Lab: testing a CA with certificates
root@pe2:~ # pwd
/root
root@pe2:~ # ls -lisa ca/
total 36
302400 1 drwxr-xr-x 2 root wheel 512 Jul 4 15:34 .
364224 1 drwxr-xr-x 4 root wheel 512 Jul 4 15:27 ..
364234 4 -rw-r--r-- 1 root wheel 3520 Jul 4 14:25 ca.crt
302401 4 -rw-r--r-- 1 root wheel 3495 Jul 4 15:34 onms-core.crt
302402 4 -rw-r--r-- 1 root wheel 3134 Jul 4 15:34 onms-core.csr
302403 7 -rw------- 1 root wheel 6392 Jul 4 15:34 onms-core.key
364229 4 -rw-r--r-- 1 root wheel 3447 Jul 4 14:25 pe2.crt
364232 4 -rw-r--r-- 1 root wheel 3085 Jul 4 14:25 pe2.csr
364233 7 -rw------- 1 root wheel 6392 Jul 4 14:25 pe2.key
root@pe2# show security
## Configuration-mode view of [edit security]: a CA named "grpc" is declared
## under security certificates and again as PKI ca-profile "grpc".
## NOTE(review): the ca-profile carries only ca-identity; no revocation-check
## or enrollment statement is shown - confirm how revocation is handled.
certificates {
certification-authority grpc {
ca-name grpc;
}
}
pki {
ca-profile grpc {
ca-identity grpc;
}
}
root@pe2> show security pki ca-certificate
LSYS: root-logical-system
CA profile: grpc
Certificate identifier: grpc
Issued to: 10.10.50.154, Issued by: C = ES, ST = Madrid, L = Madrid, O = HPE Lab, OU = HPE Lab, CN = 10.10.50.154, emailAddress = [email protected]
Validity:
Not before: 07- 4-2025 13:39 UTC
Not after: 04-23-2028 13:39 UTC
Public key algorithm: rsaEncryption(8192 bits)
Keypair Location: Keypair generated locally
root@pe2> show security pki local-certificate
LSYS: root-logical-system
Certificate identifier: pe2
Issued to: 10.10.50.154, Issued by: C = ES, ST = Madrid, L = Madrid, O = HPE Lab, OU = HPE Lab, CN = 10.10.50.154, emailAddress = [email protected]
Validity:
Not before: 07- 4-2025 13:56 UTC
Not after: 07- 2-2035 13:56 UTC
Public key algorithm: rsaEncryption(8192 bits)
Keypair Location: Keypair generated locally
## Last commit: 2025-07-04 15:25:37 UTC by root
version 24.4R1.9;
## System-level settings for router pe2: root credentials, management services
## (SSH and the gRPC extension service), ARP ageing, resolvers and syslog files.
## NOTE(review): no login stanza with named user accounts appears in this
## listing; root is the only account visible.
system {
host-name pe2;
root-authentication {
## The value below is evidently a placeholder rather than a real hash; a real
## encrypted-password is a secret and should stay out of published configs.
encrypted-password "NOTHINGTOSEEGOAWAY"; ## SECRET-DATA
}
services {
ssh {
## NOTE(review): root may log in over SSH, password authentication included.
## Outside an isolated lab, prefer root-login deny-password (keys only) or
## root-login deny together with a named administrative account.
root-login allow;
protocol-version v2;
}
extension-service {
request-response {
grpc {
## gRPC request-response service over TLS on port 50051, presenting local
## certificate "pe2"; use-pki presumably selects the PKI store as the source
## of that certificate and hot-reloading presumably lets a renewed
## certificate be picked up without a restart - confirm both.
## NOTE(review): no mutual-authentication stanza is configured and the "grpc"
## CA profile is not referenced here, so as shown the router does not ask
## gRPC clients for a certificate; confirm how clients are authenticated.
ssl {
port 50051;
local-certificate pe2;
hot-reloading;
use-pki;
}
}
}
}
}
arp {
aging-timer 5;
}
name-server {
8.8.8.8;
9.9.9.9;
}
## Local log files only: interactive CLI commands go to "interactive-commands";
## "messages" takes notice and above from all facilities plus authorization
## events at info.
## NOTE(review): no remote syslog host is configured, so this audit trail
## exists only on the router itself.
syslog {
file interactive-commands {
interactive-commands any;
}
file messages {
any notice;
authorization info;
}
}
}
## Declares a logical system named pe2; it has no configuration of its own in
## this listing.
logical-systems {
pe2;
}
## Telemetry export: profile "opennms" uses local address 10.10.50.154 (the
## address configured on fxp0), local port 21111 and a reporting-rate of 10,
## encoded as gpb-gnmi over gRPC. Two sensors reference it: CPU utilization and
## per-interface counters.
## NOTE(review): nothing in this stanza shows TLS settings or a collector
## address; confirm that the stream is covered by the ssl settings under
## system services extension-service.
services {
analytics {
export-profile opennms {
local-address 10.10.50.154;
local-port 21111;
reporting-rate 10;
format gpb-gnmi;
transport grpc;
}
sensor cpu-utilization {
export-name opennms;
resource /components/component/cpu/utilization;
}
sensor if-stats {
export-name opennms;
resource /interfaces/interface/state/counters;
}
## NOTE(review): bare "resource;" with no path - looks like a leftover; verify.
resource;
}
}
## Trust anchor for the gRPC TLS setup: CA "grpc" is declared under security
## certificates and as PKI ca-profile "grpc" (ca-identity grpc).
## NOTE(review): the "show security pki" output on this page lists the CA
## certificate as valid until 04-23-2028 and local certificate pe2 until
## 07- 2-2035, both issued to 10.10.50.154. The leaf outlives its issuer and
## appears to share its subject name, so plan re-issuance before the CA expires
## and consider giving the CA a distinct subject.
## NOTE(review): no revocation-check statement is shown for the ca-profile;
## confirm the effective CRL/OCSP behaviour.
security {
certificates {
certification-authority grpc {
ca-name grpc;
}
}
pki {
ca-profile grpc {
ca-identity grpc;
}
}
}
## Interface addressing: ge-0/0/0 and ge-0/0/2 are described as links to the
## p-router (ge-0/0/2 also carries family mpls with MTU 4000), ge-0/0/1 and
## ge-0/0/3 as CE2 L3VPN links, fxp0 holds 10.10.50.154/24 and lo0 holds
## 192.168.0.3/32, the address used as router-id.
## NOTE(review): no firewall filter is applied to lo0 or fxp0, so as shown SSH,
## gRPC (port 50051) and SNMP are not restricted by source address on any
## interface; a lo0 input filter limiting them to the management network is
## the usual control.
interfaces {
ge-0/0/0 {
description "Link from PE2 to p-router";
unit 0 {
family inet {
address 172.16.1.232/24;
}
}
}
ge-0/0/1 {
description "Link from PE2 to CE2 for L3vpn";
unit 0 {
## NOTE(review): family inet is enabled with no address on this unit.
family inet;
}
}
ge-0/0/2 {
description "Link from PE2 to p-router";
mtu 4000;
unit 0 {
family inet {
address 10.1.34.2/24;
}
family mpls;
}
}
ge-0/0/3 {
description "Link from PE2 to CE2 for L3vpn";
unit 0 {
family inet {
address 172.16.2.2/30;
}
}
}
fxp0 {
unit 0 {
family inet {
address 10.10.50.154/24;
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.0.3/32;
}
}
}
}
## SNMP read-only community; the community string is masked as "?????" in this
## listing.
## NOTE(review): no clients list or view is attached to the community, so any
## source that can reach the router and knows the string can poll it, and
## community-based SNMP carries the string in clear text. Add a clients
## restriction or move to SNMPv3 outside the lab.
snmp {
community ????? {
authorization read-only;
}
}
## Routing policies used by the BGP configuration in this listing.
policy-options {
## adv_direct: accepts directly connected routes inside 172.16.0.0/16
## (orlonger). It is not referenced anywhere else in this listing.
policy-statement adv_direct {
term 1 {
from {
protocol direct;
route-filter 172.16.0.0/16 orlonger;
}
then accept;
}
}
## allow-all: a single term with no match conditions, so every route it
## evaluates is accepted. It is the export policy of both BGP groups here.
policy-statement allow-all {
term 1 {
then accept;
}
}
}
## VRF "CE2_L3vpn": external BGP to neighbor 172.16.2.1 (peer AS 65420), member
## interfaces ge-0/0/1.0 and ge-0/0/3.0, route distinguisher 192.168.0.3:12 and
## route target target:65412:12.
## NOTE(review): export allow-all places no restriction on what is advertised
## to the CE, and no import policy, prefix limit or session authentication is
## configured on this external session; add an import filter and
## authentication before reusing this pattern beyond the lab.
routing-instances {
CE2_L3vpn {
instance-type vrf;
protocols {
bgp {
group CE2 {
type external;
export allow-all;
peer-as 65420;
neighbor 172.16.2.1;
}
}
}
interface ge-0/0/1.0;
interface ge-0/0/3.0;
route-distinguisher 192.168.0.3:12;
vrf-target target:65412:12;
}
}
## Router-id equals the lo0 address; 65412 is the local autonomous system and
## also appears in the VRF route target.
routing-options {
router-id 192.168.0.3;
autonomous-system 65412;
}
## Core control plane: internal BGP (inet-vpn unicast) to 192.168.0.1 sourced
## from 192.168.0.3, one MPLS LSP "lsp_to_pe1" to the same address, OSPF area
## 0.0.0.0 with traffic-engineering on ge-0/0/0.0 and ge-0/0/2.0 plus a passive
## lo0.0, and RSVP on the same three interfaces.
## NOTE(review): no authentication is configured for BGP, OSPF or RSVP in this
## listing; that is acceptable only while the core links stay an isolated lab.
protocols {
bgp {
group ibgp {
type internal;
local-address 192.168.0.3;
family inet-vpn {
unicast;
}
export allow-all;
neighbor 192.168.0.1;
}
}
mpls {
label-switched-path lsp_to_pe1 {
to 192.168.0.1;
}
interface ge-0/0/0.0;
interface ge-0/0/2.0;
}
ospf {
traffic-engineering;
area 0.0.0.0 {
interface lo0.0 {
passive;
}
interface ge-0/0/0.0;
interface ge-0/0/2.0;
}
}
rsvp {
interface lo0.0;
interface ge-0/0/0.0;
interface ge-0/0/2.0;
}
## Present with no further options in this listing.
source-packet-routing;
}