[NETCONF-1205] Support private keys and trusted certificates configuration on per TLS device basis Created: 05/Dec/23  Updated: 05/Dec/23

Status: Open
Project: netconf
Component/s: netconf-client-mdsal, netconf-topology
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Medium
Reporter: Ruslan Kashapov Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to NETCONF-821 Mounting a device does not work when ... In Progress

Description

The current odl-netconf-device model (and, as a result, netconf-node-topology) provides no configuration option that defines which private key and trusted certificates the SslHandler should use when establishing a TLS connection. In fact, the SslHandler is built from a KeyStore instance containing all the private keys and all the trusted certificates currently defined in the datastore.

The more entries are defined in the datastore, the larger the SslHandler instance becomes and the longer the handshake procedure may take. Using the same set of keys and certificates for every TLS device also means that a single unparseable entry results in a connection failure for every TLS device, as described in NETCONF-821.

In order to make the SslHandler instance lighter, the handshake faster, and the configuration clearer and more transparent, it seems reasonable to provide per-device TLS options.

The following configuration options are suggested under the TLS container (connection-parameters grouping):

  • leaf-list private-key-id – private key ids
  • leaf-list trusted-certificate-id – trusted certificate ids

Both are expected to be optional: if defined, they act as a filter; if undefined, the full set of datastore entries is used.
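As an added illustration of the proposed semantics (not NETCONF project code), the Java sketch below builds the KeyStore backing one device's SslHandler from the ids its TLS options select; the class, record and parameter names are assumptions, and decoding entries only after selection is what keeps an unparseable entry from affecting devices that do not reference it.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example, not NETCONF project code; all names here are assumptions. */
public final class PerDeviceKeyStoreBuilder {

    /** Raw datastore entry for a private key: key algorithm, PKCS#8 DER bytes, DER certificate chain. */
    public record RawKey(String algorithm, byte[] pkcs8Der, byte[][] chainDer) {}

    /** Proposed leaf-list semantics: absent or empty means "full set", otherwise filter by id. */
    static <T> Map<String, T> select(Map<String, T> all, Collection<String> ids, String kind) {
        if (ids == null || ids.isEmpty()) return all;
        Map<String, T> out = new LinkedHashMap<>();
        for (String id : ids) {
            T entry = all.get(id);
            if (entry == null) throw new IllegalArgumentException(kind + " '" + id + "' is not in the datastore");
            out.put(id, entry);
        }
        return out;
    }

    /** Builds the KeyStore for one device's SslHandler; entries are decoded only after selection. */
    public static KeyStore build(Map<String, RawKey> keys, Map<String, byte[]> trustedDer,
            Collection<String> privateKeyIds, Collection<String> trustedCertIds,
            char[] keyPassword) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // fresh, empty in-memory store
        for (var e : select(keys, privateKeyIds, "private-key").entrySet()) {
            RawKey raw = e.getValue();
            var key = KeyFactory.getInstance(raw.algorithm())
                    .generatePrivate(new PKCS8EncodedKeySpec(raw.pkcs8Der()));
            Certificate[] chain = new Certificate[raw.chainDer().length];
            for (int i = 0; i < chain.length; i++) {
                chain[i] = cf.generateCertificate(new ByteArrayInputStream(raw.chainDer()[i]));
            }
            ks.setKeyEntry(e.getKey(), key, keyPassword, chain);
        }
        for (var e : select(trustedDer, trustedCertIds, "trusted-certificate").entrySet()) {
            ks.setCertificateEntry(e.getKey(), cf.generateCertificate(new ByteArrayInputStream(e.getValue())));
        }
        return ks;
    }
}
```

A device whose leaf-lists are absent gets the same full-datastore KeyStore as today, so the change is backwards compatible; a device that references an id not present in the datastore fails on its own rather than silently falling back to the full set.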


Generated at Wed Feb 07 20:16:55 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.