Update user-guide after login-password removal
[netconf.git] / docs / user-guide.rst
1 .. _netconf-user-guide:
2
3 .. |ss| raw:: html
4
5    <strike>
6
7 .. |se| raw:: html
8
9    </strike>
10
11 NETCONF User Guide
12 ==================
13
14 Overview
15 --------
16
17 NETCONF is an XML-based protocol used for configuration and monitoring
18 devices in the network. The base NETCONF protocol is described in
19 `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__.
20
21 **NETCONF in OpenDaylight:.**
22
23 OpenDaylight supports the NETCONF protocol as a northbound server as
24 well as a southbound plugin. It also includes a set of test tools for
25 simulating NETCONF devices and clients.
26
27 Southbound (netconf-connector)
28 ------------------------------
29
30 The NETCONF southbound plugin is capable of connecting to remote NETCONF
31 devices and exposing their configuration/operational datastores, RPCs
32 and notifications as MD-SAL mount points. These mount points allow
33 applications and remote users (over RESTCONF) to interact with the
34 mounted devices.
35
36 In terms of RFCs, the connector supports:
37
38 -  `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
39
40 -  `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
41
42 -  `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
43
44 -  `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
45
46 **Netconf-connector is fully model-driven (utilizing the YANG modeling
47 language) so in addition to the above RFCs, it supports any
48 data/RPC/notifications described by a YANG model that is implemented by
49 the device.**
50
51 .. tip::
52
53     NETCONF southbound can be activated by installing
54     ``odl-netconf-connector-all`` Karaf feature.
55
56 .. _netconf-connector:
57
58 Netconf-connector configuration
59 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
60
61 NETCONF connectors are configured directly through the usage of the
62 network-topology model. You can configure new NETCONF connectors both
63 through the NETCONF server for MD-SAL (port 2830) or RESTCONF. This guide
64 focuses on RESTCONF.
65
66 .. important::
67
68     Since 2022.09 Chlorine there is only one RESTCONF endpoint:
69
70     - | ``http://localhost:8181/rests`` is related to `RFC-8040 <https://www.rfc-editor.org/rfc/rfc8040>`__,
71       | can be activated by installing ``odl-restconf-nb``
72        Karaf feature.
73
74     | Resources for configuration and operational datastores start
75      ``/rests/data/``,
76     | e. g. GET
77      http://localhost:8181/rests/data/network-topology:network-topology
78      with response of both datastores. It's allowed to use query
79      parameters to distinguish between them.
80     | e. g. GET
81      http://localhost:8181/rests/data/network-topology:network-topology?content=config
82      for configuration datastore
83     | and GET
84      http://localhost:8181/rests/data/network-topology:network-topology?content=nonconfig
85      for operational datastore.
86
87     | Also if a data node in the path expression is a YANG leaf-list or list
88      node, the path segment has to be constructed by having leaf-list or
89      list node name, followed by an "=" character, then followed by the
90      leaf-list or list value. Any reserved characters must be
91      percent-encoded.
92     | e. g. GET
93      http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf?content=config
94      for retrieving data from configuration datastore for
95      topology-netconf value of topology list.
96
97 Preconditions
98 ^^^^^^^^^^^^^
99
100 1. OpenDaylight is running
101
102 2. In Karaf, you must have the ``odl-netconf-topology`` or
103    ``odl-netconf-clustered-topology`` feature installed.
104
105 3. Feature ``odl-restconf-nb`` must be installed
106
107 Spawning new NETCONF connectors
108 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
109
110 To create a new NETCONF connector you need to send the following PUT request
111 to RESTCONF:
112
113 .. list-table::
114    :widths: 1 5
115
116    * - rfc8040
117      - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
118
119 You could use the same body to create the new  NETCONF connector with a POST
120 without specifying the node in the URL:
121
122 .. list-table::
123    :widths: 1 5
124
125    * - rfc8040
126      - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf
127
128 Payload:
129
130 .. tabs::
131
132    .. tab:: XML
133
134       **Content-type:** ``application/xml``
135
136       **Accept:** ``application/xml``
137
138       **Authentication:** ``admin:admin``
139
140       .. code-block:: xml
141
142          <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
143            <node-id>new-netconf-device</node-id>
144            <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
145            <port xmlns="urn:opendaylight:netconf-node-topology">17830</port>
146            <login-password-unencrypted xmlns="urn:opendaylight:netconf-node-topology">
147              <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
148              <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
149            </login-password-unencrypted>
150            <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
151            <!-- non-mandatory fields with default values, you can safely remove these if you do not wish to override any of these values-->
152            <reconnect-on-changed-schema xmlns="urn:opendaylight:netconf-node-topology">false</reconnect-on-changed-schema>
153            <connection-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">20000</connection-timeout-millis>
154            <max-connection-attempts xmlns="urn:opendaylight:netconf-node-topology">0</max-connection-attempts>
155            <between-attempts-timeout-millis xmlns="urn:opendaylight:netconf-node-topology">2000</between-attempts-timeout-millis>
156            <sleep-factor xmlns="urn:opendaylight:netconf-node-topology">1.5</sleep-factor>
157            <!-- keepalive-delay set to 0 turns off keepalives-->
158            <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">120</keepalive-delay>
159          </node>
160
161    .. tab:: JSON
162
163       **Content-type:** ``application/json``
164
165       **Accept:** ``application/json``
166
167       **Authentication:** ``admin:admin``
168
169       .. code-block:: json
170
171          {
172              "node": [
173                  {
174                      "node-id": "new-netconf-device",
175                      "netconf-node-topology:port": 17830,
176                      "netconf-node-topology:reconnect-on-changed-schema": false,
177                      "netconf-node-topology:connection-timeout-millis": 20000,
178                      "netconf-node-topology:tcp-only": false,
179                      "netconf-node-topology:max-connection-attempts": 0,
180                      "netconf-node-topology:login-password-unencrypted": {
181                         "netconf-node-topology:username": "admin",
182                         "netconf-node-topology:password": "admin"
183                      },
184                      "netconf-node-topology:sleep-factor": 1.5,
185                      "netconf-node-topology:host": "127.0.0.1",
186                      "netconf-node-topology:between-attempts-timeout-millis": 2000,
187                      "netconf-node-topology:keepalive-delay": 120
188                  }
189              ]
190          }
191
192 Note that the device name in <node-id> element must match the last
193 element of the restconf URL.
194
195 Reconfiguring an existing connector
196 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
197
198 The steps to reconfigure an existing connector are exactly the same as
199 when spawning a new connector. The old connection will be disconnected
200 and a new connector with the new configuration will be created. This needs
201 to be done with a PUT request because the node already exists. A POST
202 request will fail for that reason.
203
204 Additionally, a PATCH request can be used to modify an existing
205 configuration. Currently, only yang-patch (`RFC-8072 <https://www.rfc-editor.org/rfc/rfc8072>`__)
206 is supported. The URL would be the same as the above PUT examples.
207 Using JSON for the body, the headers needed for the request would
208 be:
209
210 Headers:
211
212 -  Accept: application/yang-data+json
213
214 -  Content-Type: application/yang-patch+json
215
216 Example JSON payload to modify the password entry:
217
218 ::
219
220     {
221       "ietf-restconf:yang-patch" : {
222         "patch-id" : "0",
223         "edit" : [
224           {
225             "edit-id" : "edit1",
226             "operation" : "merge",
227             "target" : "",
228             "value" : {
229              "node": [
230                 {
231                  "node-id": "new-netconf-device",
232                  "netconf-node-topology:password" : "newpassword"
233                 }
234              ]
235             }
236          }
237         ]
238       }
239     }
240
241 Deleting an existing connector
242 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
243
244 To remove an already configured NETCONF connector you need to send a
245 DELETE request to the same PUT request URL that was used to create the
246 device:
247
248 .. list-table::
249    :widths: 1 5
250
251    * - rfc8040
252      - http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device
253
254 .. note::
255
256     No body is needed to delete the node/device
257
258 Connecting to a device not supporting NETCONF monitoring
259 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
260
261 The netconf-connector in OpenDaylight relies on ietf-netconf-monitoring
262 support when connecting to remote NETCONF device. The
263 ietf-netconf-monitoring support allows netconf-connector to list and
264 download all YANG schemas that are used by the device. NETCONF connector
265 can only communicate with a device if it knows the set of used schemas
266 (or at least a subset). However, some devices use YANG models internally
267 but do not support NETCONF monitoring. Netconf-connector can also
268 communicate with these devices, but you have to side load the necessary
269 yang models into OpenDaylight’s YANG model cache for netconf-connector.
270 In general there are 2 situations you might encounter:
271
272 **1. NETCONF device does not support ietf-netconf-monitoring but it does
273 list all its YANG models as capabilities in HELLO message**
274
275 This could be a device that internally uses only ietf-inet-types YANG
276 model with revision 2010-09-24. In the HELLO message that is sent from
277 this device there is this capability reported:
278
279 ::
280
281     urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2010-09-24
282
283 **For such devices you only need to put the schema into folder
284 cache/schema inside your Karaf distribution.**
285
286 .. important::
287
288     The file with YANG schema for ietf-inet-types has to be called
289     ietf-inet-types@2010-09-24.yang. It is the required naming format of
290     the cache.
291
292 **2. NETCONF device does not support ietf-netconf-monitoring and it does
293 NOT list its YANG models as capabilities in HELLO message**
294
295 Compared to device that lists its YANG models in HELLO message, in this
296 case there would be no capability with ietf-inet-types in the HELLO
297 message. This type of device basically provides no information about the
298 YANG schemas it uses so its up to the user of OpenDaylight to properly
299 configure netconf-connector for this device.
300
301 Netconf-connector has an optional configuration attribute called
302 yang-module-capabilities and this attribute can contain a list of "YANG
303 module based" capabilities. So by setting this configuration attribute,
304 it is possible to override the "yang-module-based" capabilities reported
305 in HELLO message of the device. To do this, we need to modify the
306 configuration of netconf-connector like in the example below:
307
308 .. tabs::
309
310    .. tab:: XML
311
312       **Content-type:** ``application/xml``
313
314       **Accept:** ``application/xml``
315
316       **Authentication:** ``admin:admin``
317
318       .. code-block:: xml
319
320          <node xmlns="urn:TBD:params:xml:ns:yang:network-topology">
321            <node-id>r5</node-id>
322            <host xmlns="urn:opendaylight:netconf-node-topology">127.0.0.1</host>
323            <port xmlns="urn:opendaylight:netconf-node-topology">8305</port>
324            <login-password-unencrypted xmlns="urn:opendaylight:netconf-node-topology">
325              <username xmlns="urn:opendaylight:netconf-node-topology">root</username>
326              <password xmlns="urn:opendaylight:netconf-node-topology">root</password>
327            </login-password-unencrypted>
328            <tcp-only xmlns="urn:opendaylight:netconf-node-topology">false</tcp-only>
329            <keepalive-delay xmlns="urn:opendaylight:netconf-node-topology">30</keepalive-delay>
330            <yang-module-capabilities xmlns="urn:opendaylight:netconf-node-topology">
331              <override>true</override>
332              <capability xmlns="urn:opendaylight:netconf-node-topology">
333                urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&amp;revision=2013-07-15
334              </capability>
335            </yang-module-capabilities>
336          </node>
337
338    .. tab:: JSON
339
340       **Content-type:** ``application/json``
341
342       **Accept:** ``application/json``
343
344       **Authentication:** ``admin:admin``
345
346       .. code-block:: json
347
348          {
349              "node": [
350                  {
351                      "node-id": "device",
352                      "netconf-node-topology:host": "127.0.0.1",
353                      "netconf-node-topology:login-password-unencrypted": {
354                         "netconf-node-topology:password": "root",
355                         "netconf-node-topology:username": "root"
356                      },
357                      "netconf-node-topology:yang-module-capabilities": {
358                          "override": true,
359                          "capability": [
360                              "urn:ietf:params:xml:ns:yang:ietf-inet-types?module=ietf-inet-types&revision=2013-07-15"
361                          ]
362                      },
363                      "netconf-node-topology:port": 8305,
364                      "netconf-node-topology:tcp-only": false,
365                      "netconf-node-topology:keepalive-delay": 30
366                  }
367              ]
368          }
369
370 **Remember to also put the YANG schemas into the cache folder.**
371
372 .. note::
373
374     For putting multiple capabilities, you just need to replicate the
375     capability element inside yang-module-capability element.
376     Capability element is modeled as a leaf-list. With this
377     configuration, we would make the remote device report usage of
378     ietf-inet-types in the eyes of netconf-connector.
379
380 Connecting to a device supporting only NETCONF 1.0
381 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
382
383 OpenDaylight is schema-based distribution and heavily depends on YANG
384 models. However some legacy NETCONF devices are not schema-based and
385 implement just RFC 4741. This type of device does not utilize YANG
386 models internally and OpenDaylight does not know how to communicate
387 with such devices, how to validate data, or what the semantics of data
388 are.
389
390 NETCONF connector can communicate also with these devices, but the
391 trade-offs are worsened possibilities in utilization of NETCONF
392 mountpoints. Using RESTCONF with such devices is not supported. Also
393 communicating with schemaless devices from application code is slightly
394 different.
395
396 To connect to schemaless device, there is a optional configuration option
397 in netconf-node-topology model called schemaless. You have to set this
398 option to true.
399
400 Clustered NETCONF connector
401 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
402
403 To spawn NETCONF connectors that are cluster-aware you need to install
404 the ``odl-netconf-clustered-topology`` karaf feature.
405
406 .. warning::
407
408     The ``odl-netconf-topology`` and ``odl-netconf-clustered-topology``
409     features are considered **INCOMPATIBLE**. They both manage the same
410     space in the datastore and would issue conflicting writes if
411     installed together.
412
413 Configuration of clustered NETCONF connectors works the same as the
414 configuration through the topology model in the previous section.
415
416 When a new clustered connector is configured the configuration gets
417 distributed among the member nodes and a NETCONF connector is spawned on
418 each node. From these nodes a master is chosen which handles the schema
419 download from the device and all the communication with the device. You
420 will be able to read/write to/from the device from all slave nodes due
421 to the proxy data brokers implemented.
422
423 You can use the ``odl-netconf-clustered-topology`` feature in a single
424 node scenario as well but the code that uses akka will be used, so for a
425 scenario where only a single node is used, ``odl-netconf-topology``
426 might be preferred.
427
428 Netconf-connector utilization
429 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
430
431 Once the connector is up and running, users can utilize the new mount
432 point instance. By using RESTCONF or from their application code. This
433 chapter deals with using RESTCONF and more information for app
434 developers can be found in the developers guide or in the official
435 tutorial application **ncmount** that can be found in the coretutorials
436 project:
437
438 -  https://github.com/opendaylight/coretutorials/tree/master/ncmount
439
440 Reading data from the device
441 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
442
443 Just invoke (no body needed):
444
445 GET
446 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount?content=nonconfig
447
448 This will return the entire content of operation datastore from the
449 device. To view just the configuration datastore, change **nonconfig**
450 in this URL to **config**.
451
452 Writing configuration data to the device
453 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
454
455 In general, you cannot simply write any data you want to the device. The
456 data have to conform to the YANG models implemented by the device. In
457 this example we are adding a new interface-configuration to the mounted
458 device (assuming the device supports Cisco-IOS-XR-ifmgr-cfg YANG model).
459 In fact this request comes from the tutorial dedicated to the
460 **ncmount** tutorial app.
461
462 POST
463 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/Cisco-IOS-XR-ifmgr-cfg:interface-configurations
464
465 ::
466
467     <interface-configuration xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg">
468         <active>act</active>
469         <interface-name>mpls</interface-name>
470         <description>Interface description</description>
471         <bandwidth>32</bandwidth>
472         <link-status></link-status>
473     </interface-configuration>
474
475 Should return 200 response code with no body.
476
477 .. tip::
478
479     This call is transformed into a couple of NETCONF RPCs. Resulting
480     NETCONF RPCs that go directly to the device can be found in the
481     OpenDaylight logs after invoking ``log:set TRACE
482     org.opendaylight.controller.sal.connect.netconf`` in the Karaf
483     shell. Seeing the NETCONF RPCs might help with debugging.
484
485 This request is very similar to the one where we spawned a new netconf
486 device. That’s because we used the loopback netconf-connector to write
487 configuration data into config-subsystem datastore and config-subsystem
488 picked it up from there.
489
490 Invoking custom RPC
491 ^^^^^^^^^^^^^^^^^^^
492
493 Devices can implement any additional RPC and as long as it provides YANG
494 models for it, it can be invoked from OpenDaylight. Following example
495 shows how to invoke the get-schema RPC (get-schema is quite common among
496 netconf devices). Invoke:
497
498 POST
499 http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=new-netconf-device/yang-ext:mount/ietf-netconf-monitoring:get-schema
500
501 ::
502
503     <input xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-monitoring">
504       <identifier>ietf-yang-types</identifier>
505       <version>2013-07-15</version>
506     </input>
507
508 This call should fetch the source for ietf-yang-types YANG model from
509 the mounted device.
510
511 Receiving Netconf Device Notifications on a http client
512 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
513
514 Devices emit netconf alarms and notifications in certain situations, which can demand
515 attention from Device Administration. The notifications are received as Netconf messages on an
516 active Netconf session.
517
518 Opendaylight provides the way to stream the device notifications over a http session.
519
520 - Step 1: Mount the device (assume node name is test_device)
521
522 - Step 2: Wait for the device to be connected.
523
524 - Step 3: Create the Subscription for notification on the active session.
525
526  .. code-block::
527
528     POST
529     http://localhost:8181/rests/operations/network-topology:network-topology/topology=topology-netconf/node=test_device/yang-ext:mount/notifications:create-subscription
530     Content-Type: application/json
531     Accept: application/json
532
533  .. code-block:: json
534
535     {
536       "input": {
537         "stream": "NETCONF"
538        }
539     }
540
541 - Step 4: Create the http Stream for the events.
542
543 .. code-block::
544
545     POST
546     http://localhost:8181/rests/operations/odl-device-notification:subscribe-device-notification
547     Content-Type: application/json
548     Accept: application/json
549
550 .. code-block:: json
551
552     {
553       "input": {
554          "path":"/network-topology:network-topology/topology[topology-id='topology-netconf']/node[node-id='test_device']"
555       }
556     }
557
558 The response suggests the http url for reading the notifications.
559
560 .. code-block:: json
561
562     {
563        "odl-device-notification:output": {
564             "stream-path": "http://localhost:8181/rests/notif/test_device?notificationType=test_device"
565         }
566     }
567
568 - Step 5: User can access the url in the response and the notifications will be as follows.
569
570 .. code-block::
571
572     GET
573     http://localhost:8181/rests/notif/test_device?notificationType=test_device
574     Content-Type: application/xml
575     Accept: application/xml
576
577
578 .. code-block:: xml
579
580     : ping
581
582     : ping
583
584     : ping
585
586     : ping
587
588     : ping
589
590     data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:08.60228Z</eventTime><netconf-session-start xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><session-id>2</session-id></netconf-session-start></notification>
591
592     data: <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"><eventTime>2022-06-17T07:01:12.458258Z</eventTime><netconf-session-end xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-notifications"><username>root</username><source-host>127.0.0.1</source-host><termination-reason>closed</termination-reason><session-id>2</session-id></netconf-session-end></notification>
593
594 Change event notification subscription tutorial
595 -----------------------------------------------
596
597 Subscribing to data change notifications makes it possible to obtain
598 notifications about data manipulation (insert, change, delete) which are
599 done on any specified **path** of any specified **datastore** with
600 specific **scope**. In following examples *{odlAddress}* is address of
601 server where ODL is running and *{odlPort}* is port on which
602 OpenDaylight is running. OpenDaylight offers two methods for receiving notifications:
603 Server-Sent Events (SSE) and WebSocket. SSE is the default notification mechanism used in OpenDaylight.
604
605 SSE notifications subscription process
606 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
607
608 In this section we will learn what steps need to be taken in order to
609 successfully subscribe to data change event notifications.
610
611 Create stream
612 ^^^^^^^^^^^^^
613
614 In order to use event notifications you first need to call RPC that
615 creates notification stream that you can later listen to. You need to
616 provide three parameters to this RPC:
617
618 -  **path**: data store path that you plan to listen to. You can
619    register listener on containers, lists and leaves.
620
621 -  **datastore**: data store type. *OPERATIONAL* or *CONFIGURATION*.
622
623 -  **scope**: Represents scope of data change. Possible options are:
624
625    -  BASE: only changes directly to the data tree node specified in the
626       path will be reported
627
628    -  ONE: changes to the node and to direct child nodes will be
629       reported
630
631    -  SUBTREE: changes anywhere in the subtree starting at the node will
632       be reported
633
634 The RPC to create the stream can be invoked via RESTCONF like this:
635
636 ::
637
638     OPERATION: POST
639     URI:  http://{odlAddress}:{odlPort}/rests/operations/sal-remote:create-data-change-event-subscription
640     HEADER: Content-Type=application/json
641             Accept=application/json
642
643 .. code-block:: json
644
645        {
646            "input": {
647                "path": "/toaster:toaster/toaster:toasterStatus",
648                "sal-remote-augment:datastore": "OPERATIONAL",
649                "sal-remote-augment:scope": "ONE"
650            }
651        }
652
653 The response should look something like this:
654
655 .. code-block:: json
656
657     {
658         "sal-remote:output": {
659             "stream-name": "data-change-event-subscription/toaster:toaster/toaster:toasterStatus/datastore=CONFIGURATION/scope=SUBTREE"
660         }
661     }
662
663 **stream-name** is important because you will need to use it when you
664 subscribe to the stream in the next step.
665
666 .. note::
667
668     Internally, this will create a new listener for *stream-name* if it
669     did not already exist.
670
671 Subscribe to stream
672 ^^^^^^^^^^^^^^^^^^^
673
674 In order to subscribe to stream and obtain SSE location you need
675 to call *GET* on your stream path. The URI should generally be
676 `http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/{streamName}`,
677 where *{streamName}* is the *stream-name* parameter contained in
678 response from *create-data-change-event-subscription* RPC from the
679 previous step.
680
681 ::
682
683    OPERATION: GET
684    URI: http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/data-change-event-subscription/toaster:toaster/datastore=CONFIGURATION/scope=SUBTREE
685
686 The subscription call may be modified with the following query parameters defined in the RESTCONF RFC:
687
688 -  `filter <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.4>`__
689
690 -  `start-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.7>`__
691
692 -  `end-time <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.8>`__
693
694 In addition, the following ODL extension query parameter is supported:
695
696 :odl-leaf-nodes-only:
697   If this parameter is set to "true", create and update notifications will only
698   contain the leaf nodes modified instead of the entire subscription subtree.
699   This can help in reducing the size of the notifications.
700
701 :odl-skip-notification-data:
702   If this parameter is set to "true", create and update notifications will only
703   contain modified leaf nodes without data.
704   This can help in reducing the size of the notifications.
705
706 The response should look something like this:
707
708 .. code-block:: json
709
710     {
711         "subscribe-to-notification:location": "http://localhost:8181/rests/notif/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=SUBTREE"
712     }
713
714 .. note::
715
716     During this phase there is an internal check for to see if a
717     listener for the *stream-name* from the URI exists. If not, new a
718     new listener is registered with the DOM data broker.
719
720 Receive notifications
721 ^^^^^^^^^^^^^^^^^^^^^
722
723 Once you got SSE location you can now connect to it and
724 start receiving data change events. The request should look something like this:
725
726 ::
727
728     curl -v -X GET  http://localhost:8181/rests/notif/data-change-event-subscription/toaster:toaster/toasterStatus/datastore=OPERATIONAL/scope=ONE  -H "Content-Type: text/event-stream" -H "Authorization: Basic YWRtaW46YWRtaW4="
729
730
731 WebSocket notifications subscription process
732 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
733
734 Enabling WebSocket notifications in OpenDaylight requires a manual setup before starting the application.
735 The following steps can be followed to enable WebSocket notifications in OpenDaylight:
736
737 1. Open the file `restconf8040.cfg`, at `etc/` folder inside your Karaf distribution.
738 2. Locate the `use-sse` configuration parameter and change its value from `true` to `false`.
739 3. Uncomment the `use-sse` parameter if it is commented out.
740 4. Save the changes made to the `restconf8040.cfg` file.
741 5. Restart OpenDaylight if it is already running.
742
743 Once these steps are completed, WebSocket notifications will be enabled in OpenDaylight,
744 and they can be used for receiving notifications instead of SSE.
745
746 WebSocket Notifications subscription process is the same as SSE until you receive a location of WebSocket.
747 You can follow steps given above and after subscribing to a notification stream over WebSocket,
748 you will receive a response indicating that the subscription was successful:
749
750 .. code-block:: json
751
752     {
753         "subscribe-to-notification:location": "ws://localhost:8181/rests/notif/data-change-event-subscription/network-topology:network-topology/datastore=CONFIGURATION/scope=SUBTREE"
754     }
755
756 You can use this WebSocket to listen to data
757 change notifications. To listen to notifications you can use a
758 JavaScript client or if you are using chrome browser you can use the
759 `Simple WebSocket
760 Client <https://chrome.google.com/webstore/detail/simple-websocket-client/pfdhoblngboilpfeibdedpjgfnlcodoo>`__.
761
762 Also, for testing purposes, there is simple Java application named
763 WebSocketClient. The application is placed in the
764 */restconf/websocket-client* project. It accepts a WebSocket URI
765 as an input parameter. After starting the utility (WebSocketClient
766 class directly in Eclipse/InteliJ Idea) received notifications should be
767 displayed in console.
768
769 Notifications are always in XML format and look like this:
770
771 .. code-block:: xml
772
773     <notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
774         <eventTime>2014-09-11T09:58:23+02:00</eventTime>
775         <data-changed-notification xmlns="urn:opendaylight:params:xml:ns:yang:controller:md:sal:remote">
776             <data-change-event>
777                 <path xmlns:meae="http://netconfcentral.org/ns/toaster">/meae:toaster</path>
778                 <operation>updated</operation>
779                 <data>
780                    <!-- updated data -->
781                 </data>
782             </data-change-event>
783         </data-changed-notification>
784     </notification>
785
786 Example use case
787 ~~~~~~~~~~~~~~~~
788
789 The typical use case is listening to data change events to update web
790 page data in real time. In this tutorial we will be using toaster as the
791 base.
792
793 When you call *make-toast* RPC, it sets *toasterStatus* to "down" to
794 reflect that the toaster is busy making toast. When it finishes,
795 *toasterStatus* is set to "up" again. We will listen to these toaster
796 status changes in data store and will reflect it on our web page in
797 real-time thanks to WebSocket data change notification.
798
799 Simple javascript client implementation
800 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
801
802 We will create a simple JavaScript web application that will listen for
803 updates on *toasterStatus* leaf and update some elements of our web page
804 according to the new toaster status state.
805
806 Create stream
807 ^^^^^^^^^^^^^
808
809 First you need to create stream that you are planning to subscribe to.
810 This can be achieved by invoking "create-data-change-event-subscription"
811 RPC on RESTCONF via AJAX request. You need to provide data store
812 **path** that you plan to listen on, **data store type** and **scope**.
813 If the request is successful you can extract the **stream-name** from
814 the response and use that to subscribe to the newly created stream. The
815 *{username}* and *{password}* fields represent the credentials that you
816 use to connect to OpenDaylight via RESTCONF:
817
818 .. note::
819
820     The default user name and password are "admin".
821
822 .. code-block:: javascript
823
824     function createStream() {
825         $.ajax(
826             {
827                 url: 'http://{odlAddress}:{odlPort}/rests/operations/sal-remote:create-data-change-event-subscription',
828                 type: 'POST',
829                 headers: {
830                   'Authorization': 'Basic ' + btoa('{username}:{password}'),
831                   'Content-Type': 'application/json'
832                 },
833                 data: JSON.stringify(
834                     {
835                         'input': {
836                             'path': '/toaster:toaster/toaster:toasterStatus',
837                             'sal-remote-augment:datastore': 'OPERATIONAL',
838                             'sal-remote-augment:scope': 'ONE'
839                         }
840                     }
841                 )
842             }).done(function (data) {
843                 // this function will be called when ajax call is executed successfully
844                 subscribeToStream(data.output['stream-name']);
845             }).fail(function (data) {
846                 // this function will be called when ajax call fails
847                 console.log("Create stream call unsuccessful");
848             })
849     }
850
851 Subscribe to stream
852 ^^^^^^^^^^^^^^^^^^^
853
854 The Next step is to subscribe to the stream. To subscribe to the stream
855 you need to call *GET* on
856 *http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/{stream-name}*.
857 If the call is successful, you get WebSocket address for this stream in
858 **Location** parameter inside response header. You can get response
859 header by calling *getResponseHeader(\ *Location*)* on HttpRequest
860 object inside *done()* function call:
861
862 .. code-block:: javascript
863
864     function subscribeToStream(streamName) {
865         $.ajax(
866             {
867                 url: 'http://{odlAddress}:{odlPort}/rests/data/ietf-restconf-monitoring:restconf-state/streams/stream/' + streamName;
868                 type: 'GET',
869                 headers: {
870                   'Authorization': 'Basic ' + btoa('{username}:{password}'),
871                 }
872             }
873         ).done(function (data, textStatus, httpReq) {
874             // we need function that has http request object parameter in order to access response headers.
875             listenToNotifications(httpReq.getResponseHeader('Location'));
876         }).fail(function (data) {
877             console.log("Subscribe to stream call unsuccessful");
878         });
879     }
880
881 Receive notifications
882 ^^^^^^^^^^^^^^^^^^^^^
883
884 Once you have WebSocket server location you can now connect to it and
885 start receiving data change events. You need to define functions that
886 will handle events on WebSocket. In order to process incoming events
887 from OpenDaylight you need to provide a function that will handle
888 *onmessage* events. The function must have one parameter that represents
889 the received event object. The event data will be stored in
890 *event.data*. The data will be in an XML format that you can then easily
891 parse using jQuery.
892
893 .. code-block:: javascript
894
895     function listenToNotifications(socketLocation) {
896         try {
897             var notificatinSocket = new WebSocket(socketLocation);
898
899             notificatinSocket.onmessage = function (event) {
900                 // we process our received event here
901                 console.log('Received toaster data change event.');
902                 $($.parseXML(event.data)).find('data-change-event').each(
903                     function (index) {
904                         var operation = $(this).find('operation').text();
905                         if (operation == 'updated') {
906                             // toaster status was updated so we call function that gets the value of toasterStatus leaf
907                             updateToasterStatus();
908                             return false;
909                         }
910                     }
911                 );
912             }
913             notificatinSocket.onerror = function (error) {
914                 console.log("Socket error: " + error);
915             }
916             notificatinSocket.onopen = function (event) {
917                 console.log("Socket connection opened.");
918             }
919             notificatinSocket.onclose = function (event) {
920                 console.log("Socket connection closed.");
921             }
922             // if there is a problem on socket creation we get exception (i.e. when socket address is incorrect)
923         } catch(e) {
924             alert("Error when creating WebSocket" + e );
925         }
926     }
927
928 The *updateToasterStatus()* function represents function that calls
929 *GET* on the path that was modified and sets toaster status in some web
930 page element according to received data. After the WebSocket connection
931 has been established you can test events by calling make-toast RPC via
932 RESTCONF.
933
934 .. note::
935
936     for more information about WebSockets in JavaScript visit `Writing
937     WebSocket client
938     applications <https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API/Writing_WebSocket_client_applications>`__
939
940 Netconf-connector + Netopeer
941 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
942
943 `Netopeer <https://github.com/cesnet/netopeer>`__ (an open-source
944 NETCONF server) can be used for testing/exploring NETCONF southbound in
945 OpenDaylight.
946
947 Netopeer installation
948 ^^^^^^^^^^^^^^^^^^^^^
949
950 A `Docker <https://www.docker.com/>`__ container with netopeer will be
951 used in this guide. To install Docker and start the `netopeer
952 image <https://hub.docker.com/r/sysrepo/sysrepo-netopeer2>`__ perform
953 following steps:
954
955 1. Install docker https://docs.docker.com/get-started/
956
957 2. Start the netopeer image:
958
959    ::
960
961        docker run -it --name sysrepo -p 830:830 --rm sysrepo/sysrepo-netopeer2:latest
962
963 3. Verify netopeer is running by invoking (netopeer should send its
964    HELLO message right away:
965
966    ::
967
968        ssh root@localhost -p 830 -s netconf
969        (password root)
970
971 Mounting netopeer NETCONF server
972 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
973
974 Preconditions:
975
976 -  OpenDaylight is started with features ``odl-restconf-all`` and
977    ``odl-netconf-connector-all``.
978
979 -  Netopeer is up and running in docker
980
981 Now just follow the section: `Spawning new NETCONF connectors`_.
982 In the payload change the:
983
984 -  name, e.g., to netopeer
985
986 -  username/password to your system credentials
987
988 -  ip to localhost
989
990 -  port to 1831.
991
992 After netopeer is mounted successfully, its configuration can be read
993 using RESTCONF by invoking:
994
995 GET
996 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=netopeer/yang-ext:mount?content:config
997
998 Northbound (NETCONF servers)
999 ----------------------------
1000
1001 OpenDaylight provides 2 types of NETCONF servers:
1002
1003 -  **NETCONF server for config-subsystem (listening by default on port
1004    1830)**
1005
1006    -  Serves as a default interface for config-subsystem and allows
1007       users to spawn/reconfigure/destroy modules (or applications) in
1008       OpenDaylight
1009
1010 -  **NETCONF server for MD-SAL (listening by default on port 2830)**
1011
1012    -  Serves as an alternative interface for MD-SAL (besides RESTCONF)
1013       and allows users to read/write data from MD-SAL’s datastore and to
1014       invoke its rpcs (NETCONF notifications are not available in the
1015       Boron release of OpenDaylight)
1016
1017 .. note::
1018
1019     The reason for having 2 NETCONF servers is that config-subsystem and
1020     MD-SAL are 2 different components of OpenDaylight and require
1021     different approaches for NETCONF message handling and data
1022     translation. These 2 components will probably merge in the future.
1023
1024 .. note::
1025
1026     Since Nitrogen release, there has been performance regression in NETCONF
1027     servers accepting SSH connections. While opening a connection takes
1028     less than 10 seconds on Carbon, on Nitrogen time can increase up to
1029     60 seconds. Please see https://jira.opendaylight.org/browse/ODLPARENT-112
1030
1031 NETCONF server for config-subsystem
1032 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1033
1034 This NETCONF server is the primary interface for config-subsystem. It
1035 allows the users to interact with config-subsystem in a standardized
1036 NETCONF manner.
1037
1038 In terms of RFCs, these are supported:
1039
1040 -  `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
1041
1042 -  `RFC-5277 <https://www.rfc-editor.org/rfc/rfc5277>`__
1043
1044 -  `RFC-6470 <https://www.rfc-editor.org/rfc/rfc6470>`__
1045
1046    -  (partially, only the schema-change notification is available in
1047       Boron release)
1048
1049 -  `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
1050
1051 For regular users it is recommended to use RESTCONF + the
1052 controller-config loopback mountpoint instead of using pure NETCONF. How
1053 to do that is specific for each component/module/application in
1054 OpenDaylight and can be found in their dedicated user guides.
1055
1056 NETCONF server for MD-SAL
1057 ~~~~~~~~~~~~~~~~~~~~~~~~~
1058
1059 This NETCONF server is just a generic interface to MD-SAL in
1060 OpenDaylight. It uses the standard MD-SAL APIs and serves as an
1061 alternative to RESTCONF. It is fully model-driven and supports any data
1062 and rpcs that are supported by MD-SAL.
1063
1064 In terms of RFCs, these are supported:
1065
1066 -  `RFC-6241 <https://www.rfc-editor.org/rfc/rfc6241>`__
1067
1068 -  `RFC-6022 <https://www.rfc-editor.org/rfc/rfc6022>`__
1069
1070 -  `RFC-7895 <https://www.rfc-editor.org/rfc/rfc7895>`__
1071
1072 Notifications over NETCONF are not supported in the Boron release.
1073
1074 .. tip::
1075
1076     Install NETCONF northbound for MD-SAL by installing feature:
1077     ``odl-netconf-mdsal`` in karaf. Default binding port is **2830**.
1078
1079 Configuration
1080 ^^^^^^^^^^^^^
1081
1082 The default configuration can be found in file: *08-netconf-mdsal.xml*.
1083 The file contains the configuration for all necessary dependencies and a
1084 single SSH endpoint starting on port 2830. There is also a (by default
1085 disabled) TCP endpoint. It is possible to start multiple endpoints at
1086 the same time either in the initial configuration file or while
1087 OpenDaylight is running.
1088
1089 The credentials for SSH endpoint can also be configured here, the
1090 defaults are admin/admin. Credentials in the SSH endpoint are not yet
1091 managed by the centralized AAA component and have to be configured
1092 separately.
1093
1094 Verifying MD-SAL’s NETCONF server
1095 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1096
1097 After the NETCONF server is available it can be examined by a command
1098 line ssh tool:
1099
1100 ::
1101
1102     ssh admin@localhost -p 2830 -s netconf
1103
1104 The server will respond by sending its HELLO message and can be used as
1105 a regular NETCONF server from then on.
1106
1107 Mounting the MD-SAL’s NETCONF server
1108 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1109
1110 To perform this operation, just spawn a new netconf-connector as
1111 described in `Spawning new NETCONF connectors`_. Just change the ip to
1112 "127.0.0.1" port to "2830" and its name to "controller-mdsal".
1113
1114 Now the MD-SAL’s datastore can be read over RESTCONF via NETCONF by
1115 invoking:
1116
1117 GET
1118 http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=controller-mdsal/yang-ext:mount?content:nonconfig
1119
1120 .. note::
1121
1122     This might not seem very useful, since MD-SAL can be accessed
1123     directly from RESTCONF or from Application code, but the same method
1124     can be used to mount and control other OpenDaylight instances by the
1125     "master OpenDaylight".
1126
1127 NETCONF stress/performance measuring tool
1128 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1129
1130 This is basically a NETCONF client that puts NETCONF servers under heavy
1131 load of NETCONF RPCs and measures the time until a configurable amount
1132 of them is processed.
1133
1134 RESTCONF stress-performance measuring tool
1135 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1136
1137 Very similar to NETCONF stress tool with the difference of using
1138 RESTCONF protocol instead of NETCONF.
1139
1140 YANGLIB remote repository
1141 -------------------------
1142
1143 There are scenarios in NETCONF deployment, that require for a centralized
1144 YANG models repository. YANGLIB plugin provides such remote repository.
1145
1146 To start this plugin, you have to install odl-yanglib feature. Then you
1147 have to configure YANGLIB either through RESTCONF or NETCONF. We will
1148 show how to configure YANGLIB through RESTCONF.
1149
1150 YANGLIB configuration
1151 ~~~~~~~~~~~~~~~~~~~~~
1152 YANGLIB configuration works through OSGi Configuration Admin interface, in the
1153 ``org.opendaylight.netconf.yanglib`` configuration PID. There are three tuneables you can
1154 set:
1155
1156 * ``cache-folder``, which defaults to ``cache/schema``
1157 * ``binding-address``, which defaults to ``localhost``
1158 * ``binding-port``, which defaults to ``8181``
1159
1160 In order to change these settings, you can either modify the corresponding configuration
1161 file, ``etc/org.opendaylight.netconf.yanglib.cfg``, for example:
1162
1163 ::
1164     cache-folder = cache/newSchema
1165     binding-address = localhost
1166     binding-port = 8181
1167
1168 Or use Karaf CLI:
1169
1170 ::
1171     opendaylight-user@root>config:edit org.opendaylight.netconf.yanglib
1172     opendaylight-user@root>config:property-set cache-folder cache/newSchema
1173     opendaylight-user@root>config:property-set binding-address localhost
1174     opendaylight-user@root>config:property-set binding-port 8181
1175     opendaylight-user@root>config:update
1176
1177 This YANGLIB takes all YANG sources from the configured sources folder and
1178 for each generates URL in form:
1179
1180 ::
1181
1182     http://localhost:8181/yanglib/schemas/{modelName}/{revision}
1183
1184 On this URL will be hosted YANG source for particular module.
1185
1186 YANGLIB instance also writes this URL along with source identifier to
1187 ietf-netconf-yang-library/modules-state/module list.
1188
1189 Netconf-connector with YANG library as fallback
1190 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1191
1192 There is an optional configuration in netconf-connector called
1193 yang-library. You can specify YANG library to be plugged as additional
1194 source provider into the mount's schema repository. Since YANGLIB
1195 plugin is advertising provided modules through yang-library model, we
1196 can use it in mount point's configuration as YANG library.  To do this,
1197 we need to modify the configuration of netconf-connector by adding this
1198 XML
1199
1200 ::
1201
1202     <yang-library xmlns="urn:opendaylight:netconf-node-topology">
1203       <yang-library-url xmlns="urn:opendaylight:netconf-node-topology">http://localhost:8181/rests/data/ietf-yang-library:modules-state</yang-library-url>
1204       <username xmlns="urn:opendaylight:netconf-node-topology">admin</username>
1205       <password xmlns="urn:opendaylight:netconf-node-topology">admin</password>
1206     </yang-library>
1207
1208 This will register YANGLIB provided sources as a fallback schemas for
1209 particular mount point.
1210
1211 NETCONF Call Home
1212 -----------------
1213
1214 Call Home Installation
1215 ~~~~~~~~~~~~~~~~~~~~~~
1216
1217 ODL Call-Home server is installed in Karaf by installing karaf feature
1218 ``odl-netconf-callhome-ssh``. RESTCONF feature is recommended for
1219 configuring Call Home & testing its functionality.
1220
1221 ::
1222
1223   feature:install odl-netconf-callhome-ssh
1224
1225
1226 .. note::
1227
1228     In order to test Call Home functionality we recommend Netopeer or
1229     Netopeer2. See `Netopeer Call Home <https://github.com/CESNET/netopeer/wiki/CallHome>`__
1230     or `Netopeer2 <https://github.com/CESNET/netopeer2>`__ to learn how to
1231     enable call-home on Netopeer.
1232
1233 Northbound Call-Home API
1234 ~~~~~~~~~~~~~~~~~~~~~~~~
1235
1236 The northbound Call Home API is used for administering the Call-Home Server. The
1237 following describes this configuration.
1238
1239 Global Configuration
1240 ^^^^^^^^^^^^^^^^^^^^
1241
1242 .. important::
1243   The global configuration is not a part of the `RFC 8071
1244   <https://www.rfc-editor.org/rfc/rfc8071>`__ and, therefore, subject to change.
1245
1246 Configuring global credentials
1247 ''''''''''''''''''''''''''''''
1248
1249 The ODL Call-Home server allows user to configure global credentials, which will be
1250 used for devices connecting over SSH transport protocol that do not have
1251 device-specific credentials configured.
1252
1253 This is done by creating
1254 ``/odl-netconf-callhome-server:netconf-callhome-server/global/credentials``
1255 with username and passwords specified.
1256
1257 *Configuring global username & passwords to try*
1258
1259 .. code-block::
1260
1261     PUT HTTP/1.1
1262     /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/credentials
1263     Content-Type: application/json
1264     Accept: application/json
1265
1266 .. code-block:: json
1267
1268     {
1269       "credentials":
1270       {
1271         "username": "example",
1272         "passwords": [ "first-password-to-try", "second-password-to-try" ]
1273       }
1274     }
1275
1276 Configuring to accept any ssh server key using global credentials
1277 '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
1278
1279 By default Netconf Call-Home Server accepts only incoming connections
1280 from allowed devices
1281 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``,
1282 if user desires to allow all incoming connections, it is possible to set
1283 ``accept-all-ssh-keys`` to ``true`` in
1284 ``/odl-netconf-callhome-server:netconf-callhome-server/global``.
1285
1286 The name of these devices in ``netconf-topology`` will be in format
1287 ``ip-address:port``. For naming devices see Device-Specific
1288 Configuration.
1289
1290 *Allowing unknown devices to connect*
1291
1292 This is a debug feature and should not be used in production. Besides being an obvious
1293 security issue, this also causes the Call-Home Server to drastically increase its output
1294 to the log.
1295
1296 .. code-block::
1297
1298     PUT HTTP/1.1
1299     /rests/data/odl-netconf-callhome-server:netconf-callhome-server/global/accept-all-ssh-keys
1300     Content-Type: application/json
1301     Accept: application/json
1302
1303 .. code-block:: json
1304
1305     {
1306         "accept-all-ssh-keys": "true"
1307     }
1308
1309 Device-Specific Configuration
1310 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1311
1312 Netconf Call Home server supports both of the secure transports used
1313 by the Network Configuration Protocol (NETCONF) - Secure Shell (SSH),
1314 and Transport Layer Security (TLS).
1315
1316 Configure device to connect over SSH protocol
1317 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1318
1319 Netconf Call Home Server uses device provided SSH server key (host key)
1320 to identify device. The pairing of name and server key is configured in
1321 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices``.
1322 This list is colloquially called a allowlist.
1323
1324 If the Call-Home Server finds the SSH host key in the allowlist, it continues
1325 to negotiate a NETCONF connection over an SSH session. If the SSH host key is
1326 not found, the connection between the Call Home server and the device is dropped
1327 immediately. In either case, the device that connects to the Call home server
1328 leaves a record of its presence in the operational store.
1329
1330 Configuring Device with Device-specific Credentials
1331 '''''''''''''''''''''''''''''''''''''''''''''''''''
1332
1333 Adding specific device to the allowed list is done by creating
1334 ``/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device={device}``
1335 with device-id and connection parameters inside the ssh-client-params container.
1336
1337 *Configuring Device with Credentials*
1338
1339 .. code-block::
1340
1341     PUT HTTP/1.1
1342     /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1343     Content-Type: application/json
1344     Accept: application/json
1345
1346 .. code-block:: json
1347
1348     {
1349       "device": {
1350         "unique-id": "example",
1351         "ssh-client-params": {
1352           "credentials": {
1353             "username": "example",
1354             "passwords": [ "password" ]
1355           },
1356           "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1357         }
1358       }
1359     }
1360
1361 Configuring Device with Global Credentials
1362 '''''''''''''''''''''''''''''''''''''''''''''''''''
1363
1364 It is possible to omit ``username`` and ``password`` for ssh-client-params,
1365 in such case values from global credentials will be used.
1366
1367 *Example of configuring device*
1368
1369 .. code-block::
1370
1371     PUT HTTP/1.1
1372     /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1373     Content-Type: application/json
1374     Accept: application/json
1375
1376 .. code-block:: json
1377
1378     {
1379       "device": {
1380         "unique-id": "example",
1381         "ssh-client-params": {
1382           "host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1383         }
1384       }
1385     }
1386
1387 Deprecated configuration models for devices accessed with SSH protocol
1388 ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
1389
1390 With `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8071>`__ alignment and adding
1391 support for TLS transport following configuration models have been marked
1392 deprecated.
1393
1394 Configuring Device with Global Credentials
1395 '''''''''''''''''''''''''''''''''''''''''''''''''''
1396
1397 *Example of configuring device*
1398
1399 .. code-block::
1400
1401     PUT HTTP/1.1
1402     /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1403     Content-Type: application/json
1404     Accept: application/json
1405
1406 .. code-block:: json
1407
1408     {
1409       "device": {
1410         "unique-id": "example",
1411         "ssh-host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1412       }
1413     }
1414
1415 Configuring Device with Device-specific Credentials
1416 '''''''''''''''''''''''''''''''''''''''''''''''''''
1417
1418 Call Home Server also allows the configuration of credentials per device basis.
1419 This is done by introducing ``credentials`` container into the
1420 device-specific configuration. Format is same as in global credentials.
1421
1422 *Configuring Device with Credentials*
1423
1424 .. code-block::
1425
1426     PUT HTTP/1.1
1427     /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example
1428     Content-Type: application/json
1429     Accept: application/json
1430
1431 .. code-block:: json
1432
1433     {
1434       "device": {
1435         "unique-id": "example",
1436         "credentials": {
1437           "username": "example",
1438           "passwords": [ "password" ]
1439         },
1440         "ssh-host-key": "AAAAB3NzaC1yc2EAAAADAQABAAABAQDHoH1jMjltOJnCt999uaSfc48ySutaD3ISJ9fSECe1Spdq9o9mxj0kBTTTq+2V8hPspuW75DNgN+V/rgJeoUewWwCAasRx9X4eTcRrJrwOQKzb5Fk+UKgQmenZ5uhLAefi2qXX/agFCtZi99vw+jHXZStfHm9TZCAf2zi+HIBzoVksSNJD0VvPo66EAvLn5qKWQD4AdpQQbKqXRf5/W8diPySbYdvOP2/7HFhDukW8yV/7ZtcywFUIu3gdXsrzwMnTqnATSLPPuckoi0V2jd8dQvEcu1DY+rRqmqu0tEkFBurlRZDf1yhNzq5xWY3OXcjgDGN+RxwuWQK3cRimcosH"
1441       }
1442     }
1443
1444 Configure device to connect over TLS protocol
1445 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1446
1447 Netconf Call Home Server allows devices to use TLS transport protocol to
1448 establish a connection towards the NETCONF device. This communication
1449 requires proper setup to make two-way TLS authentication possible for client
1450 and server.
1451
1452 The initial step is to configure certificates and keys for two-way TLS by
1453 storing them within the netconf-keystore.
1454
1455 *Adding a client private key credential to the netconf-keystore*
1456
1457 .. code-block::
1458
1459     POST HTTP/1.1
1460     /rests/operations/netconf-keystore:add-keystore-entry
1461     Content-Type: application/json
1462     Accept: application/json
1463
1464 .. code-block:: json
1465
1466   {
1467     "input": {
1468       "key-credential": [
1469         {
1470           "key-id": "example-client-key-id",
1471           "private-key": "base64encoded-private-key",
1472           "passphrase": "passphrase"
1473         }
1474       ]
1475     }
1476   }
1477
1478 *Associate a private key with a client and CA certificates chain*
1479
1480 .. code-block::
1481
1482     POST HTTP/1.1
1483     /rests/operations/netconf-keystore:add-private-key
1484     Content-Type: application/json
1485     Accept: application/json
1486
1487 .. code-block:: json
1488
1489   {
1490     "input": {
1491       "private-key": [
1492         {
1493           "name": "example-client-key-id",
1494           "data": "key-data",
1495           "certificate-chain": [
1496             "certificate-data"
1497           ]
1498         }
1499       ]
1500     }
1501   }
1502
1503 *Add a list of trusted CA and server certificates*
1504
1505 .. code-block::
1506
1507     POST HTTP/1.1
1508     /rests/operations/netconf-keystore:add-trusted-certificate
1509     Content-Type: application/json
1510     Accept: application/json
1511
1512 .. code-block:: json
1513
1514   {
1515     "input": {
1516       "trusted-certificate": [
1517         {
1518           "name": "example-ca-certificate",
1519           "certificate": "ca-certificate-data"
1520         },
1521         {
1522           "name": "example-server-certificate",
1523           "certificate": "server-certificate-data"
1524         }
1525       ]
1526     }
1527   }
1528
1529 In a second step, it is required to create an allowed device associated with
1530 a server certificate and client key. The server certificate will be used to
1531 identify and pin the NETCONF device during SSL handshake and should be unique
1532 among the allowed devices.
1533
1534 *Add device configuration for TLS protocol to allowed devices list*
1535
1536 .. code-block::
1537
1538     PUT HTTP/1.1
1539     /rests/data/odl-netconf-callhome-server:netconf-callhome-server/allowed-devices/device=example-device
1540     Content-Type: application/json
1541     Accept: application/json
1542
1543 .. code-block:: json
1544
1545   {
1546     "device": {
1547       "unique-id": "example-device",
1548       "tls-client-params": {
1549         "key-id": "example-client-key-id",
1550         "certificate-id": "example-server-certificate"
1551       }
1552     }
1553   }
1554
1555 Operational Status
1556 ^^^^^^^^^^^^^^^^^^
1557
1558 Once an entry is made on the config side of "allowed-devices", the Call-Home Server will
1559 populate a corresponding operational device that is the same as the config device but
1560 has an additional status. By default, this status is *DISCONNECTED*. Once a device calls
1561 home, this status will change to one of:
1562
1563 *CONNECTED* â€” The device is currently connected and the NETCONF mount is available for network
1564 management.
1565
1566 *FAILED_AUTH_FAILURE* â€” The last attempted connection was unsuccessful because the Call-Home
1567 Server was unable to provide the acceptable credentials of the device. The device is also
1568 disconnected and not available for network management.
1569
1570 *FAILED_NOT_ALLOWED* â€” The last attempted connection was unsuccessful because the device was
1571 not recognized as an acceptable device. The device is also disconnected and not available for
1572 network management.
1573
1574 *FAILED* â€” The last attempted connection was unsuccessful for a reason other than not
1575 allowed to connect or incorrect client credentials. The device is also disconnected and not
1576 available for network management.
1577
1578 *DISCONNECTED* â€” The device is currently disconnected.
1579
1580 Rogue Devices
1581 '''''''''''''
1582
1583 Devices that are not on the allowlist might try to connect to the Call-Home Server. In
1584 these cases, the server will keep a record by instantiating an operational device. There
1585 will be no corresponding config device for these rogues. They can be identified readily
1586 because their device id, rather than being user-supplied, will be of the form
1587 "address:port". Note that if a device calls back multiple times, there will only be
1588 a single operatinal entry (even if the port changes); these devices are recognized by
1589 their unique host key.
1590
1591 Southbound Call-Home API
1592 ~~~~~~~~~~~~~~~~~~~~~~~~
1593
1594 The Call-Home Server listens for incoming TCP connections and assumes that the other side of
1595 the connection is a device calling home via a NETCONF connection with SSH for
1596 management. The server uses port 4334 by default and this can be configured via a
1597 blueprint configuration file.
1598
1599 The device **must** initiate the connection and the server will not try to re-establish the
1600 connection in case of a drop. By requirement, the server cannot assume it has connectivity
1601 to the device due to NAT or firewalls among others.
1602
1603 Reading data with selected fields
1604 ---------------------------------
1605
1606 Overview
1607 ~~~~~~~~
1608
1609 If user would like to read only selected fields from a NETCONF device, it is possible to use
1610 the fields query parameter that is described by RFC-8040. RESTCONF parses content of query
1611 parameter into format that is accepted by NETCONF subtree filtering - filtering of data is done
1612 on NETCONF server, not on NETCONF client side. This approach optimizes network traffic load,
1613 because data in which user doesn't have interest, is not transferred over network.
1614
1615 Next advantages:
1616
1617 * using single RESTCONF request and single NETCONF RPC for reading multiple subtrees
1618 * possibility to read only selected fields under list node across multiple hierarchies
1619   (it cannot be done without proper selection API)
1620
1621 .. note::
1622
1623   More information about fields query parameter: `RFC 8071 <https://www.rfc-editor.org/rfc/rfc8040#section-4.8.3>`__
1624
1625 Preparation of data
1626 ~~~~~~~~~~~~~~~~~~~
1627
1628 For demonstration, we will define next YANG model:
1629
1630 ::
1631
1632     module test-module {
1633         yang-version 1.1;
1634         namespace "urn:opendaylight:test-module";
1635         prefix "tm";
1636         revision "2023-02-16";
1637
1638         container root {
1639             container simple-root {
1640                 leaf leaf-a {
1641                     type string;
1642                 }
1643                 leaf leaf-b {
1644                     type string;
1645                 }
1646                 leaf-list ll {
1647                     type string;
1648                 }
1649                 container nested {
1650                     leaf sample-x {
1651                         type boolean;
1652                     }
1653                     leaf sample-y {
1654                         type boolean;
1655                     }
1656                 }
1657             }
1658
1659             container list-root {
1660                 leaf branch-ab {
1661                     type int32;
1662                 }
1663                 list top-list {
1664                     key "key-1 key-2";
1665                     ordered-by user;
1666                     leaf key-1 {
1667                         type string;
1668                     }
1669                     leaf key-2 {
1670                         type string;
1671                     }
1672                     container next-data {
1673                         leaf switch-1 {
1674                             type empty;
1675                         }
1676                         leaf switch-2 {
1677                             type empty;
1678                         }
1679                     }
1680                     list nested-list {
1681                         key "identifier";
1682                         leaf identifier {
1683                             type string;
1684                         }
1685                         leaf foo {
1686                             type int32;
1687                         }
1688                     }
1689                 }
1690             }
1691         }
1692     }
1693
1694 Follow the :doc:`testtool` instructions to save this schema and run it with testtool.
1695
1696 Mounting NETCONF device that runs on NETCONF testtool:
1697
1698 .. code-block:: bash
1699
1700   curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool' \
1701   --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1702   --header 'Content-Type: application/json' \
1703   --data-raw '{
1704       "node": [
1705           {
1706               "node-id": "testtool",
1707               "netconf-node-topology:host": "127.0.0.1",
1708               "netconf-node-topology:port": 17830,
1709               "netconf-node-topology:keepalive-delay": 100,
1710               "netconf-node-topology:tcp-only": false,
1711               "netconf-node-topology:login-password-unencrypted": {
1712                   "netconf-node-topology:username": "admin",
1713                   "netconf-node-topology:password": "admin"
1714               },
1715           }
1716       ]
1717   }'
1718
1719 Setting initial configuration on NETCONF device:
1720
1721 .. code-block:: bash
1722
1723   curl --location --request PUT 'http://127.0.0.1:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root' \
1724   --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1725   --header 'Content-Type: application/json' \
1726   --data-raw '{
1727       "root": {
1728           "simple-root": {
1729               "leaf-a": "asddhg",
1730               "leaf-b": "ffffff",
1731               "ll": [
1732                   "str1",
1733                   "str2",
1734                   "str3"
1735               ],
1736               "nested": {
1737                   "sample-x": true,
1738                   "sample-y": false
1739               }
1740           },
1741           "list-root": {
1742               "branch-ab": 5,
1743               "top-list": [
1744                   {
1745                       "key-1": "ka",
1746                       "key-2": "kb",
1747                       "next-data": {
1748                           "switch-1": [
1749                               null
1750                           ],
1751                           "switch-2": [
1752                               null
1753                           ]
1754                       },
1755                       "nested-list": [
1756                           {
1757                               "identifier": "f1",
1758                               "foo": 1
1759                           },
1760                           {
1761                               "identifier": "f2",
1762                               "foo": 10
1763                           },
1764                           {
1765                               "identifier": "f3",
1766                               "foo": 20
1767                           }
1768                       ]
1769                   },
1770                   {
1771                       "key-1": "kb",
1772                       "key-2": "ka",
1773                       "next-data": {
1774                           "switch-1": [
1775                               null
1776                           ]
1777                       },
1778                       "nested-list": [
1779                           {
1780                               "identifier": "e1",
1781                               "foo": 1
1782                           },
1783                           {
1784                               "identifier": "e2",
1785                               "foo": 2
1786                           },
1787                           {
1788                               "identifier": "e3",
1789                               "foo": 3
1790                           }
1791                       ]
1792                   },
1793                   {
1794                       "key-1": "kc",
1795                       "key-2": "ke",
1796                       "next-data": {
1797                           "switch-2": [
1798                               null
1799                           ]
1800                       },
1801                       "nested-list": [
1802                           {
1803                               "identifier": "q1",
1804                               "foo": 13
1805                           },
1806                           {
1807                               "identifier": "q2",
1808                               "foo": 14
1809                           },
1810                           {
1811                               "identifier": "q3",
1812                               "foo": 15
1813                           }
1814                       ]
1815                   }
1816               ]
1817           }
1818       }
1819   }'
1820
1821 Examples
1822 --------
1823
1824 1. Reading whole leaf-list 'll' and leaf 'nested/sample-x' under 'simple-root' container.
1825
1826 RESTCONF request:
1827
1828 .. code-block:: bash
1829
1830     curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/simple-root?content=config&fields=ll;nested/sample-x' \
1831     --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1832     --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
1833
1834 Generated NETCONF RPC request:
1835
1836 .. code-block:: xml
1837
1838     <rpc message-id="m-18" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1839         <get-config>
1840             <source>
1841                 <running/>
1842             </source>
1843             <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1844                 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1845                     <simple-root>
1846                         <ll/>
1847                         <nested>
1848                             <sample-x/>
1849                         </nested>
1850                     </simple-root>
1851                 </root>
1852             </filter>
1853         </get-config>
1854     </rpc>
1855
1856 .. note::
1857
1858     Using fields query parameter it is also possible to read whole leaf-list or list without
1859     necessity to specify value / key predicate (without reading parent entity). Such scenario
1860     is not permitted in RFC-8040 paths alone - fields query parameter can be used as
1861     workaround for this case.
1862
1863 RESTCONF response:
1864
1865 .. code-block:: json
1866
1867     {
1868         "test-module:simple-root": {
1869             "ll": [
1870                 "str3",
1871                 "str1",
1872                 "str2"
1873             ],
1874             "nested": {
1875                 "sample-x": true
1876             }
1877         }
1878     }
1879
1880 2. Reading all identifiers of 'nested-list' under all elements of 'top-list'.
1881
1882 RESTCONF request:
1883
1884 .. code-block:: bash
1885
1886     curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=top-list(nested-list/identifier)' \
1887     --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1888     --header 'Cookie: JSESSIONID=node01h4w82eorc1k61866b71qjgj503.node0'
1889
1890 Generated NETCONF RPC request:
1891
1892 .. code-block:: xml
1893
1894     <rpc message-id="m-27" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1895         <get-config>
1896             <source>
1897                 <running/>
1898             </source>
1899             <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1900                 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1901                     <list-root>
1902                         <top-list>
1903                             <nested-list>
1904                                 <identifier/>
1905                             </nested-list>
1906                             <key-1/>
1907                             <key-2/>
1908                         </top-list>
1909                     </list-root>
1910                 </root>
1911             </filter>
1912         </get-config>
1913     </rpc>
1914
1915 .. note::
1916
1917     NETCONF client automatically fetches values of list keys since they are required for correct
1918     deserialization of NETCONF response and at the end serialization of response to RESTCONF
1919     response (JSON/XML).
1920
1921 RESTCONF response:
1922
1923 .. code-block:: json
1924
1925     {
1926         "test-module:list-root": {
1927             "top-list": [
1928                 {
1929                     "key-1": "ka",
1930                     "key-2": "kb",
1931                     "nested-list": [
1932                         {
1933                             "identifier": "f3"
1934                         },
1935                         {
1936                             "identifier": "f2"
1937                         },
1938                         {
1939                             "identifier": "f1"
1940                         }
1941                     ]
1942                 },
1943                 {
1944                     "key-1": "kb",
1945                     "key-2": "ka",
1946                     "nested-list": [
1947                         {
1948                             "identifier": "e3"
1949                         },
1950                         {
1951                             "identifier": "e2"
1952                         },
1953                         {
1954                             "identifier": "e1"
1955                         }
1956                     ]
1957                 },
1958                 {
1959                     "key-1": "kc",
1960                     "key-2": "ke",
1961                     "nested-list": [
1962                         {
1963                             "identifier": "q3"
1964                         },
1965                         {
1966                             "identifier": "q2"
1967                         },
1968                         {
1969                             "identifier": "q1"
1970                         }
1971                     ]
1972                 }
1973             ]
1974         }
1975     }
1976
1977 3. Reading value of leaf 'branch-ab' and all values of leaves 'switch-1' that are placed
1978    under 'top-list' list elements.
1979
1980 RESTCONF request:
1981
1982 .. code-block:: bash
1983
1984     curl --location --request GET 'http://localhost:8181/rests/data/network-topology:network-topology/topology=topology-netconf/node=testtool/yang-ext:mount/test-module:root/list-root?content=config&fields=branch-ab;top-list/next-data/switch-1' \
1985     --header 'Authorization: Basic YWRtaW46YWRtaW4=' \
1986     --header 'Cookie: JSESSIONID=node01jx6o5thwae9t1ft7c2zau5zbz4.node0'
1987
1988 Generated NETCONF RPC request:
1989
1990 .. code-block:: xml
1991
1992     <rpc message-id="m-42" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
1993         <get-config>
1994             <source>
1995                 <running/>
1996             </source>
1997             <filter xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:type="subtree">
1998                 <root xmlns="urn:ietf:params:xml:ns:yang:test-model">
1999                     <list-root>
2000                         <branch-ab/>
2001                         <top-list>
2002                             <next-data>
2003                                 <switch-1/>
2004                             </next-data>
2005                             <key-1/>
2006                             <key-2/>
2007                         </top-list>
2008                     </list-root>
2009                 </root>
2010             </filter>
2011         </get-config>
2012     </rpc>
2013
2014 RESTCONF response:
2015
2016 .. code-block:: json
2017
2018     {
2019         "test-module:list-root": {
2020             "branch-ab": 5,
2021             "top-list": [
2022                 {
2023                     "key-1": "ka",
2024                     "key-2": "kb",
2025                     "next-data": {
2026                         "switch-1": [
2027                             null
2028                         ]
2029                     }
2030                 },
2031                 {
2032                     "key-1": "kb",
2033                     "key-2": "ka",
2034                     "next-data": {
2035                         "switch-1": [
2036                             null
2037                         ]
2038                     }
2039                 },
2040                 {
2041                     "key-1": "kc",
2042                     "key-2": "ke"
2043                 }
2044             ]
2045         }
2046     }
2047
2048 RESTCONF OpenAPI
2049 ----------------
2050
2051 Overview
2052 ~~~~~~~~
2053
2054 The OpenAPI provides full API for configurational data which can be edited (by POST, PUT, PATCH and DELETE).
2055 For operational data we only provide GET API. For the majority of requests you can see only config data in examples.
2056 That’s because we can show only one example per request. The exception when you can see operational data in an
2057 example is when data are representing an operational (config false) container with no config data in it.
2058
2059
2060 Using the OpenAPI Explorer through HTTP
2061 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2062
2063 1. Install OpenApi into Karaf by installing karaf feature:
2064
2065 ::
2066
2067     $ feature:install odl-restconf-openapi
2068
2069 2.  Navigate to OpenAPI in your web browser which is available at URLs:
2070
2071 -  http://localhost:8181/openapi/explorer/index.html for general overview
2072
2073 -  http://localhost:8181/openapi/api/v3/single for JSON data
2074
2075 .. note::
2076
2077     In the URL links for OpenAPI, change *localhost* to the IP/Host name of your actual server.
2078
2079 3.  Enter the username and password.
2080     By default the credentials are  *admin/admin*.
2081
2082 4.  Select any model to try out.
2083
2084 5.  Select any available request to try out.
2085
2086 6.  Click on the **Try it out** button.
2087
2088 7.  Provide any required parameters or edit request body.
2089
2090 8.  Click the **Execute** button.
2091
2092 9.  You can see responses to the given request.
2093
2094
2095 OpenAPI Explorer can also be used for connected device. How to connect a device can be found :ref:`here <netconf-connector>`.
2096
2097 OpenAPI URLs in that case would look like this:
2098
2099 -  `http://localhost:8181/openapi/explorer/index.html?urls.primaryName=17830-sim-device resources - RestConf RFC 8040 <http://localhost:8181/openapi/explorer/index.html?urls.primaryName=17830-sim-device%20resources%20-%20RestConf%20RFC%208040>`_ for device overview
2100
2101 -  http://localhost:8181/openapi/api/v3/mounts/1 for JSON data
2102
2103 -  `http://localhost:8181/openapi/api/v3/mounts/1/toaster(2009-11-20) <http://localhost:8181/openapi/api/v3/mounts/1/toaster(2009-11-20)>`__ JSON data for given model
2104
2105 .. note::
2106
2107     The URL links for OpenAPI are made for device with name *17830-sim-device* and model toaster
2108     with *2009-11-20* revision and need to be changed accordingly to connected device.