Configure gRPC Services

The gNMI, gNOI, and gRIBI interfaces use the gRPC Remote Procedure Call framework for transport. The gRPC server runs on the network device and listens for connection requests on a specified port. The gRPC client application runs on a remote network management system (NMS) and establishes a gRPC channel with the server on the specified host and port. The client executes RPCs through the SSL-encrypted gRPC session to perform network service operations. Figure 1 illustrates a simple connection between a gRPC client and server.

gRPC channels use channel credentials to handle authentication between the server and the client. Standard channel credentials use X.509 digital certificates for authenticating the server and the client. A digital certificate provides a way of authenticating users through a trusted third-party called a certificate authority or certification authority (CA). The CA verifies the identity of a certificate holder and “signs” the certificate to attest that it has not been forged or altered. The X.509 standard defines the format for the certificate. Digital certificates can be used to establish a secure connection between two endpoints through certificate validation. To establish a gRPC channel, each endpoint (device or application) that requires authentication must supply an X.509 certificate in the exchange.

Junos devices support both server-only authentication as well as mutual authentication for SSL and TLS-based gRPC sessions. When server-only authentication is configured, the server provides its public key certificate when the channel is established. The client uses the server's Root CA certificate to authenticate the server. When mutual authentication is configured, the client also provides its certificate when it connects to the server, and the server validates the certificate. If the certificate validation is successful, the client is allowed to make calls. We recommend that you configure mutual authentication and use CA-signed certificates for the strongest security, although self-signed certificates are accepted.

A public key infrastructure (PKI) supports the distribution and identification of public encryption keys, enabling users to both securely exchange data over networks such as the Internet and verify the identity of the other party. For gRPC-based services, the Junos PKI must contain the certificate for the local device acting as the gRPC server. If you use mutual authentication, the Junos PKI must also contain the Root CA certificates required to validate the certificates of any gRPC clients that connect to the device.

Table 1 outlines the general requirements for server-only authentication and mutual authentication when a gRPC client connects to the device to perform gRPC-based services. The gRPC server's certificate must define either the server’s hostname in the Common Name (CN) field, or it must define the server’s IP address in the Subject Alternative Name (subjectAltName or SAN) IP Address field. The client application must use the same value to establish the connection to the server. If the certificate defines the SubjectAltName IP Address field, the Common Name field is ignored during authentication.

Table 1: Requirements for Server-Only and Mutual Authentication for gRPC Sessions

Requirements	Server-Only Authentication	Mutual Authentication
Certificates	The server must have an X.509 public key certificate. If the client connects to the server's IP address instead of the hostname, the server's certificate must include the subjectAltName (SAN) IP address extension field with the IP address of the server.	The server and client must each have an X.509 public key certificate. If the client connects to the server's IP address instead of the hostname, the server's certificate must include the subjectAltName (SAN) IP address extension field with the IP address of the server.
Junos PKI	The server's local certificate must be loaded in the Junos PKI.	The server's local certificate and each client's Root CA certificate must be loaded in the Junos PKI.
Channel credentials	The client must pass in the server's Root CA certificate when the gRPC channel is established.	The client must pass in their certificate and key and the server's Root CA certificate when the gRPC channel is established.

Channel credentials are attached to the gRPC channel and enable the client application to access the service. Call credentials, on the other hand, are attached to a specific service operation (RPC request) and provide information about the person who is using the client application. Call credentials are sent per request, that is, for each RPC call. To execute gRPC-based operations on Junos devices, you must provide call credentials in the request. The user must either have a user account defined locally on the device, or the user must be authenticated by a TACACS+ server, which then maps the user to a user template account that is defined locally on the device. You can provide the call credentials (username and password) in the RPC's metadata argument. If authentication is successful, the Junos device executes the RPC request using the account privileges of the specified user.

Note:

As an alternative to passing in call credentials for every RPC executed on a Junos device, you can use the Juniper Extension Toolkit jnx_authentication_service API to log in to the device once at the start of the gRPC session, and all subsequent RPCs executed in the channel are authenticated. You can download the JET Client IDL library from the Juniper Networks download site.

By default, Junos devices authorize an authenticated gRPC client to execute all gRPC RPCs. You can optionally configure a gRPC user's login class to explicitly allow or deny specific gRPC RPCs. To specify the RPCs, you configure the allow-grpc-rpc-regexps and deny-grpc-rpc-regexps statements and define regular expressions that match the RPCs. See Configure gRPC RPC Authorization for more information.

gRPC-based services use an API connection setting based on Secure Socket Layer (SSL) or Transport Layer Security (TLS) technology. For these connections, you must specify a local certificate that identifies the gRPC server.

After you enable gRPC services and specify a local certificate, the network device uses server-only authentication. You can then optionally configure mutual authentication by completing the steps described in Configure Mutual (Bidirectional) Authentication for gRPC Services.

You can configure your network device for gRPC services and specify the local certificate used for server authentication at one of the following hierarchy levels:

• [edit system services http servers]—Use this statement hierarchy to configure one or more gRPC servers that host different sets of services on unique ports. Additionally, each server can support different listening addresses, certificates, and routing instances.

• [edit system services extension-service request-response grpc ssl]—Use this statement hierarchy when you require only a single gRPC server that supports all gRPC services on the same listening address and port.

To configure the device for gRPC services, follow the instructions for the hierarchy level that meets your environment's requirements.

• [edit system services http servers]
• [edit system services extension-service request-response grpc ssl]

You can configure mutual (bidirectional) authentication for gRPC sessions, which authenticates both the network device as the gRPC server and the NMS as the gRPC client using certificates. The Junos device uses the credentials provided by the external client to authenticate the client and authorize a connection.

You can configure mutual authentication on Junos devices using one of the following options:

• Configure the mutual authentication settings directly in the configuration.

• Set up server-only authentication initially, and then use the gNOI CertificateManagement service to load the necessary CA certificates on the device.

If you configure mutual authentication directly in the device configuration, the device configuration takes precedence over any setup done using the gNOI services.

Before you begin:

• Load the certificate and key for the network device acting as the gRPC server into the device's PKI as described in Load the gRPC Server's Local Certificate in the Junos PKI.

• Enable gRPC services and configure the local server authentication as described in Enable gRPC Services.

The following sections discuss the different methods for configuring mutual authentication. You can use whichever method works best for your environment.

• Configure Mutual Authentication in the Device Configuration
• Configure Mutual Authentication Using the gNOI CertificateManagement Service