
Set up NSO with Provider Connectivity Assurance 25.7


This article describes how to set up Cisco Crosswork Network Services Orchestrator (NSO) to integrate with Provider Connectivity Assurance (PCA).

Overview

The configuration described in this article uses a locally installed Docker version of Cisco Network Services Orchestrator (NSO) connecting to Provider Connectivity Assurance. This setup is suitable for using NSO with on-premises PCA deployments, starting with version 25.7 GA of on-premises PCA, which includes the Sensor Management functionality required for interaction with NSO (and CNC).

[Figure: NSO and PCA]

NSO uses Network Element Drivers (NEDs) to communicate with external devices and services. A NED for Provider Connectivity Assurance is available to download from your NSO customer NED download page.

Important: Starting with NED version 3.x, YANG models are not shipped with the precompiled NED package. You must fetch the YANG models and rebuild the NED before use. See Rebuild the NED with YANG Models.

Prerequisites

Before you begin, ensure you have the following:

  • Cisco NSO 6.x installed and running
  • Network connectivity to Provider Connectivity Assurance
  • An mTLS client certificate and private key (see Mutual TLS Certificates)

Install the NSO Docker

To install the NSO Docker:

  1. Download an NSO 6.x package from https://software.cisco.com/.

Example for loading the container image on x86_64 Linux:

user@server:~/nso$ sudo docker load -i nso-6.3.4.container-image-prod.linux.x86_64.tar.gz
9da967724761: Loading layer [==================================================>]  257MB/257MB
b110bf973e51: Loading layer [==================================================>]  1.217GB/1.217GB
Loaded image: cisco-nso-prod:6.3.4
user@server:~/nso$

Start the NSO and Load the Provider Connectivity Assurance (Skylight) NED

Start the NSO

To start the NSO container:

  1. Use Docker run with startup parameters as shown in the example below.
  2. Note the username and password you set; they are used later to log in to the NSO CLI. Replace the example admin/admin values with your own credentials.

sudo docker run -itd --name cisco-nso \
  -v NSO-vol:/nso \
  -v NSO-log-vol:/log \
  -p 8888:8888 \
  -p 4569:4569 \
  -e ADMIN_USERNAME=admin \
  -e ADMIN_PASSWORD=admin \
  cisco-nso-prod:6.3.4

Download the NED

Download the Provider Connectivity Assurance NED from:

Rebuild the NED with YANG Models

Important: Starting with NED version 3.x, YANG models are not included in the precompiled NED package. You must fetch the models and rebuild the NED before use.

Step 1: Extract the NED Package

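# Extract the signed package; the script checks the package signature first.
# --skip-verification bypasses that check. If the check fails, confirm the
# download came from your NSO NED download page before falling back to it.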
sh ncs-6.5.2-accedian-skylight_rc-3.0.2.signed.bin

# Extract the tar.gz
tar -xzf ncs-6.5.2-accedian-skylight_rc-3.0.2.tar.gz

# Set the NED root directory
export NED_ROOT_DIR=/path/to/accedian-skylight_rc-gen-3.0

Step 2: Download YANG Models

Download YANG models using one of the following methods.

Option A: Use the built-in NSO RPC (recommended)

admin@ncs# devices device skylight rpc rpc-get-modules get-modules profile Accedian-skylight-git

Option B: Manual download from GitHub

# Clone the repository (use the release branch matching your PCA version)
git clone --depth 1 --branch release/25.07 https://github.com/Accedian/skylight-yang.git

# Copy YANG files to NED source directory
# Files must be renamed to remove the @date suffix
cd skylight-yang/skylight-gateway/accedian/public
for f in *@*.yang; do
  base=$(echo "$f" | sed 's/@[0-9-]*\.yang/.yang/')
  cp "$f" "$NED_ROOT_DIR/src/yang/$base"
done

Available release branches:

  • release/25.07 (latest stable)
  • release/24.09 (previous release)

Step 3: Rebuild the NED

Before building, source the NSO development environment:

source $NCS_DIR/ncsrc

The build requires make, java (JDK 11 or later), and ant.

Build from the NED source directory:

cd $NED_ROOT_DIR/src
make clean all

Or use the built-in RPC:

admin@ncs# devices device skylight rpc rpc-rebuild-package rebuild-package

Step 4: Reload the Package

admin@ncs# packages reload

For more rebuild details, see:

Import the Rebuilt NED

Copy the rebuilt NED tar.gz file into the NSO container:

user@server:~/nso$ sudo docker cp accedian-skylight_rc-rebuilt.tar.gz CONTAINERID:/nso/run/packages/

Launch the NSO CLI and Load the NED

To launch the NSO CLI and load the NED:

  1. Use Docker exec to enter the NSO container.
  2. Launch ncs_cli.
  3. Reload packages.

user@server:~/nso$ sudo docker exec -it CONTAINERID bash
[root@542702bcc266 /]# ncs_cli -u admin -C

admin connected from 127.0.0.1 using console on 123702bcc266
admin@ncs# packages reload

>>> System upgrade is starting.
>>> Sessions in configure mode must exit to operational mode.
>>> No configuration changes can be performed until upgrade has completed.
>>> System upgrade has completed successfully.
reload-result {
    package accedian-skylight_rc
    result true
}
admin@ncs#

Configure the NSO to Talk to Provider Connectivity Assurance

Obtain mTLS Certificates

Provider Connectivity Assurance uses mutual TLS (mTLS) for authentication. Generate and sign a client certificate before you configure NSO.

Follow the full instructions at Mutual TLS Certificates.

Summary:

  1. Generate a client key and CSR:

openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=nso-user"

  2. Sign the CSR via PCA Distribution API:

curl -sk -X POST \
  "https://<PCA_HOST>/distribution/sign-csr?certduration=2160&format=pem&requestedUsername=nso-user&assignedRoles=tenant-admin,tenant-contributor,ug_all_data_access" \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/octet-stream" \
  --data-binary @client.csr \
  -o client.pem

  3. Validate the certificate:

curl -sk --cert client.pem --key client.key \
  "https://<PCA_HOST>/api/v1/auth/cert/validate/authorization"

The -k option in these examples disables verification of the PCA server certificate. When the issuing CA certificate is available, omit -k and supply it with --cacert instead.

Prepare the Certificate for NSO Configuration

Base64-encode the certificate and key for use in NSO configuration:

# Encode certificate (single line)
base64 -w 0 < client.pem > client.pem.b64

# Encode private key (remove headers and newlines)
cat client.key | grep -v '\-' | tr -d '\n' > client.key.b64
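
Before encoding, confirm that the signed certificate belongs to the key you generated and is not about to expire. The script below is an added example, not part of the original article; the function names and the 7-day threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example: checks to run on client.pem and client.key before encoding.

# Returns 0 only when the certificate and the private key share a public key.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate is still valid $2 days from now (default 7).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-7} * 86400 )) >/dev/null 2>&1
}

# Runs both checks, then encodes the files the same way as the commands above.
# The .b64 key file is as sensitive as client.key, so both stay owner-only.
prepare_for_nso() {
  local cert=$1 key=$2
  cert_matches_key "$cert" "$key" ||
    { echo "certificate and key do not match" >&2; return 1; }
  cert_valid_for_days "$cert" 7 ||
    { echo "certificate expires within 7 days" >&2; return 1; }
  ( umask 077
    base64 -w 0 < "$cert" > "$cert.b64"
    grep -v -- '-' "$key" | tr -d '\n' > "$key.b64" )
  chmod 600 "$key"
}

# Usage: ./prepare.sh client.pem client.key
if [ "$#" -eq 2 ]; then
  prepare_for_nso "$1" "$2"
fi
```

A mismatch usually means client.pem was signed from a different CSR than the one generated with client.key.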

Device Configuration

Create a configuration file (for example, my-nso-configuration.txt) with the following content. Replace the placeholders with your values:

devices device skylight
 address        <PCA_HOSTNAME>
 port           443
 device-type generic ned-id accedian-skylight_rc
 connect-timeout 30
 state admin-state unlocked
!
! SSL/TLS settings
 ned-settings accedian-skylight_rc connection ssl accept-any false
 ned-settings accedian-skylight_rc connection ssl hostname "<PCA_HOSTNAME>"
!
! mTLS authentication (required)
 ned-settings accedian-skylight_rc connection authentication method none
 ned-settings accedian-skylight_rc connection ssl mtls client certificate <BASE64_ENCODED_CERTIFICATE>
 ned-settings accedian-skylight_rc connection ssl mtls client private-key <BASE64_ENCODED_PRIVATE_KEY>
!
! RESTCONF settings
 ned-settings accedian-skylight_rc restconf profile none
 ned-settings accedian-skylight_rc restconf model-discovery disabled
 ned-settings accedian-skylight_rc restconf capability-discovery disabled
 ned-settings accedian-skylight_rc restconf config gather-updates-into-single-patch true
 ned-settings accedian-skylight_rc restconf config update-method put
!
! Notifications
 ned-settings accedian-skylight_rc restconf notif automatic-stream-discovery enabled
 ned-settings accedian-skylight_rc restconf notif preferred-encoding json
!
! Live status and logging
 ned-settings accedian-skylight_rc live-status time-to-live 15
 ned-settings accedian-skylight_rc logger level debug
 ned-settings accedian-skylight_rc logger java true
!

Key ned-settings Explained

Setting                                             Value      Description
--------------------------------------------------  ---------  ------------------------------------
connection ssl accept-any                           false      Validate server certificate
connection ssl hostname                             hostname   Expected server hostname for TLS
connection authentication method                    none       Disable basic auth and use mTLS
connection ssl mtls client certificate              base64     Base64-encoded client certificate
connection ssl mtls client private-key              base64     Base64-encoded client private key
restconf model-discovery                            disabled   Models are pre-loaded in the NED
restconf capability-discovery                       disabled   Skip capability negotiation
restconf config update-method                       put        Use PUT for config updates
restconf config gather-updates-into-single-patch    true       Batch updates for better performance
restconf notif automatic-stream-discovery           enabled    Auto-discover notification streams
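
A pre-load check for the configuration file created above, as an added example that is not part of the NED or the original article: it reads the ned-settings lines and reports TLS and mTLS values that differ from the ones described in the table. The function name lint_pca_config and the sample host pca.example.com are assumptions.

```shell
#!/usr/bin/env bash
# Added example: lint the TLS/mTLS ned-settings in a device config file.
# Prints findings; returns 1 if any FAIL was reported, 0 otherwise.
lint_pca_config() {
  awk '
    function fail(msg) { print "FAIL: " msg; fails++ }
    $1 == "address" { addr = $2 }
    /<[A-Z0-9_]+>/  { fail("line " NR ": placeholder not replaced") }
    $1 == "ned-settings" && $2 == "accedian-skylight_rc" {
      # Fields 3..NF-1 form the setting path; the last field is its value.
      key = $3
      for (i = 4; i < NF; i++) key = key " " $i
      val = $NF; gsub(/"/, "", val)
      cfg[key] = val
    }
    END {
      if (cfg["connection ssl accept-any"] != "false") {
        fail("ssl accept-any is not false: server certificate is not validated")
      }
      if (cfg["connection ssl hostname"] == "") {
        fail("connection ssl hostname is not set")
      } else if (cfg["connection ssl hostname"] != addr) {
        print "WARN: ssl hostname differs from device address " addr
      }
      if (cfg["connection authentication method"] != "none") {
        fail("authentication method is not none (mTLS mode expects none)")
      }
      if (!("connection ssl mtls client certificate" in cfg)) {
        fail("mTLS client certificate is missing")
      }
      if (!("connection ssl mtls client private-key" in cfg)) {
        fail("mTLS client private-key is missing")
      }
      exit (fails > 0)
    }
  ' "$1"
}

# Constructed sample: accept-any left at true and no private-key line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
devices device skylight
 address        pca.example.com
 ned-settings accedian-skylight_rc connection ssl accept-any true
 ned-settings accedian-skylight_rc connection ssl hostname "pca.example.com"
 ned-settings accedian-skylight_rc connection authentication method none
 ned-settings accedian-skylight_rc connection ssl mtls client certificate TUlJQ2NvbnN0cnVjdGVk
EOF
lint_pca_config "$sample"; echo "exit status: $?"
rm -f "$sample"
```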

Load the Configuration File into NSO

  1. Copy the configuration file with certificate and key into the NSO container.
  2. Load configuration with load merge in NSO CLI.

user@server:~/nso$ sudo docker cp my-nso-configuration.txt CONTAINERID:/
user@server:~/nso$ sudo docker exec -it CONTAINERID bash

[root@542702bcc266 /]# ncs_cli -u admin -C

admin connected from 127.0.0.1 using console on 123702bcc266
admin@ncs# config t
admin@ncs(config)# load merge my-nso-configuration.txt
Loading.
7.26 KiB parsed in 0.05 sec (131.58 KiB/sec)
admin@ncs(config)# commit
Commit complete.

Test the Provider Connectivity Assurance Connection

admin@ncs# config t
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# sync-from
Success!

Configuration Examples

The following examples demonstrate common NSO configuration tasks for Provider Connectivity Assurance.

Set Up a Service with Two Sessions, Topology Metadata, and an Alert Policy

devices device skylight
 config
  alert-policies alert-policy demo-nso-1
   policy-name demo-nso-1-name
   description description-demo-nso
   policy-type metric
   policy metric-policy conditions alert_rule1
    metric-type delay-max
    alert-direction ds
    alert-severity critical
    triggers-on threshold 1000.0
    triggers-on comparator gte
    recovers-on threshold 1000.0
    recovers-on comparator lt
   !
  !
  metadata-config metadata-key lab
  !
  metadata-config metadata-key region
  !
  service-endpoints service-endpoint nso-demo-agent-1
   endpoint-name nso-demo-agent-1
   type ne-endpoint
   config ne-config ne-id nso-demo-agent-1
   config ne-config vlan-id 1
   config ne-config ip 192.168.0.4
  !
  service-endpoints service-endpoint nso-demo-agent-2
   endpoint-name nso-demo-agent-2
   type ne-endpoint
   config ne-config ne-id nso-demo-agent-2
   config ne-config vlan-id 1
   config ne-config ip 192.168.0.6
  !
  sessions session nso-demo-twamp-1
   session-name nso-demo-twamp-1
   session-type twamp-light
   service-endpoints nso-demo-agent-2
    session-protocol twamp-light session-reflector admin-state true reflector-udp-port 862 mode stateful
   !
   service-endpoints nso-demo-agent-1
    session-protocol twamp-light session-sender admin-state true reflector-udp-port 4002 test-packets rate 20
   !
  !
  services service nso-demo-service
   service-name nso-demo-service
   description "hello"
   sessions nso-demo-twamp-1
   metadata key-value region value Stockholm
   metadata key-value lab value assurance-demo
   alerts demo-nso-1
  !
 !
!

Create a ne-endpoint for TWAMP or Agent Tests

admin@ncs# config
Entering configuration mode terminal
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# config
admin@ncs(config-config)# service-endpoints service-endpoint test_ne_ep-nso1 type ne-endpoint endpoint-name test-ep_name description test config ne-config ip 86.68.86.88 ne-id pe2488_A24 vlan-id 2488
admin@ncs(config-service-endpoint-test_ne_ep-nso1)# commit
Commit complete.

Create a nid-endpoint for SAT Tests

admin@ncs# config
Entering configuration mode terminal
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# config
admin@ncs(config-config)# service-endpoints service-endpoint ei_P100-6989-nni_SSC186_1 type nid-endpoint endpoint-name en_P100-6989-nni_SSC186_1 group-id test123 description clone config nid-config nid-id 10.220.10.186.NN-TEST_24 sub-id P100-6989-123-Aa_24 port P100-6989-123-Aa_24-NNI

Create a TWAMP Light Session

admin@ncs# config
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# config
admin@ncs(config-config)# sessions session twamp-session-01 session-name twamp-session-01 description "TWAMP light session" session-type twamp-light
admin@ncs(config-session-twamp-session-01)# service-endpoints endpoint-A session-protocol twamp-light session-sender admin-state true
admin@ncs(config-session-twamp-session-01)# service-endpoints endpoint-B session-protocol twamp-light session-reflector admin-state true
admin@ncs(config-session-twamp-session-01)# commit
Commit complete.

Create an Alert Policy

admin@ncs# config
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# config
admin@ncs(config-config)# alert-policies alert-policy policyId1 policy-name policyName1 description "test policy" policy-type metric
admin@ncs(config-alert-policy-policyId1)# policy metric-policy conditions condId1 metric-type delay-max alert-direction ds alert-severity critical
admin@ncs(config-conditions-condId1)# triggers-on threshold 100 comparator gt duration-sec 30 ratio 10
admin@ncs(config-conditions-condId1)# recovers-on threshold 30 comparator lt duration-sec 60 ratio 20
admin@ncs(config-conditions-condId1)# commit
Commit complete.

Create a Service with Metadata and Connect It to an Alert Policy

admin@ncs# config
admin@ncs(config)# devices device skylight
admin@ncs(config-device-skylight)# config
admin@ncs(config-config)# services service my-service service-name my-service-name group-id group1
admin@ncs(config-service-my-service)# sessions twamp-session-01
admin@ncs(config-service-my-service)# alerts policyId1
admin@ncs(config-service-my-service)# metadata key-value region value Stockholm
admin@ncs(config-service-my-service)# commit
Commit complete.

Start and Stop a Session

To start a session:

admin@ncs(config-config)# sessions session twamp-session-01 start

To stop a session:

admin@ncs(config-config)# sessions session twamp-session-01 stop

Add or Remove a Session from a Service

To assign a session to a service:

admin@ncs(config-config)# services service my-service sessions twamp-session-01
admin@ncs(config-sessions-twamp-session-01)# commit
Commit complete.

To unassign a session from a service:

admin@ncs(config-config)# no services service my-service sessions twamp-session-01
admin@ncs(config-config)# commit
Commit complete.

Troubleshooting

Review these solutions if NSO fails to connect or sync with Provider Connectivity Assurance.

Connection Failed

Symptom: sync-from returns a connection error.

Resolution:

  • Verify network connectivity to the PCA hostname.
  • Check firewall rules for port 443.
  • Verify connection ssl hostname matches the PCA FQDN.

Authentication Failed

Symptom: sync-from returns an authentication error.

Resolution:

  • Verify mTLS certificate and key are correct.
  • Ensure certificate is valid and not expired:
    • openssl x509 -in client.pem -noout -dates
  • Validate certificate with PCA:
    • curl -sk --cert client.pem --key client.key "https://<PCA_HOST>/api/v1/auth/cert/validate/authorization"
  • Confirm connection authentication method is none for mTLS mode.

NED Package Load Failed

Symptom: packages reload shows errors.

Resolution:

  • Ensure the NED has been rebuilt with YANG models.
  • Verify the NED package path is /nso/run/packages/.
  • Check NSO logs for detailed package load errors.
