
Copyright © 2025 Aviz Networks, Inc. All Rights Reserved.


ONES Security


ONES is a support application for the SONiC stack. It is designed for customer engineering teams, such as SREs and hardware and software engineering teams, for their daily network diagnosis and troubleshooting needs. In addition, ONES exposes an API for integration with external tools or customer homegrown applications.

This section describes how ONES authenticates users and secures communication.

| Features | ONES Support |
| --- | --- |
| Role Based Access | ONES provides RBAC support for creating dedicated user accounts. It has a superadmin account that manages these user accounts and their permissions. |
| Secure Access to Application | The ONES Application provides HTTPS over standard port 443, supporting both self-signed and CA-signed certificates. |
| Secure Access to switches | Auto-discovery communication between the Agent and the collector uses a secure channel (SSL/TLS) with certificates (self-signed and CA-signed). |
| API Access | The ONES Application provides HTTPS over standard port 443, supporting both self-signed and CA-signed certificates. The API is available via time-bound authentication tokens. |

RBAC: Role-Based Access Control

  • Click to get more details on RBAC

Secure Access to the Application

The ONES application provides HTTPS over standard port 443, supporting both self-signed and CA-signed certificates.

  • HTTPS Support CA Signed

  • HTTPS Self Signed
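A client-side check for either certificate type, as an added example that is not part of the ONES documentation or product code. It uses only the Python standard library; the hostname `ones.example.net`, the function names and the sample certificate dicts are constructed for illustration.

```python
import ssl

def client_context(pinned_cert_pem=None):
    """TLS client context for the controller's HTTPS endpoint (port 443).
    CA-signed: leave pinned_cert_pem as None to use the system trust store.
    Self-signed: pass the exported PEM path so it is the only trust anchor.
    Certificate and hostname verification stay enabled in both cases."""
    ctx = ssl.create_default_context(cafile=pinned_cert_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def _flatten(name):
    # getpeercert() gives a DN as a tuple of RDNs, each a tuple of (key, value)
    return tuple(pair for rdn in name for pair in rdn)

def audit_peer_cert(cert, expected_host, now, warn_days=30):
    """Findings for a dict shaped like SSLSocket.getpeercert() output."""
    findings = []
    if _flatten(cert["subject"]) == _flatten(cert["issuer"]):
        # subject == issuer is a heuristic for a self-signed certificate
        findings.append("self-signed")
    remaining = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    if remaining <= 0:
        findings.append("expired")
    elif remaining < warn_days * 86400:
        findings.append("expiring-soon")
    # Exact match only; wildcard SAN entries are not expanded here
    sans = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if expected_host not in sans:
        findings.append("hostname-mismatch")
    return findings

# Constructed sample data (not taken from a real ONES deployment)
NOW = ssl.cert_time_to_seconds("May 20 00:00:00 2026 GMT")
SELF_SIGNED = {
    "subject": ((("commonName", "ones.example.net"),),),
    "issuer": ((("commonName", "ones.example.net"),),),
    "notAfter": "Jun  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "ones.example.net"),),
}
CA_SIGNED = {
    "subject": ((("commonName", "ones.example.net"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "notAfter": "Mar  1 00:00:00 2027 GMT",
    "subjectAltName": (("DNS", "ones.example.net"),),
}

if __name__ == "__main__":
    for sample in (SELF_SIGNED, CA_SIGNED):
        print(audit_peer_cert(sample, "ones.example.net", NOW))
```

On a live connection, `getpeercert()` returns a populated dict only after a verified handshake, so the self-signed certificate has to be loaded as a trust anchor rather than verification being switched off.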

Secure Access to the switch*

ONES utilizes gRPC infrastructure to communicate with switch agents. TLS (Transport Layer Security) is the primary security protocol used by gRPC to secure communication between the client and the server. TLS provides authentication, confidentiality, and integrity of data. Authentication is achieved using digital certificates, which verify the identity of the client and the server.

As an extra layer of security, ONES v3.0 supports certificate-based communication between switches and the ONES Controller, and all metrics are streamed using certificate-based encryption.

ONES v3.0 also allows password-based authentication between the Controller and switches; in that case all communication goes through the password-based agent.

Agent Based Deployment with TLS certificate

Transport Layer Security (TLS) is a crucial protocol that ensures secure communication between the ONES Controller and the Agent. When the Agent registers with the ONES server and then starts sending updates, it encapsulates all metrics and encrypts them based on the certificate provided at installation time, so all communication between the ONES Agent and the ONES Controller is encrypted. TLS relies on digital certificates issued by trusted Certificate Authorities (CAs) to authenticate servers and sometimes clients. These certificates validate the identity of the entities involved in the communication and establish trust in the encrypted connection.

Password based Agent Deployment

Password-based authentication can be implemented between the agent and controller, allowing all devices to register using a shared password. This method relies on OpenSSL for encrypting the communication, ensuring secure transmission of credentials and data. OpenSSL employs robust encryption algorithms to safeguard the authentication process and prevent unauthorized access.