The NVUE REST API supports HTTP basic authentication and uses the same underlying username and password authentication methods as the NVUE CLI. User accounts work the same on both the API and the CLI.

NVOS includes a self-signed certificate and private key to use on the server so that it works out of the box. The switch generates the self-signed certificate and private key when it boots for the first time. The X.509 certificate with the public key is in /etc/ssl/certs/nvue.pem and the corresponding private key is in /etc/ssl/private/nvue.key.

NVIDIA recommends you use your own certificates and keys. For the steps to generate self-signed certificates and keys, refer to the Ubuntu Certificates and Security documentation.

NVOS lets you manage CA certificates (such as DigiCert or Verisign) and entity (end-point) certificates. Both a CA certificate and an entity certificate can contain a chain of certificates.

You can import certificates onto the switch (fetch certificates from an external source), set which certificate you want to use for the NVUE REST API, and show information about a certificate, such as the serial number and the validity period (the date and time range during which the certificate is valid).

Note: You can import a maximum of 25 entity certificates and a maximum of 25 CA certificates.

The certificate you import contains sensitive private key material. NVIDIA recommends that you use a secure transport such as SFTP, SCP, or HTTPS.

To import an entity certificate, run the nv action import system security certificate <cert-id> command.

To import a CA certificate, run the nv action import system security ca-certificate <cert-id> command.

If the certificate is passphrase protected, you need to include the passphrase.

You must provide a certificate ID (<cert-id>) that uniquely identifies the certificate you import.

The following example imports a CA certificate with a public key and calls the certificate tls-cert-1. The certificate is passphrase protected with mypassphrase. The public key is a Base64 ASCII-encoded PEM string.

nvos@switch:~$ nv action import system security ca-certificate tls-cert-1 passphrase mypassphrase data "<public-key>"

The following example imports an entity certificate bundle and calls the certificate tls-cert-1. The certificate bundle is passphrase protected with mypassphrase.

A certificate bundle must be in .PFX or .P12 format.

nvos@switch:~$ nv action import system security certificate tls-cert-1 passphrase mypassphrase uri-bundle scp:

The following example imports an entity certificate with the public key URI scp://user@pass:1.2.3.4 and private key URI scp://user@pass:1.2.3.4, and calls the certificate tls-cert-1. The certificate is not passphrase protected.

A CA certificate must be in .pem, .p7a, or .p7c format.

nvos@switch:~$ nv action import system security certificate tls-cert-1 uri-public-key scp:

You can configure the NVUE REST API to use a specific certificate.

The following example configures the API to use the certificate tls-cert-1 :

nvos@switch:~$ nv set system api certificate tls-cert-1
nvos@switch:~$ nv config apply

The following example configures the API to use the self-signed certificate:

nvos@switch:~$ nv set system api certificate self-signed
nvos@switch:~$ nv config apply

To unset the certificate to use with the NVUE REST API:

nvos@switch:~$ nv unset system api certificate tls-cert-1
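The client side of the configuration above, as an added example that is not NVIDIA's code: it authenticates to the NVUE REST API with HTTP basic authentication using a switch user account, verifies the switch certificate against a CA (or a copy of the self-signed nvue.pem) instead of disabling verification, and optionally pins the SHA-256 fingerprint of the certificate selected with nv set system api certificate. Assumptions not stated on this page: the API listens on TCP port 8765 (the port the control-plane ACL example later protects), the GET path /nvue_v1/system is served by your NVOS version, and the fingerprint you pin was taken from the certificate you imported.

```python
"""Client for the NVUE REST API that verifies the switch certificate.

Added example, not NVIDIA's code. Assumptions: API port 8765, the
/nvue_v1/system path exists on the switch, and the pinned fingerprint
was taken from the certificate configured with 'nv set system api certificate'.
"""
import base64
import hashlib
import http.client
import json
import ssl
from typing import Any, Optional, Tuple

API_PORT = 8765  # assumed NVUE REST API port


def basic_auth_header(username: str, password: str) -> str:
    """HTTP basic authentication value: Base64 of 'user:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_ssl_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that requires a valid, name-matching server certificate.

    cafile=None uses the OS trust store (fine for a CA-issued certificate).
    To trust exactly one issuer, pass the PEM of the CA you imported with
    'nv action import system security ca-certificate', or a copy of the
    switch's self-signed /etc/ssl/certs/nvue.pem.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def nvue_get(host: str, path: str, username: str, password: str,
             cafile: Optional[str] = None,
             expected_fingerprint: Optional[str] = None) -> Tuple[int, Any]:
    """GET a path from the switch API; returns (HTTP status, decoded JSON or None)."""
    conn = http.client.HTTPSConnection(host, API_PORT, timeout=10,
                                       context=build_ssl_context(cafile))
    conn.connect()  # TLS handshake; raises if the certificate does not verify
    try:
        if expected_fingerprint is not None:
            seen = cert_fingerprint(conn.sock.getpeercert(binary_form=True))
            if seen != expected_fingerprint.upper():
                raise ssl.SSLCertVerificationError(
                    f"switch certificate fingerprint {seen} does not match the pin")
        conn.request("GET", path, headers={
            "Authorization": basic_auth_header(username, password),
            "Accept": "application/json",
        })
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status == 401:
        raise PermissionError("the switch rejected the username or password")
    return resp.status, (json.loads(body) if body else None)


if __name__ == "__main__":
    # Example call; replace the host, credentials and CA path with your own.
    status, data = nvue_get("switch.example.net", "/nvue_v1/system",
                            "admin", "secret", cafile="switch-ca.pem")
    print(status, json.dumps(data, indent=2))
```

The fingerprint pin is useful when you switch the API between self-signed and imported certificates: a client that pins the imported certificate will fail closed if the switch is ever put back on the self-signed one (for example after the first-boot generation described above), which is easier to notice than a silent change of issuer.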

To delete an entity certificate and the key data stored on the switch, run the nv action delete system security certificate <cert-id> command.

To delete a CA certificate and the key data stored on the switch, run the nv action delete system security ca-certificate <cert-id> command.

The following command deletes the certificate tls-cert-1 :

nvos@switch:~$ nv action delete system security certificate tls-cert-1

To show all the entity certificates on the switch, run the nv show system security certificate command.

To show all the CA certificates on the switch, run the nv show system security ca-certificate command.

The following example shows all the entity certificates on the switch:

nvos@switch:~$ nv show system security certificate

To show the applications that are using a specific entity certificate, run the nv show system security certificate <cert-id> installed command.

To show the applications that are using a specific CA certificate, run the nv show system security ca-certificate <cert-id> installed command.

The following example shows the applications that are using the entity certificate tls-cert-1:

nvos@switch:~$ nv show system security certificate tls-cert-1 installed

To show detailed information about a specific entity certificate, run the nv show system security certificate <cert-id> dump command.

To show detailed information about a specific CA certificate, run the nv show system security ca-certificate <cert-id> dump command.

The following example shows detailed information about the CA certificate tls-cert-1 :

nvos@switch:~$ nv show system security ca-certificate tls-cert-1 dump

You can secure the API by configuring:

A listening address; see API Port and Listening Address below.

Control plane ACLs; see the following example.

This example shows how to create ACLs that allow users on the management subnet and the local switch to communicate with the switch through the REST API, and restrict all other access to it.

nvos@switch:~$ nv set acl API-PROTECT type ipv4
nvos@switch:~$ nv set acl API-PROTECT rule 10 action permit
nvos@switch:~$ nv set acl API-PROTECT rule 10 match ip protocol tcp
nvos@switch:~$ nv set acl API-PROTECT rule 10 match ip dest-port 8765
nvos@switch:~$ nv set acl API-PROTECT rule 10 match ip source-ip 192.168.200.0/24
nvos@switch:~$ nv set acl API-PROTECT rule 10 remark "Allow the Management Subnet to talk to API"
nvos@switch:~$ nv set acl API-PROTECT rule 20 action permit
nvos@switch:~$ nv set acl API-PROTECT rule 20 match ip protocol tcp
nvos@switch:~$ nv set acl API-PROTECT rule 20 match ip dest-port 8765
nvos@switch:~$ nv set acl API-PROTECT rule 20 match ip source-ip 127.0.0.1
nvos@switch:~$ nv set acl API-PROTECT rule 20 remark "Allow the local switch to talk to the API"
nvos@switch:~$ nv set acl API-PROTECT rule 30 action deny
nvos@switch:~$ nv set acl API-PROTECT rule 30 match ip protocol tcp
nvos@switch:~$ nv set acl API-PROTECT rule 30 match ip dest-port 8765
nvos@switch:~$ nv set acl API-PROTECT rule 30 remark "Block everyone else from talking to the API"
nvos@switch:~$ nv set system control-plane acl API-PROTECT inbound
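To check what the API-PROTECT ACL does before binding it to the control plane, the following added example (not NVIDIA's code, and a model rather than the switch's own ACL engine) parses nv set acl commands of the form shown above into rules and evaluates a source address, protocol and destination port against them in rule-number, first-match order. The commands embedded in it are a constructed copy of the ones on this page. It assumes that a packet matching no rule falls through to the switch's default control-plane policy, and reports None for that case rather than guessing what the default is; note that the deny rule 30 only matches TCP port 8765, so other control-plane traffic is untouched by this ACL.

```python
"""First-match evaluation of the API-PROTECT control-plane ACL.

Added example, not NVIDIA's code. It models the rule semantics so that the
effect of the ACL on a given source/protocol/port can be checked offline.
Assumption: a packet matching no rule is left to the switch's default
control-plane policy, reported here as None.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of the page's commands, prompt included, as pasted from a session.
API_PROTECT_COMMANDS = """
nvos@switch:~$ nv set acl API-PROTECT type ipv4
nvos@switch:~$ nv set acl API-PROTECT rule 10 action permit
nvos@switch:~$ nv set acl API-PROTECT rule 10 match ip protocol tcp
nvos@switch:~$ nv set acl API-PROTECT rule 10 match ip dest-port 8765
nvos@switch:~$ nv set acl API-PROTECT rule 10 match ip source-ip 192.168.200.0/24
nvos@switch:~$ nv set acl API-PROTECT rule 10 remark "Allow the Management Subnet to talk to API"
nvos@switch:~$ nv set acl API-PROTECT rule 20 action permit
nvos@switch:~$ nv set acl API-PROTECT rule 20 match ip protocol tcp
nvos@switch:~$ nv set acl API-PROTECT rule 20 match ip dest-port 8765
nvos@switch:~$ nv set acl API-PROTECT rule 20 match ip source-ip 127.0.0.1
nvos@switch:~$ nv set acl API-PROTECT rule 20 remark "Allow the local switch to talk to the API"
nvos@switch:~$ nv set acl API-PROTECT rule 30 action deny
nvos@switch:~$ nv set acl API-PROTECT rule 30 match ip protocol tcp
nvos@switch:~$ nv set acl API-PROTECT rule 30 match ip dest-port 8765
nvos@switch:~$ nv set acl API-PROTECT rule 30 remark "Block everyone else from talking to the API"
nvos@switch:~$ nv set system control-plane acl API-PROTECT inbound
"""


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None   # e.g. "tcp"; None matches any protocol
    dest_port: Optional[int] = None  # None matches any destination port
    source_ip: Optional[str] = None  # host address or CIDR; None matches any source
    remark: str = ""

    def matches(self, protocol: str, dst_port: int, src_ip: str) -> bool:
        """Every configured match attribute must hold; unset attributes match anything."""
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.dest_port is not None and self.dest_port != dst_port:
            return False
        if self.source_ip is not None:
            net = ipaddress.ip_network(self.source_ip, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        return True


def parse_nv_acl(commands: str, acl_name: str) -> List[Rule]:
    """Collect 'nv set acl <name> rule N ...' lines into Rule objects.

    Shell prompts and unrelated commands (the ACL type, the control-plane
    binding) are skipped.
    """
    attrs: Dict[int, dict] = {}
    for line in commands.splitlines():
        tokens = line.split()
        if "nv" in tokens:  # drop a leading prompt such as nvos@switch:~$
            tokens = tokens[tokens.index("nv"):]
        if tokens[:5] != ["nv", "set", "acl", acl_name, "rule"]:
            continue
        rule = attrs.setdefault(int(tokens[5]), {})
        kind = tokens[6]
        if kind == "action":
            rule["action"] = tokens[7]
        elif kind == "match" and tokens[7] == "ip":
            key, value = tokens[8], tokens[9]
            if key == "protocol":
                rule["protocol"] = value
            elif key == "dest-port":
                rule["dest_port"] = int(value)
            elif key == "source-ip":
                rule["source_ip"] = value
        elif kind == "remark":
            rule["remark"] = " ".join(tokens[7:]).strip('"')
    rules = []
    for number, fields in sorted(attrs.items()):
        if "action" not in fields:
            raise ValueError(f"rule {number} has no action")
        rules.append(Rule(number=number, **fields))
    return rules


def evaluate(rules: List[Rule], protocol: str, dst_port: int,
             src_ip: str) -> Optional[Tuple[str, int]]:
    """Return (action, rule number) of the first matching rule, or None if none matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, dst_port, src_ip):
            return rule.action, rule.number
    return None


if __name__ == "__main__":
    rules = parse_nv_acl(API_PROTECT_COMMANDS, "API-PROTECT")
    for proto, port, src in [("tcp", 8765, "192.168.200.7"), ("tcp", 8765, "127.0.0.1"),
                             ("tcp", 8765, "10.0.0.5"), ("tcp", 22, "10.0.0.5")]:
        print(f"{proto}/{port} from {src}: {evaluate(rules, proto, port, src)}")
```

Running the model against a few constructed packets shows the intended split: a management-subnet host and the switch itself are permitted by rules 10 and 20, any other source hitting port 8765 is denied by rule 30, and traffic to other ports is not matched by this ACL at all.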
