secondary connection (Identity Management Advanced Query)
Syntax
secondary {
address address;
ca-profile ca-profile;
client-id client-id;
client-secret client-secret;
interface interface-name;
routing-instance routing-instance -name;
source source-address;
}
Hierarchy Level
[edit services user-identification identity-management connection]
Description
Configure parameters that the SRX Series Firewall uses to connect to the Juniper Identity Management Service (JIMS) secondary server and authenticate to it to obtain an access token. JIMS requires that the SRX Series Firewall use OAuth2 to authenticate to it before the SRX Series Firewall can query the JIMS server for user identity information. The SRX Series Firewall must provide the JIMS server with credentials, including a client ID and a client secret. If the client is authenticated-in this case the SRX Series Firewall—it is granted an access token. (See RFC 6749.) Both the client ID and the client secret must be consistent with the API client configured on the JIMS Service primary server.
In addition to configuring the client ID and the client secret, you configure a ca-certificate for the secondary server, if one exists. You configure the file name of the JIMS’s ca-certificate. The certificate enables the SRX Series Firewall to verify the identity of JIMS and that it is trusted for the SSL connection.
The SRX Series Firewall always attempts to connect to the primary server first. When one or more queries to the primary server fails, the system falls back to the secondary server.
address- Configure the IP address for the secondary JIMS server. The SRX Series Firewall requires the server IP address to connect to the server to obtain an access code that allows it to query the server for user identity information. The IP address is configured as part of a collection of information which includes the SRX Series Firewall’s client ID, client secret, and ca-certificate information.
The SRX Series Firewall uses the secondary server when the primary one fails. You configure the SRX Series Firewall to connect to the primary server separately. This feature supports only IPv4 addresses.
client-id- Client ID that the SRX Series provides to the JIMS Service secondary server as part of its authentication to it. The SRX Series Firewall must authenticate to the server to obtain an access token that allows the SRX Series Firewall to query the server for user identity information The client ID must be consistent with the API client configured on the JIMS primary server.
client-secret- Client secret that the SRX Series provides to the JIMS secondary server as part of its authentication to it. The client secret must be consistent with the API client configured on the JIMS secondary server.
Interface- Client interface name to connect with JIMS server.
routing-instanceClient routing instance name to connect with JIMS server. When the client interface connects to JIMS server, routing-instance is auto selected based on the location of interface.
sourceSource address of the request depends on the JIMS server status. If the status is online, then SRX Series Firewall gets source address otherwise the source address is auto selected.
Before you use this feature, you must disable active-directory-access and authentication-source options under the user-identification hierarchy. You cannot commit this configuration if active directory authentication or the ClearPass query and webapi functions are configured and committed.
Options
| address | IP address of the secondary server. |
| ca-profile | CA profile name |
| client-id | Client ID for OAuth2 grant |
| client-secret | Client secret for OAuth2 grant |
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1X49-D100.
IPv6 address support introduced in Junos OS Release 18.3R1.
Source, interface, and routing-instance options are introduced in Junos OS Release 21.1R1.
Option ca-profile introduced in Junos OS Release 23.2R1.