HTTP API configuration

Summary

This chapter describes how to enable and use the HTTP API. The Traffic Dictator API is available over either an insecure (HTTP) or a secure (HTTPS) connection. HTTP doesn’t require certificates and keys, so it’s easier to use for studying, PoC testing, etc. However, best practice for production deployments is to disable HTTP and use only HTTPS, because over HTTP the API credentials and commands cross the network unencrypted.

HTTP configuration

Default configuration of HTTP API:

management api http-commands
   protocol http
      port 80

Verify that HTTP API is running:

TD1#show management api http
HTTP server statistics

Enabled:             True
Running:             True
Port:                80
Hit count:           0
Last hit:            June 05, 2024 11:14:58

It is possible to change the port or shut down the HTTP API.

management api http-commands
   protocol http
      port 8080
      shutdown

Verify:

TD1#show management api http
HTTP server statistics

Enabled:             False
Running:             False
Port:                8080
Hit count:           0
Last hit:            June 05, 2024 11:14:58

HTTPS configuration

By default, the HTTPS API is not running because it requires a TLS certificate and key.

TD1#show management api https
HTTP server statistics

Enabled:             True
Running:             False
Port:                443
Hit count:           0
Last hit:            June 05, 2024 11:14:58
Certificate:         None
Key:                 None
Ciphers:             None
TLS versions:        TLSv1.3

You can use a TLS certificate provided by a Certificate Authority (CA) or generate a self-signed certificate.

Generate a self-signed TLS certificate

Example command to generate a self-signed certificate and key:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout mykey.key -out mycert.crt

Adjust parameters as required. Note that -nodes writes the private key unencrypted, so restrict read access to mykey.key.

Configure HTTPS API to use TLS certificate

Add the following config:

management api http-commands
   protocol https
      port 443
      certificate mycert.crt key mykey.key

Files must be in the /usr/local/td/ directory, or you can specify an absolute path to the certificate and key.

Verify that HTTPS API is running:

TD1#show management api https
HTTP server statistics

Enabled:             True
Running:             True
Port:                443
Hit count:           0
Last hit:            June 05, 2024 11:14:58
Certificate:         mycert.crt
Key:                 mykey.key
Ciphers:             TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
TLS versions:        TLSv1.3

As with HTTP, you can change the HTTPS port or shut down the HTTPS API.

Using API

Once the API has been configured, you can connect to it and run all kinds of commands to either configure Traffic Dictator or get outputs.

Note: when running Traffic Dictator in a Docker container, you might need to expose additional ports if you’re using non-standard ports. Ports 80 and 443 are exposed by default.

First, create a user if required. Alternatively, you can use RADIUS, TACACS, LDAP or similar authentication: the TD API relies on the PAM authentication configured in the system.

useradd tdadmin
passwd tdadmin

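You can use Python and jsonrpclib to connect to the Traffic Dictator API.

Note: when using a self-signed certificate, create an unverified SSL context so that the API client accepts it. An unverified context skips certificate validation entirely, so the client cannot tell the real server from an impostor. With a CA-issued certificate this step is not required.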

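python3
from jsonrpclib import Server
import ssl
# Only for a self-signed certificate: replace the default HTTPS context so that
# certificates are not verified for any HTTPS connection made by this process.
_create_unverified_https_context = ssl._create_unverified_context
ssl._create_default_https_context = _create_unverified_https_context

# Credentials are sent with HTTP Basic authentication
td_api = Server("https://tdadmin:td123@172.17.0.2:443/command-api")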
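
An added example, not part of the original documentation or the vendor's code: a standard-library client that keeps certificate verification on by pinning the self-signed mycert.crt, instead of replacing the default HTTPS context for the whole process, and reads the password from the environment. It assumes the endpoint accepts the JSON-RPC 2.0 request that jsonrpclib sends for runCmds; the function names and the TD_API_PASSWORD variable are hypothetical.

```python
import base64
import json
import os
import ssl
import urllib.request


def make_tls_context(cafile=None, match_hostname=True):
    """Verifying context. With cafile set, that file is the only trust anchor."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify_mode is CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3     # the page's HTTPS API lists TLSv1.3
    # Disable name matching only for a pinned certificate that carries no
    # subjectAltName for the device address; the chain is still verified.
    ctx.check_hostname = match_hostname
    return ctx


def build_request(host, user, password, cmds, port=443):
    """Build the runCmds call as JSON-RPC 2.0 with HTTP Basic authentication."""
    # Assumption: same wire format jsonrpclib emits for td_api.runCmds(1, cmds).
    body = {"jsonrpc": "2.0", "method": "runCmds", "params": [1, cmds], "id": 1}
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}:{port}/command-api",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )


def run_cmds(host, user, password, cmds, cafile=None, match_hostname=True):
    """Send the commands over verified TLS and return the list of results."""
    ctx = make_tls_context(cafile, match_hostname)
    req = build_request(host, user, password, cmds)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        reply = json.load(resp)
    if "error" in reply:  # JSON-RPC error object: a command was rejected
        raise RuntimeError(reply["error"])
    return reply["result"]


if __name__ == "__main__":
    # TD_API_PASSWORD is a hypothetical variable name; mycert.crt is a local
    # copy of the certificate configured on the device.
    print(run_cmds("172.17.0.2", "tdadmin", os.environ["TD_API_PASSWORD"],
                   ["show version"], cafile="mycert.crt", match_hostname=False))
```

With a CA-issued certificate, omit cafile and leave match_hostname at its default so the system trust store and hostname check apply.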

You can use the API to get the output of any show command. For example:

>>> from pprint import pprint
>>> show_ver = td_api.runCmds(1, ["show version"])
>>> pprint(show_ver)
[{'customer_id': '000555',
  'customer_name': 'Vegvisir Systems',
  'expire_date': '2025-12-31',
  'hostname': 'TD1',
  'mfg_name': 'Vegvisir Systems',
  'model_name': 'Traffic Dictator',
  'start_time': 1717600431,
  'uptime': '0:08:32',
  'valid_license': True,
  'version': '1.0'}]

You can also use the API to configure Traffic Dictator. Pass the configuration commands as a comma-separated list, for example:

>>> td_api.runCmds( 1, ["configure", "router bgp 65001", "neighbor 192.168.0.102", "remote-as 65002"])
[{}, {}, {}, {}]

If any of the commands fails, you will get an error message and the subsequent commands will not be executed.

To explore available commands, use TDCLI and try autocomplete with tab or question mark to see all commands and options.

Add a large config using API

Copy-pasting many config lines into TDCLI is not the best option because it can be slow and error-prone, and it is difficult to see whether any of the commands failed.

A better option is to use the API to add a large configuration. Let’s say you have a text config with a lot of traffic engineering policies called “policy_config.txt”. Its contents look like this:

policy R1_R4_ISP1_001
   headend 1.1.1.1 topology-id 101
   endpoint 172.16.0.11 color 100
   binding-sid 15001
   priority 7 7
   install direct srte 192.168.123.101
   !
   candidate-path preference 100
      metric igp
      bandwidth 1 gbps
...

Then you can create a simple Python script to push this config from the text file to the TD API:

#!/usr/bin/env python3

from jsonrpclib import Server
import ssl

# Only for a self-signed certificate: disable certificate verification
_create_unverified_https_context = ssl._create_unverified_context
ssl._create_default_https_context = _create_unverified_https_context

td_api = Server("https://tdadmin:td123@172.17.0.2:443/command-api")

with open("/home/dima/policy_config.txt", "r") as f:
    config_lines = f.readlines()

# Enter the configuration mode the policies belong to
send_command = [
    "configure",
    "traffic-eng policies"
]

for line in config_lines:
    line = line.strip()
    # Skip empty lines and "!" separators; they are not commands
    if not line or line == "!":
        continue
    send_command.append(line)

# Send everything in one call; execution stops at the first failing command
td_api.runCmds(1, send_command)

The HTTP API is therefore a powerful tool that can be used to integrate Traffic Dictator with your network automation system.