
Set Up NSO with on-prem 25.07 Provider Connectivity Assurance


Set Up NSO with Provider Connectivity Assurance

This article describes how to set up Cisco Crosswork Network Services Orchestrator (NSO) to interwork with Provider Connectivity Assurance.

Overview

The configuration described in this article uses a locally-installed Docker version of Cisco Network Services Orchestrator (NSO) connecting to Provider Connectivity Assurance. This setup is suitable for interacting with cloud-managed or on-premises PCA deployments using NSO.

NSO uses Network Element Drivers (NEDs) to communicate with external devices and services. A NED for Provider Connectivity Assurance is available to download from your NSO customer NED download page.

Important: Starting with NED version 3.x, YANG models are not shipped with the precompiled NED package. You must fetch the YANG models and rebuild the NED before use. See the Rebuild the NED with YANG Models section below.

Prerequisites

  • Cisco NSO 6.x installed and running
  • Network connectivity to Provider Connectivity Assurance
  • mTLS client certificate and private key — see Mutual TLS Certificates

Install the NSO Docker

To install the NSO Docker:

  1. Download an NSO 6.x version package from https://software.cisco.com/.

Below is an example of how to load the container on an x86 64-bit Linux system:

user@server:~/nso$ sudo docker load -i nso-6.3.4.container-image-prod.linux.x86_64.tar.gz
9da967724761: Loading layer [==================================================>]  257MB/257MB
b110bf973e51: Loading layer [==================================================>]  1.217GB/1.217GB
Loaded image: cisco-nso-prod:6.3.4
user@server:~/nso$

Start the NSO and Load the Provider Connectivity Assurance (Skylight) NED

Start the NSO

To start the NSO container:

  1. Use Docker run with startup parameters as shown in the example below.

The ADMIN_USERNAME and ADMIN_PASSWORD values set here are later used to log in to the NSO CLI.

sudo docker run -itd --name cisco-nso \
  -v NSO-vol:/nso \
  -v NSO-log-vol:/log \
  -p 8888:8888 \
  -p 4569:4569 \
  -e ADMIN_USERNAME=admin \
  -e ADMIN_PASSWORD=admin \
  cisco-nso-prod:6.3.4

Download the NED

Download the Provider Connectivity Assurance NED from:

Rebuild the NED with YANG Models

Important: Starting with NED version 3.x, YANG models are not included in the precompiled NED package. You must fetch the models and rebuild the NED before use.

Step 1: Extract the NED Package

# Extract the signed package (use --skip-verification if signature check fails)
sh ncs-6.5.2-accedian-skylight_rc-3.0.2.signed.bin

# Extract the tar.gz
tar -xzf ncs-6.5.2-accedian-skylight_rc-3.0.2.tar.gz

# Set the NED root directory
export NED_ROOT_DIR=/path/to/accedian-skylight_rc-gen-3.0

Step 2: Download YANG Models

You have two options for downloading the YANG models:

Option A: Use the Built-in NSO RPC (Recommended)

If the NED is already loaded in NSO (without YANG models), you can use the built-in downloader:

admin@ncs# devices device skylight rpc rpc-get-modules get-modules profile Accedian-skylight-git

This downloads models from the GitHub repository automatically.

Option B: Manual Download from GitHub

Clone the skylight-yang repository and copy the models:

# Clone the repository (use the release branch matching your PCA version)
git clone --depth 1 --branch release/25.07 https://github.com/Accedian/skylight-yang.git

# Copy YANG files to NED source directory
# Note: Files must be renamed to remove the @date suffix
cd skylight-yang/skylight-gateway/accedian/public
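for f in *@*.yang; do
  # Skip the unexpanded pattern when no files match
  [ -e "$f" ] || continue
  base=$(echo "$f" | sed 's/@[0-9-]*\.yang/.yang/')
  # Abort instead of copying to /src/yang if NED_ROOT_DIR is unset
  cp "$f" "${NED_ROOT_DIR:?set NED_ROOT_DIR first}/src/yang/$base"
done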

Available Release Branches:

  • release/25.07 — Latest stable release
  • release/24.09 — Previous release (default in NED profile)

Step 3: Rebuild the NED

Prerequisites: Building the NED requires the NSO development environment with ncsc (NCS compiler) and related tools. These are included in the NSO installation and must be sourced before building:

source $NCS_DIR/ncsrc

The build also requires make, java (JDK 11+), and ant.

From the NED source directory:

cd $NED_ROOT_DIR/src
make clean all

Or use the built-in RPC from NSO:

admin@ncs# devices device skylight rpc rpc-rebuild-package rebuild-package

Step 4: Reload the Package

admin@ncs# packages reload

For detailed rebuild instructions, see:

Import the Rebuilt NED

To import the rebuilt NED:

  1. Copy the rebuilt NED tar.gz file into the NSO container file system.

user@server:~/nso$ sudo docker cp accedian-skylight_rc-rebuilt.tar.gz CONTAINERID:/nso/run/packages/

Launch the NSO CLI and Load the NED

To launch the NSO CLI and load the NED:

  1. Use docker exec to enter the NSO container.
  2. Launch the ncs_cli.
  3. Reload packages.

If the Provider Connectivity Assurance NED was placed in the proper directory, it will load and provide a result as shown below.

user@server:~/nso$ sudo docker exec -it CONTAINERID bash
[root@542702bcc266 /]# ncs_cli -u admin -C

admin connected from 127.0.0.1 using console on 123702bcc266
admin@ncs# packages reload

>>> System upgrade is starting.
>>> Sessions in configure mode must exit to operational mode.
>>> No configuration changes can be performed until upgrade has completed.
>>> System upgrade has completed successfully.
reload-result {
    package accedian-skylight_rc
    result true
}
admin@ncs#

Configure the NSO to Talk to Provider Connectivity Assurance

Obtain mTLS Certificates

Provider Connectivity Assurance uses mutual TLS (mTLS) for authentication. You must generate and sign client certificates before configuring NSO.

Follow the instructions at: Mutual TLS Certificates

Summary of the certificate generation process:

  1. Generate a client key and CSR:

    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
      -subj "/CN=nso-user"
    
  2. Sign the CSR via PCA Distribution API:

    curl -sk -X POST \
      "https://<PCA_HOST>/distribution/sign-csr?certduration=2160&format=pem&requestedUsername=nso-user&assignedRoles=tenant-admin,tenant-contributor,ug_all_data_access" \
      -H "Authorization: Bearer <TOKEN>" \
      -H "Content-Type: application/octet-stream" \
      --data-binary @client.csr \
      -o client.pem
    
  3. Validate the certificate:

    curl -sk --cert client.pem --key client.key \
      "https://<PCA_HOST>/api/v1/auth/cert/validate/authorization"
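A local preflight for the client.pem / client.key pair produced by the steps above, as an added example that is not part of the product documentation. The function names, the 14-day default window and the self-signed sample pair (standing in for a PCA-signed certificate) are assumptions made for illustration.

```shell
# Added example, not vendor code: check the mTLS pair before encoding it.

# True when the certificate's public key equals the private key's public half.
pair_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is still valid DAYS ($2) days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage: preflight CERT KEY [DAYS]. Prints one line per problem and
# returns the number of problems (0 = safe to encode and load).
preflight() {
  problems=0; days=${3:-14}   # 14 days is an assumed default, not a PCA value
  pair_matches "$1" "$2" ||
    { echo "FAIL: public key in $1 does not match $2"; problems=$((problems + 1)); }
  valid_for_days "$1" "$days" ||
    { echo "FAIL: $1 expires within $days days or is unreadable"; problems=$((problems + 1)); }
  return "$problems"
}

# Constructed sample: a throwaway self-signed pair valid for DAYS ($2) days,
# written to DIR ($1) as client.pem and client.key.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=nso-user" \
    -keyout "$1/client.key" -out "$1/client.pem" 2>/dev/null
}

[ "$#" -lt 2 ] || preflight "$@"   # run on CERT KEY [DAYS] when given
```

A mismatched pair or a certificate inside the expiry window shows up here before it turns into an authentication error on sync-from.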
    

Prepare the Certificate for NSO Configuration

Base64-encode the certificate and key for use in NSO configuration:

# Encode the certificate
base64 -w 0 < client.pem > client.pem.b64

# Encode the private key (remove headers first)
cat client.key | grep -v '\-' | tr -d '\n' > client.key.b64

Device Configuration

Create a configuration file (e.g., my-nso-configuration.txt) with the following content, replacing placeholders with your values:

devices device skylight
 address        <PCA_HOSTNAME>
 port           443
 device-type generic ned-id accedian-skylight_rc
 connect-timeout 30
 state admin-state unlocked
!
! SSL/TLS Settings
 ned-settings accedian-skylight_rc connection ssl accept-any false
 ned-settings accedian-skylight_rc connection ssl hostname "<PCA_HOSTNAME>"
!
! mTLS Authentication (required - token auth is no longer supported)
 ned-settings accedian-skylight_rc connection authentication method none
 ned-settings accedian-skylight_rc connection ssl mtls client certificate <BASE64_ENCODED_CERTIFICATE>
 ned-settings accedian-skylight_rc connection ssl mtls client private-key <BASE64_ENCODED_PRIVATE_KEY>
!
! RESTCONF Settings
 ned-settings accedian-skylight_rc restconf profile none
 ned-settings accedian-skylight_rc restconf model-discovery disabled
 ned-settings accedian-skylight_rc restconf capability-discovery disabled
 ned-settings accedian-skylight_rc restconf config gather-updates-into-single-patch true
 ned-settings accedian-skylight_rc restconf config update-method put
!
! Notifications
 ned-settings accedian-skylight_rc restconf notif automatic-stream-discovery enabled
 ned-settings accedian-skylight_rc restconf notif preferred-encoding json
!
! Live Status and Logging
 ned-settings accedian-skylight_rc live-status time-to-live 15
 ned-settings accedian-skylight_rc logger level debug
 ned-settings accedian-skylight_rc logger java true
!

Key ned-settings Explained

Setting | Value | Description
connection ssl accept-any | false | Validate server certificate
connection ssl hostname | hostname | Expected server hostname for TLS
connection authentication method | none | Disable basic auth (use mTLS)
connection ssl mtls client certificate | base64 | Base64-encoded client certificate
connection ssl mtls client private-key | base64 | Base64-encoded client private key
restconf model-discovery | disabled | YANG models are pre-loaded in NED
restconf capability-discovery | disabled | Skip capability negotiation
restconf config update-method | put | Use PUT for config updates
restconf config gather-updates-into-single-patch | true | Batch updates for better performance
restconf notif automatic-stream-discovery | enabled | Auto-discover notification streams
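
One way to check the security-relevant settings above before running load merge, as an added example that is not part of the product documentation. The helper names, the pca.example.com host and the dummy base64 strings are constructed for illustration, and comparing connection ssl hostname with the device address assumes the address holds the PCA FQDN, as in the template above.

```shell
# Added example, not vendor code: lint the device config before `load merge`.
NED="ned-settings accedian-skylight_rc"
# Print the value after KEY ($2) on the first matching line of FILE ($1), unquoted.
setting() {
  awk -v key="$2" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, key " ") == 1 {
      val = substr(line, length(key) + 2)
      gsub(/^[ \t"]+|[ \t"\r]+$/, "", val)
      print val; exit
    }' "$1"
}
fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

# Print one line per finding; the return status is the number of findings.
lint_ned_config() {
  f=$1; findings=0
  [ "$(setting "$f" "$NED connection ssl accept-any")" = "false" ] ||
    fail "connection ssl accept-any must be false"
  addr=$(setting "$f" "address")
  host=$(setting "$f" "$NED connection ssl hostname")
  # Assumption: address holds the PCA FQDN, as in the page's template.
  { [ -n "$host" ] && [ "$host" = "$addr" ]; } ||
    fail "connection ssl hostname '$host' != device address '$addr'"
  [ "$(setting "$f" "$NED connection authentication method")" = "none" ] ||
    fail "connection authentication method must be none (mTLS mode)"
  for item in certificate private-key; do
    val=$(setting "$f" "$NED connection ssl mtls client $item")
    case $val in
      "" | *[!A-Za-z0-9+/=]*) fail "mtls client $item missing or not base64" ;;
    esac
  done
  # The file embeds the private key: group/other must have no access.
  [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
    fail "$f is accessible to group/other (chmod 600)"
  return "$findings"
}

# Constructed sample written to file $1; $2 optionally overrides accept-any.
sample_config() {
  printf '%s\n' "devices device skylight" " address pca.example.com" \
    " $NED connection ssl accept-any ${2:-false}" \
    " $NED connection ssl hostname \"pca.example.com\"" \
    " $NED connection authentication method none" \
    " $NED connection ssl mtls client certificate TFMwdExT" \
    " $NED connection ssl mtls client private-key TUlJRXZn" > "$1"
}
[ "$#" -eq 0 ] || lint_ned_config "$1"   # lint the file given as $1, if any
```

A template that still contains the <BASE64_ENCODED_...> placeholders, or a file readable by other users, is reported as a finding.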

Load the Configuration File into NSO

To load the configuration file into NSO:

  1. Copy the configuration file with the certificate and key into the NSO container.
  2. Load this configuration using load merge in the NSO CLI.

user@server:~/nso$ sudo docker cp my-nso-configuration.txt CONTAINERID:/
user@server:~/nso$ sudo docker exec -it CONTAINERID bash

[root@542702bcc266 /]# ncs_cli -u admin -C

admin connected from 127.0.0.1 using console on 123702bcc266
admin@ncs# config t
admin@ncs(config)# load merge my-nso-configuration.txt
Loading.
7.26 KiB parsed in 0.05 sec (131.58 KiB/sec)
admin@ncs(config)# commit
Commit complete.

Test the Provider Connectivity Assurance Connection

To test the Provider Connectivity Assurance connection:

admin@ncs# config t
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# sync-from
Success!

Configuration Examples

Create a ne-endpoint for TWAMP or Agent Tests

admin@ncs# config
Entering configuration mode terminal
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# config
admin@ncs(config-config)# service-endpoints service-endpoint test_ne_ep-nso1 type ne-endpoint endpoint-name test-ep_name description test config ne-config ip 86.68.86.88 ne-id pe2488_A24 vlan-id 2488
admin@ncs(config-service-endpoint-test_ne_ep-nso1)# commit
Commit complete.

Create a TWAMP Light Session

admin@ncs# config
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# config
admin@ncs(config-config)# sessions session twamp-session-01 session-name twamp-session-01 description "TWAMP light session" session-type twamp-light
admin@ncs(config-session-twamp-session-01)# service-endpoints endpoint-A session-protocol twamp-light session-sender admin-state true
admin@ncs(config-service-endpoints-endpoint-A)# exit
admin@ncs(config-session-twamp-session-01)# service-endpoints endpoint-B session-protocol twamp-light session-reflector admin-state true
admin@ncs(config-service-endpoints-endpoint-B)# exit
admin@ncs(config-session-twamp-session-01)# commit
Commit complete.

Create an Alert Policy

admin@ncs# config
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# config
admin@ncs(config-config)# alert-policies alert-policy policyId1 policy-name policyName1 description "test policy" policy-type metric
admin@ncs(config-alert-policy-policyId1)# policy metric-policy conditions condId1 metric-type delay-max alert-direction ds alert-severity critical
admin@ncs(config-conditions-condId1)# triggers-on threshold 100 comparator gt duration-sec 30 ratio 10
admin@ncs(config-conditions-condId1)# recovers-on threshold 30 comparator lt duration-sec 60 ratio 20
admin@ncs(config-conditions-condId1)# commit
Commit complete.

Create a Service with Metadata and Alert Policy

admin@ncs# config
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# config
admin@ncs(config-config)# services service my-service service-name my-service-name group-id group1
admin@ncs(config-service-my-service)# sessions twamp-session-01
admin@ncs(config-sessions-twamp-session-01)# exit
admin@ncs(config-service-my-service)# alerts policyId1
admin@ncs(config-alerts-policyId1)# exit
admin@ncs(config-service-my-service)# metadata key-value region value Stockholm
admin@ncs(config-key-value-region)# exit
admin@ncs(config-service-my-service)# commit
Commit complete.

Start and Stop a Session

To start a session:

admin@ncs(config-config)# sessions session twamp-session-01 start

To stop a session:

admin@ncs(config-config)# sessions session twamp-session-01 stop

Add/Remove a Session from a Service

To assign a session to a service:

admin@ncs(config-config)# services service my-service sessions twamp-session-01
admin@ncs(config-sessions-twamp-session-01)# commit
Commit complete.

To unassign a session from a service:

admin@ncs(config-config)# no services service my-service sessions twamp-session-01
admin@ncs(config-config)# commit
Commit complete.

Troubleshooting

Connection Failed

Symptom: sync-from returns connection error

Resolution:

  • Verify network connectivity to PCA hostname
  • Check firewall rules for port 443
  • Verify connection ssl hostname matches the PCA FQDN

Authentication Failed

Symptom: sync-from returns authentication error

Resolution:

  • Verify mTLS certificate paths are correct
  • Ensure certificate is valid and not expired: openssl x509 -in client.pem -noout -dates
  • Validate certificate with PCA: curl -sk --cert client.pem --key client.key "https://<PCA_HOST>/api/v1/auth/cert/validate/authorization"
  • Check that connection authentication method is set to none (mTLS mode)

NED Package Load Failed

Symptom: packages reload shows errors

Resolution:

  • Ensure you have rebuilt the NED with YANG models (see Rebuild the NED)
  • Verify the NED package is in the correct directory: /nso/run/packages/
  • Check NSO logs for detailed error messages
