
Prerequisites for SSL Connections

The SSL protocol uses public-private key technology, which requires a paired private key and authentication certificate. To enable a client application to establish SSL connections, follow these steps:

  1. Install the SSL client on the machine where the client application runs.

    Skip this step if the client application uses the JUNOScript Perl module described in “Write Perl Client Applications” in the JUNOScript API Guide. As part of the Perl module installation procedure, you install a prerequisites package that includes the necessary SSL software.

  2. Use one of the following two methods to obtain an authentication certificate in privacy-enhanced mail (PEM) format:
  3. Enter CLI configuration mode on the JUNOScript server and issue the following commands to import the certificate. In the first command, substitute the certificate name for the certificate-name variable. In the second command, for the URL-or-path variable, substitute the name of the file that contains the paired certificate and private key, either as a URL or as a pathname on the local disk.
    [edit]
    user@host# edit security certificates local certificate-name
    [edit security certificates local certificate-name]
    user@host# set load-key-file URL-or-path

    Note: The CLI expects the private key in the specified file (URL-or-path) to be unencrypted. If the key is encrypted, the CLI prompts for the passphrase associated with it, decrypts it, and stores the unencrypted version.

  4. Issue the following commands to activate the xnm-ssl service, which listens on port 3220. In the last command, substitute the same value for the certificate-name variable as in Step 3.
    [edit security certificates local certificate-name]
    user@host# top
    [edit]
    user@host# edit system services
    [edit system services]
    user@host# set xnm-ssl local-certificate certificate-name
  5. Verify that 127.0.0.1 is one of the IP addresses configured for the loopback interface, lo0, on the JUNOScript server machine. The output from the show interfaces lo0 command must include an address statement similar to the following:
    [edit system services]
    user@host# top
    [edit]
    user@host# show interfaces lo0
    unit 0 {
        family inet {
            address 127.0.0.1/32;
        }
    }

    If necessary, issue the following command to add the address at the [edit interfaces lo0 unit 0 family inet] hierarchy level:

    [edit]
    user@host# set interfaces lo0 unit 0 family inet address 127.0.0.1
  6. Commit the configuration:
    [edit]
    user@host# commit
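
A pre-flight check for the PEM file named in Step 3, given here as an added example and not as part of the JUNOScript software or its documentation: it confirms that the file holds a certificate paired with a private key and reports whether the key is encrypted, which tells you whether the CLI will prompt for a passphrase. The function names, the sample blocks, and the rule of "at least one certificate and exactly one private key" are assumptions made for this example.

```python
import base64
import re

# A PEM block: matching BEGIN/END labels around optional RFC 1421 headers and a base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem_bundle(text):
    """Report what a PEM file holds before it is passed to load-key-file."""
    certs = keys = 0
    encrypted = False
    problems = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [line.strip() for line in body.strip().splitlines()]
        headers = [line for line in lines if ":" in line]
        payload = "".join(line for line in lines if ":" not in line)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # Legacy OpenSSL keys mark encryption with a Proc-Type header;
            # PKCS#8 keys mark it with the ENCRYPTED PRIVATE KEY label.
            if label.startswith("ENCRYPTED") or any(
                    h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers):
                encrypted = True
    if certs == 0:
        problems.append("no CERTIFICATE block found")
    if keys != 1:
        problems.append(f"expected exactly one private key, found {keys}")
    return {"certificates": certs, "private_keys": keys,
            "key_encrypted": encrypted, "problems": problems}

def sample_block(label, headers=""):
    """Build a constructed PEM block; the body is filler, not real key material."""
    body = base64.b64encode(b"constructed sample bytes, not a real key").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed sample inputs (assumptions for this example only).
PLAIN = sample_block("CERTIFICATE") + sample_block("RSA PRIVATE KEY")
LEGACY_ENC = sample_block("CERTIFICATE") + sample_block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")

if __name__ == "__main__":
    for name, bundle in (("plain", PLAIN), ("legacy-encrypted", LEGACY_ENC)):
        print(name, inspect_pem_bundle(bundle))
```

A result with key_encrypted set to False means the source file itself carries an unprotected private key, so restrict its permissions and remove it from the transfer location once the import is committed.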
