Configuring Secure Connections Between the SAE and JUNOS Routing Platforms
You can use TLS to protect communication between the SAE and JUNOS routing platforms.
To complete the handshaking protocol for the TLS connection, the client (JUNOS routing platform) and the server (SAE) must exchange and verify certificates. You need to create a client certificate and a server certificate. Both certificates must be signed by a certificate authority (CA). JUNOS software supports VeriSign, Inc. (http://www.verisign.com). You must then install both certificates on the SAE and on the JUNOS routing platform.
To set up the SAE and the JUNOS routing platform to use TLS, perform the following tasks:
- Creating a Server Certificate for the SAE
- Installing the Server Certificate on the SAE
- Installing the Server Certificate on the Router
- Creating a Client Certificate for the Router
- Installing the Client Certificate on the Router
- Installing the Client Certificate on the SAE
- Configuring the SAE to Use TLS
- Configuring the Keystore for TLS Certificates and Keys
Creating a Server Certificate for the SAE
The SDX software provides a sample security certificate that you must replace with a real one. You can obtain a signed certificate from a CA. The SAE stores certificates in a keystore, which is a database of keys and certificates from trusted entities.
To remove the sample certificate and create a site certificate:
- Access the SAE installation directory.
cd /opt/UMC/sae
- Remove the sample certificate.
rm -f lib/jetty/saeKeystore
- Generate a key pair with a self-signed certificate using the keytool command; for example:
/opt/UMC/jre/bin/keytool -genkey -keyalg RSA -keystore keystore/keystore.jks -keypass router -storepass router -alias sae -dname <DN> -validity 365
The password router is only the example used throughout this page; choose a password of your own (at least six characters, see Keystore Password) and give -keypass and -storepass the same value, because the SAE configuration has a single Keystore Password field. The values specified for the -keystore, -keypass, -storepass, and -alias arguments must match the following values that you configure for the keystore on the SAE:
- The value of the -keystore argument must match the value of the Keystore Location field.
- The value of the -keypass and -storepass arguments must both match the value of the Keystore Password field.
See Configuring the Keystore for TLS Certificates and Keys.
Replace <DN> with the distinguished name that identifies your HTTPS server. For example, if XYM Corp in Canada has an HTTPS server with a hostname of ssp1.domain.org, then the DN might be:
"cn=ssp1.domain.org, o=XYM Corp, c=CA"
Be sure to include the quotation marks. Do not use the "#" character in DNs.
For complete documentation of the Java keytool, see:
http://java.sun.com/j2se/1.4.1/docs/tooldocs/solaris/keytool.html
- Create a certificate signing request (CSR).
/opt/UMC/jre/bin/keytool -certreq -alias sae -file server.csr -keypass router -keystore keystore/keystore.jks -storepass router
The command creates a CSR and places it in the server.csr file.
- Send the CSR from the file /opt/UMC/sae/server.csr for signing to VeriSign, Inc. (http://www.verisign.com).
VeriSign authenticates you and returns a certificate, signed by them, that authenticates your public key.
Installing the Server Certificate on the SAE
To install the server certificate on the SAE, import the server certificate into the SAE keystore using the keytool command:
/opt/UMC/jre/bin/keytool -import -alias sae -file server.crt -keypass router -noprompt -trustcacerts -keystore keystore/keystore.jks -storepass router
Because the alias is the one used for the key pair you generated, keytool treats server.crt as the CA reply for that key and replaces the self-signed certificate with the signed certificate chain. The signing CA must be trusted for the import to succeed; -trustcacerts lets keytool use the CA certificates in the JRE cacerts file to build the chain.
Installing the Server Certificate on the Router
The TLS client (JUNOS routing platform) needs a copy of the certificate that was used to sign the SAE certificate so that it can verify the SAE certificate. To install the SAE certificate on the JUNOS routing platform:
- Include the following statements at the [edit security certificates certificate-authority] hierarchy level, where /var/db/certs/cert.pem is the file holding the CA certificate that signed the SAE certificate:
security {
    certificates {
        certificate-authority SAECert {
            file /var/db/certs/cert.pem;
        }
    }
}
- Include the following statements at the [edit system services service-deployment] hierarchy level. Replace server-address with the address of the SAE and port-number with the TLS BEEP Server Port configured on the SAE (see Configuring the SAE to Use TLS):
system {
    services {
        service-deployment {
            servers {
                server-address port port-number {
                    security-options {
                        tls;
                    }
                }
            }
        }
    }
}
Creating a Client Certificate for the Router
For information about how to obtain a certificate for the router from a certificate authority, see Obtaining a Certificate from a Certificate Authority in the JUNOS System Basics Configuration Guide.
Installing the Client Certificate on the Router
To install the client (router) certificate on the JUNOS routing platform:
- Include the following statements at the [edit security certificates] hierarchy level, where clientCert is the name of the local certificate you obtained for the router (see Creating a Client Certificate for the Router):
security {
    certificates {
        local clientCert {
            ....
        }
    }
}
- Include the following statements at the [edit system services service-deployment] hierarchy level. The name must match the local certificate configured above; JUNOS identifiers are case sensitive.
system {
    services {
        service-deployment {
            local-certificate clientCert;
        }
    }
}
Installing the Client Certificate on the SAE
To install the client certificate on the SAE, import the client (router) certificate into the SAE keystore as a trusted certificate entry using the keytool command. Use an alias that differs from the SAE's own key alias so that the import does not overwrite the server key entry. For example:
/opt/UMC/jre/bin/keytool -import -alias router -file client.crt -keypass router -noprompt -trustcacerts -keystore keystore/keystore.jks -storepass router
Configuring the SAE to Use TLS
To configure the SAE to accept TLS connections, enter a port number in the TLS BEEP Server Port field in the JUNOS router driver configuration.
See Configuring the SAE to Manage JUNOS Routing Platforms.
Configuring the Keystore for TLS Certificates and Keys
A keystore is a database of keys and certificates from trusted entities. To use SDX Configuration Editor to configure the TLS keystore on the SAE:
- In the navigation pane, select a configuration file for the SAE that you want to configure.
- Select the Router tab, expand the JUNOS Router Driver section, and then expand the Keystore section.
- Edit or accept the default values in the fields.
See Keystore Fields for the JUNOS Router Driver.
- Select File > Save.
- Right-click the configuration file, select SDX System Configuration > Export to LDAP Directory.
Keystore Fields for the JUNOS Router Driver
In SDX Configuration Editor, you can edit the Keystore fields in the JUNOS Router Driver section in the Router pane in an SAE configuration file.
Keystore Location
- Location of the keystore that contains the key/certificate pair that the SAE sends to the router. If the SAE requires client authentication, it also specifies the location of the CA certificate that was used to sign the certificate that the router sends to the SAE.
- Value—Path and name of the keystore
- Guidelines—The value of this field must match the value of the -keystore argument that you entered with the keytool command when you created the server certificate for the SAE.
See Creating a Server Certificate for the SAE.
Keystore Password
- Password required for the keystore.
- Value—Password; must be at least six characters
- Guidelines—The value of this field must match the value of the -keypass and -storepass arguments that you entered with the keytool command when you created the server certificate for the SAE.
See Creating a Server Certificate for the SAE.
Need Client Authentication
- Yes—The SAE asks the router for a client certificate when a connection to the router is established.
- No—The SAE does not ask the router for a client certificate when a connection to the router is established.
Keystore Implementation
- JKS (JKS is the standard Java keystore implementation)
- PKCS12 (Public Key Cryptography Standard #12)
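The Keystore Location, Keystore Password and Need Client Authentication fields above map directly onto the keytool arguments used in Creating a Server Certificate for the SAE and in Installing the Client Certificate on the SAE, and a mismatch normally surfaces only when the JUNOS router driver fails to open the store. The following Python script is an added example, not part of the SDX software: it reads a JKS file (the format keytool wrote in those steps), verifies the Keystore Password against the SHA-1 digest that Java appends to every JKS store, and checks that the entries the procedure should have produced are present: a key entry for the SAE alias whose certificate chain is longer than one (a chain of one certificate means the self-signed certificate from keytool -genkey is still there and the CA reply was never imported), and, when Need Client Authentication is Yes, a trusted-certificate entry for the router. The aliases sae and router and the password router are taken from the examples on this page; the build_jks fixture builder, its placeholder byte strings and the field defaults are assumptions made for the example. It checks the store password only, not the separate key password given to -keypass, and it does not read PKCS12 stores.

```python
"""Cross-check an SAE JKS keystore against the JUNOS Router Driver keystore
fields.  Added example, not SDX code.  JKS layout as written by Java's
JavaKeyStore: magic 0xFEEDFEED, version 2, entry count, entries, then a
20-byte SHA-1 over password(UTF-16BE) + "Mighty Aphrodite" + the preceding
bytes, so a wrong store password shows up as a digest mismatch."""
import hashlib
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
DIGEST_SALT = b"Mighty Aphrodite"          # literal used by JavaKeyStore
KEY_ENTRY, TRUSTED_CERT_ENTRY = 1, 2


def _keyed_sha1(password, body):
    """SHA-1 as Java computes it: password as UTF-16BE, then the salt, then the data."""
    return hashlib.sha1(password.encode("utf-16-be") + DIGEST_SALT + body).digest()


def _jutf(text):
    """DataOutputStream.writeUTF: 2-byte length + modified UTF-8 (plain UTF-8 for ASCII)."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_jks(password, entries, stamp_ms=0):
    """Write a JKS image from ("key", alias, protected_key, [cert_der, ...]) and
    ("cert", alias, cert_der) tuples.  Used here only to construct a fixture;
    real stores come from keytool, which encrypts the key blob itself."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for entry in entries:
        kind, alias = entry[0], entry[1]
        if kind == "key":
            body += struct.pack(">I", KEY_ENTRY) + _jutf(alias) + struct.pack(">Q", stamp_ms)
            body += struct.pack(">I", len(entry[2])) + entry[2] + struct.pack(">I", len(entry[3]))
            for der in entry[3]:
                body += _jutf("X.509") + struct.pack(">I", len(der)) + der
        else:
            body += struct.pack(">I", TRUSTED_CERT_ENTRY) + _jutf(alias) + struct.pack(">Q", stamp_ms)
            body += _jutf("X.509") + struct.pack(">I", len(entry[2])) + entry[2]
    return body + _keyed_sha1(password, body)


def load_jks(data, password):
    """Verify the store password via the trailing digest and return
    {alias: {"kind": "key" | "cert", "chain": n}}.  Raises ValueError otherwise."""
    if len(data) < 32:
        raise ValueError("too short to be a JKS file")
    body, stored = data[:-20], data[-20:]
    if _keyed_sha1(password, body) != stored:
        raise ValueError("keystore was tampered with, or password was incorrect")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated keystore")
        pos += n
        return body[pos - n:pos]

    def u32():
        return struct.unpack(">I", take(4))[0]

    def jutf():
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8")

    if (u32(), u32()) != (JKS_MAGIC, JKS_VERSION):
        raise ValueError("not a version-2 JKS store (Keystore Implementation set to PKCS12?)")
    entries = {}
    for _ in range(u32()):
        tag, alias = u32(), jutf()
        take(8)                                   # creation timestamp, not needed here
        if tag == KEY_ENTRY:
            take(u32())                           # encrypted private key blob, left opaque
            chain = u32()
            for _ in range(chain):
                jutf()                            # certificate type, "X.509"
                take(u32())                       # DER certificate bytes
            entries[alias] = {"kind": "key", "chain": chain}
        elif tag == TRUSTED_CERT_ENTRY:
            jutf()
            take(u32())
            entries[alias] = {"kind": "cert", "chain": 1}
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def check_sdx_keystore(data, keystore_password, need_client_auth,
                       server_alias="sae", client_alias="router"):
    """Return a list of mismatches between the store and the keystore fields;
    an empty list means the configured values fit the file."""
    try:
        entries = load_jks(data, keystore_password)
    except ValueError as err:
        return ["Keystore Password rejected: %s" % err]
    problems = []
    server = entries.get(server_alias)
    if server is None or server["kind"] != "key":
        problems.append("no key entry with alias %r (check keytool -alias)" % server_alias)
    elif server["chain"] < 2:
        problems.append("alias %r still carries only its self-signed certificate; "
                        "the CA reply has not been imported" % server_alias)
    if need_client_auth:
        client = entries.get(client_alias)
        if client is None or client["kind"] != "cert":
            problems.append("Need Client Authentication is Yes but there is no trusted "
                            "certificate entry %r for the router" % client_alias)
    return problems


if __name__ == "__main__":
    # Constructed fixture; placeholder bytes stand in for the encrypted key and DER certificates.
    store = build_jks("router", [("key", "sae", b"key", [b"sae-cert", b"ca-cert"]),
                                 ("cert", "router", b"router-ca-cert")])
    print(check_sdx_keystore(store, "router", need_client_auth=True))
    print(check_sdx_keystore(store, "wrong", need_client_auth=True))
```

To run it against a real store, pass the contents of the file named in Keystore Location and the value of Keystore Password to check_sdx_keystore; the same digest check is what Java performs when the router driver opens the store, so a "password was incorrect" result here is the same failure the SAE would report.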
Certificate Algorithm