[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]


Configuring Secure Connections Between the SAE and JUNOS Routing Platforms

You can use TLS to protect communication between the SAE and JUNOS routing platforms.

To complete the TLS handshake, the client (the JUNOS routing platform) and the server (the SAE) exchange and verify certificates, so you need a client certificate and a server certificate. Both certificates must be signed by a certificate authority (CA); JUNOS software supports VeriSign, Inc. (http://www.verisign.com). You then install the certificates, and the CA certificate needed to verify them, on the SAE and on the JUNOS routing platform.

You can use SRC CLI commands to manage certificates manually, or through the Simple Certificate Enrollment Protocol (SCEP).

Certificates are in the format defined in the X.509 standard for public key infrastructure. Certificate requests are in the Public-Key Cryptography Standards (PKCS) #10 format.

Tasks to set up the SAE and the JUNOS routing platform to use TLS are:

  1. Manually Obtaining Digital Certificates, or Obtaining Digital Certificates through SCEP
  2. Installing the Server Certificate on the Routing Platform
  3. Creating a Client Certificate for the Router
  4. Installing the Client Certificate on the Router
  5. Configuring the SAE to Use TLS
  6. Configuring TLS on the SAE

Manually Obtaining Digital Certificates

You can manually add digital certificates, or you can use SCEP to help manage how you obtain certificates. See Obtaining Digital Certificates through SCEP.

To manually add a signed certificate:

  1. Create a certificate signing request:

     user@host> request security generate-certificate-request subject subject password password

     where subject is the subject name for the certificate (for example, cn=myhost) and password is the password to include in the request.

     By default, this request creates the file /tmp/certreq.csr and encodes the file by using Privacy-Enhanced Mail (PEM) encoding.

  2. Copy the file generated in Step 1 to another system, and submit it to VeriSign, Inc. (http://www.verisign.com) for signing.

     You can transfer the file through FTP by using the file copy command:

     user@host> file copy source_file ftp://username@server[:port]/destination_file

     FTP sends the account password and the file in cleartext. The request carries only your public key, so its disclosure is harmless, but use an FTP account that has no other privileges.

     VeriSign authenticates you and returns a certificate, signed by VeriSign, that binds your public key to the subject you requested.

  3. When you receive the signed certificate, copy the file back to the SRC system, into the /tmp directory.

     You can transfer the file through FTP, as shown in Step 2.

  4. Add the certificate to the SRC configuration:

     user@host> request security import-certificate file-name file-name identifier identifier

     where file-name is the file that contains the signed certificate and identifier is the name under which the SRC software stores the certificate. You refer to this identifier later when you configure TLS on the SAE.

     For example, to import the file src.cer that is identified as web:

     user@host> request security import-certificate file-name src.cer identifier web

  5. Verify that the certificate is part of the SRC configuration:

     user@host> show security certificate
     web subject:CN=host

     If there are no certificates on the system, the CLI displays the following message:

     No entity certificates in key store

Obtaining Digital Certificates through SCEP

You can use SCEP to help manage how you obtain digital certificates, or you can manually add certificates. See Manually Obtaining Digital Certificates.

Before you can obtain certificates for your use, you must get the CA's certificate and install it in the local store of trusted certificates.

To add a signed certificate that you obtain through SCEP:

  1. Request your CA's certificate through SCEP:

     user@host> request security get-ca-certificate url url ca-identifier ca-identifier

     where url is the URL of the SCEP service and ca-identifier is the name of the CA at that service.

     For example, to request the certificate of the CA SrcCA from the SCEP service on the server security_server:

     user@host> request security get-ca-certificate url
     http://security_server:8080/ejbca/publicweb/apply/scep/pkiclient.exe
     ca-identifier SrcCA

     Version: 3
     Serial Number: 5721058705923989279
     Signature Algorithm: SHA1withRSA
     Issuer: CN=SrcCA
     Valid From: Wed Sep 06 17:00:55 EDT 2006
     Valid Until: Sat Sep 03 17:10:55 EDT 2016
     Subject: CN=SrcCA
     Public key: RSA
     Thumbprint Algorithm: SHA1
     Thumbprint: 3c 57 a9 77 af 83 3 e9 c7 1e ee e2 4a e8 ff f3 89 f4 11 a9
     Do you want to add the above certificate as a trusted CA [yes,no] ? (no) y

     Nothing in this exchange authenticates the CA certificate: SCEP fetches it over plain HTTP, so anyone who can answer for security_server can substitute a certificate of their own. Before you answer yes, compare the displayed thumbprint with the thumbprint the CA operator gave you through another channel, and answer no if they differ. Every certificate you later enroll is trusted on the strength of this answer.

  2. Request that the certificate authority automatically sign the certificate request:

     user@host> request security enroll url url identifier identifier ca-identifier ca-identifier subject subject password password

     where url and ca-identifier name the SCEP service and CA from Step 1, identifier is the name under which the SRC software stores the certificate, subject is the subject name for the certificate, and password is the enrollment password that the CA expects.

     For example, to enroll a certificate for the subject cn=myhost, stored under the identifier web, with the CA SrcCA on the server security_server:

     user@host> request security enroll url
     http://security_server:8080/ejbca/publicweb/apply/scep/pkiclient.exe
     identifier web ca-identifier SrcCA subject cn=myhost password mypassword

     Received certificate:
     Version: 3
     Serial Number: 6822890691617224432
     Signature Algorithm: SHA1withRSA
     Issuer: CN=SrcCA
     Valid From: Tue Sep 19 16:33:11 EDT 2006
     Valid Until: Thu Sep 18 16:43:11 EDT 2008
     Subject: CN=myhost
     Public key: RSA
     Do you want to install the above certificate [yes,no] ? (no) y

     Check that the Issuer matches the CA you accepted in Step 1 and that the Subject is the one you requested before you answer yes.

  3. Verify that the certificate is part of the SRC configuration:

     user@host> show security certificate
     web subject:CN=myhost

     If there are no certificates on the system, the CLI displays the following message:

     No entity certificates in key store
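The thumbprint prompt in Step 1 is the only point at which the CA certificate is authenticated, so it is worth having a tool for the comparison. The following Python script is an added example, not SRC software or Juniper code: it parses the thumbprint the way the CLI prints it, compares it with a fingerprint supplied by the CA operator in the colon-separated form that openssl x509 -fingerprint prints, and computes the same digest from a CA certificate file. The CLI text is copied from the output above; the out-of-band fingerprint and the PEM blob are constructed for the example (the PEM body is placeholder bytes, not a real certificate). Note that the CLI output prints one byte as 3 rather than 03, which a naive string comparison would reject.

```python
"""Verify the CA thumbprint shown by `request security get-ca-certificate`
against a value obtained out of band, before answering "yes"."""
import base64
import hashlib
import hmac
import re

# The CLI prompt from this page (copied from the output above).
CLI_OUTPUT = """\
Version: 3
Serial Number: 5721058705923989279
Signature Algorithm: SHA1withRSA
Issuer: CN=SrcCA
Subject: CN=SrcCA
Public key: RSA
Thumbprint Algorithm: SHA1
Thumbprint: 3c 57 a9 77 af 83 3 e9 c7 1e ee e2 4a e8 ff f3 89 f4 11 a9
Do you want to add the above certificate as a trusted CA [yes,no] ? (no)
"""

# Constructed: the fingerprint the CA operator sent by another channel, in
# the colon-separated form that `openssl x509 -noout -fingerprint` prints.
OUT_OF_BAND = "3C:57:A9:77:AF:83:03:E9:C7:1E:EE:E2:4A:E8:FF:F3:89:F4:11:A9"

# Constructed: a PEM wrapper around placeholder bytes, used only to show
# where the digest is taken from. It is not a real certificate.
SAMPLE_DER = b"placeholder DER bytes, not an X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def parse_cli_thumbprint(text):
    """Return (algorithm, thumbprint) from the get-ca-certificate prompt."""
    algo = re.search(r"^Thumbprint Algorithm:\s*(\S+)", text, re.M)
    thumb = re.search(r"^Thumbprint:\s*(.+?)\s*$", text, re.M)
    if not algo or not thumb:
        raise ValueError("no thumbprint in CLI output")
    return algo.group(1), thumb.group(1)


def normalize(thumbprint):
    """Convert any hex rendering of a digest to raw bytes.

    Tokens are split on spaces or colons and parsed one by one, so a byte
    printed without its leading zero (the '3' in the CLI output above)
    compares equal to the '03' an OpenSSL fingerprint shows."""
    tokens = re.split(r"[\s:]+", thumbprint.strip())
    if len(tokens) == 1:  # contiguous hex such as '3c57a9...'
        return bytes.fromhex(tokens[0])
    return bytes(int(t, 16) for t in tokens)


def fingerprint(pem, algorithm="SHA1"):
    """Digest of the DER certificate inside a PEM block (the thumbprint is
    over the DER bytes, never over the PEM text)."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, re.S)
    if not body:
        raise ValueError("no CERTIFICATE block in input")
    der = base64.b64decode("".join(body.group(1).split()))
    digest = hashlib.new(algorithm.lower().replace("-", ""))  # SHA1, SHA-256, ...
    digest.update(der)
    return digest.digest()


def ca_prompt_is_trustworthy(cli_text, expected):
    """True only if the prompt's thumbprint equals the out-of-band value."""
    _, shown = parse_cli_thumbprint(cli_text)
    return hmac.compare_digest(normalize(shown), normalize(expected))


def pem_matches(pem, expected, algorithm="SHA1"):
    """True if a certificate file you hold has the expected fingerprint."""
    return hmac.compare_digest(fingerprint(pem, algorithm), normalize(expected))


if __name__ == "__main__":
    print("answer yes:", ca_prompt_is_trustworthy(CLI_OUTPUT, OUT_OF_BAND))
    print("sha1 of sample:", fingerprint(SAMPLE_PEM).hex())
```

Paste the prompt text into CLI_OUTPUT and the operator's value into OUT_OF_BAND; answer yes at the prompt only when ca_prompt_is_trustworthy returns True. If the operator hands you the CA certificate file itself rather than a fingerprint, fingerprint() gives you the value to compare with the prompt.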

Installing the Server Certificate on the Routing Platform

The TLS client (JUNOS routing platform) needs a copy of the certificate that was used to sign the SAE certificate so that it can verify the SAE certificate. To install that certificate on the JUNOS routing platform:

  1. Include the following statements at the [edit security certificates certificate-authority] hierarchy level:

     security {
         certificates {
             certificate-authority SAECert {
                 file /var/db/certs/cert.pem;
             }
         }
     }

  2. Include the following statements at the [edit system services service-deployment] hierarchy level, where server-address is the SAE and port-number is the TLS port you configure on the SAE (see Configuring the SAE to Use TLS):

     system {
         services {
             service-deployment {
                 servers {
                     server-address port port-number {
                         security-options {
                             tls;
                         }
                     }
                 }
             }
         }
     }

Creating a Client Certificate for the Router

For information about how to obtain a certificate for the router from a certificate authority, see Obtaining a Certificate from a Certificate Authority in the JUNOS System Basics Configuration Guide.

Installing the Client Certificate on the Router

To install the client (router) certificate on the JUNOS routing platform:

  1. Include the following statements at the [edit security certificates] hierarchy level:

     security {
         certificates {
             local clientCert { .... }
         }
     }

  2. Include the following statements at the [edit system services service-deployment] hierarchy level. The name given to local-certificate must match the name of the local certificate exactly, including case:

     system {
         services {
             service-deployment {
                 local-certificate clientCert;
             }
         }
     }

Configuring the SAE to Use TLS

To configure the SAE to accept TLS connections, enter a port number with the set beep-server-port command in the JUNOS router driver configuration.

See Configuring the SAE to Manage JUNOS Routing Platforms.

Configuring TLS on the SAE

Use the following configuration statements to configure TLS on the SAE:

shared sae configuration driver junos security {
  need-client-authentication;
  certificate-identifier private-key;
}

To configure TLS on the SAE:

  1. From configuration mode, access the configuration statement that configures security for the JUNOS TLS connection. In this sample procedure, the JUNOS driver is configured in the west-region group.

     user@host# edit shared sae group west-region configuration driver junos security

  2. (Optional) Specify that the SAE requests a client certificate from the router when a connection to the router is established.

     [edit shared sae group west-region configuration driver junos security]
     user@host# set need-client-authentication

     Without this statement the SAE proves its identity to the router, but the router is not authenticated: any client that can reach the port set with set beep-server-port can complete the TLS handshake. Set it so that only routers that present a certificate the SAE can verify are accepted.

  3. Specify the identifier of the certificate to be used for TLS communications. This is the identifier you assigned when you imported or enrolled the SAE certificate (web in the examples earlier on this page).

     [edit shared sae group west-region configuration driver junos security]
     user@host# set certificate-identifier private-key

  4. (Optional) Verify your TLS configuration.

     [edit shared sae group west-region configuration driver junos security]
     user@host# show
     need-client-authentication;
     certificate-identifier private-key;

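The router-side stanzas above give the router a CA certificate with which to verify the SAE, and need-client-authentication makes the SAE verify the router in return. The following Python program is an added example, not SRC or JUNOS code, that shows the effect of that statement with a plain TLS server standing in for the SAE and a plain TLS client standing in for the router. It assumes the openssl command-line tool is installed and uses it to build a throwaway CA (named SrcCA after the example on this page), a server certificate for localhost and a client certificate for a router; with client authentication required, a client that holds no certificate is refused, and with it off the same client is accepted.

```python
"""Effect of `need-client-authentication`: a TLS server that requires a
CA-signed client certificate versus one that does not (added example; the
SAE is the TLS server and the router the client, as on this page)."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

OPENSSL = shutil.which("openssl")  # assumption: the openssl CLI is installed


def openssl(*args):
    subprocess.run([OPENSSL, *args], check=True, capture_output=True)


def make_pki(workdir):
    """Throwaway CA (standing in for SrcCA), a server certificate for
    'localhost' (the SAE) and a client certificate (the router)."""
    ca_key, ca_crt = os.path.join(workdir, "ca.key"), os.path.join(workdir, "ca.pem")
    openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
            "-subj", "/CN=SrcCA", "-keyout", ca_key, "-out", ca_crt)
    # The server certificate needs a subjectAltName for hostname checking;
    # `x509 -req` reads extensions from a file on both OpenSSL 1.1.1 and 3.x.
    ext = os.path.join(workdir, "san.cnf")
    with open(ext, "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    certs = {}
    for name, cn, extfile in (("sae", "localhost", ext), ("router", "router1", None)):
        key, csr, crt = (os.path.join(workdir, name + s) for s in (".key", ".csr", ".pem"))
        openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                "-subj", "/CN=" + cn, "-keyout", key, "-out", csr)
        args = ["x509", "-req", "-days", "1", "-in", csr, "-CA", ca_crt,
                "-CAkey", ca_key, "-CAcreateserial", "-out", crt]
        if extfile:
            args += ["-extfile", extfile]
        openssl(*args)
        certs[name] = (crt, key)
    return ca_crt, certs


def serve(listener, ctx, connections):
    """Accept `connections` TLS sessions; echo one message back on each."""
    for _ in range(connections):
        try:
            raw, _ = listener.accept()
        except OSError:
            return
        try:
            with ctx.wrap_socket(raw, server_side=True) as tls:
                tls.sendall(b"ok:" + tls.recv(64))
        except OSError:  # ssl.SSLError is a subclass: handshake rejected
            pass


def client_gets_reply(port, ca_crt, client_cert=None):
    """Connect like the router: trust only the CA, check the server name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_crt)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as s, \
                ctx.wrap_socket(s, server_hostname="localhost") as tls:
            tls.sendall(b"hello")
            return tls.recv(64) == b"ok:hello"
    except OSError:
        return False


def run_demo(need_client_authentication=True):
    """Return {'without_cert': bool, 'with_cert': bool} for one server mode."""
    if not OPENSSL:
        raise RuntimeError("openssl CLI not found")
    workdir = tempfile.mkdtemp()
    ca_crt, certs = make_pki(workdir)
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(*certs["sae"])
    if need_client_authentication:
        # Equivalent of `set need-client-authentication`: only clients with
        # a certificate chained to the trusted CA complete the handshake.
        server_ctx.verify_mode = ssl.CERT_REQUIRED
        server_ctx.load_verify_locations(ca_crt)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(2)
    listener.settimeout(10)
    port = listener.getsockname()[1]
    t = threading.Thread(target=serve, args=(listener, server_ctx, 2), daemon=True)
    t.start()
    result = {"without_cert": client_gets_reply(port, ca_crt),
              "with_cert": client_gets_reply(port, ca_crt, certs["router"])}
    t.join(15)
    listener.close()
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print("need-client-authentication:", run_demo(True))
    print("no client authentication:  ", run_demo(False))
```

Run it directly to see both modes. The client side always verifies the server against the CA and checks the server name, which is the analogue of the router trusting only the certificate in SAECert; need-client-authentication adds the reverse check and is what stops an arbitrary host that can reach the BEEP port from completing a session with the SAE.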