

Configuring Secure Connections Between the SAE and JUNOS Routing Platforms

You can use TLS to protect communication between the SAE and JUNOS routing platforms.

To complete the handshaking protocol for the TLS connection, the client (JUNOS routing platform) and the server (SAE) must exchange and verify certificates. You need to create a client certificate and a server certificate. Both certificates must be signed by a certificate authority (CA). JUNOS software supports VeriSign, Inc. (http://www.verisign.com). You must then install both certificates on the SAE and on the JUNOS routing platform.

You can use the C-Web interface to manage certificates manually, or through the Simple Certificate Enrollment Protocol (SCEP).

Certificates are in the format defined in the X.509 standard for public key infrastructure. The certificate requests are in the Public Key Cryptography Standards (PKCS) #10 format.

Tasks to set up the SAE and the JUNOS routing platform to use TLS are:

  1. Manually Obtaining Digital Certificates, or Obtaining Digital Certificates through SCEP
  2. Installing the Server Certificate on the Router
  3. Creating a Client Certificate for the Router
  4. Installing the Client Certificate on the Router
  5. Configuring the SAE to Use TLS
  6. Configuring TLS on the SAE

Manually Obtaining Digital Certificates

You can manually add digital certificates, or you can use SCEP to help manage how you obtain certificates. See Obtaining Digital Certificates through SCEP.

To manually add a signed certificate:

  1. Create a certificate signing request.
       1. Click Manage>Request>Security>Generate Certificate.
       2. Enter information as described in the Help text in the main pane, and click Apply.

     By default, this request creates the file /tmp/certreq.csr and encodes the file by using Privacy-Enhanced Mail (PEM) encoding.

  2. Copy the file generated in Step 1 to another system, and submit it to VeriSign, Inc. (http://www.verisign.com) for signing.

     You can transfer the file through FTP by using the file copy command:

     user@host> file copy source_file ftp://username@server[:port]/destination_file

     VeriSign authenticates you and returns a certificate, signed by them, that authenticates your public key.

  3. When you receive the signed certificate, copy the file back to the /tmp directory on the SRC system.

     You can transfer the file through FTP, as shown in Step 2.

  4. Add the certificate to the SRC configuration.
       1. Click Manage>Request>Security>Import Certificate.
       2. Enter information as described in the Help text in the main pane, and click Apply.
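Before importing the certificate the CA returns (Step 4), it is worth confirming that the request survived transfer intact, that the CA signed the key you generated, and that the certificate chains to the CA certificate the router will trust. The script below is an added example, not part of the SRC documentation or the C-Web interface; it assumes openssl is installed, that all files are PEM-encoded as /tmp/certreq.csr is, and it builds a throwaway CA, request and certificate (constructed fixtures) so that it runs offline. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the SRC documentation): sanity checks to run on
# the signed certificate before importing it in Step 4. Assumes openssl is
# installed and that the CA certificate, the original certificate signing
# request and the signed certificate are all PEM files, as /tmp/certreq.csr is.
set -e

# Return 0 if the file is a well-formed PKCS #10 request whose self-signature
# verifies, i.e. the request was not corrupted in transfer.
csr_is_valid() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# SHA-256 of the DER-encoded public key found in a CSR ($1 = req) or in a
# certificate ($1 = x509), so the two can be compared.
pubkey_digest() {
    openssl "$1" -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# Return 0 if the signed certificate carries the public key from our CSR:
# the CA signed the request we sent, not some other request.
cert_matches_csr() {
    [ "$(pubkey_digest x509 "$1")" = "$(pubkey_digest req "$2")" ]
}

# Return 0 if the certificate chains to the CA certificate; this is the same
# check the router performs once that CA certificate is installed under
# [edit security certificates certificate-authority]. Grepping for ": OK"
# rather than trusting the exit status keeps this working on old OpenSSL.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Constructed fixtures so the script runs offline: a throwaway CA standing in
# for the real one, an SAE request, and the certificate the CA returns.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=sae.example.net" \
    -keyout "$WORK/sae.key" -out "$WORK/certreq.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/certreq.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/cert.pem" >/dev/null 2>&1

csr_is_valid "$WORK/certreq.csr" && echo "CSR well-formed"
cert_matches_csr "$WORK/cert.pem" "$WORK/certreq.csr" && echo "key matches CSR"
cert_chains_to_ca "$WORK/cert.pem" "$WORK/ca.pem" && echo "chains to CA"
```

With real files, point the three functions at the CA certificate, /tmp/certreq.csr and the certificate VeriSign returned instead of the fixtures.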

Obtaining Digital Certificates through SCEP

You can use SCEP to help manage how you obtain digital certificates, or you can manually add certificates. See Manually Obtaining Digital Certificates.

Before you can obtain certificates for your use, you must get the CA's certificate and install it in the local store of trusted certificates.

To add a signed certificate that you obtain through SCEP:

  1. Request your CA's certificate through SCEP.
       1. Click Manage>Request>Security>Get CA Certificate.
       2. Enter information as described in the Help text in the main pane, and click Apply.
  2. Request that the certificate authority automatically sign the certificate request.
       1. Click Manage>Request>Security>Enroll.
       2. Enter information as described in the Help text in the main pane, and click Apply.

Installing the Server Certificate on the Router

The TLS client (JUNOS routing platform) needs a copy of the certificate that was used to sign the SAE certificate so that it can verify the SAE certificate during the handshake. To install this certificate on the JUNOS routing platform:

  1. Include the following statements at the [edit security certificates certificate-authority] hierarchy level.

     security {
         certificates {
             certificate-authority SAECert {
                 file /var/db/certs/cert.pem;
             }
         }
     }

  2. Include the following statements at the [edit system services service-deployment] hierarchy level, so that the connection to the SAE at server-address and port-number uses TLS.

     system {
         services {
             service-deployment {
                 servers {
                     server-address port port-number {
                         security-options {
                             tls;
                         }
                     }
                 }
             }
         }
     }
    

Creating a Client Certificate for the Router

For information about how to obtain a certificate for the router from a certificate authority, see Obtaining a Certificate from a Certificate Authority in the JUNOS System Basics Configuration Guide.

Installing the Client Certificate on the Router

To install the client (router) certificate on the JUNOS routing platform:

  1. Include the following statements at the [edit security certificates] hierarchy level.

     security {
         certificates {
             local clientCert { .... }
         }
     }

  2. Include the following statements at the [edit system services service-deployment] hierarchy level. The name in the local-certificate statement must match the name given to the local statement in Step 1 (clientCert here).

     system {
         services {
             service-deployment {
                 local-certificate clientCert;
             }
         }
     }
    

Configuring the SAE to Use TLS

To configure the SAE to accept TLS connections:

  1. Click Configure, expand Shared>Network, and then click a JUNOS router.

     The Device pane appears.

  2. Type a port number in the Beep Server Port box, and click Apply.

Configuring TLS on the SAE

To configure TLS on the SAE:

  1. Click Configure, expand Shared>SAE>Configuration>Driver>JUNOS, and then click Security.

     The Security pane appears.

  2. Click Create, enter information as described in the Help text in the main pane, and then click Apply.
