Configuring Secure Connections Between the SAE and JUNOS Routing Platforms
You can use TLS to protect communication between the SAE and JUNOS routing platforms.
To complete the TLS handshake, the client (JUNOS routing platform) and the server (SAE) must exchange and verify certificates. You need to create a client certificate and a server certificate. Both certificates must be signed by a certificate authority (CA). JUNOS software supports VeriSign, Inc. (http://www.verisign.com). You must then install both certificates on the SAE and on the JUNOS routing platform.
You can use the C-Web interface to manage certificates manually, or through the Simple Certificate Enrollment Protocol (SCEP).
Certificates are in the format defined in the X.509 standard for public key infrastructure. Certificate requests are in the Public-Key Cryptography Standards (PKCS) #10 format.
Tasks to set up the SAE and the JUNOS routing platform to use TLS are:
- Obtaining Digital Certificates through SCEP
- Installing the Server Certificate on the Router
- Creating a Client Certificate for the Router
- Installing the Client Certificate on the Router
- Configuring the SAE to Use TLS
- Configuring TLS on the SAE
Manually Obtaining Digital Certificates
You can manually add digital certificates, or you can use SCEP to help manage how you obtain certificates. See Obtaining Digital Certificates through SCEP.
To manually add a signed certificate:
- Click Manage>Request>Security>Generate Certificate.
- Enter information as described in the Help text in the main pane, and click Apply.
By default, this request creates the file /tmp/certreq.csr and encodes it by using Privacy-Enhanced Mail (PEM) encoding.
- Copy the certificate signing request file generated in Step 1 to another system, and submit it to VeriSign, Inc. (http://www.verisign.com) for signing.
You can transfer the file through FTP by using the file copy command:

    user@host> file copy source_file ftp://username@server[:port]/destination_file

VeriSign authenticates you and returns a certificate, signed by them, that authenticates your public key.
- When you receive the signed certificate, copy the file back to the /tmp directory on the SRC system.
You can transfer the file through FTP, as shown in Step 2.
- Click Manage>Request>Security>Import Certificate.
- Enter information as described in the Help text in the main pane, and click Apply.
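As an added example (not part of the SRC documentation or of Juniper's tooling), the following script uses the openssl command line to run through the same steps for both the SAE server certificate and the router client certificate: generate a PEM-encoded PKCS #10 request, have a CA sign it, and verify each certificate against the CA certificate the way the TLS peers do during the handshake. The private CA, host names and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the SRC documentation: a small PKI built with the
# openssl CLI that mirrors the steps above. A CA signs both the SAE (server)
# and router (client) certificates, and each TLS peer verifies the other's
# certificate against the CA certificate in its local trust store.
# All names, subjects and paths are constructed for this demo.
set -eu
WORK=$(mktemp -d)

# A private CA stands in for the public CA named in the documentation.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo SRC CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Generate a PKCS#10 request in PEM encoding (the content of /tmp/certreq.csr
# in Step 1), then have the CA sign it (Step 2). $1 = file name, $2 = subject CN.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue_cert sae "sae.example.net"        # server certificate for the SAE
issue_cert router "router.example.net"  # client certificate for the router

# Chain check as each peer performs it during the handshake: $1 = trusted CA
# certificate, $2 = peer certificate. Prints "ok" or "fail".
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The router, holding the CA certificate (certificate-authority SAECert in the
# JUNOS configuration), checks the SAE certificate.
verify_against "$WORK/ca.pem" "$WORK/sae.pem"      # ok
# The SAE checks the router's client certificate the same way.
verify_against "$WORK/ca.pem" "$WORK/router.pem"   # ok

# A certificate from a CA that is not in the local store does not verify:
# trust comes from the installed CA certificate, not from the peer certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
verify_against "$WORK/other.pem" "$WORK/sae.pem"   # fail
```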
Obtaining Digital Certificates through SCEP
You can use SCEP to help manage how you obtain digital certificates, or you can manually add certificates. See Manually Obtaining Digital Certificates.
Before you can obtain certificates for your use, you must get the CA's certificate and install it in the local store of trusted certificates.
To add a signed certificate that you obtain through SCEP:
- Click Manage>Request>Security>Get CA Certificate.
- Enter information as described in the Help text in the main pane, and click Apply.
- Click Manage>Request>Security>Enroll.
- Enter information as described in the Help text in the main pane, and click Apply.
Installing the Server Certificate on the Router
The TLS client (JUNOS routing platform) needs a copy of the certificate that was used to sign the SAE certificate so that it can verify the SAE certificate. To install that CA certificate on the JUNOS routing platform:
- Include the following statements at the [edit security certificates certificate-authority] hierarchy level.

    [edit security certificates certificate-authority]
    security {
        certificates {
            certificate-authority SAECert {
                file /var/db/certs/cert.pem;
            }
        }
    }

- Include the following statements at the [edit system services service-deployment] hierarchy level.

    [edit system services service-deployment]
    system {
        services {
            service-deployment {
                servers {
                    server-address port port-number {
                        security-options {
                            tls;
                        }
                    }
                }
            }
        }
    }

Creating a Client Certificate for the Router
For information about how to obtain a certificate for the router from a certificate authority, see Obtaining a Certificate from a Certificate Authority in the JUNOS System Basics Configuration Guide.
Installing the Client Certificate on the Router
To install the client (router) certificate on the JUNOS routing platform:
- Include the following statements at the [edit security certificates certificate-authority] hierarchy level.

    [edit security certificates certificate-authority]
    security {
        certificates {
            local clientCert {
                ....
            }
        }
    }

- Include the following statements at the [edit system services service-deployment] hierarchy level. The name given to local-certificate must match the name of the local certificate configured above.

    [edit system services service-deployment]
    system {
        services {
            service-deployment {
                local-certificate clientCert;
            }
        }
    }

Configuring the SAE to Use TLS
To configure the SAE to accept TLS connections:
Configuring TLS on the SAE