
ietf-netconf-client


ietf-netconf-client@2020-08-20



  module ietf-netconf-client {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-netconf-client";

    prefix ncc;

    import ietf-yang-types {
      prefix yang;
      reference
        "RFC 6991: Common YANG Data Types";


    }
    import ietf-tcp-client {
      prefix tcpc;
      reference
        "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";


    }
    import ietf-tcp-server {
      prefix tcps;
      reference
        "RFC DDDD: YANG Groupings for TCP Clients and TCP Servers";


    }
    import ietf-ssh-client {
      prefix sshc;
      revision-date "2020-08-20";
      reference
        "RFC EEEE: YANG Groupings for SSH Clients and SSH Servers";


    }
    import ietf-tls-client {
      prefix tlsc;
      revision-date "2020-08-20";
      reference
        "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";


    }

    organization
      "IETF NETCONF (Network Configuration) Working Group";

    contact
      "WG Web:   <http://datatracker.ietf.org/wg/netconf/>
     WG List:  <mailto:netconf@ietf.org>
     Author:   Kent Watsen <mailto:kent+ietf@watsen.net>
     Author:   Gary Wu <mailto:garywu@cisco.com>";

    description
      "This module contains a collection of YANG definitions
     for configuring NETCONF clients.

     Copyright (c) 2020 IETF Trust and the persons identified
     as authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Simplified
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC HHHH
     (https://www.rfc-editor.org/info/rfcHHHH); see the RFC
     itself for full legal notices.

     The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
     'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
     'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
     are to be interpreted as described in BCP 14 (RFC 2119)
     (RFC 8174) when, and only when, they appear in all
     capitals, as shown here.";

    revision "2020-08-20" {
      description "Initial version";
      reference
        "RFC HHHH: NETCONF Client and Server Models";

    }


    // Optional capability: outbound NETCONF over SSH. In this module it
    // gates 'case ssh' of netconf-client-initiate-stack-grouping and,
    // together with 'tls-initiate', the 'initiate' container.
    feature ssh-initiate {
      description
        "The 'ssh-initiate' feature indicates that the NETCONF client
       supports initiating SSH connections to NETCONF servers.";
      reference
        "RFC 6242:
          Using the NETCONF Protocol over Secure Shell (SSH)";

    }

    // Optional capability: outbound NETCONF over TLS. In this module it
    // gates 'case tls' of netconf-client-initiate-stack-grouping and,
    // together with 'ssh-initiate', the 'initiate' container.
    feature tls-initiate {
      description
        "The 'tls-initiate' feature indicates that the NETCONF client
       supports initiating TLS connections to NETCONF servers.";
      reference
        "RFC 7589: Using the NETCONF Protocol over Transport
          Layer Security (TLS) with Mutual X.509 Authentication";

    }

    // Optional capability: accept call-home connections carrying SSH.
    // Gates 'case ssh' of netconf-client-listen-stack-grouping and,
    // together with 'tls-listen', the 'listen' container. Per the
    // description, supporting it means the client opens a listening port.
    feature ssh-listen {
      description
        "The 'ssh-listen' feature indicates that the NETCONF client
       supports opening a port to listen for incoming NETCONF
       server call-home SSH connections.";
      reference
        "RFC 8071: NETCONF Call Home and RESTCONF Call Home";

    }

    // Optional capability: accept call-home connections carrying TLS.
    // Gates 'case tls' of netconf-client-listen-stack-grouping and,
    // together with 'ssh-listen', the 'listen' container. Per the
    // description, supporting it means the client opens a listening port.
    feature tls-listen {
      description
        "The 'tls-listen' feature indicates that the NETCONF client
       supports opening a port to listen for incoming NETCONF
       server call-home TLS connections.";
      reference
        "RFC 8071: NETCONF Call Home and RESTCONF Call Home";

    }

    // Placeholder for transport-independent NETCONF client settings. It
    // defines no nodes, so every 'netconf-client-parameters' container
    // that uses it in this module is currently empty.
    grouping netconf-client-grouping {
      description
        "A reusable grouping for configuring a NETCONF client
       without any consideration for how underlying transport
       sessions are established.

       This grouping currently doesn't define any nodes.";
    }  // grouping netconf-client-grouping

    // Transport stack for one outbound ('initiate') connection. The
    // 'transport' choice is mandatory, so exactly one of the 'ssh' or
    // 'tls' cases must be configured, and each case exists only when the
    // matching feature is supported. Each case layers TCP parameters, the
    // secure-transport client parameters, and the (currently empty)
    // NETCONF client parameters.
    grouping netconf-client-initiate-stack-grouping {
      description
        "A reusable grouping for configuring a NETCONF client
       'initiate' protocol stack for a single connection.";
      choice transport {
        mandatory true;
        description
          "Selects between available transports.";
        case ssh {
          if-feature ssh-initiate;
          container ssh {
            description
              "Specifies IP and SSH specific configuration
             for the connection.";
            container tcp-client-parameters {
              description
                "A wrapper around the TCP client parameters
               to avoid name collisions.";
              uses tcpc:tcp-client-grouping {
                // Only the default of the imported 'remote-port' leaf is
                // overridden; an explicit value still takes precedence.
                refine remote-port {
                  default "830";
                  description
                    "The NETCONF client will attempt to connect
                   to the IANA-assigned well-known port value
                   for 'netconf-ssh' (830) if no value is
                   specified.";
                }
              }
            }  // container tcp-client-parameters

            // NOTE(review): no 'must' constraint is placed on the SSH
            // client parameters here, unlike 'tls-client-parameters'
            // below. The object tree shown for this module lists 'none',
            // 'cleartext-password' and 'cleartext-private-key' among the
            // nodes pulled in from sshc:ssh-client-grouping; prefer
            // keystore references or encrypted/hidden keys, and treat any
            // datastore or backup holding cleartext values as secret
            // material. How the server's host key is verified is defined
            // by the imported grouping -- confirm there.
            container ssh-client-parameters {
              description
                "A wrapper around the SSH client parameters to
               avoid name collisions.";
              uses sshc:ssh-client-grouping;
            }  // container ssh-client-parameters

            container netconf-client-parameters {
              description
                "A wrapper around the NETCONF client parameters
               to avoid name collisions.";
              uses ncc:netconf-client-grouping;
            }  // container netconf-client-parameters
          }  // container ssh
        }  // case ssh

        case tls {
          if-feature tls-initiate;
          container tls {
            description
              "Specifies IP and TLS specific configuration
             for the connection.";
            container tcp-client-parameters {
              description
                "A wrapper around the TCP client parameters
               to avoid name collisions.";
              uses tcpc:tcp-client-grouping {
                // Only the default of the imported 'remote-port' leaf is
                // overridden; an explicit value still takes precedence.
                refine remote-port {
                  default "6513";
                  description
                    "The NETCONF client will attempt to connect
                   to the IANA-assigned well-known port value
                   for 'netconf-tls' (6513) if no value is
                   specified.";
                }
              }
            }  // container tcp-client-parameters

            container tls-client-parameters {
              // XPath existence test: validation fails unless a
              // 'client-identity' child is present, so a NETCONF/TLS
              // client cannot be configured without credentials. The
              // node itself is expected to come from
              // tlsc:tls-client-grouping -- confirm there.
              must "client-identity" {
                description
                  "NETCONF/TLS clients MUST pass some
                 authentication credentials.";
              }
              description
                "A wrapper around the TLS client parameters
               to avoid name collisions.";
              uses tlsc:tls-client-grouping;
            }  // container tls-client-parameters

            container netconf-client-parameters {
              description
                "A wrapper around the NETCONF client parameters
               to avoid name collisions.";
              uses ncc:netconf-client-grouping;
            }  // container netconf-client-parameters
          }  // container tls
        }  // case tls
      }  // choice transport
    }  // grouping netconf-client-initiate-stack-grouping

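    // Transport stack for one inbound ('listen') call-home endpoint. The
    // 'transport' choice is mandatory, so exactly one of the 'ssh' or
    // 'tls' cases must be configured, and each case exists only when the
    // matching feature is supported. The TCP layer uses the *server*
    // grouping (the client accepts the connection) while the SSH/TLS layer
    // still uses the *client* groupings.
    //
    // NOTE(review): because the port accepts connections from the network,
    // authenticating the calling server is what keeps an arbitrary peer
    // from being treated as a managed device. Those settings are expected
    // to live in the imported sshc:/tlsc: groupings -- confirm there.
    grouping netconf-client-listen-stack-grouping {
      description
        "A reusable grouping for configuring a NETCONF client
       'listen' protocol stack for a single connection.  The
       'listen' stack supports call home connections, as
       described in RFC 8071.";
      reference
        "RFC 8071: NETCONF Call Home and RESTCONF Call Home";

      choice transport {
        mandatory true;
        description
          "Selects between available transports.";
        case ssh {
          if-feature ssh-listen;
          container ssh {
            description
              "SSH-specific listening configuration for inbound
             connections.";
            container tcp-server-parameters {
              description
                "A wrapper around the TCP server parameters
               to avoid name collisions.";
              uses tcps:tcp-server-grouping {
                // Only the default of the imported 'local-port' leaf is
                // overridden; an explicit value still takes precedence.
                refine local-port {
                  default "4334";
                  description
                    "The NETCONF client will listen on the IANA-
                   assigned well-known port for 'netconf-ch-ssh'
                   (4334) if no value is specified.";
                }
              }
            }  // container tcp-server-parameters

            // NOTE(review): no 'must' constraint is placed on the SSH
            // client parameters here, unlike 'tls-client-parameters'
            // below; which credentials are acceptable is left to
            // sshc:ssh-client-grouping.
            container ssh-client-parameters {
              description
                "A wrapper around the SSH client parameters
               to avoid name collisions.";
              uses sshc:ssh-client-grouping;
            }  // container ssh-client-parameters

            container netconf-client-parameters {
              description
                "A wrapper around the NETCONF client parameters
               to avoid name collisions.";
              uses ncc:netconf-client-grouping;
            }  // container netconf-client-parameters
          }  // container ssh
        }  // case ssh

        case tls {
          if-feature tls-listen;
          container tls {
            description
              "TLS-specific listening configuration for inbound
             connections.";
            container tcp-server-parameters {
              description
                "A wrapper around the TCP server parameters
               to avoid name collisions.";
              uses tcps:tcp-server-grouping {
                refine local-port {
                  // Fixed: this TLS listener previously defaulted to 4334
                  // and named 'netconf-ch-ssh', duplicating the SSH case
                  // above. The IANA assignment for NETCONF call home over
                  // TLS is 'netconf-ch-tls' (4335). With the old value an
                  // SSH and a TLS endpoint left at their defaults would
                  // claim the same port.
                  // NOTE(review): changing a default is a module change;
                  // publish it under a new revision statement.
                  default "4335";
                  description
                    "The NETCONF client will listen on the IANA-
                    assigned well-known port for 'netconf-ch-tls'
                    (4335) if no value is specified.";
                }
              }
            }  // container tcp-server-parameters

            container tls-client-parameters {
              // XPath existence test: validation fails unless a
              // 'client-identity' child is present, so a NETCONF/TLS
              // client cannot be configured without credentials.
              must "client-identity" {
                description
                  "NETCONF/TLS clients MUST pass some
                 authentication credentials.";
              }
              description
                "A wrapper around the TLS client parameters
               to avoid name collisions.";
              uses tlsc:tls-client-grouping;
            }  // container tls-client-parameters

            container netconf-client-parameters {
              description
                "A wrapper around the NETCONF client parameters
               to avoid name collisions.";
              uses ncc:netconf-client-grouping;
            }  // container netconf-client-parameters
          }  // container tls
        }  // case tls
      }  // choice transport
    }  // grouping netconf-client-listen-stack-grouping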

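    // Application-level configuration: an optional 'initiate' container
    // (outbound connections to a list of named servers) and an optional
    // 'listen' container (inbound call-home endpoints). Both are presence
    // containers, so neither behaviour is enabled unless explicitly
    // configured, and each exists only if one of its features is supported.
    grouping netconf-client-app-grouping {
      description
        "A reusable grouping for configuring a NETCONF client
       application that supports both 'initiate' and 'listen'
       protocol stacks for a multiplicity of connections.";
      container initiate {
        if-feature ssh-initiate or tls-initiate;
        presence
          "Enables client to initiate TCP connections";
        description
          "Configures client initiating underlying TCP connections.";
        list netconf-server {
          key "name";
          min-elements 1;
          description
            "List of NETCONF servers the NETCONF client is to
           maintain simultaneous connections with.";
          leaf name {
            type string;
            description
              "An arbitrary name for the NETCONF server.";
          }

          container endpoints {
            description
              "Container for the list of endpoints.";
            // 'ordered-by user' makes list order significant: it is the
            // connection sequence referred to by 'reconnect-strategy'.
            list endpoint {
              key "name";
              min-elements 1;
              ordered-by user;
              description
                "A user-ordered list of endpoints that the NETCONF
               client will attempt to connect to in the specified
               sequence.  Defining more than one enables
               high-availability.";
              leaf name {
                type string;
                description
                  "An arbitrary name for the endpoint.";
              }

              uses netconf-client-initiate-stack-grouping;
            }  // list endpoint
          }  // container endpoints

          container connection-type {
            description
              "Indicates the NETCONF client's preference for how the
             NETCONF connection is maintained.";
            // Mandatory choice between two presence containers: exactly
            // one of 'persistent' or 'periodic' must be configured.
            choice connection-type {
              mandatory true;
              description
                "Selects between available connection types.";
              container persistent {
                presence
                  "Indicates that a persistent connection is
                          to be maintained.";
                description
                  "Maintain a persistent connection to the NETCONF
                   server.  If the connection goes down, immediately
                   start trying to reconnect to the NETCONF server,
                   using the reconnection strategy.

                   This connection type minimizes any NETCONF server
                   to NETCONF client data-transfer delay, albeit at
                   the expense of holding resources longer.";
              }  // container persistent
              container periodic {
                presence
                  "Indicates that a periodic connection is
                          to be maintained.";
                // Fixed wording: the text said this type 'increases'
                // resource utilization, which contradicts both the
                // 'albeit with increased delay' trade-off and the
                // 'persistent' description (holds resources longer).
                description
                  "Periodically connect to the NETCONF server.

                   This connection type decreases resource
                   utilization, albeit with increased delay in
                   NETCONF server to NETCONF client interactions.

                   The NETCONF client should close the underlying
                   TCP connection upon completing planned activities.

                   In the case that the previous connection is still
                   active, establishing a new connection is NOT
                   RECOMMENDED.";
                leaf period {
                  type uint16;
                  units "minutes";
                  default "60";
                  description
                    "Duration of time between periodic connections.";
                }

                leaf anchor-time {
                  // NOTE(review): this pattern has no ':SS' seconds
                  // field, whereas the base yang:date-and-time pattern
                  // (RFC 6991) requires one. YANG pattern restrictions
                  // are cumulative, so confirm with a validator that a
                  // value can satisfy both before relying on this leaf.
                  type yang:date-and-time {
                    pattern
                      '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}'
                        + '(Z|[\+\-]\d{2}:\d{2})';
                  }
                  description
                    "Designates a timestamp before or after which a
                     series of periodic connections are determined.
                     The periodic connections occur at a whole
                     multiple interval from the anchor time.  For
                     example, for an anchor time that is 15 minutes
                     past midnight and a period interval of 24 hours,
                     a periodic connection will occur 15 minutes past
                     midnight every day.";
                }

                leaf idle-timeout {
                  type uint16;
                  units "seconds";
                  default "120";
                  description
                    "Specifies the maximum number of seconds that
                     a NETCONF session may remain idle. A NETCONF
                     session will be dropped if it is idle for an
                     interval longer than this number of seconds.
                     If set to zero, then the NETCONF client will
                     never drop a session because it is idle.";
                }
              }  // container periodic
            }  // choice connection-type
          }  // container connection-type

          container reconnect-strategy {
            description
              "The reconnection strategy directs how a NETCONF client
             reconnects to a NETCONF server, after discovering its
             connection to the server has dropped, even if due to a
             reboot.  The NETCONF client starts with the specified
             endpoint and tries to connect to it max-attempts times
             before trying the next endpoint in the list (round
             robin).";
            leaf start-with {
              type enumeration {
                enum "first-listed" {
                  value 0;
                  description
                    "Indicates that reconnections should start with
                   the first endpoint listed.";
                }
                enum "last-connected" {
                  value 1;
                  description
                    "Indicates that reconnections should start with
                   the endpoint last connected to.  If no previous
                   connection has ever been established, then the
                   first endpoint configured is used.   NETCONF
                   clients SHOULD be able to remember the last
                   endpoint connected to across reboots.";
                }
                enum "random-selection" {
                  value 2;
                  description
                    "Indicates that reconnections should start with
                   a random endpoint.";
                }
              }
              default "first-listed";
              description
                "Specifies which of the NETCONF server's endpoints
               the NETCONF client should start with when trying
               to connect to the NETCONF server.";
            }

            // The range excludes 0, so every endpoint is tried at least
            // once before the client moves on to the next one.
            leaf max-attempts {
              type uint8 {
                range "1..max";
              }
              default "3";
              description
                "Specifies the number of times the NETCONF client tries
               to connect to a specific endpoint before moving on
               to the next endpoint in the list (round robin).";
            }
          }  // container reconnect-strategy
        }  // list netconf-server
      }  // container initiate

      container listen {
        if-feature ssh-listen or tls-listen;
        presence
          "Enables client to accept call-home connections";
        description
          "Configures the client to accept call-home TCP connections.";
        // NOTE(review): the original text said 'the server will never
        // drop a session'. This leaf configures the client, and the
        // parallel leaf under 'periodic' says 'NETCONF client', so the
        // wording is aligned here -- confirm against the intended draft.
        // A value of zero disables idle expiry on sessions that arrived
        // through an open listening port; weigh that against resource
        // limits on the client.
        leaf idle-timeout {
          type uint16;
          units "seconds";
          default "3600";
          description
            "Specifies the maximum number of seconds that a NETCONF
           session may remain idle. A NETCONF session will be
           dropped if it is idle for an interval longer than this
           number of seconds.  If set to zero, then the NETCONF
           client will never drop a session because it is idle.
           Sessions that have a notification subscription active
           are never dropped.";
        }

        list endpoint {
          key "name";
          min-elements 1;
          description
            "List of endpoints to listen for NETCONF connections.";
          leaf name {
            type string;
            description
              "An arbitrary name for the NETCONF listen endpoint.";
          }

          uses netconf-client-listen-stack-grouping;
        }  // list endpoint
      }  // container listen
    }  // grouping netconf-client-app-grouping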

    // The only data node defined at module level: it instantiates
    // netconf-client-app-grouping, so all 'initiate' and 'listen'
    // configuration lives under /ncc:netconf-client.
    container netconf-client {
      description
        "Top-level container for NETCONF client configuration.";
      uses netconf-client-app-grouping;
    }  // container netconf-client
  }  // module ietf-netconf-client

Summary

  
  
Organization IETF NETCONF (Network Configuration) Working Group
  
Module ietf-netconf-client
Version 2020-08-20
File ietf-netconf-client@2020-08-20.yang
  
Prefix ncc
Namespace urn:ietf:params:xml:ns:yang:ietf-netconf-client
  
Cooked /cookedmodules/ietf-netconf-client/2020-08-20
YANG /src/ietf-netconf-client@2020-08-20.yang
XSD /xsd/ietf-netconf-client@2020-08-20.xsd
  
Abstract This module contains a collection of YANG definitions for configuring NETCONF clients. Copyright (c) 2020 IETF Trust and the pe...
  
Contact
WG Web:   <http://datatracker.ietf.org/wg/netconf/>
WG List:  <mailto:netconf@ietf.org>
Author:   Kent Watsen <mailto:kent+ietf@watsen.net>
Author:   Gary Wu <mailto:garywu@cisco.com>

Description

 
This module contains a collection of YANG definitions
for configuring NETCONF clients.

Copyright (c) 2020 IETF Trust and the persons identified
as authors of the code. All rights reserved.

Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info).

This version of this YANG module is part of RFC HHHH
(https://www.rfc-editor.org/info/rfcHHHH); see the RFC
itself for full legal notices.

The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.

Groupings

Grouping Objects Abstract
netconf-client-app-grouping initiate listen A reusable grouping for configuring a NETCONF client application that supports both 'initiate' and 'listen' protocol stacks for a multiplicity of connections.
netconf-client-grouping A reusable grouping for configuring a NETCONF client without any consideration for how underlying transport sessions are established. This grouping currently doesn't define any nodes.
netconf-client-initiate-stack-grouping transport A reusable grouping for configuring a NETCONF client 'initiate' protocol stack for a single connection.
netconf-client-listen-stack-grouping transport A reusable grouping for configuring a NETCONF client 'listen' protocol stack for a single connection. The 'listen' stack supports call home connections, as described in RFC 8071

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
netconf-client container Top-level container for NETCONF client configuration.
   initiate container Configures client initiating underlying TCP connections.
      netconf-server list List of NETCONF servers the NETCONF client is to maintain simultaneous connections with.
         connection-type container Indicates the NETCONF client's preference for how the NETCONF connection is maintained.
            connection-type choice Selects between available connection types.
               periodic-connection case periodic
                  periodic container Periodically connect to the NETCONF server. This connection type increases resource utilization, albeit with increased delay in NETCONF server to NETCONF client interactions. The NETCONF client should close the underlying TCP connection upon completing ...
                     anchor-time leaf Designates a timestamp before or after which a series of periodic connections are determined. The periodic connections occur at a whole multiple interval from the anchor time. For example, for an anchor time that is 15 minutes past midnight and a period inter...
                     idle-timeout leaf Specifies the maximum number of seconds that a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the NETCONF client will never drop a session because i...
                     period leaf Duration of time between periodic connections.
               persistent-connection case persistent
                  persistent container Maintain a persistent connection to the NETCONF server. If the connection goes down, immediately start trying to reconnect to the NETCONF server, using the reconnection strategy. This connection type minimizes any NETCONF server to NETCONF client data-t...
         endpoints container Container for the list of endpoints.
            endpoint list A user-ordered list of endpoints that the NETCONF client will attempt to connect to in the specified sequence. Defining more than one enables high-availability.
               name leaf An arbitrary name for the endpoint.
               transport choice Selects between available transports.
                  ssh case ssh
                     ssh container Specifies IP and SSH specific configuration for the connection.
                        netconf-client-parameters container A wrapper around the NETCONF client parameters to avoid name collisions.
                        ssh-client-parameters container A wrapper around the SSH client parameters to avoid name collisions.
                           client-identity container The credentials that the SSH client may use, pending the SSH server's requirements, to authenticate to the SSH server.
                              certificate container A locally-defined or referenced certificate to be used for client identification.
                                 local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                                    keystore case keystore-reference
                                       keystore-reference container A reference to a specific certificate associated with an asymmetric key stored in the Keystore.
                                          asymmetric-key leaf A reference to an asymmetric key in the Keystore.
                                          certificate leaf A reference to a specific certificate of the asymmetric key in the Keystore.
                                    local case local-definition
                                       local-definition container Container to hold the local key definition.
                                          cert-data leaf The binary certificate data for this certificate.
                                          private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                          private-key-type choice Choice between key types.
                                             cleartext-private-key case cleartext-private-key
                                                cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                             encrypted-private-key case encrypted-private-key
                                                encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                                   encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                   encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                             hidden-private-key case hidden-private-key
                                                hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                          public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                          public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                              hostbased container A locally-defined or referenced asymmetric key pair to be used for host identification.
                                 local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                                    keystore case keystore-reference
                                       keystore-reference leaf A reference to an asymmetric key that exists in the Keystore. The intent is to reference just the asymmetric key without any regard for any certificates that may be associated with it.
                                    local case local-definition
                                       local-definition container Container to hold the local key definition.
                                          private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                          private-key-type choice Choice between key types.
                                             cleartext-private-key case cleartext-private-key
                                                cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                             encrypted-private-key case encrypted-private-key
                                                encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                                   encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                   encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                             hidden-private-key case hidden-private-key
                                                hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                          public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                          public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                              none leaf Indicates that 'none' algorithm is used for client identification.
                              password container A password to be used to authenticate the client's identity.
                                 password-type choice Choice between password types.
                                    cleartext-password case cleartext-password
                                       cleartext-password leaf The cleartext value of the password.
                                    encrypted-password case encrypted-password
                                       encrypted-password container A container for the encrypted password value. The format of the 'encrypted-value' node is a CMS EnvelopedData structure, per Section 8 in RFC 5652, encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.
                                          encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                          encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                              public-key container A locally-defined or referenced asymmetric key pair to be used for client identification.
                                 local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                                    keystore case keystore-reference
                                       keystore-reference leaf A reference to an asymmetric key that exists in the Keystore. The intent is to reference just the asymmetric key without any regard for any certificates that may be associated with it.
                                    local case local-definition
                                       local-definition container Container to hold the local key definition.
                                          private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                          private-key-type choice Choice between key types.
                                             cleartext-private-key case cleartext-private-key
                                                cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                             encrypted-private-key case encrypted-private-key
                                                encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                                   encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                   encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                             hidden-private-key case hidden-private-key
                                                hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                          public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                          public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                              username leaf The username of this user. This will be the username used, for instance, to log into an SSH server.
                           keepalives container Configures the keep-alive policy, to proactively test the aliveness of the SSH server. An unresponsive SSH server is dropped after approximately max-wait * max-attempts seconds. Per Section 4 of RFC 4254, the SSH client SHOULD send an SSH_MSG_GLOBAL_REQ...
                              max-attempts leaf Sets the maximum number of sequential keep-alive messages that can fail to obtain a response from the SSH server before assuming the SSH server is no longer alive.
                              max-wait leaf Sets the amount of time in seconds after which if no data has been received from the SSH server, an SSH-level message will be sent to test the aliveness of the SSH server.
                           server-authentication container Specifies how the SSH client can authenticate SSH servers. Any combination of credentials is additive and unordered.
                              ca-certs container A set of certificate authority (CA) certificates used by the SSH client to authenticate SSH servers. A server is authenticated if its certificate has a valid chain of trust to a configured CA certificate.
                                 local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                                    local case local-definition
                                       local-definition container A container for locally configured trust anchor certificates.
                                          certificate list A trust anchor certificate.
                                             cert-data leaf The binary certificate data for this certificate.
                                             name leaf An arbitrary name for this certificate.
                                    truststore case truststore-reference
                                       truststore-reference leaf A reference to a certificate bag that exists in the Truststore.
                              ee-certs container A set of end-entity certificates used by the SSH client to authenticate SSH servers. A server is authenticated if its certificate is an exact match to a configured end-entity certificate.
                                 local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                                    local case local-definition
                                       local-definition container A container for locally configured trust anchor certificates.
                                          certificate list A trust anchor certificate.
                                             cert-data leaf The binary certificate data for this certificate.
                                             name leaf An arbitrary name for this certificate.
                                    truststore case truststore-reference
                                       truststore-reference leaf A reference to a certificate bag that exists in the Truststore.
                              ssh-host-keys container A list of SSH host keys used by the SSH client to authenticate SSH server host keys. A server host key is authenticated if it is an exact match to a configured SSH host key.
                                 local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                                    local case local-definition
                                       local-definition container A container to hold local public key definitions.
                                          public-key list A public key definition.
                                             name leaf An arbitrary name for this public key.
                                             public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                             public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                                    truststore case truststore-reference
                                       truststore-reference leaf A reference to a bag of public keys that exist in the Truststore.
                           transport-params container Configurable parameters of the SSH transport layer.
                              encryption container Parameters regarding encryption.
                                 encryption-alg leaf-list Acceptable encryption algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable encryption algorithms are implementation defined.
                              host-key container Parameters regarding host key.
                                 host-key-alg leaf-list Acceptable host key algorithms in order of descending preference. The configured host key algorithms should be compatible with the algorithm used by the configured private key. Please see Section 5 of RFC EEEE for valid combinations. If this leaf-list ...
                              key-exchange container Parameters regarding key exchange.
                                 key-exchange-alg leaf-list Acceptable key exchange algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable key exchange algorithms are implementation defined.
                              mac container Parameters regarding message authentication code (MAC).
                                 mac-alg leaf-list Acceptable MAC algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable MAC algorithms are implementation-defined.
                        tcp-client-parameters container A wrapper around the TCP client parameters to avoid name collisions.
                           keepalives container Configures the keep-alive policy, to proactively test the aliveness of the TCP peer. An unresponsive TCP peer is dropped after approximately (idle-time + max-probes * probe-interval) seconds.
                              idle-time leaf Sets the amount of time after which if no data has been received from the TCP peer, a TCP-level probe message will be sent to test the aliveness of the TCP peer. Two hours (7200 seconds) is a safe value, per RFC 1122.
                              max-probes leaf Sets the maximum number of sequential keep-alive probes that can fail to obtain a response from the TCP peer before assuming the TCP peer is no longer alive.
                              probe-interval leaf Sets the time interval between failed probes. The interval SHOULD be significantly longer than one second in order to avoid harm on a congested link.
                           local-address leaf The local IP address/interface (VRF?) to bind to for when connecting to the remote peer. INADDR_ANY ('0.0.0.0') or INADDR6_ANY ('0:0:0:0:0:0:0:0' a.k.a. '::') MAY be used to explicitly indicate the implicit default, that the server can bind to any IPv4 o...
                           local-port leaf The local IP port number to bind to for when connecting to the remote peer. The port number '0', which is the default value, indicates that any available local port number may be used.
                           proxy-server container Proxy server settings.
                              proxy-type choice Selects a proxy connection protocol.
                                 socks4 case socks4-parameters
                                    socks4-parameters container Parameters for connecting to a TCP-based proxy server using the SOCKS4 protocol.
                                       remote-address leaf The IP address of the proxy server.
                                       remote-port leaf The IP port number for the proxy server.
                                 socks4a case socks4a-parameters
                                    socks4a-parameters container Parameters for connecting to a TCP-based proxy server using the SOCKS4a protocol.
                                       remote-address leaf The IP address or hostname of the proxy server.
                                       remote-port leaf The IP port number for the proxy server.
                                 socks5 case socks5-parameters
                                    socks5-parameters container Parameters for connecting to a TCP-based proxy server using the SOCKS5 protocol.
                                       authentication-parameters container A container for SOCKS Version 5 authentication mechanisms. A complete list of methods is defined at: https://www.iana.org/assignments/socks-methods/socks-methods.xhtml.
                                          auth-type choice A choice amongst supported SOCKS Version 5 authentication mechanisms.
                                             gss-api case gss-api
                                                gss-api container Contains GSS-API configuration. Defined as an empty container to enable specific GSS-API configuration to be augmented in by future modules.
                                             username-password case username-password
                                                username-password container Contains Username/Password configuration.
                                                   password-type choice Choice between password types.
                                                      cleartext-password case cleartext-password
                                                         cleartext-password leaf The cleartext value of the password.
                                                      encrypted-password case encrypted-password
                                                         encrypted-password container A container for the encrypted password value. The format of the 'encrypted-value' node is a CMS EnvelopedData structure, per Section 8 in RFC 5652, encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.
                                                            encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                            encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                                   username leaf The 'username' value to use for client identification.
                                       remote-address leaf The IP address or hostname of the proxy server.
                                       remote-port leaf The IP port number for the proxy server.
                           remote-address leaf The IP address or hostname of the remote peer to establish a connection with. If a domain name is configured, then the DNS resolution should happen on each connection attempt. If the DNS resolution results in multiple IP addresses, the IP addresses are ...
                           remote-port leaf The NETCONF client will attempt to connect to the IANA-assigned well-known port value for 'netconf-ssh' (830) if no value is specified.
                  tls case tls
                     tls container Specifies IP and TLS specific configuration for the connection.
                        netconf-client-parameters container A wrapper around the NETCONF client parameters to avoid name collisions.
                        tcp-client-parameters container A wrapper around the TCP client parameters to avoid name collisions.
                           keepalives container Configures the keep-alive policy, to proactively test the aliveness of the TCP peer. An unresponsive TCP peer is dropped after approximately (idle-time + max-probes * probe-interval) seconds.
                              idle-time leaf Sets the amount of time after which if no data has been received from the TCP peer, a TCP-level probe message will be sent to test the aliveness of the TCP peer. Two hours (7200 seconds) is a safe value, per RFC 1122.
                              max-probes leaf Sets the maximum number of sequential keep-alive probes that can fail to obtain a response from the TCP peer before assuming the TCP peer is no longer alive.
                              probe-interval leaf Sets the time interval between failed probes. The interval SHOULD be significantly longer than one second in order to avoid harm on a congested link.
                           local-address leaf The local IP address/interface (VRF?) to bind to for when connecting to the remote peer. INADDR_ANY ('0.0.0.0') or INADDR6_ANY ('0:0:0:0:0:0:0:0' a.k.a. '::') MAY be used to explicitly indicate the implicit default, that the server can bind to any IPv4 o...
                           local-port leaf The local IP port number to bind to for when connecting to the remote peer. The port number '0', which is the default value, indicates that any available local port number may be used.
                           proxy-server container Proxy server settings.
                              proxy-type choice Selects a proxy connection protocol.
                                 socks4 case socks4-parameters
                                    socks4-parameters container Parameters for connecting to a TCP-based proxy server using the SOCKS4 protocol.
                                       remote-address leaf The IP address of the proxy server.
                                       remote-port leaf The IP port number for the proxy server.
                                 socks4a case socks4a-parameters
                                    socks4a-parameters container Parameters for connecting to a TCP-based proxy server using the SOCKS4a protocol.
                                       remote-address leaf The IP address or hostname of the proxy server.
                                       remote-port leaf The IP port number for the proxy server.
                                 socks5 case socks5-parameters
                                    socks5-parameters container Parameters for connecting to a TCP-based proxy server using the SOCKS5 protocol.
                                       authentication-parameters container A container for SOCKS Version 5 authentication mechanisms. A complete list of methods is defined at: https://www.iana.org/assignments/socks-methods/socks-methods.xhtml.
                                          auth-type choice A choice amongst supported SOCKS Version 5 authentication mechanisms.
                                             gss-api case gss-api
                                                gss-api container Contains GSS-API configuration. Defined as an empty container to enable specific GSS-API configuration to be augmented in by future modules.
                                             username-password case username-password
                                                username-password container Contains Username/Password configuration.
                                                   password-type choice Choice between password types.
                                                      cleartext-password case cleartext-password
                                                         cleartext-password leaf The cleartext value of the password.
                                                      encrypted-password case encrypted-password
                                                         encrypted-password container A container for the encrypted password value. The format of the 'encrypted-value' node is a CMS EnvelopedData structure, per Section 8 in RFC 5652, encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.
                                                            encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                            encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                                   username leaf The 'username' value to use for client identification.
                                       remote-address leaf The IP address or hostname of the proxy server.
                                       remote-port leaf The IP port number for the proxy server.
                           remote-address leaf The IP address or hostname of the remote peer to establish a connection with. If a domain name is configured, then the DNS resolution should happen on each connection attempt. If the DNS resolution results in multiple IP addresses, the IP addresses are ...
                           remote-port leaf The NETCONF client will attempt to connect to the IANA-assigned well-known port value for 'netconf-tls' (6513) if no value is specified.
                        tls-client-parameters container A wrapper around the TLS client parameters to avoid name collisions.
                           client-identity container Identity credentials the TLS client MAY present when establishing a connection to a TLS server. If not configured, then client authentication is presumed to occur a protocol layer above TLS. When configured, and requested by the TLS server when establis...
                              auth-type choice A choice amongst available authentication types.
                                 certificate case certificate
                                    certificate container Specifies the client identity using a certificate.
                                       local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                                          keystore case keystore-reference
                                             keystore-reference container A reference to a specific certificate associated with an asymmetric key stored in the Keystore.
                                                asymmetric-key leaf A reference to an asymmetric key in the Keystore.
                                                certificate leaf A reference to a specific certificate of the asymmetric key in the Keystore.
                                          local case local-definition
                                             local-definition container Container to hold the local key definition.
                                                cert-data leaf The binary certificate data for this certificate.
                                                private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                                private-key-type choice Choice between key types.
                                                   cleartext-private-key case cleartext-private-key
                                                      cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                                   encrypted-private-key case encrypted-private-key
                                                      encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                                         encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                         encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                                   hidden-private-key case hidden-private-key
                                                      hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                                public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                                public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                                 psk case psk
                                    psk container Specifies the client identity using a PSK (pre-shared or pairwise-symmetric key).
                                       id leaf The key 'psk_identity' value used in the TLS 'ClientKeyExchange' message.
                                       local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                                          keystore case keystore-reference
                                             keystore-reference leaf A reference to a symmetric key that exists in the Keystore.
                                          local case local-definition
                                             local-definition container Container to hold the local key definition.
                                                key-format leaf Identifies the symmetric key's format. Implementations SHOULD ensure that the incoming symmetric key value is encoded in the specified format.
                                                key-type choice Choice between key types.
                                                   cleartext-key case cleartext-key
                                                      cleartext-key leaf The binary value of the key. The interpretation of the value is defined by the 'key-format' field.
                                                   encrypted-key case encrypted-key
                                                      encrypted-key container A container for the encrypted symmetric key value. The interpretation of the 'encrypted-value' node is via the 'key-format' node
                                                         encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                         encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                                   hidden-key case hidden-key
                                                      hidden-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                 raw-public-key case raw-private-key
                                    raw-private-key container Specifies the client identity using a raw private key.
                                       local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                                          keystore case keystore-reference
                                             keystore-reference leaf A reference to an asymmetric key that exists in the Keystore. The intent is to reference just the asymmetric key without any regard for any certificates that may be associated with it.
                                          local case local-definition
                                             local-definition container Container to hold the local key definition.
                                                private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                                private-key-type choice Choice between key types.
                                                   cleartext-private-key case cleartext-private-key
                                                      cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                                   encrypted-private-key case encrypted-private-key
                                                      encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                                         encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                         encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                                   hidden-private-key case hidden-private-key
                                                      hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                                public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                                public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                           hello-params container Configurable parameters for the TLS hello message.
                              cipher-suites container Parameters regarding cipher suites.
                                 cipher-suite leaf-list Acceptable cipher suites in order of descending preference. The configured host key algorithms should be compatible with the algorithm used by the configured private key. Please see Section 5 of RFC FFFF for valid combinations. If this leaf-list is not...
                              tls-versions container Parameters regarding TLS versions.
                                 tls-version leaf-list Acceptable TLS protocol versions. If this leaf-list is not configured (has zero elements) the acceptable TLS protocol versions are implementation-defined.
                           keepalives container Configures the keepalive policy for the TLS client.
                              peer-allowed-to-send leaf Indicates that the remote TLS server is allowed to send HeartbeatRequest messages, as defined by RFC 6520 to this TLS client.
                              test-peer-aliveness container Configures the keep-alive policy to proactively test the aliveness of the TLS server. An unresponsive TLS server is dropped after approximately max-wait * max-attempts seconds. The TLS client MUST send HeartbeatRequest messages, as defined by RFC 6520.
                                 max-attempts leaf Sets the maximum number of sequential keep-alive messages that can fail to obtain a response from the TLS server before assuming the TLS server is no longer alive.
                                 max-wait leaf Sets the amount of time in seconds after which if no data has been received from the TLS server, a TLS-level message will be sent to test the aliveness of the TLS server.
                           server-authentication container Specifies how the TLS client can authenticate TLS servers. Any combination of credentials is additive and unordered. Note that no configuration is required for PSK (pre-shared or pairwise-symmetric key) based authentication as the key is necessarily the ...
                              ca-certs container A set of certificate authority (CA) certificates used by the TLS client to authenticate TLS server certificates. A server certificate is authenticated if it has a valid chain of trust to a configured CA certificate.
                                 local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                                    local case local-definition
                                       local-definition container A container for locally configured trust anchor certificates.
                                          certificate list A trust anchor certificate.
                                             cert-data leaf The binary certificate data for this certificate.
                                             name leaf An arbitrary name for this certificate.
                                    truststore case truststore-reference
                                       truststore-reference leaf A reference to a certificate bag that exists in the Truststore.
                              ee-certs container A set of server certificates (i.e., end entity certificates) used by the TLS client to authenticate certificates presented by TLS servers. A server certificate is authenticated if it is an exact match to a configured server certificate.
                                 local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                                    local case local-definition
                                       local-definition container A container for locally configured trust anchor certificates.
                                          certificate list A trust anchor certificate.
                                             cert-data leaf The binary certificate data for this certificate.
                                             name leaf An arbitrary name for this certificate.
                                    truststore case truststore-reference
                                       truststore-reference leaf A reference to a certificate bag that exists in the Truststore.
                              psks leaf Indicates that the TLS client can authenticate TLS servers using configured PSKs (pre-shared or pairwise-symmetric keys). No configuration is required since the PSK value is the same as the PSK value configured in the 'client-identity' node.
                              raw-public-keys container A set of raw public keys used by the TLS client to authenticate raw public keys presented by the TLS server. A raw public key is authenticated if it is an exact match to a configured raw public key.
                                 local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                                    local case local-definition
                                       local-definition container A container to hold local public key definitions.
                                          public-key list A public key definition.
                                             name leaf An arbitrary name for this public key.
                                             public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                             public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                                    truststore case truststore-reference
                                       truststore-reference leaf A reference to a bag of public keys that exist in the Truststore.
         name leaf An arbitrary name for the NETCONF server.
         reconnect-strategy container The reconnection strategy directs how a NETCONF client reconnects to a NETCONF server, after discovering its connection to the server has dropped, even if due to a reboot. The NETCONF client starts with the specified endpoint and tries to connect to it m...
            max-attempts leaf Specifies the number of times the NETCONF client tries to connect to a specific endpoint before moving on to the next endpoint in the list (round robin).
            start-with leaf Specifies which of the NETCONF server's endpoints the NETCONF client should start with when trying to connect to the NETCONF server.
   listen container Configures the client to accept call-home TCP connections.
      endpoint list List of endpoints to listen for NETCONF connections.
         name leaf An arbitrary name for the NETCONF listen endpoint.
         transport choice Selects between available transports.
            ssh case ssh
               ssh container SSH-specific listening configuration for inbound connections.
                  netconf-client-parameters container A wrapper around the NETCONF client parameters to avoid name collisions.
                  ssh-client-parameters container A wrapper around the SSH client parameters to avoid name collisions.
                     client-identity container The credentials that the SSH client may use, pending the SSH server's requirements, to authenticate to the SSH server.
                        certificate container A locally-defined or referenced certificate to be used for client identification.
                           local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                              keystore case keystore-reference
                                 keystore-reference container A reference to a specific certificate associated with an asymmetric key stored in the Keystore.
                                    asymmetric-key leaf A reference to an asymmetric key in the Keystore.
                                    certificate leaf A reference to a specific certificate of the asymmetric key in the Keystore.
                              local case local-definition
                                 local-definition container Container to hold the local key definition.
                                    cert-data leaf The binary certificate data for this certificate.
                                    private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                    private-key-type choice Choice between key types.
                                       cleartext-private-key case cleartext-private-key
                                          cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                       encrypted-private-key case encrypted-private-key
                                          encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                             encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                             encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                       hidden-private-key case hidden-private-key
                                          hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                    public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                    public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                        hostbased container A locally-defined or referenced asymmetric key pair to be used for host identification.
                           local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                              keystore case keystore-reference
                                 keystore-reference leaf A reference to an asymmetric key that exists in the Keystore. The intent is to reference just the asymmetric key without any regard for any certificates that may be associated with it.
                              local case local-definition
                                 local-definition container Container to hold the local key definition.
                                    private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                    private-key-type choice Choice between key types.
                                       cleartext-private-key case cleartext-private-key
                                          cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                       encrypted-private-key case encrypted-private-key
                                          encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                             encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                             encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                       hidden-private-key case hidden-private-key
                                          hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                    public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                    public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                        none leaf Indicates that the 'none' algorithm is used for client identification.
                        password container A password to be used to authenticate the client's identity.
                           password-type choice Choice between password types.
                              cleartext-password case cleartext-password
                                 cleartext-password leaf The cleartext value of the password.
                              encrypted-password case encrypted-password
                                 encrypted-password container A container for the encrypted password value. The format of the 'encrypted-value' node is a CMS EnvelopedData structure, per Section 8 in RFC 5652, encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690.
                                    encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                    encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                        public-key container A locally-defined or referenced asymmetric key pair to be used for client identification.
                           local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                              keystore case keystore-reference
                                 keystore-reference leaf A reference to an asymmetric key that exists in the Keystore. The intent is to reference just the asymmetric key without any regard for any certificates that may be associated with it.
                              local case local-definition
                                 local-definition container Container to hold the local key definition.
                                    private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                    private-key-type choice Choice between key types.
                                       cleartext-private-key case cleartext-private-key
                                          cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                       encrypted-private-key case encrypted-private-key
                                          encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                             encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                             encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                       hidden-private-key case hidden-private-key
                                          hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                    public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                    public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                        username leaf The username of this user. This will be the username used, for instance, to log into an SSH server.
                     keepalives container Configures the keep-alive policy, to proactively test the aliveness of the SSH server. An unresponsive SSH server is dropped after approximately max-wait * max-attempts seconds. Per Section 4 of RFC 4254, the SSH client SHOULD send an SSH_MSG_GLOBAL_REQ...
                        max-attempts leaf Sets the maximum number of sequential keep-alive messages that can fail to obtain a response from the SSH server before assuming the SSH server is no longer alive.
                        max-wait leaf Sets the amount of time in seconds after which if no data has been received from the SSH server, an SSH-level message will be sent to test the aliveness of the SSH server.
                     server-authentication container Specifies how the SSH client can authenticate SSH servers. Any combination of credentials is additive and unordered.
                        ca-certs container A set of certificate authority (CA) certificates used by the SSH client to authenticate SSH servers. A server is authenticated if its certificate has a valid chain of trust to a configured CA certificate.
                           local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                              local case local-definition
                                 local-definition container A container for locally configured trust anchor certificates.
                                    certificate list A trust anchor certificate.
                                       cert-data leaf The binary certificate data for this certificate.
                                       name leaf An arbitrary name for this certificate.
                              truststore case truststore-reference
                                 truststore-reference leaf A reference to a certificate bag that exists in the Truststore.
                        ee-certs container A set of end-entity certificates used by the SSH client to authenticate SSH servers. A server is authenticated if its certificate is an exact match to a configured end-entity certificate.
                           local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                              local case local-definition
                                 local-definition container A container for locally configured trust anchor certificates.
                                    certificate list A trust anchor certificate.
                                       cert-data leaf The binary certificate data for this certificate.
                                       name leaf An arbitrary name for this certificate.
                              truststore case truststore-reference
                                 truststore-reference leaf A reference to a certificate bag that exists in the Truststore.
                        ssh-host-keys container A list of SSH host keys used by the SSH client to authenticate SSH server host keys. A server host key is authenticated if it is an exact match to a configured SSH host key.
                           local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                              local case local-definition
                                 local-definition container A container to hold local public key definitions.
                                    public-key list A public key definition.
                                       name leaf An arbitrary name for this public key.
                                       public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                       public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                              truststore case truststore-reference
                                 truststore-reference leaf A reference to a bag of public keys that exist in the Truststore.
                     transport-params container Configurable parameters of the SSH transport layer.
                        encryption container Parameters regarding encryption.
                           encryption-alg leaf-list Acceptable encryption algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable encryption algorithms are implementation defined.
                        host-key container Parameters regarding host key.
                           host-key-alg leaf-list Acceptable host key algorithms in order of descending preference. The configured host key algorithms should be compatible with the algorithm used by the configured private key. Please see Section 5 of RFC EEEE for valid combinations. If this leaf-list ...
                        key-exchange container Parameters regarding key exchange.
                           key-exchange-alg leaf-list Acceptable key exchange algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable key exchange algorithms are implementation defined.
                        mac container Parameters regarding message authentication code (MAC).
                           mac-alg leaf-list Acceptable MAC algorithms in order of descending preference. If this leaf-list is not configured (has zero elements) the acceptable MAC algorithms are implementation-defined.
                  tcp-server-parameters container A wrapper around the TCP server parameters to avoid name collisions.
                     keepalives container Configures the keep-alive policy, to proactively test the aliveness of the TCP peer. An unresponsive TCP peer is dropped after approximately (idle-time + max-probes * probe-interval) seconds.
                        idle-time leaf Sets the amount of time after which if no data has been received from the TCP peer, a TCP-level probe message will be sent to test the aliveness of the TCP peer. Two hours (7200 seconds) is a safe value, per RFC 1122.
                        max-probes leaf Sets the maximum number of sequential keep-alive probes that can fail to obtain a response from the TCP peer before assuming the TCP peer is no longer alive.
                        probe-interval leaf Sets the time interval between failed probes. The interval SHOULD be significantly longer than one second in order to avoid harm on a congested link.
                     local-address leaf The local IP address to listen on for incoming TCP client connections. INADDR_ANY (0.0.0.0) or INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when the server is to listen on all IPv4 or IPv6 addresses, respectively.
                     local-port leaf The NETCONF client will listen on the IANA-assigned well-known port for 'netconf-ch-ssh' (4334) if no value is specified.
            tls case tls
               tls container TLS-specific listening configuration for inbound connections.
                  netconf-client-parameters container A wrapper around the NETCONF client parameters to avoid name collisions.
                  tcp-server-parameters container A wrapper around the TCP server parameters to avoid name collisions.
                     keepalives container Configures the keep-alive policy, to proactively test the aliveness of the TCP peer. An unresponsive TCP peer is dropped after approximately (idle-time + max-probes * probe-interval) seconds.
                        idle-time leaf Sets the amount of time after which if no data has been received from the TCP peer, a TCP-level probe message will be sent to test the aliveness of the TCP peer. Two hours (7200 seconds) is a safe value, per RFC 1122.
                        max-probes leaf Sets the maximum number of sequential keep-alive probes that can fail to obtain a response from the TCP peer before assuming the TCP peer is no longer alive.
                        probe-interval leaf Sets the time interval between failed probes. The interval SHOULD be significantly longer than one second in order to avoid harm on a congested link.
                     local-address leaf The local IP address to listen on for incoming TCP client connections. INADDR_ANY (0.0.0.0) or INADDR6_ANY (0:0:0:0:0:0:0:0 a.k.a. ::) MUST be used when the server is to listen on all IPv4 or IPv6 addresses, respectively.
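                     local-port leaf The NETCONF client will listen on the IANA-assigned well-known port for 'netconf-ch-ssh' (4334) if no value is specified. (This node sits under the TLS transport, for which IANA assigns 'netconf-ch-tls' (4335); the SSH service name and port shown here appear to be carried over from the SSH case and should be checked against the module source before relying on the default.)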
                  tls-client-parameters container A wrapper around the TLS client parameters to avoid name collisions.
                     client-identity container Identity credentials the TLS client MAY present when establishing a connection to a TLS server. If not configured, then client authentication is presumed to occur a protocol layer above TLS. When configured, and requested by the TLS server when establis...
                        auth-type choice A choice amongst available authentication types.
                           certificate case certificate
                              certificate container Specifies the client identity using a certificate.
                                 local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                                    keystore case keystore-reference
                                       keystore-reference container A reference to a specific certificate associated with an asymmetric key stored in the Keystore.
                                          asymmetric-key leaf A reference to an asymmetric key in the Keystore.
                                          certificate leaf A reference to a specific certificate of the asymmetric key in the Keystore.
                                    local case local-definition
                                       local-definition container Container to hold the local key definition.
                                          cert-data leaf The binary certificate data for this certificate.
                                          private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                          private-key-type choice Choice between key types.
                                             cleartext-private-key case cleartext-private-key
                                                cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                             encrypted-private-key case encrypted-private-key
                                                encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                                   encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                   encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                             hidden-private-key case hidden-private-key
                                                hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                          public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                          public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                           psk case psk
                              psk container Specifies the client identity using a PSK (pre-shared or pairwise-symmetric key).
                                 id leaf The key 'psk_identity' value used in the TLS 'ClientKeyExchange' message.
                                 local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                                    keystore case keystore-reference
                                       keystore-reference leaf A reference to a symmetric key that exists in the Keystore.
                                    local case local-definition
                                       local-definition container Container to hold the local key definition.
                                          key-format leaf Identifies the symmetric key's format. Implementations SHOULD ensure that the incoming symmetric key value is encoded in the specified format.
                                          key-type choice Choice between key types.
                                             cleartext-key case cleartext-key
                                                cleartext-key leaf The binary value of the key. The interpretation of the value is defined by the 'key-format' field.
                                             encrypted-key case encrypted-key
                                                encrypted-key container A container for the encrypted symmetric key value. The interpretation of the 'encrypted-value' node is via the 'key-format' node
                                                   encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                   encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                             hidden-key case hidden-key
                                                hidden-key leaf A hidden key. How such keys are created is outside the scope of this module.
                           raw-public-key case raw-private-key
                              raw-private-key container Specifies the client identity using a raw private key.
                                 local-or-keystore choice A choice between an inlined definition and a definition that exists in the Keystore.
                                    keystore case keystore-reference
                                       keystore-reference leaf A reference to an asymmetric key that exists in the Keystore. The intent is to reference just the asymmetric key without any regard for any certificates that may be associated with it.
                                    local case local-definition
                                       local-definition container Container to hold the local key definition.
                                          private-key-format leaf Identifies the private key's format. Implementations SHOULD ensure that the incoming private key value is encoded in the specified format.
                                          private-key-type choice Choice between key types.
                                             cleartext-private-key case cleartext-private-key
                                                cleartext-private-key leaf The value of the binary key. The key's value is interpreted by the 'private-key-format' field.
                                             encrypted-private-key case encrypted-private-key
                                                encrypted-private-key container A container for the encrypted asymmetric private key value. The interpretation of the 'encrypted-value' node is via the 'private-key-format' node
                                                   encrypted-by container An empty container enabling references to other keys that encrypt these keys to be augmented in. The referenced key MAY be a symmetric or an asymmetric key.
                                                   encrypted-value leaf The value, encrypted using the referenced symmetric or asymmetric key.
                                             hidden-private-key case hidden-private-key
                                                hidden-private-key leaf A hidden key. How such keys are created is outside the scope of this module.
                                          public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                          public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                     hello-params container Configurable parameters for the TLS hello message.
                        cipher-suites container Parameters regarding cipher suites.
                           cipher-suite leaf-list Acceptable cipher suites in order of descending preference. The configured host key algorithms should be compatible with the algorithm used by the configured private key. Please see Section 5 of RFC FFFF for valid combinations. If this leaf-list is not...
                        tls-versions container Parameters regarding TLS versions.
                           tls-version leaf-list Acceptable TLS protocol versions. If this leaf-list is not configured (has zero elements) the acceptable TLS protocol versions are implementation-defined.
                     keepalives container Configures the keepalive policy for the TLS client.
                        peer-allowed-to-send leaf Indicates that the remote TLS server is allowed to send HeartbeatRequest messages, as defined by RFC 6520, to this TLS client.
                        test-peer-aliveness container Configures the keep-alive policy to proactively test the aliveness of the TLS server. An unresponsive TLS server is dropped after approximately max-wait * max-attempts seconds. The TLS client MUST send HeartbeatRequest messages, as defined by RFC 6520.
                           max-attempts leaf Sets the maximum number of sequential keep-alive messages that can fail to obtain a response from the TLS server before assuming the TLS server is no longer alive.
                           max-wait leaf Sets the amount of time in seconds after which if no data has been received from the TLS server, a TLS-level message will be sent to test the aliveness of the TLS server.
                     server-authentication container Specifies how the TLS client can authenticate TLS servers. Any combination of credentials is additive and unordered. Note that no configuration is required for PSK (pre-shared or pairwise-symmetric key) based authentication as the key is necessarily the ...
                        ca-certs container A set of certificate authority (CA) certificates used by the TLS client to authenticate TLS server certificates. A server certificate is authenticated if it has a valid chain of trust to a configured CA certificate.
                           local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                              local case local-definition
                                 local-definition container A container for locally configured trust anchor certificates.
                                    certificate list A trust anchor certificate.
                                       cert-data leaf The binary certificate data for this certificate.
                                       name leaf An arbitrary name for this certificate.
                              truststore case truststore-reference
                                 truststore-reference leaf A reference to a certificate bag that exists in the Truststore.
                        ee-certs container A set of server certificates (i.e., end entity certificates) used by the TLS client to authenticate certificates presented by TLS servers. A server certificate is authenticated if it is an exact match to a configured server certificate.
                           local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                              local case local-definition
                                 local-definition container A container for locally configured trust anchor certificates.
                                    certificate list A trust anchor certificate.
                                       cert-data leaf The binary certificate data for this certificate.
                                       name leaf An arbitrary name for this certificate.
                              truststore case truststore-reference
                                 truststore-reference leaf A reference to a certificate bag that exists in the Truststore.
                        psks leaf Indicates that the TLS client can authenticate TLS servers using configured PSKs (pre-shared or pairwise-symmetric keys). No configuration is required since the PSK value is the same as the PSK value configured in the 'client-identity' node.
                        raw-public-keys container A set of raw public keys used by the TLS client to authenticate raw public keys presented by the TLS server. A raw public key is authenticated if it is an exact match to a configured raw public key.
                           local-or-truststore choice A choice between an inlined definition and a definition that exists in the Truststore.
                              local case local-definition
                                 local-definition container A container to hold local public key definitions.
                                    public-key list A public key definition.
                                       name leaf An arbitrary name for this public key.
                                       public-key leaf The binary value of the public key. The interpretation of the value is defined by 'public-key-format' field.
                                       public-key-format leaf Identifies the public key's format. Implementations SHOULD ensure that the incoming public key value is encoded in the specified format.
                              truststore case truststore-reference
                                 truststore-reference leaf A reference to a bag of public keys that exist in the Truststore.
      idle-timeout leaf Specifies the maximum number of seconds that a NETCONF session may remain idle. A NETCONF session will be dropped if it is idle for an interval longer than this number of seconds. If set to zero, then the server will never drop a session because it is id...

Notifications

Notification Abstract
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...
certificate-expiration A notification indicating that the configured certificate is either about to expire or has already expired. When to send notifications is an implementation specific decision, but it is RECOMMENDED that a notification be sent once a month for 3 months, th...