secondary connection (Identity Management Advanced Query)

Syntax

Hierarchy Level

Description

Configure the parameters that the SRX Series device uses to connect to the Juniper Identity Management Service (JIMS) secondary server and to authenticate to it to obtain an access token. JIMS requires the SRX Series device to authenticate with OAuth2 before it can query the JIMS server for user identity information. The SRX Series device presents credentials consisting of a client ID and a client secret; if the client (in this case the SRX Series device) is authenticated, it is granted an access token (see RFC 6749). Both the client ID and the client secret must match the API client configured on the JIMS primary server.

In addition to the client ID and the client secret, you configure the CA certificate for the secondary server, if one exists, by specifying the file name of the JIMS CA certificate as stored on the SRX Series device. The certificate enables the SRX Series device to verify the identity of the JIMS server and to trust it for the SSL connection.

The SRX Series device always attempts to connect to the primary server first. When one or more queries to the primary server fail, the device falls back to the secondary server.

address- IP address of the secondary JIMS server. The SRX Series device requires the server IP address to connect to the server and obtain the access token that allows it to query the server for user identity information. The IP address is configured together with the SRX Series device's client ID, client secret, and ca-certificate.

The SRX Series device uses the secondary server when the primary one fails; the connection to the primary server is configured separately. Only IPv4 addresses are supported in releases before Junos OS Release 18.3R1, which introduced IPv6 address support.

ca-certificate- File name of the CA certificate for the secondary server. Before you configure the file name, the administrator of the JIMS server must export the certificate and import it to the SRX Series device. Configure the complete path and file name of the certificate on the SRX Series device, for example, /var/db/RADIUSServerCertificate.crt. If the ca-certificate is not configured, the SRX Series device cannot verify the JIMS certificate, and therefore cannot confirm the identity of the server it is sending credentials to.

The SRX Series device supports only a self-signed, Base64-encoded X.509 certificate.

client-id- Client ID that the SRX Series device provides to the JIMS secondary server as part of its authentication to it. The SRX Series device must authenticate to the server to obtain an access token that allows it to query the server for user identity information. The client ID must match the API client configured on the JIMS primary server.

client-secret- Client secret that the SRX Series device provides to the JIMS secondary server as part of its authentication to it. The client secret must match the API client configured on the JIMS primary server.

interface- Name of the client interface used to connect to the JIMS server.

routing-instance- Name of the client routing instance used to connect to the JIMS server. When the client interface is configured, the routing instance is selected automatically based on the location of that interface.

source- Source address used for requests to the JIMS server. The source address depends on the JIMS server status: if the server is online, the SRX Series device uses the configured source address; otherwise the source address is selected automatically.

Warning:

Before you use this feature, you must disable the active-directory-access and authentication-source options under the user-identification hierarchy. You cannot commit this configuration if Active Directory authentication or the ClearPass query and webapi functions are configured and committed.
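The following Junos CLI session is an added worked example and is not part of the Juniper documentation. It configures the primary and secondary JIMS connections described above, together with the CA certificate import and the cleanup the warning requires. It assumes the [edit services user-identification identity-management connection] hierarchy, which this page does not show; the addresses (192.0.2.0/24 documentation range), file names and credentials are constructed placeholders, and the client ID and secret must be replaced with the values of the API client configured on the JIMS primary server.

```junos
## Added example; hierarchy, addresses, paths and credentials are assumptions.

## 1. Copy the CA certificate exported by the JIMS administrator onto the SRX.
##    The full path is what the ca-certificate option later refers to.
user@srx> file copy scp://admin@192.0.2.50/tmp/jims-ca.crt /var/db/jims-ca.crt

user@srx> configure

## 2. The identity-management query cannot coexist with the legacy Active Directory
##    integration; remove it first or the commit is rejected (see Warning).
user@srx# delete services user-identification active-directory-access

## 3. Primary connection (configured separately from the secondary one).
user@srx# set services user-identification identity-management connection primary address 192.0.2.10
user@srx# set services user-identification identity-management connection primary client-id srx-fw-01
user@srx# set services user-identification identity-management connection primary client-secret "REPLACE-WITH-API-CLIENT-SECRET"
user@srx# set services user-identification identity-management connection primary ca-certificate /var/db/jims-ca.crt

## 4. Secondary connection: same client ID and secret as the API client on the JIMS
##    primary, plus the full path to the secondary server's CA certificate. Without
##    ca-certificate the SRX cannot verify the server it sends these credentials to.
user@srx# set services user-identification identity-management connection secondary address 192.0.2.11
user@srx# set services user-identification identity-management connection secondary client-id srx-fw-01
user@srx# set services user-identification identity-management connection secondary client-secret "REPLACE-WITH-API-CLIENT-SECRET"
user@srx# set services user-identification identity-management connection secondary ca-certificate /var/db/jims-ca.crt

user@srx# commit and-quit

## 5. Confirm that the primary is in use and the secondary is reachable before
##    relying on failover (command assumed; output not reproduced here).
user@srx> show services user-identification identity-management status
```

The secondary is only consulted after a query to the primary fails, so a mismatched client secret or a missing CA certificate on the secondary goes unnoticed until the primary is down; verify the secondary's status after the commit rather than waiting for a failover to expose a misconfiguration.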

Options

address

IP address of the secondary server.

ca-certificate

File name (full path) of the CA certificate for the secondary server.

client-id

Client ID for the OAuth2 grant.

client-secret

Client secret for the OAuth2 grant.

interface

Client interface name used to connect to the JIMS server.

routing-instance

Client routing instance name used to connect to the JIMS server.

source

Source address of requests sent to the JIMS server.

Required Privilege Level

  1. services—To view this statement in the configuration.

  2. services-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 15.1X49-D100.

IPv6 address support introduced in Junos OS Release 18.3R1.

The source, interface, and routing-instance options were introduced in Junos OS Release 21.1R1.