tls (NETCONF)
Syntax
tls {
    client-identity client-id {
        fingerprint fingerprint;
        map-type (san-dirname-cn | specified);
        username username;
    }
    default-client-identity {
        map-type (san-dirname-cn | specified);
        username username;
    }
    local-certificate local-certificate;
    traceoptions {
        file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
        flag name;
        level (all | error | info | notice | verbose | warning);
        no-remote-trace;
    }
}
Hierarchy Level
[edit system services netconf]
Description
Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Enable NETCONF sessions over Transport Layer Security (TLS) with mutual X.509 certificate-based authentication. To enable NETCONF sessions over TLS, you must configure the local-certificate statement and either a client-identity statement or the default-client-identity statement.
Junos devices support TLS version 1.2 for NETCONF sessions over TLS. The TLS server listens for incoming NETCONF-over-TLS connections on TCP port 6513.
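The following hierarchical configuration is an added illustration, not taken from the Juniper documentation, of how the statements above fit together: one pinned client certificate is mapped to a fixed login with map-type specified, and every other client certificate that the device trusts is mapped with map-type san-dirname-cn. The certificate ID, client-identity name, username, and the fingerprint value are assumed placeholders.

```junos
system {
    services {
        netconf {
            tls {
                /* Assumed certificate ID; the certificate must already be
                   loaded into the Junos PKI before this commit succeeds. */
                local-certificate netconf-tls-server;
                /* Pin one known automation client by the fingerprint of its
                   certificate (placeholder value) and map it to a fixed local
                   login, whatever subject the certificate carries. */
                client-identity automation-ctrl {
                    fingerprint "<client-certificate-fingerprint>";
                    map-type specified;
                    username netconf-automation;
                }
                /* Any other client certificate that passes mutual TLS
                   authentication is mapped to the login named in the CN of
                   its subjectAltName dirName; no fixed username is needed. */
                default-client-identity {
                    map-type san-dirname-cn;
                }
            }
        }
    }
}
```

Each mapped username must correspond to a login account the device can authenticate; the TLS server then accepts NETCONF sessions on TCP port 6513 using TLS 1.2.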
Options
local-certificate local-certificate
    TLS server’s local certificate ID, which must be loaded into the Junos public key infrastructure (PKI).
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 20.2R1.
Statement introduced in Junos OS Evolved Release 21.4R1.