
NETCONF YANG API Reference

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003


PKI

Data Model

The PKI configuration model file is huawei-pki.yang.

Table 3-1328 PKI data model

Object

Description

/huawei-pki:certificate-adoption/huawei-pki:realms/huawei-pki:name

Creates a PKI realm. The value is a string of 1 to 63 case-insensitive characters without spaces.

/huawei-pki:certificate-operation

Imports or deletes certificates:

  • realm-name: PKI realm name. Only the default realm is supported.
  • certificate-type: certificate type. Only CA and local certificates are supported.
    • 0: CA certificate.
    • 1: local certificate.
  • file-name: certificate file name. The value is a string of 1 to 64 case-insensitive characters without spaces or question marks (?).
  • file-format: certificate format. Only the PEM format is supported. This parameter does not need to be configured during certificate deletion.
  • operation-type: certificate operation type. Only the import operation is supported.
    • 0: import.
    • 2: delete.
  • password: The password is required only for certificate import. The value is a string of 6 to 32 case-sensitive characters without question marks (?).

/huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:realm-name

/huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:certificate-type

/huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:file-name

/huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:file-format

/huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:operation-type

/huawei-pki:certificate-operation/huawei-pki:files/huawei-pki:password

/huawei-pki:certificate-replace

Replaces certificates.

  • realm-name: PKI realm name. Only the default realm is supported.
  • certificate-type: certificate type.
  • file-name: certificate file name.

/huawei-pki:certificate-replace/huawei-pki:files/huawei-pki:realm-name

/huawei-pki:certificate-replace/huawei-pki:files/huawei-pki:certificate-type

/huawei-pki:certificate-replace/huawei-pki:files/huawei-pki:file-name

/huawei-pki:certificate-adoption/huawei-pki:realms/huawei-pki:certificate-check-method

Configures the method of checking whether a certificate in the PKI realm is revoked. By default, the system checks using CRLs whether a certificate in the PKI realm is revoked.

Currently, the method can only be configured as none.

Creating a PKI realm

This section provides a sample of creating a PKI realm using the merge method. You can also create a PKI realm using the create method.

Table 3-1329 Creating a PKI realm

| Operation | XPATH |
|---|---|
| edit-config: merge | /huawei-pki:certificate-adoption/huawei-pki:realms/huawei-pki:name |

Data requirement

Table 3-1330 Creating a PKI realm

| Item | Data | Description |
|---|---|---|
| Realm name | abc | - |

Request example
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <pki:certificate-adoption xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
        <pki:realms xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <pki:name>abc</pki:name>
        </pki:realms>
      </pki:certificate-adoption>
    </config>
  </edit-config>
</rpc>
Response example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="57bf89cf-a285-11e7-8896-c347ae12af3a">
  <ok/>
</rpc-reply>

Importing Certificates

This section describes how to import certificates using the RPC method.

Table 3-1331 Importing certificates

| Operation | XPATH |
|---|---|
| edit-config: default | /huawei-pki:certificate-operation |

Data requirement

Table 3-1332 Importing certificates

| Item | Data | Description |
|---|---|---|
| Realm name | default | The local certificate file local.pem is imported to the default realm using the password huawei@1234. |
| Certificate type | 1 | |
| Certificate file name | local.pem | |
| Certificate format | PEM | |
| Certificate operation type | 0 | |
| Password | huawei@1234 | |

Request example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="789ec580-b033-11e5-8151-ca8da1b643b5">
  <pki:certificate-operation xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
    <pki:files>
     <pki:realm-name>default</pki:realm-name>
     <pki:certificate-type>1</pki:certificate-type>
     <pki:file-name>local.pem</pki:file-name>
     <pki:file-format>pem</pki:file-format>
     <pki:operation-type>0</pki:operation-type>
     <pki:password>huawei@1234</pki:password>
    </pki:files>
  </pki:certificate-operation>
</rpc>
Response example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="789ec580-b033-11e5-8151-ca8da1b643b5">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-operation">
      <realm-name>default</realm-name>
      <error-tag>0</error-tag>
    </errors>
  </errors>
</rpc-reply>
NOTE:

Response error-tag types:

  • 0: Operation succeeded.
  • 1: Operation failed.
  • 2: The parameter is invalid.
  • 3: The realm name is invalid.
  • 4: The shadow certificate does not exist.
  • 5: Failed to replace the certificate.
  • 6: Failed to replace the key pair.
  • 7: The imported file does not exist.
  • 8: Failed to parse the imported file.
  • 9: Unsupported file format.
  • 10: The shadow certificate already exists.
  • 11: Failed to save the shadow certificate.
  • 12: Failed to search for the key pair based on certificate.
  • 13: Failed to save the shadow key pair.
  • 14: Failed to save the certificate file.
  • 15: Failed to import certificate.
  • 16: Failed to save the key pair.
  • 17: Failed to save the certificate and key pair to the specified path.
  • 18: The shadow certificate to be replaced does not exist.
  • 19: The path for storing the certificate is invalid.
  • 20: Unsupported operation.
  • 21: Failed to search for the key pair written into the specified file.
  • 22: Failed to save the certificate to the specified path.
  • 23: The file name is too long.
  • 24: The file to be deleted does not exist.
  • 25: The format of the file to be deleted is not supported.
  • 26: Failed to obtain the key to be deleted.
  • 27: Failed to obtain the CRL file path.
  • 28: Failed to read the CRL file.
  • 29: Failed to save the CRL file.
  • 30: Failed to import the CRL file.
  • 31: Failed to enable CRL check.
  • 32: The certificate in the memory already exists.
  • 33: Failed to delete the certificate.
  • 34: Failed to delete the CRL file.
  • 35: Failed to delete the key.
  • 36: Failed to replace the CRL file.
  • 37: Failed to create the virtual system storage path.
  • 38: The CRL file in the memory already exists.
  • 39: Failed to disable CRL check.

Deleting certificates

This section describes how to delete certificates using the RPC method.

Table 3-1333 Deleting certificates

| Operation | XPATH |
|---|---|
| edit-config: default | /huawei-pki:certificate-operation |

Data requirement

Table 3-1334 Deleting certificates

| Item | Data | Description |
|---|---|---|
| Realm name | abc | The local certificate file local.pem is deleted in the PKI realm abc. |
| Certificate type | 1 | |
| Certificate file name | local.pem | |
| Certificate operation type | 2 | |

Request example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="789ec580-b033-11e5-8151-ca8da1b643b5">
  <pki:certificate-operation xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
    <pki:files>
     <pki:realm-name>abc</pki:realm-name>
     <pki:certificate-type>1</pki:certificate-type>
     <pki:file-name>local.pem</pki:file-name>
     <pki:operation-type>2</pki:operation-type>
    </pki:files>
  </pki:certificate-operation>
</rpc>
Response example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="789ec580-b033-11e5-8151-ca8da1b643b5">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-operation">
      <realm-name>abc</realm-name>
      <error-tag>0</error-tag>
    </errors>
  </errors>
</rpc-reply>
NOTE:

Response error-tag types:

  • 0: Operation succeeded.
  • 1: Operation failed.
  • 2: The parameter is invalid.
  • 3: The realm name is invalid.
  • 4: The shadow certificate does not exist.
  • 5: Failed to replace the certificate.
  • 6: Failed to replace the key pair.
  • 7: The imported file does not exist.
  • 8: Failed to parse the imported file.
  • 9: Unsupported file format.
  • 10: The shadow certificate already exists.
  • 11: Failed to save the shadow certificate.
  • 12: Failed to search for the key pair based on certificate.
  • 13: Failed to save the shadow key pair.
  • 14: Failed to save the certificate file.
  • 15: Failed to import certificate.
  • 16: Failed to save the key pair.
  • 17: Failed to save the certificate and key pair to the specified path.
  • 18: The shadow certificate to be replaced does not exist.
  • 19: The path for storing the certificate is invalid.
  • 20: Unsupported operation.
  • 21: Failed to search for the key pair written into the specified file.
  • 22: Failed to save the certificate to the specified path.
  • 23: The file name is too long.
  • 24: The file to be deleted does not exist.
  • 25: The format of the file to be deleted is not supported.
  • 26: Failed to obtain the key to be deleted.
  • 27: Failed to obtain the CRL file path.
  • 28: Failed to read the CRL file.
  • 29: Failed to save the CRL file.
  • 30: Failed to import the CRL file.
  • 31: Failed to enable CRL check.
  • 32: The certificate in the memory already exists.
  • 33: Failed to delete the certificate.
  • 34: Failed to delete the CRL file.
  • 35: Failed to delete the key.
  • 36: Failed to replace the CRL file.
  • 37: Failed to create the virtual system storage path.
  • 38: The CRL file in the memory already exists.
  • 39: Failed to disable CRL check.
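
The import and delete requests above share one payload shape and one reply shape. The following is an added example, not code from Huawei or from this reference: it builds the certificate-operation RPC while enforcing the value limits listed in the data model, produces a copy with the password masked for logging (the import request carries the password in clear text inside the XML), and reads the error-tag out of a reply. The function names and the sample reply are assumptions made for illustration; nothing is sent to a device.

```python
import re
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
PKI = "urn:huawei:params:xml:ns:yang:huawei-pki"
IMPORT, DELETE = "0", "2"               # operation-type values from the data model
FILE_RE = re.compile(r"[^\s?]{1,64}")   # file-name: 1-64 chars, no spaces or '?'
PASS_RE = re.compile(r"[^?]{6,32}")     # password: 6-32 chars, no '?'
ET.register_namespace("pki", PKI)
# Constructed sample reply, modelled on the page's response example.
SAMPLE_REPLY = (f'<rpc-reply xmlns="{NC}" message-id="1"><errors>'
                f'<errors xmlns="{PKI}:certificate-operation"><realm-name>default</realm-name>'
                '<error-tag>0</error-tag></errors></errors></rpc-reply>')

def build_cert_op(msg_id, realm, cert_type, file_name, op, password=None):
    """Build the certificate-operation <rpc>, enforcing the documented value limits."""
    if cert_type not in ("0", "1"):
        raise ValueError("certificate-type must be 0 (CA) or 1 (local)")
    if not FILE_RE.fullmatch(file_name):
        raise ValueError("file-name: 1-64 characters, no spaces or '?'")
    if op not in (IMPORT, DELETE):
        raise ValueError("operation-type must be 0 (import) or 2 (delete)")
    if op == IMPORT and not (password and PASS_RE.fullmatch(password)):
        raise ValueError("import needs a 6-32 character password without '?'")
    if op == DELETE and password is not None:
        raise ValueError("password is used only for import")
    fields = {"realm-name": realm, "certificate-type": cert_type, "file-name": file_name,
              "file-format": "pem", "operation-type": op, "password": password}
    if op == DELETE:                    # deletion carries neither file-format nor password
        del fields["file-format"], fields["password"]
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": msg_id})
    files = ET.SubElement(ET.SubElement(rpc, f"{{{PKI}}}certificate-operation"), f"{{{PKI}}}files")
    for tag, value in fields.items():
        ET.SubElement(files, f"{{{PKI}}}{tag}").text = value
    return rpc

def redacted(rpc):
    """Serialize a copy of the request with the password masked, suitable for logs."""
    copy = ET.fromstring(ET.tostring(rpc))
    for pw in copy.iter(f"{{{PKI}}}password"):
        pw.text = "******"
    return ET.tostring(copy, encoding="unicode")

def reply_error_tags(reply_xml):
    """Return {realm-name: error-tag}; 0 is success, any other value is a failure code."""
    rows = [{c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in n}
            for n in ET.fromstring(reply_xml).iter()]
    return {r["realm-name"]: int(r["error-tag"]) for r in rows
            if r.keys() >= {"realm-name", "error-tag"}}
```

Matching on local element names in `reply_error_tags` lets the same function read certificate-replace replies, whose inner namespace differs.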

Replacing Certificates

This section describes how to replace certificates using the RPC method.

Table 3-1335 Replacing certificates

| Operation | XPATH |
|---|---|
| edit-config: default | /huawei-pki:certificate-replace |

Data requirement

Table 3-1336 Replacing certificates

| Item | Data | Description |
|---|---|---|
| Realm name | default | The local certificate file local1.pem is replaced in the default realm. |
| Certificate type | 1 | |
| Certificate file name | local1.pem | |

Request example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="64cc33de-b073-11e5-aa23-b7e6d9617fa8">
  <pki:certificate-replace xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
    <pki:files>
     <pki:realm-name>default</pki:realm-name>
     <pki:certificate-type>local</pki:certificate-type>
     <pki:file-name>local1.pem</pki:file-name>
    </pki:files>
  </pki:certificate-replace>
</rpc>
Response example

Sample of successful response

<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="64cc33de-b073-11e5-aa23-b7e6d9617fa8">
  <errors>
    <errors xmlns="urn:huawei:params:xml:ns:yang:huawei-pki:certificate-replace">
      <realm-name>default</realm-name>
      <error-tag>0</error-tag>
    </errors>
  </errors>
</rpc-reply>
NOTE:

Response error-tag types:

  • 0: Operation succeeded.
  • 1: Operation failed.
  • 2: The parameter is invalid.
  • 3: The realm name is invalid.
  • 4: The shadow certificate does not exist.
  • 5: Failed to replace the certificate.
  • 6: Failed to replace the key pair.
  • 7: The imported file does not exist.
  • 8: Failed to parse the imported file.
  • 9: Unsupported file format.
  • 10: The shadow certificate already exists.
  • 11: Failed to save the shadow certificate.
  • 12: Failed to search for the key pair based on certificate.
  • 13: Failed to save the shadow key pair.
  • 14: Failed to save the certificate file.
  • 15: Failed to import certificate.
  • 16: Failed to save the key pair.
  • 17: Failed to save the certificate and key pair to the specified path.
  • 18: The shadow certificate to be replaced does not exist.
  • 19: The path for storing the certificate is invalid.
  • 20: Unsupported operation.
  • 21: Failed to search for the key pair written into the specified file.
  • 22: Failed to save the certificate to the specified path.
  • 23: The file name is too long.
  • 24: The file to be deleted does not exist.
  • 25: The format of the file to be deleted is not supported.
  • 26: Failed to obtain the key to be deleted.
  • 27: Failed to obtain the CRL file path.
  • 28: Failed to read the CRL file.
  • 29: Failed to save the CRL file.
  • 30: Failed to import the CRL file.
  • 31: Failed to enable CRL check.
  • 32: The certificate in the memory already exists.
  • 33: Failed to delete the certificate.
  • 34: Failed to delete the CRL file.
  • 35: Failed to delete the key.
  • 36: Failed to replace the CRL file.
  • 37: Failed to create the virtual system storage path.
  • 38: The CRL file in the memory already exists.
  • 39: Failed to disable CRL check.

Configuring the certificate check mode

This section provides a sample of configuring the certificate check mode using the merge method. You can also configure the certificate check mode using the create method.

Table 3-1337 Configuring the certificate check mode

| Operation | XPATH |
|---|---|
| edit-config: merge | /huawei-pki:certificate-adoption/huawei-pki:realms/huawei-pki:certificate-check-method |

Data requirement

Configuring the certificate check mode

| Item | Data | Description |
|---|---|---|
| Realm name | abc | The certificate check method is set to none in PKI realm abc. |
| Certificate check mode | none | |

Request example
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <pki:certificate-adoption xmlns:pki="urn:huawei:params:xml:ns:yang:huawei-pki">
        <pki:realms xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="merge">
          <pki:name xc:operation="merge">abc</pki:name>
          <pki:certificate-check-method>none</pki:certificate-check-method>
        </pki:realms>
      </pki:certificate-adoption>
    </config>
  </edit-config>
</rpc>
Response example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="57bf89cf-a285-11e7-8896-c347ae12af3a">
  <ok/>
</rpc-reply>
Updated: 2019-03-06

Document ID: EDOC1100022096
