Configuring the REST API
The REST API can be configured on Junos OS devices using commands available under the [edit system services rest] hierarchy level. Once configured, the REST API becomes available as the rest service, a REST-based interface that supports GET and POST requests and enables you to submit rpc commands to the device from a remote location.
To enable the REST API on your device, you need to configure:
- Control parameters: These allow you to optionally specify permitted source IP addresses and connection limits common to both HTTP and HTTPS connections.
- REST API Explorer: The REST API provides a GUI called the REST API Explorer, which allows you to easily and quickly learn how to use the REST API. It is disabled by default, and can be enabled by specifying set system services rest enable-explorer. To learn more about the REST API Explorer, see Example: Using the REST API Explorer.
- HTTP access: You can specify a list of addresses and TCP ports for incoming connections. HTTP connections are not secure because they exchange credentials and data in clear text, so we recommend using HTTPS.
- HTTPS access (recommended): You can specify a list of addresses and TCP ports for incoming connections, a list of preferred cipher suites, transport layer security (TLS) mutual authentication, and server certificates. HTTPS connections are secure, encrypting both credentials and information.
- Trace options: You can enable tracing for lighttpd, User Interface Script Environment (juise), or both. Trace information for lighttpd is stored at /var/chroot/rest-api/var/log/lighttpd, and trace information for juise is stored at /var/chroot/rest-api/var/log/juise. Tracing is disabled by default.
To configure the optional control parameters for settings common to both HTTP and HTTPS connections:
- Specify set system services rest control allowed-sources [ value-list ] to set the permitted IP addresses for both HTTP and HTTPS connections. Use spaces as delimiters between values.
- Specify set system services rest control connection-limit limit to set the maximum number of allowed simultaneous connections for both HTTP and HTTPS connections. You can assign a value from 1 through 1024 (the default is 64).
To configure HTTP access:
- Specify set system services rest http addresses [ addresses ] to set the addresses on which the server listens for incoming HTTP connections.
- Specify set system services rest http port port-number to set the TCP port for incoming HTTP connections. You can assign a value from 1024 through 65535 (the default is 3000).
To configure HTTPS access:
- Specify set system services rest https addresses [ addresses ] to set the addresses on which the server listens for incoming HTTPS connections.
- Specify set system services rest https port port-number to set the TCP port for incoming HTTPS connections. You can assign a value from 1024 through 65535 (the default is 3443).
- Specify set system services rest https cipher-list [ cipher-1 cipher-2 cipher-3 ... ] to configure the set of cipher suites the SSH server can use to perform encryption and decryption functions.
- Specify set system services rest https server-certificate local-certificate-identifier to configure the server certificate. See request security pki generate-certificate-request for information about creating local certificates.
- You can configure the REST API to require server authentication without client authentication, or you can configure TLS mutual authentication on both the server and client by specifying set system services rest https mutual-authentication certificate-authority certificate-authority-profile-name.
To configure trace options for lighttpd, juise, or both, specify set system services rest traceoptions flag flag. Set flag to lighttpd, juise, or all. When you specify the trace options, the command overwrites any previous trace option settings.
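The following is an added example, not part of the original documentation or of Junos OS: a small Python check that reads a configuration in set format and reports REST API statements that fall outside the ranges and recommendations given above. The function name, the finding strings, and the sample addresses and certificate identifier are assumptions made for illustration.

```python
import re

# Constructed sample in "set" format. The addresses and the certificate
# identifier are hypothetical placeholders, not values from the page.
SAMPLE = """\
set system services rest control allowed-sources [ 192.0.2.10 192.0.2.11 ]
set system services rest control connection-limit 2048
set system services rest http port 3000
set system services rest https port 443
set system services rest https server-certificate rest-cert
set system services rest enable-explorer
"""
PREFIX = "set system services rest "

def audit_rest_config(text):
    """Return sorted findings for the REST API statements found in text."""
    stmts = [line.strip()[len(PREFIX):] for line in text.splitlines()
             if line.strip().startswith(PREFIX)]
    has = lambda head: any(s == head or s.startswith(head + " ") for s in stmts)

    def number(pattern):
        # Integer argument of the first statement matching pattern, else None.
        hits = [re.fullmatch(pattern, s) for s in stmts]
        return next((int(m.group(1)) for m in hits if m), None)

    findings = []
    if has("http"):
        findings.append("http: credentials and data cross the network in clear text")
    if has("enable-explorer"):
        findings.append("explorer: enabled (it is disabled by default)")
    if not has("control allowed-sources"):
        findings.append("control: no allowed-sources restriction")
    if has("https") and not has("https server-certificate"):
        findings.append("https: no server-certificate")
    if has("https") and not has("https mutual-authentication"):
        findings.append("https: clients are not authenticated by certificate")
    limit = number(r"control connection-limit (\d+)")
    if limit is not None and not 1 <= limit <= 1024:
        findings.append("control: connection-limit outside 1-1024")
    for proto in ("http", "https"):
        port = number(proto + r" port (\d+)")
        if port is not None and not 1024 <= port <= 65535:
            findings.append(proto + ": port outside 1024-65535")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit_rest_config(SAMPLE)))
```

A configuration that uses only HTTPS with a server certificate, mutual authentication, and an allowed-sources list produces no findings.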