The JUNOScript server communicates with client
applications within the context of a JUNOScript session. The server and client explicitly establish a connection and session
before exchanging data, and close the session and connection when
they are finished. The streams of JUNOScript and JUNOS XML tag elements
emitted by the JUNOScript server and a client application must each
constitute a well-formed XML document by obeying the structural rules
defined in the document type definition (DTD) for the kind of information
they are exchanging. The client application must emit tag elements
in the required order and only in the allowed contexts.
Client applications access the JUNOScript server
using one of the protocols listed in Supported Access Protocols. To authenticate with the JUNOScript server, they use either a JUNOScript-specific
mechanism or the protocol’s standard authentication mechanism,
depending on the protocol. After authentication, the JUNOScript server
uses the JUNOS login usernames and classes already configured on the
routing platform to determine whether a client application is authorized
to make each request.
For information about establishing a connection
and JUNOScript session, see the following sections:
To connect to the JUNOScript server, client applications
can use the access protocols and associated authentication mechanisms
listed in Table 5.
Table 5: Supported
Access Protocols and Authentication Mechanisms
Access Protocol
Authentication Mechanism
clear-text, a JUNOScript-specific protocol for sending unencrypted
text over a Transmission Control Protocol (TCP) connection
JUNOScript-specific
SSH
Standard SSH
Outbound SSH
Outbound SSH
Secure Sockets Layer (SSL)
JUNOScript-specific
Telnet
Standard Telnet
The SSH and SSL protocols are preferred because
they encrypt security information (such as passwords) before transmitting
it across the network. Outbound SSH allows you to create an encrypted
connection to the router in situations where you cannot connect to
the router using standard SSH. The clear-text and Telnet protocols
do not encrypt information.
To enable a client application to establish a connection
to the JUNOScript server, you must satisfy the requirements discussed
in the following sections:
A client application must be able to log in to
each routing platform on which it establishes a connection with the
JUNOScript server. The following instructions explain how to create
a JUNOS login account for the application; for detailed information,
see the chapter about configuring user access in the JUNOS
System Basics Configuration Guide. Alternatively, you can
skip this section and enable authentication through RADIUS or TACACS+;
for instructions, see the chapter about system authentication in the JUNOS System Basics Configuration Guide.
To determine whether a JUNOS login account exists,
enter CLI configuration mode on the routing platform and issue the
following commands:
[edit]
user@host# edit system login
[edit system login]
user@host# show user account-name
If the appropriate account does not exist, perform
the following steps:
Include the user statement at
the [edit system login] hierarchy level. Also include
the class statement to specify a JUNOS login class that has
the permissions required for all actions to be performed by the application.
Optionally, include the full-name and uid statements,
which are described in the chapter about configuring user access in
the JUNOS System Basics Configuration Guide.
[edit system login]
user@host# set user account-name class class-name
Create a text-based password for the account by including
either the plain-text-password or encrypted-password statement at the [edit system login user account-name authentication] hierarchy level.
[edit system login]
user@host# edit user account-name authentication
Note:
A text-based password is not strictly necessary
if the account is used to access the JUNOScript server through SSH with public/private key pairs for authentication,
but we recommend that you create one anyway. The key pair alone is
sufficient if the account is used only for SSH access, but a password
is required if the account is also used for any other type of access
(for login on the console, for example). The password is also used—the
SSH server prompts for it—if key-based authentication is configured
but fails. For information about creating a public/private key pair,
see Prerequisites for SSH Connections.
To enter a password as text, issue the following
command. You are prompted for the password, which is encrypted before
being stored.
[edit system login user account-name authentication]
user@host# set plain-text-password
New password: password
Retype new password: password
To store a password that you have previously created
and hashed using Message Digest 5 (MD5) or Secure Hash Algorithm 1
(SHA-1), issue the following command:
[edit system login user account-name authentication]
user@host# set encrypted-password "password"
Issue the commit command.
[edit system login user account-name authentication]
user@host# top
[edit]
user@host# commit
Repeat the preceding steps on each routing platform where
the client application establishes JUNOScript sessions.
Enable the client application to access
the password and provide it when the JUNOScript server prompts for
it. There are several possible methods, including the following:
Code the application to prompt the user for a password
at startup and to store the password temporarily in a secure manner.
Store the password in encrypted form in a secure local-disk
location or secured database and code the application to access it.
Prerequisites for Clear-Text Connections
A client application that uses the JUNOScript-specific
clear-text protocol sends unencrypted text directly over a TCP connection
without using any additional protocol (such as SSH, SSL, or Telnet).
Routers running the JUNOS-FIPS software do not
accept JUNOScript clear-text connections. We recommend that you do
not use the clear-text protocol in a Common Criteria environment.
For more information, see the Secure Configuration Guide
for Common Criteria and JUNOS-FIPS.
To enable client applications to use the clear-text
protocol to connect to the JUNOScript server, perform the following steps:
Verify that the application can access
the TCP software. On most operating systems, TCP is accessible in
the standard distribution.
Configure the JUNOScript server to accept clear-text connections
from JUNOScript client applications on port 3221 by including the xnm-clear-text statement at the [edit system services] hierarchy level:
[edit]
user@host# set system services xnm-clear-text
By default, the JUNOScript server supports up to 75
simultaneous clear-text sessions and 150 connection attempts per minute.
Optionally, you can include either or both the connection-limit statement to limit the number of concurrent sessions and the rate-limit statement to limit connection attempts. Both statements
accept a value from 1 through 250.
[edit]
user@host# set system services xnm-clear-text
connection-limit limit
user@host# set system services xnm-clear-text
rate-limit limit
For more information about the xnm-clear-text statement, see the JUNOS System Basics Configuration Guide.
Commit the configuration:
[edit]
user@host# commit
Repeat Step on each
computer where the application runs, and Step through Step on each routing
platform to which the application connects.
Prerequisites for SSH Connections
To enable a client application to use the SSH protocol
to connect to the JUNOScript server, perform the following steps:
Enable the application to access the
SSH software.
If the application uses the JUNOScript Perl module
provided by Juniper Networks, no action is necessary. As part of the
installation procedure for the Perl module, you install a prerequisites
package that includes the necessary SSH software. For instructions,
see Downloading the JUNOScript
Perl Client and Prerequisites Package.
If the application does not use the JUNOScript
Perl module, obtain the SSH software and install it on the computer
where the application runs. For information about obtaining and installing
SSH software, see http://www.ssh.com/ and http://www.openssh.com/ .
(Optional) If you want to use key-based SSH authentication
for the application, create a public/private key pair and associate
it with the JUNOS Software login account you created in Prerequisites
for All Access Protocols. Perform the following steps:
Working on the computer where the client application runs,
issue the ssh-keygen command in a standard command shell
(not the JUNOS CLI). By providing the appropriate arguments, you encode
the public key with either RSA (supported by SSH versions 1 and 2)
or the Digital Signature Algorithm (DSA), supported by SSH version
2. For more information, see the man page provided by your SSH vendor
for the ssh-keygen command. The JUNOS Software uses SSH version
2 by default but also supports version 1.
% ssh-keygen options
Enable the application to access the public and private
keys. One method is to run the ssh-agent program on the computer
where the application runs.
Working in configuration mode on the routing platform
that needs to accept SSH connections from JUNOScript client applications,
associate the public key with the JUNOS login account by including
the load-key-file statement at the [edit system login
user account-name authentication] hierarchy level. First, move to that hierarchy level:
[edit]
user@host# edit system login user account-name authentication
Issue the following command to copy the contents
of the specified file onto the routing platform:
[edit system login user account-name authentication]
user@host# set load-key-file URL
URL is the path to the
file that contains one or more public keys. The ssh-keygen command by default stores each public key in a file in the .ssh subdirectory of the user home directory; the filename depends on
the encoding (DSA or RSA) and SSH version. For information about specifying
URLs, see the JUNOS CLI User Guide.
Alternatively, you can include one or both of the ssh-dsa and ssh-rsa statements at the [edit system
login user account-name authentication] hierarchy
level. We recommend using the load-key-file statement, however,
because it eliminates the need to type or cut and paste the public
key on the command line. For more information about the ssh-dsa and ssh-rsa statements, see the JUNOS System
Basics Configuration Guide.
Configure the routing platform to accept SSH connections
by including the ssh statement at the [edit system services] hierarchy level. This statement enables SSH access for all users
and applications, not just JUNOScript client applications.
[edit system login user account-name authentication]
user@host# top
[edit]
user@host# set system services ssh
Commit the configuration:
[edit]
user@host# commit
Repeat Step on each
computer where the application runs, and Step through Step on each routing
platform to which the application connects.
Prerequisites for Outbound SSH
Connections
The outbound SSH feature allows the initiation
of an SSH session between routers running JUNOS Software and Network
and System Management servers where client-initiated TCP/IP connections
are blocked (for example, when the router is behind a
firewall). To configure outbound SSH, you add an outbound-ssh configuration statement to the router. Once configured and committed,
the router will begin to initiate outbound SSH sessions with the configured
management clients. Once the outbound SSH session is initialized and
the connection is established, the Network and System Management server
initiates the SSH sequence as the client and the router running JUNOS
Software, acting as the server, authenticates the client.
Setting up outbound SSH involves:
Configuring the router running JUNOS Software for outbound
SSH
Configuring the management server for outbound SSH.
In the [edit system services ssh] hierarchy level,
set the SSH protocol to v2:
[edit system services ssh] set protocol-version v2
Generate/obtain a public/private key pair for the router
running JUNOS Software. This key pair will be used to encrypt the
data transferred across the SSH connection. For more information on
generating key pairs, see the System Basics Configuration Guide.
If the public key will be installed on the application
management system manually, transfer the public key to the NSM server.
Add the following outbound-ssh statement at the [edit system services] hierarchy level:
application-id—(Required) Identifies the outbound-ssh configuration stanza on the router. Each outbound-ssh stanza represents a single outbound SSH connection. This attribute
is not sent to the client.
device-id—(Required) Identifies the router
to the client during the initiation sequence.
secret—(Optional) The router's public SSH
host key. If this statement is added to the outbound-ssh configuration
hierarchy, the router will pass its public key to the management server
during the initialization of the outbound SSH service. This is the
recommended method of maintaining a current copy of the router's public
key.
keep-alive—(Optional) When configured,
the router sends keepalive messages to the management server. To configure
the keepalive message, you must set both the timeout and retry attributes.
retry—The number of keepalive messages
the router sends without receiving a response from the client before
the current SSH connection is disconnected. The default is three messages.
timeout—The amount of time, in seconds,
that the router waits for data before sending a keepalive signal.
The default is 15 seconds.
reconnect-strategy—(Optional) Specifies
the method that the router uses to reestablish a disconnected outbound
SSH connection.. The two methods available are sticky and in-order:
sticky—Specifies that the router attempt
to reconnect to the management server to which it was last connected.
If the connection is unavailable, the router attempts to establish
a connection with the next client on the list, and so on down the
list until a connection is established.
in-order—Specifies that the router attempt
to establish an outbound SSH session based on the management server
address list. The router attempts to establish a session with the
first server on the list. If this connection is not available, the
router attempts to establish a session with the next server, and so
on down the list until a connection is established.
When reconnecting to a client, the router attempts to
reconnect to the client based on the retry and timeout values for each of the clients listed.
services—(Required) Specifies the services
available for the session. Currently, NETCONF is the only service
available.
address—(Required) The host name or the
IPv4 address of the NSM application server. You can list multiple
clients by adding each client's IP address or host name along with
the connection parameters listed below.
port—The port that the client uses for
the outbound SSH connection. The default port is 22.
retry—The number of times the router attempts
to establish an outbound SSH connection before giving up. The default
is three.
timeout—The amount of time, in seconds,
that the router attempts to establish an outbound SSH connection before
giving up. The default is 15 seconds.
Commit the configuration:
[edit]
user@host# commit
To set up the Network and Systems Management Server:
Enable the application to access the SSH software.
If the application uses the JUNOScript Perl
module provided by Juniper Networks, no action is necessary. As part
of the installation procedure for the Perl module, you install a prerequisites
package that includes the necessary SSH software. For instructions,
see Downloading the JUNOScript
Perl Client and Prerequisites Package.
If the application does not use the JUNOScript
Perl module, obtain the SSH software and install it on the computer
where the application runs. For information about obtaining and installing
SSH software, see http://www.ssh.com/ and http://www.openssh.com/ .
(Optional) Manually install the router's public key for
use with the SSH connection.
Configure the client system to receive an process initialization
broadcast requests. The intialization requests use the following syntax:
If the secret attribute is configured, the router running
JUNOS Software will send its public SSH key along with the intialization
sequence (recommended method). When the key has been received, the
client needs to determine what to do with the router’s public
key. Juniper recommends that you replace any current public SSH key
for the router with the new key. This ensures that the client always
has the current key available for authentication.
If the secret attribute is not configured, the router
does not send its public SSH key along with the initialization sequence.
You need to manually install the current public SSH key for the router.
To enable a client application to use the SSL protocol to connect
to the JUNOScript server, perform the following steps:
Enable the application to access the
SSL software.
If the application uses the JUNOScript Perl module
provided by Juniper Networks, no action is necessary. As part of the
installation procedure for the Perl module, you install a prerequisites
package that includes the necessary SSL software. For instructions,
see Downloading the JUNOScript
Perl Client and Prerequisites Package.
If the application does not use the JUNOScript Perl module,
obtain the SSL software and install it on the computer where the application
runs. For information about obtaining and installing the SSL software,
see http://www.openssl.org/ .
Use one of the following two methods
to obtain an authentication certificate in privacy-enhanced mail (PEM)
format:
Request a certificate from a certificate authority; these
agencies usually charge a fee.
Working on the computer where the client application runs,
issue the following openssl command in a standard command
shell (not the JUNOS CLI). The command generates a self-signed certificate
and an unencrypted 1024-bit RSA private key, and writes them to the
file called certificate-file.pem in
the working directory. The command appears here on two lines only
for legibility:
Import the certificate onto the routing
platform by including the local statement at the [edit
security certificates] hierarchy level and the load-key-file statement at the [edit security certificates local certificate-name] hierarchy level.
[edit]
user@host# edit security certificates local certificate-name
[edit security certificates local certificate-name]
user@host# set load-key-file URL-or-path
certificate-name is
a name you choose to identify the certificate uniquely (for example, junoscript-ssl-client-hostname, where hostname is the computer where the client
application runs).
URL-or-path specifies the file
that contains the paired certificate and private key (if you issued
the openssl command in Step , the certificate-name.pem file). Specify
either the URL to its location on the client computer or a pathname
on the local disk (if you have already used another method to copy
the certificate file to the router’s local disk). For more information
about specifying URLs and pathnames, see the JUNOS CLI User
Guide.
Note:
The CLI expects the private key in the URL-or-path file to be unencrypted. If the key is encrypted, the CLI prompts
you for the passphrase associated with it, decrypts it, and stores
the unencrypted version.
The set-load-key-file URL-or-path command copies the contents of the certificate file into the configuration.
When you view the configuration, the CLI displays the string of characters
that constitute the private key and certificate, marking them as SECRET-DATA. The load-key-file keyword is not recorded
in the configuration.
Configure the JUNOScript server to accept SSL connections
from JUNOScript client applications on port 3220 by including the xnm-ssl statement at the [edit system services] hierarchy level.
[edit security certificates local certificate-name]
user@host# top
[edit]
user@host# set system services xnm-ssl local-certificate certificate-name
certificate-name is
the unique name you assigned to the certificate in Step .
By default, the JUNOScript server supports up to 75 simultaneous
SSL sessions and 150 connection attempts per minute. Optionally, you
can include either or both the connection-limit statement
to limit the number of concurrent sessions and the rate-limit statement to limit connection attempts. Both statements accept a
value from 1 through 250.
[edit]
user@host# set system services xnm-ssl connection-limit limit
user@host# set system services xnm-ssl rate-limit limit
For more information about the xnm-ssl statement,
see the JUNOS System Basics Configuration Guide.
Commit the configuration:
[edit]
user@host# commit
Repeat Step on each
computer where the application runs, and Step through Step on each
routing platform to which the application connects.
Prerequisites for Telnet Connections
To enable a client application to use the Telnet protocol to
access the JUNOScript server, perform the steps described in this
section.
Routers running the JUNOS-FIPS software do not accept Telnet
connections. We recommend that you do not use the Telnet protocol
in a Common Criteria environment. For more information, see the Secure Configuration Guide for Common Criteria and JUNOS-FIPS.
Verify that the application can access
the Telnet software. On most operating systems, Telnet is accessible
in the standard distribution.
Configure the routing platform to accept
Telnet connections by including the telnet statement at the [edit system services] hierarchy level. This statement enables Telnet
access for all users and applications, not just JUNOScript client applications.
[edit]
user@host# set system services telnet
Repeat Step on each
computer where the application runs, and Step and Step on each routing
platform to which the application connects.
Connecting to the JUNOScript Server
For a client application to connect to the JUNOScript server
and open a session, you must first satisfy the prerequisites described
in Prerequisites for Establishing a Connection.
When the prerequisites are satisfied, an application written
in Perl can most efficiently establish a connection and open a session
by using the JUNOScript Perl module provided by Juniper Networks.
For more information, see Writing Perl Client Applications.
A client application that does not use the JUNOScript Perl module
connects to the JUNOScript server by opening a socket or other communications
channel to the JUNOScript server machine (routing platform), invoking
one of the remote-connection routines appropriate for the programming
language and access protocol that the application uses.
What the client application does next depends on which access
protocol it is using:
If using the clear-text or SSL protocol, the client application
does the following:
If using the SSH or Telnet protocol, the client application
does the following:
Uses the protocol’s built-in authentication mechanism
to authenticate.
Issues the junoscript command to request that
the JUNOScript server convert the connection into a JUNOScript session.
For a C programming language example, see Writing C Client Applications.
The JUNOScript XML API and JUNOS XML API are primarily intended
for use by client applications; however, for testing you can establish
an interactive JUNOScript session and type commands in a shell window.
To connect to the JUNOScript server from CLI operational mode, issue
the junoscript interactive command (the interactive option causes the JUNOScript server to echo what you type):
user@host> junoscript interactive
To begin a JUNOScript session over the connection,
emit the initialization PI and tag that are described in Emitting the
Initialization PI and Tag. You can then type sequences of tag elements
that represent operational and configuration operations, which are
described in Requesting Information, Changing Configuration Information, and Committing a Configuration. To eliminate typing
errors, save complete tag element sequences in a file and use a cut-and-paste
utility to copy the sequences to the shell window.
Note:
When you close the connection to the JUNOScript server (for
example, by emitting the <request-end-session/> and </junoscript> tags), the routing platform completely closes
your connection instead of returning you to the CLI operational mode
prompt. For more information about ending a JUNOScript session, see Ending a JUNOScript Session and Closing the Connection.
Starting the JUNOScript Session
Each JUNOScript session begins with a handshake
in which the JUNOScript server and the client application specify
the versions of XML and the JUNOScript API they are using. Each party
parses the version information emitted by the other, using it to determine
whether they can communicate successfully. The following sections
describe how to start a JUNOScript session:
When the JUNOScript session begins, the client
application emits an <?xml?> PI and an opening <junoscript> tag, as described in the following sections:
The client application begins by emitting an <?xml?> PI.
Note:
In the following example (and in all examples in
this document of tag elements emitted by a client application), bold
font is used to highlight the part of the tag sequence that is discussed
in the text.
<?xml version="version" encoding="encoding"?>
The attributes are as follows. For a list of the
attribute values that are acceptable in the current version of the
JUNOScript API, see Supported Software Versions.
version—The version of XML with which tag
elements emitted by the client application comply
encoding—The standardized character set
that the client application uses and can understand
In the following example of a client application’s <?xml?> PI, the version="1.0" attribute indicates
that the application is emitting tag elements that comply with the
XML 1.0 specification. The encoding="us-ascii" attribute
indicates that the client application is using the 7-bit ASCII character
set standardized by the American National Standards Institute (ANSI).
For more information about ANSI standards, see http://www.ansi.org/ .
<?xml version="1.0" encoding="us-ascii"?>
Note:
If the application fails to emit the <?xml?> PI before emitting the opening <junoscript> tag, the
JUNOScript server emits an error message and immediately closes the
session and connection. For more information, see Emitting
the Opening <junoscript> Tag.
Emitting
the Opening <junoscript> Tag
The client application then emits its opening <junoscript> tag, which has the following syntax (and appears
here on two lines only for legibility):
The attributes are as follows. For a list of the
attribute values that are acceptable in the current version of the
JUNOScript API, see Supported Software Versions.
version—(Required) Specifies the version
of the JUNOScript API that the client application is using.
hostname—(Optional) Names the machine on
which the client application is running. The information is used only
when diagnosing problems. The JUNOScript API does not include support
for establishing trusted-host relationships or otherwise altering
JUNOScript server behavior depending on the client hostname.
junos:key—(Optional) Requests that the
JUNOScript server indicate whether a child configuration element is
an identifier for its parent element. The only acceptable value is key. For more information, see Requesting an Indicator for Identifiers.
release—(Optional) Identifies the JUNOS
Software release (and by implication, the JUNOS XML API) for which
the client application is designed. The value of this attribute indicates
that the client application can interoperate successfully with a JUNOScript
server that also supports that version of the JUNOS XML API. In other
words, it indicates that the client application emits request tag
elements from that API and knows how to parse response tag elements
from it. If the application does not include this attribute, the JUNOScript
server emits tag elements from the JUNOS XML API that it supports.
For more information, see Verifying Software Compatibility.
For the value of the release attribute,
use the standard notation for JUNOS Software version numbers. For
example, the value 10.0R1 represents the initial version
of JUNOS Release 10.0.
In the following example of a client application’s
opening <junoscript> tag, the version="1.0" attribute
indicates that it is using JUNOScript version 1.0. The hostname="client1" attribute indicates that the client application is running on the
machine called client1. The release="10.0R1" attribute indicates that the routing platform is running the initial
version of JUNOS Release 10.0.
Note:
If the application fails to emit the <?xml?> PI before emitting the opening <junoscript> tag, the
JUNOScript server emits an error message similar to the following
and immediately closes the session and connection:
<rpc-reply> <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" \
xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
<message> communication error while exchanging credentials
</message> </xnm:error>
</rpc-reply> <!- - session end at YYYY-MM-DD hh:mm:ss TZ - -> </junoscript>
The attributes are as follows. For a list of the
attribute values that are acceptable in the current version of the
JUNOScript API, see Supported Software Versions.
version—The version of XML with which tag
elements emitted by the JUNOScript server comply
encoding—The standardized character set
that the JUNOScript server uses and can understand
In the following example of a JUNOScript server’s <?xml?> PI, the version="1.0" attribute indicates
that the server is emitting tag elements that comply with the XML
1.0 specification. The encoding="us-ascii" attribute indicates
that the server is using the 7-bit ASCII character set standardized
by ANSI. For more information about ANSI standards, see http://www.ansi.org/ .
<?xml version="1.0" encoding="us-ascii"?>
Parsing the JUNOScriptServer’s Opening <junoscript>
Tag
The server then emits its opening <junoscript> tag, which has the following form (the tag appears on multiple lines
only for legibility):
hostname—The name of the routing platform
on which the JUNOScript server is running.
os—The operating system of the routing
platform on which the JUNOScript server is running. The value is always JUNOS.
release—The identifier for the version
of the JUNOS Software from which the JUNOScript server is derived
and that it is designed to understand. It is presumably in use on
the routing platform where the JUNOScript server is running. The value
of the release attribute uses the standard notation for Juniper
Networks software version numbers. For example, the value 10.0R1 represents the initial version of JUNOS Release 10.0.
schemaLocation—The XML namespace for the
XML Schema-language representation of the JUNOS configuration hierarchy.
version—The version of the JUNOScript API
that the JUNOScript server is using.
xmlns—The XML namespace for the tag elements
enclosed by the <junoscript> tag element that do not have
a prefix on their names (that is, the default namespace for JUNOS
XML tag elements). The value is a URL of the form http://xml.juniper.net/xnm/version/xnm, where version is a string such as 1.1.
xmlns:junos—The XML namespace for the tag
elements enclosed by the <junoscript> tag element that
have the junos: prefix on their names. The value is a URL
of the form http://xml.juniper.net/junos/release-code/junos, where release-code is
the standard string that represents a release of the JUNOS Software.
For example, the value 10.0R1 represents the initial
version of JUNOS Release 10.0.
In the following example of a JUNOScript server’s
opening <junoscript> tag, the version attribute
indicates that the server is using JUNOScript version 1.0, and the hostname attribute indicates that the routing platform’s
name is big-router. The os and release attributes
indicate that the routing platform is running the initial version
of JUNOS Release 10.0. The xmlns and xmlns:xnm attributes indicate that the default namespace for JUNOS XML tag
elements and the namespace for tag elements that have the xnm: prefix is http://xml.juniper.net/xnm/1.1/xnm . The xmlns:junos attribute indicates that the namespace for tag elements
that have the junos: prefix is http://xml.juniper.net/junos/10.0R1/junos . The tag appears on multiple lines only for legibility.
Exchanging <?xml?> and <junoscript> tag elements enables a client application and the JUNOScript server
to determine if they are running different versions of the software
used during a JUNOScript session. Different versions are sometimes
incompatible, and by JUNOScript convention the party running the later
version of software determines how to handle any incompatibility.
For fully automated performance, include code in the client application
that determines if its version of software is later than that of the
JUNOScript server. Decide which of the following options is appropriate
when the application’s version is more recent, and implement
the corresponding response:
Ignore the version difference, and do not alter standard
behavior to accommodate the JUNOScript server’s version. A version
difference does not always imply incompatibility, so this is often
a valid response.
Alter standard behavior to provide backward compatibility
to the JUNOScript server. If the client application is running a later
version of the JUNOS Software, for example, it can choose to emit
only tag elements that represent the software features available in
the JUNOScript server’s version of the JUNOS Software.
End the JUNOScript session and terminate the connection.
This is appropriate if you decide that accommodating the JUNOScript
server’s version of software is not practical. For instructions,
see Ending a JUNOScript Session and Closing the Connection.
Supported Software Versions
Table 6 lists
the versions of software supported by version 1.0 of the JUNOScript
API and specifies the PI or opening tag and attribute used to convey
version information during JUNOScript session initialization.
A client application that uses the clear-text or
SSL protocol must now authenticate with the JUNOScript server. (Applications
that use the SSH or Telnet protocol use the protocol’s built-in
authentication mechanism before emitting initialization tag elements,
as described in Connecting to the JUNOScript Server.)
The client application begins the authentication
process by emitting the <request-login> tag element within
an <rpc> tag element. In the <request-login> tag element, it encloses the <username> tag element
to specify the JUNOS account (username) under which to establish the
connection. The account must already be configured on the JUNOScript
server machine, as described in Prerequisites
for All Access Protocols.
You can choose whether or not the application provides the account
password as part of the initial tag sequence.
Providing the Password with the Username
To provide the password along with the username,
the application emits the following tag sequence:
This tag sequence is appropriate if the application
automates access to routing platform information and does not interact
with users, or obtains the password from a user before beginning the
authentication process.
Providing Only the Username
To omit the password and specify only the username,
the application emits the following tag sequence:
This tag sequence is appropriate if the application
does not obtain the password until the authentication process has
already begun. In this case, the JUNOScript server returns the <challenge> tag element within an <rpc-reply> tag element to request the password associated with the username.
The tag element encloses the Password: string, which the
client application can forward to the screen as a prompt for a user.
The echo="no" attribute in the opening <challenge> tag specifies that the password string typed by the user does not
echo on the screen. The tag sequence is as follows:
After it receives the username and password, the
JUNOScript server emits the <authentication-response> tag
element to indicate whether the authentication attempt is successful.
Server Response When Authentication
Succeeds
If the password is correct, the authentication
attempt succeeds and the JUNOScript server emits the following tag
sequence:
The <message> tag element contains
the JUNOS username under which the connection is established.
The <login-name> tag element contains
the username that the client application provided to an authentication
utility such as RADIUS or TACACS+. This tag element appears only if
the username differs from the username contained in the <message> tag element.
If the password is not correct or the <request-login> tag element is otherwise malformed, the authentication attempt fails
and the JUNOScript server emits the following tag sequence:
The error-message string in the <message> tag element explains why the
authentication attempt failed. The JUNOScript server emits the <challenge> tag element up to two more times before rejecting
the authentication attempt and closing the connection.
