Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

primary connection (Identity Management Advanced Query)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 15.1X49-D100.

IPv6 address support introduced in Junos OS Release 18.3R1.

Description

Configure parameters that the SRX Series device uses to connect to the Juniper Identity Management Service (JIMS) primary server and authenticate to it to obtain an access token. JIMS requires that the SRX Series device use OAuth2 to authenticate to it before the SRX Series device is allowed to query the JIMS server for user identity information. The SRX Series device must provide the JIMS server with credentials, including a client ID and a client secret. If the client is authenticated–-in this case the SRX Series device—it is granted an access token. (See RFC 6749.) Both the client ID and the client secret must be consistent with the API client configured on the JIMS primary server.

In addition to configuring the client ID and the client secret, you configure the filename of the JIMS’s ca-certificate. The certificate enables the SRX Series device to verify the identity of JIMS and that it is trusted for the SSL connection.

If the deployment configuration consists of more than one JIMS server, a primary and secondary relationship is established. The SRX Series device always attempts to connect to the primary server. When one or more queries to the primary server fails, the system falls back to the secondary server.

Warning

Before you use this feature, you must disable any other actively used options under the [edit services user-identification] hierarchy. You cannot commit this configuration if active directory authentication and the ClearPass query and webapi functions are configured and committed.

Options

addressIP address of the primary server.
ca-certificateFilename of the JIMS primary server’s ca-certificate. Before you configure the ca-certificate filename, the administrator of the JIMS server must export the certificate to the SRX Series device. The administrator must configure the complete path and filename of the certificate on the SRX Series device, for example, ‘/var/db/RADIUSServerCertificate.crt’. If the ca-certificate is not configured, the SRX Series device cannot verify the certificate.
Note

The SRX Series device supports a self signed + BASE64 encoded X.509 certificate only.

client-idClient ID that the SRX Series provides to the Juniper Identity Management Service primary server as part of its authentication to it. The SRX Series device must authenticate to the server to obtain an access token that allows the SRX Series device to query the server for user identity information The client ID must be consistent with the API client configured on the JIMS primary server.
client-secretClient secret that the SRX Series provides to the Juniper Identity Management Service primary server as part of its authentication to it. The client secret must be consistent with the API client configured on the JIMS primary server.

Required Privilege Level