Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Enable PCEP Security

You can enforce security between the PCE (Path Computation Element) server and Path Computation Clients (PCC) by configuring a security mode for the PCEP connections. Routing Director supports the following security modes:

  • Auto Detect—Accepts PCEP connection regardless of whether you have security enabled or not.
  • Strict Disable—Accepts only non-secured PCEP connections.
  • Strict Enable—Enforces security on all PCEP sessions. If a device does not have security enabled, its connection is rejected.

To enforce security between the PCE server and PCC using Paragon Shell:

  1. Log in to a cluster node. You are logged in to Paragon Shell.
  2. Type configure to enter configuration mode.
  3. By default, the security mode is strict-disable. Set the pce_server_global_default_tls_mode parameter to auto-detect or strict-enable so that the PCEP security is enabled.
    Note:

    You can update the pce_server_global_default_tls_mode parameter before or after installing Routing Director.
  4. If you enable secured connections (auto-detect or strict-enable), you can use either system-generated certificates or custom certificates.

    If you are using system-generated certificate:

    • The server certificate (tls.crt) and private key (tls.key) are automatically generated. You can view the system-generated certificate using the following command:

    Note:

    System-generated certificates are managed by cert-manager, which automatically renews certificates 90 days before their expiration. The PCE server seamlessly detects the updated certificate, ensuring that existing PCEP sessions remain uninterrupted while continuing to operate securely.
    If you are using custom certificates for added security, use the following steps to upload a custom certificate:
    1. Set the use_custom_certificate parameter to true.
    2. Upload the custom certificate and the private key in the /root/epic/config folder of the node from which the cluster is deployed.
    3. You can view the custom certificate using the following command:
    Note: Custom certificates are not automatically renewed. You need to upload the renewed server certificate and private key at least a few days before the expiry of the certificate.
  5. Commit and quit configuration mode.
  6. Copy the certificate on the device using the following procedure:
    1. Type exit from Paragon Shell to exit to the Linux root shell.
    2. If you are using a system-generated certificate, download the certificate using the following command:
    3. Upload the certificate (system-generated or custom) to the device using the following command:
    4. Log in to the device to configure and commit the following:
    5. Load the copied certificate file.
    6. Configure the PCEP mode and commit the configuration.
    7. Delete certificate authority (CA) digital certificates from the device.
  7. Do one of the following:
    1. If you have not installed Routing director, run the following commands to configure the PCE server based on the pce_server_global_default_tls_mode setting:
    2. If you have already installed Routing director, run the following commands to redeploy only the PCE server component:

The PCEP Status column on the Device tab of the Topology page (Observability > Network ) is displayed as Up if you have enabled PCEP security and have uploaded certificates on both the server and the client.

If you encounter issues, such as a PCEP session is down, ensure that you:

  • Check the logs on both the PCE server and the client device to identify any errors related to the certificate or security configuration.
  • Ensure that the correct mode is set (Auto Detect or Strict Enable) and that the required certificates are properly configured.
  • Verify that the certificates on both the server and the client match and are valid.

  • If you have performed a disaster recovery, ensure that you enable PCEP security again.

Related Documentation