Preparing CSO Identity Management
Preparing CSO Identity Management is supported in Juniper Identity Management Service Release 1.1 and later.
To prepare Contrail Service Orchestration (CSO) to work with Juniper Identity Management Service, perform the following tasks from the CSO Customer Portal.
This procedure assumes that you have previously downloaded and installed Juniper Identity Management Service from the Identity Management page of CSO. If you have not yet performed installation, see Installing Juniper Identity Management Service.
Configuring JIMS-to-CSO Authentication Credentials
Configuring authentication credentials allows Juniper Identity Management Service to connect automatically to CSO to make requests for authentication information to synchronize individual users and user group updates. These are the credentials that the HTTPS server on CSO uses to authenticate incoming connections from the JIMS server.
To configure user authentication credentials for a JIMS-to-CSO configuration:
- Using a Web browser, access the URL for the CSO Customer
We recommend that you use Google Chrome Version 60 or later to access the CSO Customer Portal.
- Select Administration > Identity Management to access the Identity Management page from the CSO Customer Portal.
- Click JIMS-to–CSO Configuration to access that section of the Identity Management page. The username ID is randomly generated. You cannot change it. You will, however, need to specify a password.
- In the Password field, enter the password associated with
the new user that has the automatically generated user ID. The password
must contain one number, one uppercase letter, and one special character.
Once you specify a password and save it, you can modify the password by clicking Change Password.
- Click Save to save the authentication credentials.
Configuring SRX-to-JIMS Settings
Configuring the SRX Series device to JIMS connection and authentication credentials allows the JIMS server to send IP address, username, and group relationship information to SRX Series devices used as a CPE device in a distributed deployment. You can also configure a set of optional advanced settings for authentication timeout, and IP address and domain filters.
Before you begin, you need the following information:
The IP address of the JIMS server.
The imported Certificate Authority (CA) certificate.
The client ID to obtain an OAuth token from the JIMS server for user queries.
The client secret to obtain an OAuth token from the JIMS server for user queries.
To configure the SRX-to-JIMS configuration:
- Click SRX-to-JIMS Configuration to access that section of the Identity Management page.
- In the Identity Servers section of SRX-to-JIMS Configuration, under Primary Server, enter the IP address of the primary JIMS server. CSO uses this IP address to contact the JIMS server.
- Select the server CA certificate that the JIMS server
is to use to authenticate with the SRX Series devices and ensure a
secure data transfer. You specify one server certificate to authenticate
communication with each SRX Series device in your network.
Certificates in CSO are populated from CSO > Administration > Certificates > Import Certificate.
If you are using a secondary JIMS server, under Secondary Server repeat steps 2 and 3 for the secondary JIMS server.
- In the Client Credentials section of SRX-to-JIMS
Configuration, enter the client ID and client secret that CSO
requires to obtain an OAuth access token required for user queries.
The client ID and client secret are required values. They must match the client ID and client secret that you configure later for this CSO platform from Juniper Identity Management Service.
- In the Advanced Settings section of SRX-to-JIMS Configuration, if required, you can configure settings for authentication timeout
and IP address and domain filters.
- In the Authentication Entry Timeout text field, configure the timeout interval in minutes after which idle entries in the authentication table on CSO expire. The timeout interval begins from when the user authentication entry is added to the authentication table. This value can be between 10 and 1440 minutes, where a value of 0 means no timeout. The default value is 1440 minutes.
- In the Filter section of Advanced Settings, you have a series of selections to define filtering. You can include or exclude a specific IP address. You also have the option to filter by domain.
- When completed, click Save to save the identity management configuration settings for CSO.