Configuring Secure Connections Between the SAE and JUNOS Routing Platforms
You can use TLS to protect communication between the SAE and JUNOS routing platforms.
To complete the TLS handshake, the client (the JUNOS routing platform) and the server (the SAE) must exchange and verify certificates. You need to create a client certificate and a server certificate, and both must be signed by a certificate authority (CA). JUNOS software supports VeriSign, Inc. (http://www.verisign.com). You then install the server certificate on the SAE and, on the JUNOS routing platform, the CA certificate that signed it together with the client certificate. You can use SRC CLI commands to manage certificates manually or through the Simple Certificate Enrollment Protocol (SCEP).
Certificates use the format defined in the X.509 standard for public key infrastructure. Certificate signing requests use the Public-Key Cryptography Standards (PKCS) #10 format.
Tasks to set up the SAE and the JUNOS routing platform to use TLS are:
- Manually Obtaining Digital Certificates
- Obtaining Digital Certificates through SCEP
- Installing the Server Certificate on the Routing Platform
- Creating a Client Certificate for the Router
- Installing the Client Certificate on the Router
- Configuring the SAE to Use TLS
- Configuring TLS on the SAE
Manually Obtaining Digital Certificates
You can add digital certificates manually, or you can use SCEP to help manage how you obtain certificates. See Obtaining Digital Certificates through SCEP.
To manually add a signed certificate:
- Create a certificate signing request.
user@host> request security generate-certificate-request subject subject password password
subject is the distinguished name of the SRC host; for example, cn=src1,ou=pop,o=Juniper,l=kanata,st=Ontario,c=Canada.
password is the password received from the certificate authority for the specified subject.
By default, this request creates the file /tmp/certreq.csr and encodes it with Privacy-Enhanced Mail (PEM) encoding. The request carries only the public key; the private key is generated on the SRC host and never leaves it.
- Copy the file generated in Step 1 to another system, and submit it to VeriSign, Inc. (http://www.verisign.com) for signing. You can transfer the file through FTP by using the file copy command:
user@host> file copy source_file ftp://username@server[:port]/destination_file
VeriSign authenticates you and returns a certificate, signed by them, that binds your public key to the subject name in the request.
- When you receive the signed certificate, copy the file back to the /tmp directory on the SRC system. You can transfer the file through FTP, as shown in Step 2.
- Add the certificate to the SRC configuration.
user@host> request security import-certificate file-name file-name identifier identifier
file-name is the name of the certificate file in the /tmp directory. The file must be in one of the supported formats, which is indicated by its file extension.
identifier is the name under which the SRC software stores the certificate; the SAE refers to the certificate by this name (see Configuring TLS on the SAE).
For example, to import the file src.cer and identify it as web:
user@host> request security import-certificate file-name src.cer identifier web
- Verify that the certificate is part of the SRC configuration.
user@host> show security certificate
web subject: CN=host
If there are no certificates on the system, the CLI displays the following message:
No entity certificates in key store

Obtaining Digital Certificates through SCEP
You can use SCEP to help manage how you obtain digital certificates, or you can manually add certificates. See Manually Obtaining Digital Certificates.
Before you can obtain certificates for your use, you must get the CA's certificate and install it in the local store of trusted certificates. The SCEP request that fetches the CA certificate is not itself authenticated, so compare the thumbprint the CLI displays with a value obtained from the CA operator out of band before you accept the certificate; everything the router later trusts about the SAE rests on this one decision.
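The following Python script is an added example, not part of the SRC software, showing the checks worth making on the two certificate summaries the CLI displays during SCEP enrollment (the CA certificate at the get-ca-certificate prompt and the entity certificate at the enroll prompt) before answering yes. The sample displays are constructed here in the format the CLI prints, the known thumbprint is a placeholder standing in for the value you would obtain from the CA operator, and the field names are those shown in the examples in this section.

```python
"""Checks on the certificate summaries the SRC CLI shows at the SCEP
prompts. Added example; not part of the SRC software."""
import re
from datetime import datetime

# Constructed sample displays in the format the CLI prints.
CA_DISPLAY = """\
Version: 3
Serial Number: 5721058705923989279
Signature Algorithm: SHA1withRSA
Issuer: CN=SrcCA
Valid From: Wed Sep 06 17:00:55 EDT 2006
Valid Until: Sat Sep 03 17:10:55 EDT 2016
Subject: CN=SrcCA
Public key: RSA
Thumbprint Algorithm: SHA1
Thumbprint: 3c 57 a9 77 af 83 3 e9 c7 1e ee e2 4a e8 ff f3 89 f4 11 a9
"""

ENTITY_DISPLAY = """\
Version: 3
Serial Number: 6822890691617224432
Signature Algorithm: SHA1withRSA
Issuer: CN=SrcCA
Valid From: Tue Sep 19 16:33:11 EDT 2006
Valid Until: Thu Sep 18 16:43:11 EDT 2008
Subject: CN=myhost
Public key: RSA
"""

# Placeholder for the SHA-1 thumbprint obtained out of band (assumption:
# the CA operator publishes it in the colon-separated form most tools use).
KNOWN_CA_THUMBPRINT = "3C:57:A9:77:AF:83:03:E9:C7:1E:EE:E2:4A:E8:FF:F3:89:F4:11:A9"


def parse_display(text):
    """Map 'Field: value' lines to a dict; the first colon ends the field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_cli_time(value):
    """Parse 'Wed Sep 06 17:00:55 EDT 2006'. The zone token is dropped
    (strptime's %Z accepts only the local zone names); the naive result is
    compared against a 'now' expressed in the same local time."""
    parts = value.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def normalize_thumbprint(value):
    """Canonical lower-case hex. The CLI prints bytes without leading zeros
    ('3' for 0x03), so every token is zero-padded before joining."""
    tokens = [t for t in re.split(r"[\s:]+", value.strip()) if t]
    if not tokens or any(not re.fullmatch(r"[0-9A-Fa-f]{1,2}", t) for t in tokens):
        raise ValueError("thumbprint is not a list of bytes: %r" % value)
    return "".join(t.lower().zfill(2) for t in tokens)


def normalize_dn(value):
    """Loose DN comparison: case-insensitive, whitespace around commas ignored.
    Sufficient for the single-RDN names used in this procedure."""
    return ",".join(part.strip().lower() for part in value.split(","))


def validity_problems(fields, now):
    if "Valid From" not in fields or "Valid Until" not in fields:
        return ["validity period not displayed"]
    not_before = parse_cli_time(fields["Valid From"])
    not_after = parse_cli_time(fields["Valid Until"])
    problems = []
    if now < not_before:
        problems.append("not yet valid until %s" % not_before)
    if now > not_after:
        problems.append("expired on %s" % not_after)
    return problems


def check_ca_display(display, known_thumbprint, now):
    """Problems with a CA certificate offered at the get-ca-certificate prompt.
    An empty list means it is reasonable to answer 'yes'."""
    f = parse_display(display)
    problems = []
    if normalize_dn(f.get("Issuer", "")) != normalize_dn(f.get("Subject", "")):
        problems.append("issuer %r differs from subject %r" % (f.get("Issuer"), f.get("Subject")))
    if f.get("Thumbprint Algorithm", "").upper() != "SHA1":
        problems.append("thumbprint algorithm is %r, expected SHA1" % f.get("Thumbprint Algorithm"))
    elif "Thumbprint" not in f:
        problems.append("no thumbprint displayed")
    elif normalize_thumbprint(f["Thumbprint"]) != normalize_thumbprint(known_thumbprint):
        problems.append("thumbprint does not match the out-of-band value")
    return problems + validity_problems(f, now)


def check_entity_display(display, ca_display, requested_subject, now):
    """Problems with the certificate returned at the enroll prompt: it must be
    issued by the accepted CA and carry the subject that was requested."""
    f = parse_display(display)
    ca = parse_display(ca_display)
    problems = []
    if normalize_dn(f.get("Issuer", "")) != normalize_dn(ca.get("Subject", "")):
        problems.append("issuer %r is not the accepted CA %r" % (f.get("Issuer"), ca.get("Subject")))
    if normalize_dn(f.get("Subject", "")) != normalize_dn(requested_subject):
        problems.append("subject %r differs from requested %r" % (f.get("Subject"), requested_subject))
    return problems + validity_problems(f, now)


if __name__ == "__main__":
    when = parse_cli_time("Wed Sep 20 12:00:00 EDT 2006")  # inside both validity windows
    print("CA:", check_ca_display(CA_DISPLAY, KNOWN_CA_THUMBPRINT, when) or "ok")
    print("entity:", check_entity_display(ENTITY_DISPLAY, CA_DISPLAY, "cn=myhost", when) or "ok")
```

The thumbprint comparison is the check that matters: the other fields come from the same unauthenticated response, so they only catch mistakes (wrong CA, expired certificate, a subject that is not the one you asked for), not an attacker.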
To add a signed certificate that you obtain through SCEP:
- Request your CA's certificate through SCEP.
user@host> request security get-ca-certificate url url ca-identifier ca_identifier
url is the URL of the certificate authority (which is the SCEP server).
ca_identifier is the identifier that designates the authority.
For example, to request the certificate of the CA SrcCA at a specified URL on the server security_server:
user@host> request security get-ca-certificate url http://security_server:8080/ejbca/publicweb/apply/scep/pkiclient.exe ca-identifier SrcCA
Version: 3
Serial Number: 5721058705923989279
Signature Algorithm: SHA1withRSA
Issuer: CN=SrcCA
Valid From: Wed Sep 06 17:00:55 EDT 2006
Valid Until: Sat Sep 03 17:10:55 EDT 2016
Subject: CN=SrcCA
Public key: RSA
Thumbprint Algorithm: SHA1
Thumbprint: 3c 57 a9 77 af 83 3 e9 c7 1e ee e2 4a e8 ff f3 89 f4 11 a9
Do you want to add the above certificate as a trusted CA [yes,no] ? (no) y
Answer yes only if the displayed thumbprint matches the value you obtained out of band.
- Request that the certificate authority sign the certificate request automatically.
user@host> request security enroll url url identifier identifier ca-identifier ca_identifier subject subject password password
url is the URL of the SCEP server.
identifier is the name under which the SRC software stores the certificate; the SAE refers to the certificate by this name.
ca_identifier is the identifier of the CA whose certificate you installed in Step 1.
subject is the distinguished name of the SRC host; for example, cn=myhost.
password is the password received from the certificate authority.
For example, to request a certificate from the CA SrcCA at a specified URL on the server security_server:
user@host> request security enroll url http://security_server:8080/ejbca/publicweb/apply/scep/pkiclient.exe identifier web ca-identifier SrcCA subject cn=myhost password mypassword
Received certificate:
Version: 3
Serial Number: 6822890691617224432
Signature Algorithm: SHA1withRSA
Issuer: CN=SrcCA
Valid From: Tue Sep 19 16:33:11 EDT 2006
Valid Until: Thu Sep 18 16:43:11 EDT 2008
Subject: CN=myhost
Public key: RSA
Do you want to install the above certificate [yes,no] ? (no) y
Before you answer yes, check that Issuer is the subject of the CA certificate you accepted in Step 1 and that Subject is the name you requested.
- Verify that the certificate is part of the SRC configuration.
user@host> show security certificate
web subject: CN=myhost
If there are no certificates on the system, the CLI displays the following message:
No entity certificates in key store

Installing the Server Certificate on the Routing Platform
The TLS client (the JUNOS routing platform) needs a copy of the CA certificate that signed the SAE certificate so that it can verify the SAE certificate when the TLS connection is established. To install that CA certificate on the JUNOS routing platform:
- Include the following statements at the [edit security certificates] hierarchy level. The file is the CA certificate in PEM format, copied to the router beforehand.
    security {
        certificates {
            certificate-authority SAECert {
                file /var/db/certs/cert.pem;
            }
        }
    }
- Include the following statements at the [edit system services service-deployment] hierarchy level, where server-address is the SAE's address and port-number is the port on which the SAE accepts TLS connections (see Configuring the SAE to Use TLS).
    system {
        services {
            service-deployment {
                servers server-address {
                    port port-number;
                    security-options {
                        tls;
                    }
                }
            }
        }
    }

Creating a Client Certificate for the Router
For information about how to obtain a certificate for the router from a certificate authority, see Obtaining a Certificate from a Certificate Authority in the JUNOS System Basics Configuration Guide.
Installing the Client Certificate on the Router
To install the client (router) certificate on the JUNOS routing platform:
- Include the following statements at the [edit security certificates] hierarchy level. The local statement holds the router's own certificate.
    security {
        certificates {
            local clientCert {
                ....
            }
        }
    }
- Include the following statements at the [edit system services service-deployment] hierarchy level. The name given to local-certificate must be exactly the name used in the local statement; JUNOS identifiers are case-sensitive.
    system {
        services {
            service-deployment {
                local-certificate clientCert;
            }
        }
    }

Configuring the SAE to Use TLS
To configure the SAE to accept TLS connections, specify a port number with the set beep-server-port command in the JUNOS router driver configuration. This is the port the router's server-address statement must name. See Configuring the SAE to Manage JUNOS Routing Platforms.
Configuring TLS on the SAE
Use the following configuration statements to configure TLS on the SAE:
    shared sae configuration driver junos security {
        need-client-authentication;
        certificate-identifier identifier;
    }
- From configuration mode, access the configuration statement that configures security for the JUNOS TLS connection. In this sample procedure, the JUNOS driver is configured in the west-region group.
user@host# edit shared sae group west-region configuration driver junos security
- (Optional) Specify whether the SAE requests a client certificate from the router when a connection to the router is established. Without this statement the SAE proves its own identity to the router but does not authenticate the router at the TLS layer, so set it whenever the router has been given a client certificate.
[edit shared sae group west-region configuration driver junos security]
user@host# set need-client-authentication
- Specify the identifier of the certificate to be used for TLS communications. This is the identifier under which the certificate was stored when it was imported or enrolled; in this sample procedure it is privatekey.
[edit shared sae group west-region configuration driver junos security]
user@host# set certificate-identifier privatekey
- (Optional) Verify your TLS configuration.
[edit shared sae group west-region configuration driver junos security]
user@host# show
need-client-authentication;
certificate-identifier privatekey;