S600-E V200R011C10 NETCONF YANG API Reference

This document describes the NETCONF API functions supported by the switch, including the data model and samples.
PKI

This section describes the PKI configuration model and provides examples of packets.

Data Model

The PKI configuration model file is huawei-pki.yang.

Table 2-233  PKI data model

| Object | Description | Value Range | Remarks |
| --- | --- | --- | --- |
| /huawei-pki:certificate-operation | Imports certificates. It is a root object, which is only used to contain sub-objects, but does not have any data meaning. | - | NA |
| /huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:realm-name | PKI realm name. Only the default realm is supported. | - | |
| /huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:certificate-type | Certificate type. Only CA and local certificates are supported. | - | |
| /huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:file-name | Certificate file name. | The value is a string of 1 to 64 case-insensitive characters without spaces or question marks (?). | |
| /huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:file-format | Certificate format. Only the PEM format is supported. | - | |
| /huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:operation-type | Certificate operation type. Only the import operation is supported. | - | |
| /huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:password | The password is required only for certificate import. | The value is a string of 6 to 32 case-sensitive characters without question marks (?). | |
| /huawei-pki:certificate-replace | Replaces certificates. It is a root object, which is only used to contain sub-objects, but does not have any data meaning. | - | |
| /huawei-pki:certificate-replace/huawei-pki:files/huawei-pki:realm-name | PKI realm name. Only the default realm is supported. | - | |
| /huawei-pki:certificate-replace/huawei-pki:files/huawei-pki:certificate-type | Certificate type. Only CA and local certificates are supported. | - | |
| /huawei-pki:certificate-replace/huawei-pki:files/huawei-pki:file-name | Certificate file name. Only the PEM format is supported. | The value is a string of 1 to 64 case-insensitive characters without spaces or question marks (?). | |
| /huawei-pki:certificate-adoption/huawei-pki:realms/huawei-pki:certificate-expire-warning/huawei-pki:start-timestamp | Configures the expiry warning time of the local certificate and CA certificate stored in the device memory. | The value is an integer that ranges from 7 to 180. The default value is 7. | |
| /huawei-pki:certificate-status-notification | Reports an alarm when the certificate reaches the expiry time. | - | |

Importing Certificates

This section describes how to import certificates using the RPC method.

Table 2-234  Importing certificates

| Operation | XPATH |
| --- | --- |
| edit-config: default | /huawei-pki:certificate-operation |

Data requirement

Table 2-235  Importing certificates

| Item | Data | Description |
| --- | --- | --- |
| Realm name | default | The local certificate file local.pem is imported to the default realm using the password huawei@1234. |
| Certificate type | 1 | |
| Certificate file name | local.pem | |
| Certificate format | PEM | |
| Certificate operation type | 0 | |
| Password | huawei@1234 | |

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <pki:certificate-operation xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
    <pki:files>
     <pki:realm-name>default</pki:realm-name>
     <pki:certificate-type>1</pki:certificate-type>
     <pki:file-name>local.pem</pki:file-name>
     <pki:file-format>pem</pki:file-format>
     <pki:operation-type>0</pki:operation-type>
     <pki:password>huawei@1234</pki:password>
    </pki:files>
  </pki:certificate-operation>
</rpc>

Response example

Sample of successful response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-operation">
      <realm-name>default</realm-name>
      <error-tag>0</error-tag>
    </errors>
  </errors>
</rpc-reply>
Sample of failed response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-operation">
      <realm-name>default</realm-name>
      <error-tag>1</error-tag>
    </errors>
  </errors>
</rpc-reply>
NOTE:

Response error-tag types:

  • 0: Operation succeeded.
  • 1: Operation failed.
  • 2: The parameter is invalid.
  • 3: The realm name is invalid.
  • 4: The shadow certificate does not exist.
  • 5: Failed to replace the certificate.
  • 6: Failed to replace the key pair.
  • 7: The imported file does not exist.
  • 8: Failed to parse the imported file.
  • 9: Unsupported file format.
  • 10: The shadow certificate already exists.
  • 11: Failed to save the shadow certificate.
  • 12: Failed to search for the key pair based on certificate.
  • 13: Failed to save the shadow key pair.
  • 14: Failed to save the certificate file.
  • 15: Failed to import certificate.
  • 16: Failed to save the key pair.
  • 17: Failed to save the certificate and key pair to the specified path.
  • 18: The shadow certificate to be replaced does not exist.
  • 19: The path for storing the certificate is invalid.
  • 20: Unsupported operation.
  • 21: Failed to search for the key pair written into the specified file.
  • 22: Failed to save the certificate to the specified path.
  • 23: The file name is too long.
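
The import request carries the certificate password as a plain leaf in the RPC body, so a client should validate its inputs against the data model and keep that leaf out of its logs. The following Python sketch is an added example, not Huawei code: the function names are hypothetical, the value checks follow Table 2-233, the leaf values follow the request example above, and the password in the test is constructed.

```python
import re
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
PKI = "urn:huawei:params:xml:ns:yang:huawei-pki"
ET.register_namespace("", NC)
ET.register_namespace("pki", PKI)

# Value ranges taken from Table 2-233.
FILE_NAME_RE = re.compile(r"[^\s?]{1,64}")   # 1-64 chars, no spaces or '?'
PASSWORD_RE = re.compile(r"[^?]{6,32}")      # 6-32 chars, no '?'


def build_import_rpc(file_name, password, cert_type="1", message_id="1"):
    """Build the certificate-operation <rpc>, rejecting out-of-range values
    before anything is sent to the switch."""
    if not FILE_NAME_RE.fullmatch(file_name):
        raise ValueError("file-name: 1-64 characters, no spaces or '?'")
    if not PASSWORD_RE.fullmatch(password):
        raise ValueError("password: 6-32 characters, no '?'")
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": message_id})
    op = ET.SubElement(rpc, f"{{{PKI}}}certificate-operation")
    files = ET.SubElement(op, f"{{{PKI}}}files")
    leaves = (("realm-name", "default"), ("certificate-type", cert_type),
              ("file-name", file_name), ("file-format", "pem"),
              ("operation-type", "0"), ("password", password))
    for leaf, value in leaves:
        ET.SubElement(files, f"{{{PKI}}}{leaf}").text = value
    return rpc


def redacted_xml(rpc):
    """Serialize a copy of the RPC for logging with the password masked."""
    copy = ET.fromstring(ET.tostring(rpc))
    for node in copy.iter(f"{{{PKI}}}password"):
        node.text = "********"
    return ET.tostring(copy, encoding="unicode")


def error_tag(reply_xml):
    """Return the integer error-tag of an rpc-reply (0 means success)."""
    for node in ET.fromstring(reply_xml).iter():
        if node.tag.rsplit("}", 1)[-1] == "error-tag":
            return int(node.text.strip())
    raise ValueError("rpc-reply carries no error-tag")
```

Send `ET.tostring(rpc)` over the NETCONF session and write only `redacted_xml(rpc)` to logs or tickets.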

Replacing Certificates

This section describes how to replace certificates using the RPC method.

Table 2-236  Replacing certificates

| Operation | XPATH |
| --- | --- |
| edit-config: default | /huawei-pki:certificate-replace |

Data requirement

Table 2-237  Replacing certificates

| Item | Data | Description |
| --- | --- | --- |
| Realm name | default | The local certificate file local1.pem is replaced in the default realm. |
| Certificate type | 1 | |
| Certificate file name | local1.pem | |

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <pki:certificate-replace xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
    <pki:files>
     <pki:realm-name>default</pki:realm-name>
     <pki:certificate-type>local</pki:certificate-type>
     <pki:file-name>local1.pem</pki:file-name>
    </pki:files>
  </pki:certificate-replace>
</rpc>

Response example

Sample of successful response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-replace">
      <realm-name>default</realm-name>
      <error-tag>0</error-tag>
    </errors>
  </errors>
</rpc-reply>
Sample of failed response
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-replace">
      <realm-name>default</realm-name>
      <error-tag>1</error-tag>
    </errors>
  </errors>
</rpc-reply>
NOTE:

Response error-tag types:

  • 0: Operation succeeded.
  • 1: Operation failed.
  • 2: The parameter is invalid.
  • 3: The realm name is invalid.
  • 4: The shadow certificate does not exist.
  • 5: Failed to replace the certificate.
  • 6: Failed to replace the key pair.
  • 7: The imported file does not exist.
  • 8: Failed to parse the imported file.
  • 9: Unsupported file format.
  • 10: The shadow certificate already exists.
  • 11: Failed to save the shadow certificate.
  • 12: Failed to search for the key pair based on certificate.
  • 13: Failed to save the shadow key pair.
  • 14: Failed to save the certificate file.
  • 15: Failed to import certificate.
  • 16: Failed to save the key pair.
  • 17: Failed to save the certificate and key pair to the specified path.
  • 18: The shadow certificate to be replaced does not exist.
  • 19: The path for storing the certificate is invalid.
  • 20: Unsupported operation.
  • 21: Failed to search for the key pair written into the specified file.
  • 22: Failed to save the certificate to the specified path.
  • 23: The file name is too long.

Configuring the Certificate Expiry Warning Time

This section provides sample packets for configuring the certificate expiry warning time using the merge method. The create method can also be used to configure the certificate expiry warning time.

Table 2-238  Configuring the certificate expiry warning time

| Operation | XPATH |
| --- | --- |
| edit-config: merge | /huawei-pki:certificate-adoption/huawei-pki:realms/huawei-pki:certificate-expire-warning |

Data requirement

Table 2-239  Configuring the certificate expiry warning time

| Item | Data | Description |
| --- | --- | --- |
| Realm name | default | The certificate expiry warning time in the default realm is set to 10 days. |
| Certificate expiry warning time | 10 | |

Request example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="2" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <pki:certificate-adoption xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
        <pki:realms>
          <pki:name>default</pki:name>
          <pki:certificate-expire-warning xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
            <pki:start-timestamp>10</pki:start-timestamp>
          </pki:certificate-expire-warning>
        </pki:realms>
      </pki:certificate-adoption>
    </config>
  </edit-config>
</rpc>

A sample of certificate expiry alarm

<notification>
  <eventTime>
    2017-03-29 13:31:43
  </eventTime>
  <certificate-status-notification xmlns="urn:huawei:params:xml:ns:yang:huawei-pki">
    <warning-records>
      <realm-name>
        default
      </realm-name>
      <certificate-type>
        local
      </certificate-type>
      <subject-name>
        &#x2F;/CN=50
      </subject-name>
      <certificate-begin-day>
        2016-03-31 14:04:05
      </certificate-begin-day>
      <certificate-end-day>
        2017-03-31 14:14:05
      </certificate-end-day>
    </warning-records>
  </certificate-status-notification>
</notification>
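
A monitoring collector can turn this alarm into a days-remaining figure per certificate. The following Python sketch is an added example, not Huawei code: `expiry_records` is a hypothetical name, and the embedded alarm is constructed from the sample above (the `<notification>` wrapper and the subject name are assumptions).

```python
from datetime import datetime
import xml.etree.ElementTree as ET

PKI = "{urn:huawei:params:xml:ns:yang:huawei-pki}"
STAMP = "%Y-%m-%d %H:%M:%S"   # timestamp layout used in the sample alarm

# Constructed alarm modelled on the sample; the <notification> wrapper and
# the subject name are assumptions.
SAMPLE = """<notification>
  <eventTime> 2017-03-29 13:31:43 </eventTime>
  <certificate-status-notification xmlns="urn:huawei:params:xml:ns:yang:huawei-pki">
    <warning-records>
      <realm-name> default </realm-name>
      <certificate-type> local </certificate-type>
      <subject-name> /CN=example </subject-name>
      <certificate-begin-day> 2016-03-31 14:04:05 </certificate-begin-day>
      <certificate-end-day> 2017-03-31 14:14:05 </certificate-end-day>
    </warning-records>
  </certificate-status-notification>
</notification>"""


def _text(parent, leaf):
    """Leaf text with the surrounding padding whitespace removed."""
    node = parent.find(PKI + leaf)
    if node is None or node.text is None:
        raise ValueError(f"missing <{leaf}> in warning record")
    return node.text.strip()


def expiry_records(notification_xml):
    """Return one dict per warning record, earliest expiry first."""
    root = ET.fromstring(notification_xml)
    # Match eventTime by local name so a namespaced wrapper also parses.
    stamp = next(n.text for n in root.iter() if n.tag.endswith("eventTime"))
    event = datetime.strptime(stamp.strip(), STAMP)
    records = []
    for rec in root.iter(PKI + "warning-records"):
        end = datetime.strptime(_text(rec, "certificate-end-day"), STAMP)
        records.append({
            "realm": _text(rec, "realm-name"),
            "type": _text(rec, "certificate-type"),
            "subject": _text(rec, "subject-name"),
            "not_after": end,
            "days_left": (end - event).days,   # negative once expired
            "expired": end <= event,
        })
    return sorted(records, key=lambda r: r["not_after"])
```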
Updated: 2019-09-23

Document ID: EDOC1000178028
