pfdhoblngboilpfeibdedpjgfnlcodoo>`__.
763 Also, for testing purposes, there is simple Java application named
764 WebSocketClient. The application is placed in the
765 */restconf/websocket-client* project. It accepts a WebSocket URI
766 as an input parameter. After starting the utility (WebSocketClient
767 class directly in Eclipse/InteliJ Idea) received notifications should be
768 displayed in console.
770 Notifications are always in XML format and look like this:
774 <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
775 <eventTime>2014-09-11T09:58:23+02:00</eventTime>
776 <data-changed-notification xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:remote">
778 <path xmlns:meae="http://netconfcentral.org/ns/toaster">/meae:toaster</path>
779 <operation>updated</operation>
781 <!-- updated data -->
784 </data-changed-notification>
790 The typical use case is listening to data change events to update web
791 page data in real time. In this tutorial we will be using toaster as the
794 When you call *make-toast* RPC, it sets *toasterStatus* to "down" to
795 reflect that the toaster is busy making toast. When it finishes,
796 *toasterStatus* is set to "up" again. We will listen to these toaster
797 status changes in data store and will reflect it on our web page in
798 real-time thanks to WebSocket data change notification.
800 Simple javascript client implementation
801 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
803 We will create a simple JavaScript web application that will listen for
804 updates on *toasterStatus* leaf and update some elements of our web page
805 according to the new toaster status state.
810 First you need to create stream that you are planning to subscribe to.
811 This can be achieved by invoking "create-data-change-event-subscription"
812 RPC on RESTCONF via AJAX request. You need to provide data store
813 **path** that you plan to listen on, **data store type** and **scope**.
814 If the request is successful you can extract the **stream-name** from
815 the response and use that to subscribe to the newly created stream. The
816 *{username}* and *{password}* fields represent the credentials that you
817 use to connect to OpenDaylight via RESTCONF:
821 The default user name and password are "admin".
823 .. code-block:: javascript
825 function createStream() {
828 url: 'http://{odlAddress}:{odlPort}/rests/operations/sal-remote:create-data-change-event-subscription',
831 'Authorization': 'Basic ' + btoa('{username}:{password}'),
832 'Content-Type': 'application/json'
834 data: JSON.stringify(
837 'path': '/toaster:toaster/toaster:toasterStatus',
838 'sal-remote-augment:datastore': 'OPERATIONAL',
839 'sal-remote-augment:scope': 'ONE'
843 }).done(function (data) {
844 // this function will be called when ajax call is executed successfully
845 subscribeToStream(data.output['stream-name']);
846 }).fail(function (data) {
847 // this function will be called when ajax call fails
848 console.log("Create stream call unsuccessful");
855 The Next step is to subscribe to the stream. To subscribe to the stream
856 you need to call *GET* on
857 *http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/{stream-name}*.
858 If the call is successful, you get WebSocket address for this stream in
859 **Location** parameter inside response header. You can get response
860 header by calling *getResponseHeader(\ *Location*)* on HttpRequest
861 object inside *done()* function call:
863 .. code-block:: javascript
865 function subscribeToStream(streamName) {
868 url: 'http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/' + streamName;
871 'Authorization': 'Basic ' + btoa('{username}:{password}'),
874 ).done(function (data, textStatus, httpReq) {
875 // we need function that has http request object parameter in order to access response headers.
876 listenToNotifications(httpReq.getResponseHeader('Location'));
877 }).fail(function (data) {
878 console.log("Subscribe to stream call unsuccessful");
882 Receive notifications
883 ^^^^^^^^^^^^^^^^^^^^^
885 Once you have WebSocket server location you can now connect to it and
886 start receiving data change events. You need to define functions that
887 will handle events on WebSocket. In order to process incoming events
888 from OpenDaylight you need to provide a function that will handle
889 *onmessage* events. The function must have one parameter that represents
890 the received event object. The event data will be stored in
891 *event.data*. The data will be in an XML format that you can then easily
894 .. code-block:: javascript
896 function listenToNotifications(socketLocation) {
898 var notificatinSocket = new WebSocket(socketLocation);
900 notificatinSocket.onmessage = function (event) {
901 // we process our received event here
902 console.log('Received toaster data change event.');
903 $($.parseXML(event.data)).find('data-change-event').each(
905 var operation = $(this).find('operation').text();
906 if (operation == 'updated') {
907 // toaster status was updated so we call function that gets the value of toasterStatus leaf
908 updateToasterStatus();
914 notificatinSocket.onerror = function (error) {
915 console.log("Socket error: " + error);
917 notificatinSocket.onopen = function (event) {
918 console.log("Socket connection opened.");
920 notificatinSocket.onclose = function (event) {
921 console.log("Socket connection closed.");
923 // if there is a problem on socket creation we get exception (i.e. when socket address is incorrect)
925 alert("Error when creating WebSocket" + e );
929 The *updateToasterStatus()* function represents function that calls
930 *GET* on the path that was modified and sets toaster status in some web
931 page element according to received data. After the WebSocket connection
932 has been established you can test events by calling make-toast RPC via
937 for more information about WebSockets in JavaScript visit `Writing
939 applications <https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_client_applications>`__
941 Netconf-connector + Netopeer
942 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
944 `Netopeer <https://github.com/cesnet/netopeer>`__ (an open-source
945 NETCONF server) can be used for testing/exploring NETCONF southbound in
948 Netopeer installation
949 ^^^^^^^^^^^^^^^^^^^^^
951 A `Docker <https://www.docker.com/>`__ container with netopeer will be
952 used in this guide. To install Docker and start the `netopeer
953 image <https://hub.docker.com/r/sysrepo/sysrepo-netopeer2>`__ perform
956 1. Install docker https://docs.docker.com/get-started/
958 2. Start the netopeer image:
962 docker run -it --name sysrepo -p 830:830 --rm sysrepo/sysrepo-netopeer2:latest
964 3. Verify netopeer is running by invoking (netopeer should send its
965 HELLO message right away:
969 ssh root@localhost -p 830 -s netconf
972 Mounting netopeer NETCONF server
973 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
977 - OpenDaylight is started with features ``odl-restconf-all`` and
978 ``odl-netconf-connector-all``.
980 - Netopeer is up and running in docker
982 Now just follow the section: `Spawning new NETCONF connectors`_.
983 In the payload change the:
985 - name, e.g., to netopeer
987 - username/password to your system credentials
993 After netopeer is mounted successfully, its configuration can be read
994 using RESTCONF by invoking:
997 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=netopeer/yang-ext:mount?content:config
999 Northbound (NETCONF servers)
1000 ----------------------------
1002 OpenDaylight provides 2 types of NETCONF servers:
1004 - **NETCONF server for config-subsystem (listening by default on port
1007 - Serves as a default interface for config-subsystem and allows
1008 users to spawn/reconfigure/destroy modules (or applications) in
1011 - **NETCONF server for MD-SAL (listening by default on port 2830)**
1013 - Serves as an alternative interface for MD-SAL (besides RESTCONF)
1014 and allows users to read/write data from MD-SAL’s datastore and to
1015 invoke its rpcs (NETCONF notifications are not available in the
1016 Boron release of OpenDaylight)
1020 The reason for having 2 NETCONF servers is that config-subsystem and
1021 MD-SAL are 2 different components of OpenDaylight and require
1022 different approaches for NETCONF message handling and data
1023 translation. These 2 components will probably merge in the future.
1027 Since Nitrogen release, there has been performance regression in NETCONF
1028 servers accepting SSH connections. While opening a connection takes
1029 less than 10 seconds on Carbon, on Nitrogen time can increase up to
1030 60 seconds. Please see https://jira.opendaylight.org/browse/ODLPARENT-112
1032 NETCONF server for config-subsystem
1033 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1035 This NETCONF server is the primary interface for config-subsystem. It
1036 allows the users to interact with config-subsystem in a standardized
1039 In terms of RFCs, these are supported:
1041 - `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
1043 - `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
1045 - `RFC-6470 <https://www.rfc-editor.org/rfc/rfc6470>`__
1047 - (partially, only the schema-change notification is available in
1050 - `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
1052 For regular users it is recommended to use RESTCONF + the
1053 controller-config loopback mountpoint instead of using pure NETCONF. How
1054 to do that is specific for each component/module/application in
1055 OpenDaylight and can be found in their dedicated user guides.
1057 NETCONF server for MD-SAL
1058 ~~~~~~~~~~~~~~~~~~~~~~~~~
1060 This NETCONF server is just a generic interface to MD-SAL in
1061 OpenDaylight. It uses the standard MD-SAL APIs and serves as an
1062 alternative to RESTCONF. It is fully model-driven and supports any data
1063 and rpcs that are supported by MD-SAL.
1065 In terms of RFCs, these are supported:
1067 - `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
1069 - `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
1071 - `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
1073 Notifications over NETCONF are not supported in the Boron release.
1077 Install NETCONF northbound for MD-SAL by installing feature:
1078 ``odl-netconf-mdsal`` in karaf. Default binding port is **2830**.
1083 The default configuration can be found in file: *08-netconf-mdsal.xml*.
1084 The file contains the configuration for all necessary dependencies and a
1085 single SSH endpoint starting on port 2830. There is also a (by default
1086 disabled) TCP endpoint. It is possible to start multiple endpoints at
1087 the same time either in the initial configuration file or while
1088 OpenDaylight is running.
1090 The credentials for SSH endpoint can also be configured here, the
1091 defaults are admin/admin. Credentials in the SSH endpoint are not yet
1092 managed by the centralized AAA component and have to be configured
1095 Verifying MD-SAL’s NETCONF server
1096 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1098 After the NETCONF server is available it can be examined by a command
1103 ssh admin@localhost -p 2830 -s netconf
1105 The server will respond by sending its HELLO message and can be used as
1106 a regular NETCONF server from then on.
1108 Mounting the MD-SAL’s NETCONF server
1109 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1111 To perform this operation, just spawn a new netconf-connector as
1112 described in `Spawning new NETCONF connectors`_. Just change the ip to
1113 "127.0.0.1" port to "2830" and its name to "controller-mdsal".
1115 Now the MD-SAL’s datastore can be read over RESTCONF via NETCONF by
1119 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=controller-mdsal/yang-ext:mount?content:nonconfig
1123 This might not seem very useful, since MD-SAL can be accessed
1124 directly from RESTCONF or from Application code, but the same method
1125 can be used to mount and control other OpenDaylight instances by the
1126 "master OpenDaylight".
1128 NETCONF stress/performance measuring tool
1129 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1131 This is basically a NETCONF client that puts NETCONF servers under heavy
1132 load of NETCONF RPCs and measures the time until a configurable amount
1133 of them is processed.
1135 RESTCONF stress-performance measuring tool
1136 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1138 Very similar to NETCONF stress tool with the difference of using
1139 RESTCONF protocol instead of NETCONF.
1141 YANGLIB remote repository
1142 -------------------------
1144 There are scenarios in NETCONF deployment, that require for a centralized
1145 YANG models repository. YANGLIB plugin provides such remote repository.
1147 To start this plugin, you have to install odl-yanglib feature. Then you
1148 have to configure YANGLIB either through RESTCONF or NETCONF. We will
1149 show how to configure YANGLIB through RESTCONF.
1151 YANGLIB configuration
1152 ~~~~~~~~~~~~~~~~~~~~~
1153 YANGLIB configuration works through OSGi Configuration Admin interface, in the
1154 ``org.opendaylight.netconf.yanglib`` configuration PID. There are three tuneables you can
1157 * ``cache-folder``, which defaults to ``cache/schema``
1158 * ``binding-address``, which defaults to ``localhost``
1159 * ``binding-port``, which defaults to ``8181``
1161 In order to change these settings, you can either modify the corresponding configuration
1162 file, ``etc/org.opendaylight.netconf.yanglib.cfg``, for example:
1165 cache-folder = cache/newSchema
1166 binding-address = localhost
1172 opendaylight-user@root>config:edit org.opendaylight.netconf.yanglib
1173 opendaylight-user@root>config:property-set cache-folder cache/newSchema
1174 opendaylight-user@root>config:property-set binding-address localhost
1175 opendaylight-user@root>config:property-set binding-port 8181
1176 opendaylight-user@root>config:update
1178 This YANGLIB takes all YANG sources from the configured sources folder and
1179 for each generates URL in form:
1183 http://localhost:8181/yanglib/schemas/{modelName}/{revision}
1185 On this URL will be hosted YANG source for particular module.
1187 YANGLIB instance also writes this URL along with source identifier to
1188 ietf-netconf-yang-library/modules-state/module list.
1190 Netconf-connector with YANG library as fallback
1191 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1193 There is an optional configuration in netconf-connector called
1194 yang-library. You can specify YANG library to be plugged as additional
1195 source provider into the mount's schema repository. Since YANGLIB
1196 plugin is advertising provided modules through yang-library model, we
1197 can use it in mount point's configuration as YANG library. To do this,
1198 we need to modify the configuration of netconf-connector by adding this
1203 <yang-library xmlns="urn:opendaylight:netconf-node-topology">
1204 <yang-library-url xmlns="urn:opendaylight:netconf-node-topology">http://localhost:8181/rests/data/ietf-yang-library:modules-state</yang-library-url>
1205 <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
1206 <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
1209 This will register YANGLIB provided sources as a fallback schemas for
1210 particular mount point.
1212 Restconf northbound configuration
1213 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1214 Restconf-nb configuration works through OSGi Configuration Admin interface, in the
1215 ``org.opendaylight.restconf.nb.rfc8040`` configuration PID. There are six tuneables you can
1218 * ``maximum-fragment-length``, which defaults to ``0``
1219 * ``heartbeat-interval``, which defaults to ``10000``
1220 * ``idle-timeout``, which defaults to ``30000``
1221 * ``ping-executor-name-prefix``, which defaults to ``ping-executor``
1222 * ``max-thread-count``, which defaults to ``1``
1223 * ``use-sse``, which defaults to ``true``
1225 *maximum-fragment-length* — Maximum web-socket fragment length in number of Unicode code units (characters)
1226 (exceeded message length leads to fragmentation of messages)
1228 *heartbeat-interval* — Interval in milliseconds between sending of ping control frames.
1230 *idle-timeout* — Maximum idle time of web-socket session before the session is closed (milliseconds).
1232 *ping-executor-name-prefix* — Name of thread group Ping Executor will be run with.
1234 *max-thread-count* — Number of threads Ping Executor will be run with.
1236 *use-sse* — In case of ``true`` access to notification streams will be via Server-Sent Events.
1237 Otherwise web-socket servlet will be initialized.
1239 In order to change these settings, you can either modify the corresponding configuration
1240 file, ``org.opendaylight.restconf.nb.rfc8040.cfg``, for example:
1244 maximum-fragment-length=0
1245 heartbeat-interval=10000
1247 ping-executor-name-prefix="ping-executor"
1255 opendaylight-user@root>config:edit org.opendaylight.restconf.nb.rfc8040
1256 opendaylight-user@root>config:property-set maximum-fragment_length 0
1257 opendaylight-user@root>config:property-set heartbeat-interval 10000
1258 opendaylight-user@root>config:property-set idle-timeout 30000
1259 opendaylight-user@root>config:property-set ping-executor-name-prefix "ping-executor"
1260 opendaylight-user@root>config:property-set max-thread-count 1
1261 opendaylight-user@root>config:property-set use-sse true
1262 opendaylight-user@root>config:update
1267 Call Home Installation
1268 ~~~~~~~~~~~~~~~~~~~~~~
1270 ODL Call-Home server is installed in Karaf by installing karaf feature
1271 ``odl-netconf-callhome-ssh``. RESTCONF feature is recommended for
1272 configuring Call Home & testing its functionality.
1276 feature:install odl-netconf-callhome-ssh
1281 In order to test Call Home functionality we recommend Netopeer or
1282 Netopeer2. See `Netopeer Call Home <https://github.com/CESNET/netopeer/wiki/CallHome>`__
1283 or `Netopeer2 <https://github.com/CESNET/netopeer2>`__ to learn how to
1284 enable call-home on Netopeer.
1286 Northbound Call-Home API
1287 ~~~~~~~~~~~~~~~~~~~~~~~~
1289 The northbound Call Home API is used for administering the Call-Home Server. The
1290 following describes this configuration.
1292 Global Configuration
1293 ^^^^^^^^^^^^^^^^^^^^
1296 The global configuration is not a part of the `RFC 8071
1297 <https://www.rfc-editor.org/rfc/rfc8071>`__ and, therefore, subject to change.
1299 Configuring global credentials
1300 ''''''''''''''''''''''''''''''
1302 The ODL Call-Home server allows user to configure global credentials, which will be
1303 used for devices connecting over SSH transport protocol that do not have
1304 device-specific credentials configured.
1306 This is done by creating
1307 ``/odl-netconf-callhome-server:netconf-callhome-server/global/credentials``
1308 with username and passwords specified.
1310 *Configuring global username & passwords to try*
1315 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/credentials
1316 Content-Type: application/json
1317 Accept: application/json
1319 .. code-block:: json
1324 "username": "example",
1325 "passwords": [ "first-password-to-try", "second-password-to-try" ]
1329 Configuring to accept any ssh server key using global credentials
1330 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
1332 By default Netconf Call-Home Server accepts only incoming connections
1333 from allowed devices
1334 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``,
1335 if user desires to allow all incoming connections, it is possible to set
1336 ``accept-all-ssh-keys`` to ``true`` in
1337 ``/odl-netconf-callhome-server:netconf-callhome-server/global``.
1339 The name of these devices in ``netconf-topology`` will be in format
1340 ``ip-address:port``. For naming devices see Device-Specific
1343 *Allowing unknown devices to connect*
1345 This is a debug feature and should not be used in production. Besides being an obvious
1346 security issue, this also causes the Call-Home Server to drastically increase its output
1352 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/accept-all-ssh-keys
1353 Content-Type: application/json
1354 Accept: application/json
1356 .. code-block:: json
1359 "accept-all-ssh-keys": "true"
1362 Device-Specific Configuration
1363 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1365 Netconf Call Home server supports both of the secure transports used
1366 by the Network Configuration Protocol (NETCONF) - Secure Shell (SSH),
1367 and Transport Layer Security (TLS).
1369 Configure device to connect over SSH protocol
1370 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1372 Netconf Call Home Server uses device provided SSH server key (host key)
1373 to identify device. The pairing of name and server key is configured in
1374 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``.
1375 This list is colloquially called a allowlist.
1377 If the Call-Home Server finds the SSH host key in the allowlist, it continues
1378 to negotiate a NETCONF connection over an SSH session. If the SSH host key is
1379 not found, the connection between the Call Home server and the device is dropped
1380 immediately. In either case, the device that connects to the Call home server
1381 leaves a record of its presence in the operational store.
1383 Configuring Device with Device-specific Credentials
1384 '''''''''''''''''''''''''''''''''''''''''''''''''''
1386 Adding specific device to the allowed list is done by creating
1387 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device={device}``
1388 with device-id and connection parameters inside the ssh-client-params container.
1390 *Configuring Device with Credentials*
1395 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1396 Content-Type: application/json
1397 Accept: application/json
1399 .. code-block:: json
1403 "unique-id": "example",
1404 "ssh-client-params": {
1406 "username": "example",
1407 "passwords": [ "password" ]
1409 "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1414 Configuring Device with Global Credentials
1415 '''''''''''''''''''''''''''''''''''''''''''''''''''
1417 It is possible to omit ``username`` and ``password`` for ssh-client-params,
1418 in such case values from global credentials will be used.
1420 *Example of configuring device*
1425 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1426 Content-Type: application/json
1427 Accept: application/json
1429 .. code-block:: json
1433 "unique-id": "example",
1434 "ssh-client-params": {
1435 "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1440 Deprecated configuration models for devices accessed with SSH protocol
1441 ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
1443 With `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8071>`__ alignment and adding
1444 support for TLS transport following configuration models have been marked
1447 Configuring Device with Global Credentials
1448 '''''''''''''''''''''''''''''''''''''''''''''''''''
1450 *Example of configuring device*
1455 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1456 Content-Type: application/json
1457 Accept: application/json
1459 .. code-block:: json
1463 "unique-id": "example",
1464 "ssh-host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1468 Configuring Device with Device-specific Credentials
1469 '''''''''''''''''''''''''''''''''''''''''''''''''''
1471 Call Home Server also allows the configuration of credentials per device basis.
1472 This is done by introducing ``credentials`` container into the
1473 device-specific configuration. Format is same as in global credentials.
1475 *Configuring Device with Credentials*
1480 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1481 Content-Type: application/json
1482 Accept: application/json
1484 .. code-block:: json
1488 "unique-id": "example",
1490 "username": "example",
1491 "passwords": [ "password" ]
1493 "ssh-host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1497 Configure device to connect over TLS protocol
1498 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1500 Netconf Call Home Server allows devices to use TLS transport protocol to
1501 establish a connection towards the NETCONF device. This communication
1502 requires proper setup to make two-way TLS authentication possible for client
1505 The initial step is to configure certificates and keys for two-way TLS by
1506 storing them within the netconf-keystore.
1508 *Adding a client private key credential to the netconf-keystore*
1513 /rests/operations/netconf-keystore:add-keystore-entry
1514 Content-Type: application/json
1515 Accept: application/json
1517 .. code-block:: json
1523 "key-id": "example-client-key-id",
1524 "private-key": "base64encoded-private-key",
1525 "passphrase": "passphrase"
1531 *Associate a private key with a client and CA certificates chain*
1536 /rests/operations/netconf-keystore:add-private-key
1537 Content-Type: application/json
1538 Accept: application/json
1540 .. code-block:: json
1546 "name": "example-client-key-id",
1548 "certificate-chain": [
1556 *Add a list of trusted CA and server certificates*
1561 /rests/operations/netconf-keystore:add-trusted-certificate
1562 Content-Type: application/json
1563 Accept: application/json
1565 .. code-block:: json
1569 "trusted-certificate": [
1571 "name": "example-ca-certificate",
1572 "certificate": "ca-certificate-data"
1575 "name": "example-server-certificate",
1576 "certificate": "server-certificate-data"
1582 In a second step, it is required to create an allowed device associated with
1583 a server certificate and client key. The server certificate will be used to
1584 identify and pin the NETCONF device during SSL handshake and should be unique
1585 among the allowed devices.
1587 *Add device configuration for TLS protocol to allowed devices list*
1592 /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example-device
1593 Content-Type: application/json
1594 Accept: application/json
1596 .. code-block:: json
1600 "unique-id": "example-device",
1601 "tls-client-params": {
1602 "key-id": "example-client-key-id",
1603 "certificate-id": "example-server-certificate"
1611 Once an entry is made on the config side of "allowed-devices", the Call-Home Server will
1612 populate a corresponding operational device that is the same as the config device but
1613 has an additional status. By default, this status is *DISCONNECTED*. Once a device calls
1614 home, this status will change to one of:
1616 *CONNECTED* — The device is currently connected and the NETCONF mount is available for network
1619 *FAILED_AUTH_FAILURE* — The last attempted connection was unsuccessful because the Call-Home
1620 Server was unable to provide the acceptable credentials of the device. The device is also
1621 disconnected and not available for network management.
1623 *FAILED_NOT_ALLOWED* — The last attempted connection was unsuccessful because the device was
1624 not recognized as an acceptable device. The device is also disconnected and not available for
1627 *FAILED* — The last attempted connection was unsuccessful for a reason other than not
1628 allowed to connect or incorrect client credentials. The device is also disconnected and not
1629 available for network management.
1631 *DISCONNECTED* — The device is currently disconnected.
1636 Devices that are not on the allowlist might try to connect to the Call-Home Server. In
1637 these cases, the server will keep a record by instantiating an operational device. There
1638 will be no corresponding config device for these rogues. They can be identified readily
1639 because their device id, rather than being user-supplied, will be of the form
1640 "address:port". Note that if a device calls back multiple times, there will only be
1641 a single operatinal entry (even if the port changes); these devices are recognized by
1642 their unique host key.
1644 Southbound Call-Home API
1645 ~~~~~~~~~~~~~~~~~~~~~~~~
1647 The Call-Home Server listens for incoming TCP connections and assumes that the other side of
1648 the connection is a device calling home via a NETCONF connection with SSH for
1649 management. The server uses port 4334 by default and this can be configured via a
1650 blueprint configuration file.
1652 The device **must** initiate the connection and the server will not try to re-establish the
1653 connection in case of a drop. By requirement, the server cannot assume it has connectivity
1654 to the device due to NAT or firewalls among others.
1656 Reading data with selected fields
1657 ---------------------------------
1662 If user would like to read only selected fields from a NETCONF device, it is possible to use
1663 the fields query parameter that is described by RFC-8040. RESTCONF parses content of query
1664 parameter into format that is accepted by NETCONF subtree filtering - filtering of data is done
1665 on NETCONF server, not on NETCONF client side. This approach optimizes network traffic load,
1666 because data in which user doesn't have interest, is not transferred over network.
1670 * using single RESTCONF request and single NETCONF RPC for reading multiple subtrees
1671 * possibility to read only selected fields under list node across multiple hierarchies
1672 (it cannot be done without proper selection API)
1676 More information about fields query parameter: `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.3>`__
1681 For demonstration, we will define next YANG model:
1685 module test-module {
1687 namespace "urn:opendaylight:test-module";
1689 revision "2023-02-16";
1692 container simple-root {
1712 container list-root {
1725 container next-data {
1747 Follow the :doc:`testtool` instructions to save this schema and run it with testtool.
1749 Mounting NETCONF device that runs on NETCONF testtool:
1751 .. code-block:: bash
1753 curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool' \
1754 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1755 --header 'Content-Type: application/json' \
1759 "node-id": "testtool",
1760 "netconf-node-topology:host": "127.0.0.1",
1761 "netconf-node-topology:port": 17830,
1762 "netconf-node-topology:keepalive-delay": 100,
1763 "netconf-node-topology:tcp-only": false,
1764 "netconf-node-topology:login-password-unencrypted": {
1765 "netconf-node-topology:username": "admin",
1766 "netconf-node-topology:password": "admin"
1772 Setting initial configuration on NETCONF device:
1774 .. code-block:: bash
1776 curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root' \
1777 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1778 --header 'Content-Type: application/json' \
1877 1. Reading whole leaf-list 'll' and leaf 'nested/sample-x' under 'simple-root' container.
1881 .. code-block:: bash
1883 curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/simple-root?content=config&fields=ll;nested/sample-x' \
1884 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1885 --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
1887 Generated NETCONF RPC request:
1891 <rpc message-id="m-18" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1896 <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1897 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1911 Using fields query parameter it is also possible to read whole leaf-list or list without
1912 necessity to specify value / key predicate (without reading parent entity). Such scenario
1913 is not permitted in RFC-8040 paths alone - fields query parameter can be used as
1914 workaround for this case.
1918 .. code-block:: json
1921 "test-module:simple-root": {
1933 2. Reading all identifiers of 'nested-list' under all elements of 'top-list'.
1937 .. code-block:: bash
1939 curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=top-list(nested-list/identifier)' \
1940 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1941 --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
1943 Generated NETCONF RPC request:
1947 <rpc message-id="m-27" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1952 <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1953 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1970 NETCONF client automatically fetches values of list keys since they are required for correct
1971 deserialization of NETCONF response and at the end serialization of response to RESTCONF
1972 response (JSON/XML).
1976 .. code-block:: json
1979 "test-module:list-root": {
2030 3. Reading value of leaf 'branch-ab' and all values of leaves 'switch-1' that are placed
2031 under 'top-list' list elements.
2035 .. code-block:: bash
2037 curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=branch-ab;top-list/next-data/switch-1' \
2038 --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
2039 --header 'Cookie: JSESSIONID=node01jx6o5thwae9t1ft7c2zau5zbz4.node0'
2041 Generated NETCONF RPC request:
2045 <rpc message-id="m-42" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
2050 <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
2051 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
2069 .. code-block:: json
2072 "test-module:list-root": {
2107 The OpenAPI provides full API for configurational data which can be edited (by POST, PUT, PATCH and DELETE).
2108 For operational data we only provide GET API. For the majority of requests you can see only config data in examples.
2109 That’s because we can show only one example per request. The exception when you can see operational data in an
2110 example is when data are representing an operational (config false) container with no config data in it.
2113 Using the OpenAPI Explorer through HTTP
2114 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2116 1. Install OpenApi into Karaf by installing karaf feature:
2120 $ feature:install odl-restconf-openapi
2122 2. Navigate to OpenAPI in your web browser which is available at URLs:
2124 - http://localhost:8181/openapi/explorer/index.html for general overview
2126 - http://localhost:8181/openapi/api/v3/single for JSON data
2130 In the URL links for OpenAPI, change *localhost* to the IP/Host name of your actual server.
2132 3. Enter the username and password.
2133 By default the credentials are *admin/admin*.
2135 4. Select any model to try out.
2137 5. Select any available request to try out.
2139 6. Click on the **Try it out** button.
2141 7. Provide any required parameters or edit request body.
2143 8. Click the **Execute** button.
2145 9. You can see responses to the given request.
2148 OpenAPI Explorer can also be used for connected device. How to connect a device can be found :ref:`here <netconf-connector>`.
2150 OpenAPI URLs in that case would look like this:
2152 - `http://localhost:8181/openapi/explorer/index.html?urls.primaryName=17830-sim-device resources - RestConf RFC 8040 <http://localhost:8181/openapi/explorer/index.html?urls.primaryName=17830-sim-device%20resources%20-%20RestConf%20RFC%208040>`_ for device overview
2154 - http://localhost:8181/openapi/api/v3/mounts/1 for JSON data
2156 - `http://localhost:8181/openapi/api/v3/mounts/1/toaster(2009-11-20) <http://localhost:8181/openapi/api/v3/mounts/1/toaster(2009-11-20)>`__ JSON data for given model
2160 The URL links for OpenAPI are made for device with name *17830-sim-device* and model toaster
2161 with *2009-11-20* revision and need to be changed accordingly to connected device.