Security & Certificates

Overview

All ISE API clients validate the server certificate to prevent Man-in-the-Middle (MITM) attacks. The HTTPS clients verify the ISE server certificate against the internal PKI root, HOME-ROOT-CA; DataConnect, which talks to ISE's internal Oracle database, is the one exception and is covered under Client Status below.

Security Architecture: Every API connection checks that the presented certificate chains to the trusted CA and that its name matches the configured ISE_PAN_FQDN. This ensures you're communicating with the legitimate ISE server, not an attacker intercepting traffic. Verification is never switched off in code; if no usable trust anchor is found the connection fails rather than proceeding unverified.

Certificate Store Structure

Certificates are managed via the .secrets directory with Age encryption for sensitive keys:

~/.secrets/certs/
├── ca/
│   ├── HOME-ROOT-CA.crt.age    # Root CA (Age-encrypted)
│   └── TEST-ROOT-CA.crt        # Test CA (unencrypted)
├── dev/
│   ├── ise-api-client.crt      # mTLS client cert
│   └── ise-api-client.key.age  # Client key (Age-encrypted)
└── prod/
    └── ...

CA Verification Implementation

import atexit
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Optional, Union

class SecureISEClient:
    """
    Base client with MITM protection via CA verification.

    Security Features:
    - Server certificate validation against HOME-ROOT-CA
    - Support for Age-encrypted CA certificates
    - Automatic temp file cleanup for decrypted certs
    """

    def __init__(self, ca_cert: Optional[str] = None, age_identity: Optional[str] = None):
        self._ca_cert = ca_cert or os.environ.get('ISE_CA_CERT')
        self._age_identity = age_identity or os.environ.get('AGE_IDENTITY')
        self._tmp_ca: Optional[str] = None  # decrypted CA cert, removed at interpreter exit

    def _get_verify_param(self) -> Union[bool, str]:
        """Get the verify parameter for requests: a CA file path, or True for the system bundle."""
        if self._ca_cert:
            if self._ca_cert.endswith('.age'):
                return self._decrypt_ca_cert(self._ca_cert)
            return self._ca_cert

        # Default: use HOME-ROOT-CA from .secrets
        default_ca = Path.home() / '.secrets/certs/ca/HOME-ROOT-CA.crt.age'
        if default_ca.exists():
            return self._decrypt_ca_cert(str(default_ca))

        # Fall back to the system CA bundle: still fail-closed, a HOME-ROOT-CA issued cert will not chain to it
        return True

    def _decrypt_ca_cert(self, path: str) -> str:
        """Decrypt an Age-encrypted CA cert into a 0600 temp file (mkstemp); cached per client."""
        if self._tmp_ca is None:
            fd, self._tmp_ca = tempfile.mkstemp(prefix='ise-ca-', suffix='.crt')
            os.close(fd)
            atexit.register(lambda p=self._tmp_ca: os.path.exists(p) and os.unlink(p))
            subprocess.run(['age', '-d', '-i', self._age_identity, '-o', self._tmp_ca, path],
                           check=True)
        return self._tmp_ca

Client Status

Client        Port   CA Verification       Status
ERS API       9060   ✓ HOME-ROOT-CA        Validated
Certs API     443    ✓ HOME-ROOT-CA        Validated
MnT API       443    ✓ HOME-ROOT-CA        Validated
SAML API      443    ✓ HOME-ROOT-CA        Validated
DataConnect   2484   Self-signed Oracle    Special handling

DataConnect uses ISE's internal Oracle database, which presents a self-signed certificate that cannot chain to HOME-ROOT-CA. For this API the client trusts that one specific certificate, exported from ISE and pinned as the sole trust anchor, while still validating the hostname. Note that the hostname check on its own is not a defence: an attacker can mint a self-signed certificate carrying the same name, so it is the pin, not the name match, that preserves MITM protection on port 2484. Accepting arbitrary self-signed certificates, or falling back to verify=False, is not an option here.
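The following is an added example, not code from this project, of how the DataConnect pin described above can be enforced with Python's standard ssl module. It assumes the DataConnect server certificate has been exported to a PEM file and its SHA-256 fingerprint recorded (for example with openssl x509 -noout -fingerprint -sha256); the function and parameter names are the example's own, and the real DataConnect client may hand TLS to its Oracle driver rather than wrapping the socket itself. The trust store is built from only the pinned certificate, so any other certificate, self-signed or CA-issued, is rejected; the fingerprint check after the handshake additionally catches a swapped trust file on disk.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Optional


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex, no colons."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, expected: str) -> bool:
    """Compare a certificate's fingerprint with the pinned value in constant time.

    Accepts the colon-separated uppercase form printed by
    `openssl x509 -fingerprint -sha256` as well as bare hex.
    """
    normalized = expected.replace(':', '').strip().lower()
    return hmac.compare_digest(fingerprint_sha256(der), normalized)


def dataconnect_context(pinned_cert_pem: Optional[str]) -> ssl.SSLContext:
    """Build the client TLS context for DataConnect.

    With a pinned cert path the trust store holds ONLY the exported DataConnect
    server certificate (a self-signed cert is its own trust anchor), so nothing
    else verifies. Without one, the system bundle is used and the self-signed
    Oracle cert fails verification: fail-closed, never verify=False.
    """
    if pinned_cert_pem:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname=True, CERT_REQUIRED by default
        ctx.load_verify_locations(cafile=pinned_cert_pem)
    else:
        ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both validates the chain and checks the hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_dataconnect(host: str, port: int, ctx: ssl.SSLContext,
                        expected_fingerprint: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection to DataConnect (port 2484) and enforce the pin.

    Chain and hostname validation happen inside wrap_socket(); the fingerprint
    comparison afterwards defends against the pinned trust file being replaced.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except ssl.SSLError:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_fingerprint):
        tls.close()
        raise ssl.SSLCertVerificationError('DataConnect certificate does not match the pin')
    return tls


if __name__ == '__main__':
    # Constructed stand-in for a DER certificate: exercises the pin helpers
    # offline; no ISE node is contacted.
    fake_der = b'constructed-der-bytes'
    pin = fingerprint_sha256(fake_der)
    print(pin, pin_matches(fake_der, pin.upper()), context_is_strict(dataconnect_context(None)))
```

In production the pinned PEM would live next to the other material under ~/.secrets/certs/ and the expected fingerprint would be stored alongside the connection settings, not derived from the live server at connect time.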

Environment Configuration

# Load credentials with dsec
eval "$(dsec source d000 dev/network)"

# Environment variables used by netapi:
# ISE_PAN_FQDN       - ISE Primary Admin Node hostname
# ISE_API_TOKEN      - Base64(username:password)
# ISE_CA_CERT        - Path to CA cert (defaults to HOME-ROOT-CA)
# AGE_IDENTITY       - Path to age identity for decryption

# Example: ISE API call with CA validation
export ISE_CA_CERT=~/.secrets/certs/ca/HOME-ROOT-CA.crt.age
netapi ise get-endpoint C8:5B:76:C6:59:62

Always use CA certificate validation in production. Disabling verification (verify_ssl=False) removes the MITM protection entirely and should only be used for initial debugging against test environments with self-signed certificates; even there, prefer pointing ISE_CA_CERT at TEST-ROOT-CA.crt from the certificate store so that the test server's certificate is still verified.