Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configure Certificate-Based Authentication in Policy Enforcer

Users typically gain access to resources from an application or system on the basis of their username and password. You can also use certificates to authenticate and authorize sessions among various servers and users. Only one authentication mode is supported at a time and all users are authenticated using the selected authentication mode. In this use case, you’ll learn how to configure certificate-based authentication for a Policy Enforcer user.

Benefits

Certificate-based authentication over a Secure Sockets Layer (SSL) connection is the most secure type of authentication.

Before You Begin

Note:

Only mandatory fields and other required fields are included in the procedures in this use case.

Overview

Starting in Policy Enforcer Release 20.1R1, you can enable certificate-based authentication for the Policy Enforcer user.

The following topology shows Policy Enforcer configured in Junos Space Security Director. The user can configure certificate-based authentication mode and use certificates to gain access to the application.

Generate SSL certificates

Let’s learn how to generate a certification authority (CA) certificate, generate a client certificate and a private key for the SSL client, and then convert the client certificate and private key to Personal Information Exchange-pkcs#12 format for use by web browsers.

Generate a CA certificate

  1. Log in to the Linux server.
  2. Run the following command:

    openssl req -newkey rsa:4096 -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.cer

  3. Enter the PEM passphrase, for example: 1234.

    You’ll need this passphrase while you generate client certificates.

  4. Enter the following details, for example:

    • Country Name: IN

    • State or Province name: KAR

    • Locality Name: BAN

    • Organization Name: Juniper

    • Organization Unit Name: space

    • Common Name: space_user

      The certificate is issued by this name.

    • Email Address: example@juniper.com

    The CA certificate is generated.

Generate Client SSL certificates

  1. Log in to the Linux server.
  2. Run the following command to generate a private key for the SSL client, for example: client1.key.

    openssl genrsa -out client1.key 4096

  3. Run the following command to generate the certificate request, for example: client1.req.

    openssl req -new -key client1.key -out client1.req

  4. Enter the following details for client1, for example:

    • Country Name: IN

    • State or Province name: KAR

    • Locality Name: BAN

    • Organization Name: Juniper

    • Organization Unit Name: space

    • Common Name: space_user1

      The certificate is issued by this name.

    • Email Address: example1@juniper.com

  5. Enter the challenge password, for example: 12345.
  6. Run the following command to issue the client certificate using the certificate request and the CA key, for example: client1.cer.

    openssl x509 -req -in client1.req -CA ca.cer -CAkey ca.key -set_serial 101 -extensions client1 -days 365 -outform PEM -out client1.cer

  7. Enter the passphrase for the ca.key as 1234. This must be the same passphrase that you provided while creating the CA certificate in Step 3.
  8. Run the following command to convert the client certificate and private key to pkcs#12 format for use by web browsers, for example: client1.p12 (Personal Information Exchange file type).

    openssl pkcs12 -export -inkey client1.key -in client1.cer -out client1.p12

  9. Enter the export password, for example 123456.

    You’ll need this password to import the certificate to the web browser.

    The following certificates are generated:

    Similarly, generate client2.cer, client2.key, and client2.p12 certificates with the following details, for example:

    • Country Name: IN

    • State or Province name: KAR

    • Locality Name: BAN

    • Organization Name: Juniper

    • Organization Unit Name: space

    • Common Name: space_user2

      The certificate is issued by this name.

    • Email Address: example2@juniper.com

Note:

In this example, we will use the generated client1 certificates for the Junos Space user (user1) and client2 certificates for the Policy Enforcer user (pe_user).

Copy the Certificates from the Linux Server to Your Local Machine

  1. Log in to the WinSCP client to copy the certificates that you generated from the Linux server to your local machine.

    You can use any file transfer protocol client.

  2. Select the file protocol as SFTP.
  3. Enter the hostname of the Linux server, username, and password, and click Login.
  4. Select the certificate files that you generated in the Linux server, and copy the files to the preferred location on your local machine.

Upload the CA Certificate

Let’s upload the CA certificate or the root certificate to verify user certificates. The private key of the root certificate is used to sign the user certificates, which then inherits the trustworthiness of the root certificate.

To upload a CA certificate:

  1. Log in to Junos Space Network Management Platform.
  2. Select Administration > CA/CRL Certificates.

    The CA CRL Certificates page is displayed.

  3. Click the arrow next to the + icon, and select X.509 CA Certificate.

    The Upload X.509 CA Certificate File page is displayed.

  4. Browse the X.509 CA certificate file (for example: ca.cer) from your local machine that you generated in Generate SSL certificates.
  5. Click Upload.

    A success message is displayed after you upload the valid certificate. You can view the CA certificate details on the CA/CRL Certificates page.

Upload the User Certificate

Let’s upload user certificates to authenticate the Junos Space user by using certificate-based authentication. You need to upload the corresponding certificate for each user for the Junos Space server to authenticate the user. To create a user in Junos Space Network Management Platform, see Create Users in Junos Space Network Management Platform.

To upload the user certificate for an existing user, for example user1:

  1. Log in to Junos Space Network Management Platform.
  2. Select Role Based Access Control > User Accounts.

    The User Accounts page is displayed.

  3. Right-click the Junos Space user, for example: user1, and select Modify User.

    The Modify User page for user1 is displayed.

  4. In the X509 Cert File field, browse the X.509 certificate file (for example: client1.cer) from your local machine that you generated in Generate SSL certificates.
  5. Click Upload.

    A success message is displayed.

Upload X.509 Certificate File in Policy Enforcer

After you configure Policy Enforcer, a new user called pe_user is created. You must add X.509 certificate for the pe_user for seamless certificate-based authentication. Policy Enforcer authenticates with Junos Space Security Director and Junos Space Network Management Platform using certificates in the certificate-based authentication mode.

  1. Log in to Junos Space Security Director.
  2. Select Administration > Policy Enforcer > Settings.

    The Settings page is displayed.

  3. Enable Certificate Based Authentication.

    This provides seamless operation when Junos Space Network Management Platform user switches to certificate-based authentication mode.

  4. Browse the X509 certificate file, for example: client2.cer, and X509 certificate key file, for example: client2.key that you generated in Generate SSL certificates.
  5. Click OK.

After uploading the certificates on the Settings Page, navigate to Junos Space Network Management Platform, select User > Role Based Access control > User Accounts. Right-click the pe_user, and select Modify User. Here, you can view the certificate details uploaded for the pe_user.

Configure the Web Browser Settings

You must import the Personal Information Exchange-pkcs#12 file type certificate uploaded to the Junos Space user (user1) on all the supported web browser settings page. In this example, let’s upload the client1.p12 on Google Chrome to enable certificate-based authentication.

  1. Open the Google Chrome web browser.
    Note:

    You can use any supported web browser.

  2. Click on the ellipsis icon on the top-right corner of the web browser, and select Settings.
  3. Select Security and Privacy.

    The Security and Privacy page is displayed.

  4. Select Security.

    The Security page is displayed.

  5. Select Manage Certificates.

    The Certificates page is displayed.

  6. Click Import.

    The Certificate Import Wizard is displayed.

  7. Browse the personal information file type, for example: client1.p12.

    You must select the personal information file type of the same certificate that you selected for the Junos Space Network Management Platform user (user1) as in Upload the User Certificate.

  8. Click Next.
  9. Enter the password for the private key as 123456. You must use the same password that you provided in Step 9 while creating the client1 certificates.
  10. Browse the location to store the certificate.

    A summary of certificate details is displayed.

  11. Click Finish.

    A pop-up is displayed confirming the import of new private exchange key.

  12. Click OK.

    A success message is displayed and the certificate is added to your web browser settings.

Change the User Authentication Mode to Certificate-Based Authentication Mode

Now let’s change the authentication mode from password-based to complete certificate–based for users to get authenticated on the basis of their certificates.

  1. Log in to Junos Space Network Management Platform.
  2. Select Administration > Application.
  3. Right-click Network Management Platform, and select Modify Application Settings.

    The Modify Network Management Platform Settings page is displayed.

  4. Select User.

    The User page is displayed.

  5. Select the Use X509 Certificate Complete Certificate option as the authentication mode.

    The Change Summary page is displayed.

  6. Click Confirm to enable the certificate-based authentication.

    When you change the authentication mode, all existing user sessions, except that of the current administrator who is changing the authentication mode, are automatically terminated and the users are forced to log out.

Verify the Certificate-Based Authentication Mode

Purpose

Let’s verify that you can log in to Junos Space Network Management Platform using certificates.

Action

  1. Access the Junos Space Network Management Platform application.

    The following pop-up is displayed.

  2. Click OK.

    The Security Page is displayed.

  3. Click Allow.

    The user1 is logged in to the Junos Space Network Management application without providing any username and password.

Troubleshoot Authentication Issues

Problem

Description

You must follow all the steps in the previous sections to enable certificate-based authentication. However, if you are restricted from logging in by using certificate–based authentication mode, then you can change the authentication mode to password-based from the CLI.

Solution

To change the authentication mode to password-based authentication from the CLI:

  1. Log in to the CLI of the Junos Space server VIP node.

  2. Navigate to the following directory: /var/www/cgi-bin.

  3. Type the following command:

    ./setSpaceAuthMode password-based

    The authentication mode is changed to password-based, and you can login with the username and password.