
Prerequisites for SSL Connections

To enable a client application to use the SSL protocol to connect to the JUNOScript server, perform the following steps:

  1. Enable the application to access the SSL software.

    If the application uses the JUNOScript Perl module provided by Juniper Networks, no action is necessary. As part of the installation procedure for the Perl module, you install a prerequisites package that includes the necessary SSL software. For instructions, see Downloading the JUNOS Module and Sample Scripts.

    If the application does not use the JUNOScript Perl module, obtain the SSL software and install it on the computer where the application runs. For information about obtaining and installing the SSL software, see http://www.openssl.org.

  2. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  3. Use one of the following two methods to obtain an authentication certificate in privacy-enhanced mail (PEM) format:
  4. Import the certificate onto the routing platform by including the local statement at the [edit security certificates] hierarchy level and the load-key-file statement at the [edit security certificates local certificate-name] hierarchy level.

    [edit]
    user@host# edit security certificates local certificate-name
     
    [edit security certificates local certificate-name]
    user@host# set load-key-file URL-or-path

    certificate-name is a name you choose to identify the certificate uniquely (for example, junoscript-ssl-client-hostname, where hostname is the computer where the client application runs).

    URL-or-path specifies the file that contains the paired certificate and private key (if you issued the openssl command in Step item, the certificate-name.pem file). Specify either the URL to its location on the client computer or a pathname on the local disk (if you have already used another method to copy the certificate file to the router’s local disk). For more information about specifying URLs and pathnames, see the JUNOS CLI User Guide.

    Note: The CLI expects the private key in the URL-or-path file to be unencrypted. If the key is encrypted, the CLI prompts you for the passphrase associated with it, decrypts it, and stores the unencrypted version.

    The set load-key-file URL-or-path command copies the contents of the certificate file into the configuration. When you view the configuration, the CLI displays the string of characters that constitute the private key and certificate, marking them as SECRET-DATA. The load-key-file keyword is not recorded in the configuration.

  5. Configure the JUNOScript server to accept SSL connections from JUNOScript client applications on port 3220 by including the xnm-ssl statement at the [edit system services] hierarchy level.

    [edit security certificates local certificate-name]
    user@host# top
    [edit]
    user@host# set system services xnm-ssl local-certificate certificate-name

    certificate-name is the unique name you assigned to the certificate in Step item.

    By default, the JUNOScript server supports up to 75 simultaneous SSL sessions and 150 connection attempts per minute. Optionally, you can include the connection-limit statement to limit the number of concurrent sessions, the rate-limit statement to limit connection attempts, or both. Both statements accept a value from 1 through 250.

    [edit]
    user@host# set system services xnm-ssl connection-limit limit
    user@host# set system services xnm-ssl rate-limit limit

    For more information about the xnm-ssl statement, see the JUNOS System Basics Configuration Guide.

  6. Commit the configuration:

    [edit]
    user@host# commit

  7. Repeat Step item on each computer where the application runs, and Step item through Step item on each routing platform to which the application connects.
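
The following pre-flight check is an added example, not part of the original documentation or of the JUNOScript software. It inspects a PEM file before it is given to load-key-file, confirming that it holds both a certificate and a private key and reporting whether the key is encrypted (in which case the CLI prompts for the passphrase). The names inspect_pem and fake_block and the sample data are assumptions constructed for illustration; the check covers PEM framing and base64 only, not the certificate contents.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

def inspect_pem(text):
    """Count certificate and private-key blocks and flag encrypted keys."""
    report = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0,
              "findings": []}
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy OpenSSL keys carry headers such as "Proc-Type: 4,ENCRYPTED".
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            report["findings"].append(f"{label}: body is not valid base64")
            continue
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            legacy = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h
                         for h in headers)
            if legacy or label == "ENCRYPTED PRIVATE KEY":
                report["encrypted_keys"] += 1
                report["findings"].append("private key is encrypted")
    if report["certificates"] == 0:
        report["findings"].append("no CERTIFICATE block found")
    if report["private_keys"] == 0:
        report["findings"].append("no private key block found")
    return report

def fake_block(label, headers=""):
    """Constructed sample: PEM framing around placeholder bytes, not real DER."""
    body = base64.b64encode(b"constructed placeholder, not DER").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

LEGACY_HEADERS = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
SAMPLE_OK = fake_block("RSA PRIVATE KEY") + fake_block("CERTIFICATE")
SAMPLE_ENCRYPTED = fake_block("RSA PRIVATE KEY", LEGACY_HEADERS) + fake_block("CERTIFICATE")

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, inspect_pem(sample))
```

An empty findings list means the file has the certificate and unencrypted private key pairing that the import step expects.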
