Changing from Router Context to Secure Context

To change a Services Router running JUNOS software from a router to a secure router, use the load factory-default configuration command to load the factory configuration. The factory configuration contains the default secure context configuration values. After changing to secure context, you can customize the configuration to suit your network.

Router-to-Secure Context Task Overview

To change from router context to secure context, you perform the following tasks:

Caution: If you do not assign an IP address for the ge-0/0/0 interface, create a local user account, and enter routing information, either from CLI configuration or using DHCP, before you commit the changes, the router is no longer remotely accessible. To manage the router, you must connect a PC or laptop to the physical console, or attach the PC or laptop to a subnet that is directly connected to the ge-0/0/0 interface, which is assigned an IP address of 192.168.2.1.

Any configuration changes that you made before you issued the load override command are no longer part of the current running configuration.

Alternatively, to return the Services Router to the factory default (secure context) configuration, you can press the RESET CONFIG button. Keep in mind that pressing the RESET CONFIG button for 15 seconds or more deletes all configuration files on the Services Router, including backup configuration and rescue configuration files. The factory configuration is loaded and committed. Using the load factory-default command does not delete all configuration files. For more information about the RESET CONFIG button, see the Junos OS Administration Guide for Security Devices.

To change the router from running in router context to secure context:

  1. From configuration mode in the CLI, back up your current configuration file. For example, the following command saves a copy of the configuration to a file named config_backup in the home directory of the account you used to log in:
    user@host# save config_backup
    Wrote 127 lines of configuration to 'config_backup'
  2. In configuration mode, enter the load factory-default command.
    user@host# load factory-default
    warning: activating factory configuration
    [edit]
    user@host#
  3. Assign a root password for the router:
    user@host# set system root-authentication plain-text-password
    New password:
    Retype new password:
    [edit]
    user@host#

    The password does not appear as you type.

  4. Do one of the following:
    • If you have a static IP assigned to the ge-0/0/0 interface and do not want to run autoinstallation, go to Step 5.
    • If you want to run autoinstallation, go to Step 8. For more information about autoinstallation, see Configuring Autoinstallation.
  5. If you have an IP address assigned to the ge-0/0/0 interface, follow these steps:
    1. Delete the [system autoinstallation] hierarchy:
      user@host# delete system autoinstallation
    2. Configure the specific IP address for the ge-0/0/0 interface:
      user@host# set interfaces ge-0/0/0 unit logical-unit-number family inet address IP-address

      Replace the variables as follows:

      • logical-unit-number—Number of the logical unit. Use a value from 0 through 16,384.
      • IP-address—IP address for the ge-0/0/0 interface.
  6. If you do not have console access, create a local user account. For example, the following command creates a local user account with a password that is entered as plain text in the CLI and is encrypted by JUNOS software.
    user@host# set system login user username class class-name authentication plain-text-password
    New password: type password here
    Retype new password: retype password here

    Replace the variables as follows:

    • username—Unique name of up to 64 characters that identifies the user. For details, see User Accounts.
    • class-name—Login class that defines user access and command privileges. You can define a login class or use the predefined classes. For details, see Login Classes.
  7. Using your backup configuration file as a reference, configure routing as appropriate for your network.
  8. Commit the configuration using one of the following methods:
    • Use the commit command to commit the configuration immediately.
      user@host# commit
      commit complete
      [edit]
      user@host#
    • If you do not have console access, use the commit confirmed command, which, by default, activates the configuration for 10 minutes. This command allows you to verify if the configuration is working correctly. You must confirm the commit by entering commit or commit-check within 10 minutes; otherwise, the router loads the previous configuration.
      user@host# commit confirmed
      commit confirmed will be automatically rolled back in 10 minutes unless confirmed
      commit complete
      # commit confirmed will be rolled back in 10 minutes
      [edit]
      user@host#

      The configuration is now committed, and its configuration values comprise the running configuration.

  9. Use the following methods to access the router, depending on the steps you performed:
    • If you performed Steps 1 through 8, the configuration mode prompt returns in the SSH session you used to change contexts. Use the CLI or J-Web interface to continue configuring the router. If you cannot remotely access the router with the session that you were using, connect to the console remotely or directly to the physical console port.
    • If you performed Steps 1 through 3 and Step 8, and autoinstallation successfully assigned an IP address, you can connect to the router using SSH or the J-Web interface. If you cannot access the router remotely, connect a PC or laptop to the physical console port.

      For information about autoinstallation, see Configuring Autoinstallation. For information about connecting to the CLI locally or remotely, see the J Series Services Routers Hardware Guide.
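
The prerequisites named in the caution and in Steps 3 through 7 can be checked before the commit in Step 8. The following Python script is an added example, not Juniper code: it reads the candidate configuration in set format (as printed by show | display set in configuration mode) and lists the prerequisites that are still unmet. The sample configuration, its addresses, user name and password placeholders, and the precommit_findings function are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: candidate configuration in "set" format after steps 3-7.
# Addresses, user name and password hashes are placeholders, not real values.
CANDIDATE = """\
set system root-authentication encrypted-password "constructed-placeholder"
set system login user netops class super-user
set system login user netops authentication encrypted-password "constructed-placeholder"
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.10/24
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
"""

ADDR_RE = re.compile(r"^set interfaces ge-0/0/0 unit (\d+) family inet address (\S+)$")
USER_RE = re.compile(r"^set system login user (\S+) .*\bauthentication ")


def precommit_findings(candidate: str) -> list[str]:
    """List the prerequisites from the caution and steps 3-7 that are unmet."""
    lines = [ln.strip() for ln in candidate.splitlines() if ln.strip()]
    autoinstall = any(ln.startswith("set system autoinstallation") for ln in lines)
    findings = []
    if not any(ln.startswith("set system root-authentication ") for ln in lines):
        findings.append("step 3: no root password")
    static_addr = False
    for unit, addr in (m.groups() for m in map(ADDR_RE.match, lines) if m):
        try:
            ipaddress.ip_interface(addr)  # rejects an unreplaced "IP-address" variable
        except ValueError:
            findings.append(f"step 5: invalid ge-0/0/0 address {addr}")
            continue
        if int(unit) > 16384:  # range given on the page: 0 through 16,384
            findings.append(f"step 5: logical unit {unit} out of range")
            continue
        static_addr = True
    if static_addr and autoinstall:
        findings.append("step 5: static address set but autoinstallation not deleted")
    if not static_addr and not autoinstall:
        findings.append("step 5: ge-0/0/0 has no address and autoinstallation is off")
    users = [m.group(1) for m in map(USER_RE.match, lines) if m]
    if not any(len(u) <= 64 for u in users):  # name limit given on the page
        findings.append("step 6: no local user account with authentication")
    routed = any(ln.startswith(("set routing-options ", "set protocols ")) for ln in lines)
    if not routed and not autoinstall:  # DHCP may supply routing otherwise
        findings.append("step 7: no routing information")
    return findings
```

An empty list means none of the lockout conditions from the caution were found; any other result should be resolved before Step 8, or the commit made with commit confirmed.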