Configuring Secure Connections Between the SAE and JUNOS Routing Platforms
You can use TLS to protect communication between the SAE and JUNOS routing platforms.
To complete the TLS handshake, the client (JUNOS routing platform) and the server (SAE) must exchange and verify certificates. You need to create a client certificate and a server certificate. Both certificates must be signed by a certificate authority (CA). JUNOS software supports VeriSign, Inc. (http://www.verisign.com). You must then install both certificates on the SAE and on the JUNOS routing platform. To set up the SAE and the JUNOS routing platform to use TLS, perform the following tasks:
- Creating a Server Certificate for the SAE
- Installing the Server Certificate on the SAE
- Installing the Server Certificate on the Router
- Creating a Client Certificate for the Router
- Installing the Client Certificate on the Router
- Installing the Client Certificate on the SAE
- Configuring the SAE to Use TLS
- Configuring the Keystore for TLS Certificates and Keys
Creating a Server Certificate for the SAE
The SRC software provides a sample security certificate that you must replace with a real one. You can obtain a signed certificate from a CA. The SAE stores certificates in a keystore, which is a database of keys and certificates from trusted entities.
To remove the sample certificate and create a site certificate:
- Access the SAE installation directory.
cd /opt/UMC/sae
- Remove the sample certificate.
rm -f lib/jetty/saeKeystore
- Generate a self-signed certificate using the keytool command; for example:
/opt/UMC/jre/bin/keytool -genkey -keyalg RSA -keystore keystore/keystore.jks -keypass router -storepass router -alias sae -dname <DN> -validity 365
The values specified for the -keystore, -keypass, -storepass, and -alias arguments must match the following values that you configure for the keystore on the SAE:
- The value of the -keystore argument must match the value of the Keystore Location field.
- The value of the -keypass and -storepass arguments must both match the value of the Keystore Password field.
The password router shown here is only an example; choose your own. Note that passwords given on the keytool command line are visible in the shell history and in process listings while the command runs.
See Configuring the Keystore for TLS Certificates and Keys.
Replace <DN> with the distinguished name that identifies your HTTPS server. For example, if XYM Corp in Canada has an HTTPS server with a hostname of ssp1.domain.org, then the DN might be:
"cn=ssp1.domain.org, o=XYM Corp, c=CA"
Be sure to include the quotation marks. Do not use the "#" character in DNs.
For complete documentation of the Java keytool, see:
http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html
- Create a certificate signing request (CSR).
/opt/UMC/jre/bin/keytool -certreq -alias sae -file server.csr -keypass router -keystore keystore/keystore.jks -storepass router
The command creates a CSR and places it in the server.csr file.
- Send the CSR from the file /opt/UMC/sae/server.csr for signing to VeriSign, Inc. (http://www.verisign.com). VeriSign authenticates you and returns a certificate, signed by them, that authenticates your public key.
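The keystore steps above, and the later import of the signed reply and of the router's certificate, only work if the -keystore, -keypass, -storepass and -alias values are identical across every command and match the Keystore Location and Keystore Password fields. The following script is an added example, not part of the SRC software or this page: it builds all three keytool commands from one set of values, applies the DN rules (quoting, no "#"), and checks a keytool -list -v listing taken after the imports to confirm that alias sae holds a private key with a CA-signed chain and that the router alias is a trusted certificate entry. The keytool path is the one shown on the page; the listing, the CA names and the hostnames are constructed sample data.

```python
"""Added example for the SAE keystore procedure (not SRC or JUNOS code).

Assumptions: the keytool path and argument names are those on the page;
the SAE keystore has a single password field, so -keypass and -storepass
are derived from one value; the listing format is that of
`keytool -list -v` (old JDKs print keyEntry, newer ones PrivateKeyEntry).
"""
import shlex

KEYTOOL = "/opt/UMC/jre/bin/keytool"   # path from the page


def check_dn(dn):
    """Apply the page's DN rules and return the DN as an attribute dict."""
    if "#" in dn:
        raise ValueError("DN must not contain the '#' character")
    attrs = {}
    for part in dn.split(","):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part.strip()!r}")
        key, value = part.split("=", 1)
        attrs[key.strip().lower()] = value.strip()
    if "cn" not in attrs:
        raise ValueError("DN needs a cn= component naming the SAE host")
    return attrs


def keytool_commands(keystore, password, alias, dn, validity=365):
    """argv lists for the genkey, certreq and import steps.

    All three share one keystore path, password and alias, so the values the
    Keystore Location and Keystore Password fields must match cannot drift.
    """
    check_dn(dn)
    common = ["-alias", alias, "-keystore", keystore,
              "-storepass", password, "-keypass", password]
    return {
        "genkey": [KEYTOOL, "-genkey", "-keyalg", "RSA",
                   "-validity", str(validity), "-dname", dn] + common,
        "certreq": [KEYTOOL, "-certreq", "-file", "server.csr"] + common,
        "import": [KEYTOOL, "-import", "-file", "server.crt",
                   "-noprompt", "-trustcacerts"] + common,
    }


def shell_line(argv):
    """Render argv for copy-paste; shlex.quote adds the quotes the DN needs."""
    return " ".join(shlex.quote(a) for a in argv)


def parse_keytool_list(text):
    """Parse `keytool -list -v` output into {alias: {type, chain_len, owner, issuer}}."""
    entries = {}
    for chunk in text.split("Alias name: ")[1:]:
        lines = chunk.splitlines()
        info = {"type": None, "chain_len": 0, "owner": None, "issuer": None}
        for line in lines[1:]:
            line = line.strip()
            if line.startswith("Entry type: "):
                info["type"] = line.split(": ", 1)[1]
            elif line.startswith("Certificate chain length: "):
                info["chain_len"] = int(line.split(": ", 1)[1])
            elif line.startswith("Owner: ") and info["owner"] is None:
                info["owner"] = line[len("Owner: "):]    # first cert = end entity
            elif line.startswith("Issuer: ") and info["issuer"] is None:
                info["issuer"] = line[len("Issuer: "):]
        entries[lines[0].strip()] = info
    return entries


def check_keystore(entries, server_alias="sae", client_alias="router"):
    """Return the problems that would stop the SAE/router TLS handshake."""
    problems = []
    srv = entries.get(server_alias)
    if srv is None:
        problems.append(f"no entry for alias {server_alias}")
    else:
        if srv["type"] not in ("keyEntry", "PrivateKeyEntry"):
            problems.append(f"{server_alias} is not a private-key entry")
        if srv["owner"] == srv["issuer"]:   # CA reply never imported
            problems.append(f"{server_alias} certificate is still self-signed; "
                            "import the CA-signed reply")
    cli = entries.get(client_alias)
    if cli is None:
        problems.append(f"no entry for alias {client_alias}")
    elif cli["type"] != "trustedCertEntry":
        problems.append(f"{client_alias} should be a trustedCertEntry")
    return problems


# Constructed sample of `keytool -list -v` output after both imports.
SAMPLE_LISTING = """\
Your keystore contains 2 entries

Alias name: sae
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ssp1.domain.org, O=XYM Corp, C=CA
Issuer: CN=Example Signing CA, O=Example CA Inc, C=US
Certificate[2]:
Owner: CN=Example Signing CA, O=Example CA Inc, C=US
Issuer: CN=Example Signing CA, O=Example CA Inc, C=US

Alias name: router
Entry type: trustedCertEntry
Owner: CN=router1.domain.org, O=XYM Corp, C=CA
Issuer: CN=Example Signing CA, O=Example CA Inc, C=US
"""

if __name__ == "__main__":
    cmds = keytool_commands("keystore/keystore.jks", "router", "sae",
                            "cn=ssp1.domain.org, o=XYM Corp, c=CA")
    for step in ("genkey", "certreq", "import"):
        print(shell_line(cmds[step]))
    print(check_keystore(parse_keytool_list(SAMPLE_LISTING)) or "keystore OK")
```

Run it on a real host by replacing SAMPLE_LISTING with the output of /opt/UMC/jre/bin/keytool -list -v -keystore keystore/keystore.jks -storepass <password>. The self-signed check is the one that catches the most common mistake: running the -genkey step, skipping the import of the signed reply, and then wondering why the router rejects the SAE certificate.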
Installing the Server Certificate on the SAE
To install the server certificate on the SAE, import the signed certificate returned by the CA into the SAE keystore using the keytool command:
/opt/UMC/jre/bin/keytool -import -alias sae -file server.crt -keypass router -noprompt -trustcacerts -keystore keystore/keystore.jks -storepass router
Because the alias sae already holds the private key generated earlier, keytool treats server.crt as a certificate reply and replaces the self-signed certificate with the CA-signed one. The -trustcacerts option makes keytool validate the reply against the CA certificates in the Java runtime's cacerts file; if the CA that signed server.crt is not present there (or in the keystore under its own alias), the import fails and you must import the CA certificate first.
Installing the Server Certificate on the Router
The TLS client (JUNOS routing platform) needs a copy of the certificate that was used to sign the SAE certificate so that it can verify the SAE certificate. To install the SAE certificate on the JUNOS routing platform:
- Include the following statements at the [edit security certificates certificate-authority] hierarchy level, where /var/db/certs/cert.pem is the PEM-encoded CA certificate that you copied to the router (JUNOS keywords are lowercase):
security {
    certificates {
        certificate-authority SAECert {
            file /var/db/certs/cert.pem;
        }
    }
}
- Include the following statements at the [edit system services service-deployment] hierarchy level, where server-address and port-number are the SAE's address and its TLS BEEP server port:
system {
    services {
        service-deployment {
            servers {
                server-address port port-number {
                    security-options {
                        tls;
                    }
                }
            }
        }
    }
}
Creating a Client Certificate for the Router
For information about how to obtain a certificate for the router from a certificate authority, see Obtaining a Certificate from a Certificate Authority in the JUNOS System Basics Configuration Guide.
Installing the Client Certificate on the Router
To install the client (router) certificate on the JUNOS routing platform:
- Include the following statements at the [edit security certificates] hierarchy level:
security {
    certificates {
        local clientCert { .... }
    }
}
- Include the following statements at the [edit system services service-deployment] hierarchy level. The name given to local-certificate must be exactly the name defined under security certificates local (the statement is case-sensitive):
system {
    services {
        service-deployment {
            local-certificate clientCert;
        }
    }
}
Installing the Client Certificate on the SAE
To install the client certificate on the SAE, you must import the client (router) certificate into the SAE keystore using the keytool command. For example:
/opt/UMC/jre/bin/keytool -import -alias router -file client.crt -keypass router -noprompt -trustcacerts -keystore keystore/keystore.jks -storepass router
Configuring the SAE to Use TLS
To configure the SAE to accept TLS connections, enter a port number in the TLS BEEP Server Port field in the JUNOS router driver configuration. This port number must match the port-number that you configured in the servers statement under [edit system services service-deployment] on the router. See Configuring the SAE to Manage JUNOS Routing Platforms.
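The router side of the setup spans two hierarchy levels, and the values that must agree (the CA certificate file, the local certificate name referenced by local-certificate, and the server address and port that must equal the SAE's TLS BEEP Server Port) are easy to get out of step. The script below is an added example, not JUNOS or SRC code: it parses a brace-style JUNOS configuration such as the output of show configuration into nested dictionaries and reports every mismatch that would prevent the mutual-TLS session. The SAE address 10.10.1.5 and port 3333 are constructed values, and the body of the local certificate is omitted because the page elides it.

```python
"""Added example (not JUNOS or SRC code): parse the router's brace-style
configuration and check the statements the page requires for TLS to the SAE.

Assumptions: the SAE address 10.10.1.5 and TLS BEEP port 3333 are
constructed values; the local certificate body is omitted as on the page.
"""


def parse_junos(text):
    """Parse brace-style configuration into nested dicts.

    A container such as `certificate-authority SAECert {` becomes a dict under
    that full header; a leaf such as `tls;` or `file /path;` becomes
    {keyword: rest-of-statement-or-None}.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*") or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
        elif line.endswith("{"):
            child = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(child)
        elif line.endswith(";"):
            key, _, rest = line[:-1].strip().partition(" ")
            stack[-1][key] = rest.strip() or None
        else:
            raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def check_router_tls(cfg, sae_address, sae_tls_port):
    """Return the mismatches that would prevent a mutual-TLS session with the SAE."""
    problems = []
    certs = cfg.get("security", {}).get("certificates", {})
    cas = [v for k, v in certs.items()
           if k.startswith("certificate-authority ") and isinstance(v, dict)]
    if not any("file" in ca for ca in cas):
        problems.append("no certificate-authority with a file statement, "
                        "so the router cannot verify the SAE certificate")
    local_names = {k.split()[1] for k in certs if k.startswith("local ")}
    sd = cfg.get("system", {}).get("services", {}).get("service-deployment", {})
    local_cert = sd.get("local-certificate")
    if local_cert is None:
        problems.append("service-deployment has no local-certificate statement")
    elif local_cert not in local_names:   # name is case-sensitive
        problems.append(f"local-certificate {local_cert} does not match any "
                        f"'security certificates local' name {sorted(local_names)}")
    want = f"{sae_address} port {sae_tls_port}"
    entry = sd.get("servers", {}).get(want)
    if not isinstance(entry, dict):
        problems.append(f"no servers entry for {want}; it must match the "
                        "SAE's TLS BEEP Server Port")
    elif "tls" not in (entry.get("security-options") or {}):
        problems.append(f"servers entry {want} lacks security-options tls")
    return problems


# Constructed router configuration matching the page's fragments.
SAMPLE_ROUTER_CONFIG = """
security {
    certificates {
        certificate-authority SAECert {
            file /var/db/certs/cert.pem;
        }
        local clientCert {
            /* certificate body omitted */
        }
    }
}
system {
    services {
        service-deployment {
            servers {
                10.10.1.5 port 3333 {
                    security-options {
                        tls;
                    }
                }
            }
            local-certificate clientCert;
        }
    }
}
"""

if __name__ == "__main__":
    cfg = parse_junos(SAMPLE_ROUTER_CONFIG)
    print(check_router_tls(cfg, "10.10.1.5", 3333) or "router TLS configuration consistent")
    # A case mismatch in the certificate name is the kind of error this catches.
    broken = SAMPLE_ROUTER_CONFIG.replace("local-certificate clientCert;",
                                          "local-certificate clientCERT;")
    print(check_router_tls(parse_junos(broken), "10.10.1.5", 3333))
```

Feed it the router's actual configuration and the address and TLS BEEP Server Port configured on the SAE; an empty result means the three places that must agree do agree, and each reported problem names the statement to fix.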
Configuring the Keystore for TLS Certificates and Keys
A keystore is a database of keys and certificates from trusted entities. See Chapter 7, Using JUNOS Routing Platforms in the SRC Network with the SRC CLI.