Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Enable TLS Authentication

Use this section to configure TLS authentication for secure communication between a device and Juniper Routing Director.

Transport Layer Security (TLS) authentication is governed by the Insecure and Skip Verify parameters. To configure TLS authentication navigate to Inventory > Network Inventory > Add Device > Add a Device > TLS Encryption. Configure Insecure and Skip Verify as follows:

  • Insecure

    Disable Insecure to allow secure communication between device and Routing Director. By default, Insecure is cleared and the communication between a device and Routing Director is secure.

    Select Insecure only in non-production environments as selecting this option makes the device highly vulnerable to man-in-the-middle attacks.

  • Skip Verify

    • If you have a certificate from a trusted certificate authority (CA), clear this option to enforce certificate validation during TLS handshake. This option is cleared by default.

    • If you have a self-signed TLS certificate, select Skip Verify to bypass verification of the device identity.

      Note:

      Select Skip Verify only in non-production environments as selecting this option makes the device highly vulnerable to man-in-the-middle attacks.

  • Upload Certificates:

    Note: The TLS certificate, key, and certificate authority for a device depends on the device vendor. Check with your device vendor to obtain information related to TLS certificate for your device, For obtaining TLS certificate, key, and certificate authority (CA) for Cisco devices, see Get TLS Certificate,
    • Certificate—Upload the TLS certificate to Routing Director when Insecure is disabled.

    • Key Certificate—Upload the key for the certificate.

    • Certificate Authority (CA)—Upload the certificate from the CA authority.

      Once configured, the device establishes a secure, authenticated TLS connection with Routing Director.

To summarize, if you are using:

  • Self-signed certificates, disable Insecure, enable Skip Verify.and upload the self-signed certificate.

  • PKI/Trusted CA certificates, disable Insecure, and disable Skip Verify and upload the trusted certificate, key and the trusted CA certificate.

Get TLS Certificate for Cisco Devices

Get TLS Certificate

This section provides a brief overview of how to obtain a TLS certificate, key, and CA for Cisco devices. For detailed information, refer to Cisco documentation.

For a Cisco device, the TLS certificate is generated and saved in the /misc/config/grpc folder when you enable TLS on the device.

To secure a gNMI connection between Routing Director and a Cisco device, copy the ems.pem certificate from the /misc/config/grpc directory of the device to your local system, and upload it to Routing Director. Use the command below to copy the certificate to the local system:

Where, ipaddress is the management IP address of the device and username is your username on the local device.

Get Certificate Key

The format of the TLS certificate determines if a key must be uploaded or not. A certificate in the *.pem format does not need a separate key to be uploaded.

Get Certificate Authority

For a Cisco device, obtain a CA in one of the following ways:

  • Enterprise Public Key Infrastructure (PKI) where your enterprise uses its own PKI.

  • Internal private CA

  • Self-generated by the device

For information, refer to Cisco documentation.