Satisfy the Prerequisites for Establishing a Connection to the Junos XML Protocol Server

A Junos XML protocol client application can choose between several protocols to connect to the Junos XML protocol server on devices running Junos OS or devices running Junos OS Evolved. To establish a connection to the server, a client application must satisfy the requirements that are applicable to all access protocols. A client application must also satisfy the requirements for the selected access protocol. The following sections outline the common and protocol-specific prerequisites.

Prerequisites for All Access Protocols

A client application must be able to log in to each device on which it establishes a connection with the Junos XML protocol server. You can create a Junos login account for the application, as described in this section. Alternatively, you can skip this section and enable authentication through RADIUS or TACACS+.

To create a local user account:

  1. Configure the user statement at the [edit system login] hierarchy level and specify a username. Additionally, configure a login class that has the permissions required for all actions to be performed by the application.
  2. (Optional) Configure the uid and full-name statements to specify a unique user ID and the user’s name.
  3. Create a text-based password for the account. Include either the plain-text-password or encrypted-password statement at the [edit system login user account-name authentication] hierarchy level.
    Note:

    A text-based password is not strictly necessary if the account accesses the Junos XML protocol server through a public/private keypair or certificate for authentication. However, we recommend that you create a password anyway. A password is required if you use the account for any other type of access, for example, to log in on the console. The password is also used if key-based or certificate-based authentication is configured but fails.

    • To enter a password as text, issue the following command. The device prompts for the password and confirmation and then encrypts the password before storing it.

    • To use a password that you previously created and hashed using MD5 or SHA1, issue the following command and provide the encrypted password:

  4. Commit the configuration.
  5. Repeat the preceding steps on each device where the client application establishes Junos XML protocol sessions.
  6. Enable the client application to access the password and provide it when the Junos XML protocol server prompts for it. You can use several possible methods, including:
    • Code the application to prompt the user for a password at startup and to store the password temporarily in a secure manner.

    • Store the password in encrypted form in a secure local-disk location or secured database and code the application to access it.

Prerequisites for Clear-Text Connections

A client application can use the Junos XML protocol-specific clear-text access protocol to communicate with the Junos XML protocol server. The clear-text protocol sends unencrypted text directly over a TCP connection without using any additional protocol (such as SSH, SSL, or Telnet).

Note:

Devices running the Junos-FIPS software do not accept Junos XML protocol clear-text connections. We recommend that you do not use the clear-text protocol in a Common Criteria environment. For more information, see the Secure Configuration Guide for Common Criteria and Junos-FIPS.

To enable client applications to use the clear-text protocol to connect to the Junos XML protocol server:

  1. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  2. Configure the xnm-clear-text statement at the [edit system services] hierarchy level to enable the Junos device to accept clear-text connections on port 3221.

    For more information about the xnm-clear-text statement, see Configure clear-text or SSL Service for Junos XML Protocol Client Applications.

  3. (Optional) Configure clear-text session options.

    Configure the connection-limit statement to limit the number of concurrent clear-text sessions; configure the rate-limit statement to limit the number of connection attempts. Both statements accept a value from 1 through 250.

    Note:

    By default, the Junos XML protocol server supports up to 75 simultaneous clear-text sessions and 150 connection attempts per minute.

  4. Commit the configuration.
  5. Repeat the steps on each device where the client application establishes Junos XML protocol sessions.

Prerequisites for SSH Connections

To enable a client application to use the SSH protocol to connect to the Junos XML protocol server, perform the following steps:

  1. Enable the application to access the SSH software.

    Obtain the SSH software and install it on the computer where the application runs. For information about obtaining and installing SSH software, see http://www.ssh.com and http://www.openssh.com.

  2. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  3. (Optional) If you want to use key-based SSH authentication for the application, create a public/private keypair and associate it with the Junos OS login account you created in Prerequisites for All Access Protocols. Perform the following steps:
    1. Working on the computer where the client application runs, issue the ssh-keygen command in a standard command shell. For more information, see the man page provided by your SSH vendor for the ssh-keygen command.

      The ssh-keygen command by default stores each public key in a file in the .ssh subdirectory of the user home directory. The filename depends on the encoding (for example RSA) and SSH version.

    2. Enable the application to access the public and private keys. One method is to run the ssh-agent program on the computer where the application runs.

    3. On the Junos device, associate the public key with the login account.

      The command copies the contents of the specified file onto the Junos device. The URL value is the path to the file that contains one or more public keys.

      Note:

      Alternatively, you can add an RSA public key by configuring the ssh-rsa statement at the same hierarchy level and pasting in the public key.

  4. Configure the ssh statement at the [edit system services] hierarchy level to enable the Junos device to accept SSH connections. This statement enables SSH access for all users and applications, not just Junos XML protocol client applications.
  5. Commit the configuration.
  6. Repeat Step 1 on each computer where the application runs. Repeat Step 2 through Step 5 on each device to which the application connects.
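The key-generation part of Step 3, as an added example that is not part of the Juniper page: it creates the keypair on the client computer and prints the ssh-rsa statement from the note above with the public key pasted in. It assumes ssh-keygen is installed; the directory and account name are placeholders passed in by the caller.

```shell
#!/bin/sh
# make_app_key DIR ACCOUNT
#   Generates DIR/id_rsa and DIR/id_rsa.pub for the client application and
#   prints the Junos statement that associates the public key with ACCOUNT.
# Assumptions (not from the page): ssh-keygen is on PATH; DIR and ACCOUNT
# are placeholders chosen by the caller.
set -eu

make_app_key() {
    dir=$1
    account=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    rm -f "$dir/id_rsa" "$dir/id_rsa.pub"
    # -N '' stores the private key unencrypted (so the application can use it
    # without a passphrase); directory permissions and ssh-agent protect it.
    ssh-keygen -q -t rsa -b 3072 -N '' -C "$account@junos-xml-client" \
        -f "$dir/id_rsa" </dev/null
    chmod 600 "$dir/id_rsa"
    # The public key must be one "ssh-rsa AAAA... comment" line; anything
    # else would not paste cleanly into the ssh-rsa statement.
    if ! grep -q '^ssh-rsa ' "$dir/id_rsa.pub"; then
        echo "unexpected public key format in $dir/id_rsa.pub" >&2
        return 1
    fi
    pub=$(head -n 1 "$dir/id_rsa.pub")
    echo "set system login user $account authentication ssh-rsa \"$pub\""
}

# load_into_agent DIR
#   Loads the private key into a running ssh-agent so the application can
#   authenticate without reading the key file itself (Step 3.2 above).
load_into_agent() {
    ssh-add "$1/id_rsa"
}
```

Run make_app_key once per client computer, paste the printed statement into the device configuration, then call load_into_agent in the environment where the application starts.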

Prerequisites for Outbound SSH Connections

The outbound SSH feature allows the initiation of an SSH session between a Junos device and a network management system (NMS) where client-initiated TCP/IP connections are blocked (for example, when the device is behind a firewall). To enable outbound SSH, configure the outbound-ssh statement at the [edit system services] hierarchy level on the Junos device. After you commit the configuration, the Junos device initiates outbound SSH sessions with the configured management clients. Once the device has opened the connection, the NMS initiates the SSH sequence as the client, and the Junos device, acting as the server, authenticates the client.

Setting up outbound SSH involves:

  • Configuring the device running Junos OS or the device running Junos OS Evolved for outbound SSH

  • Configuring the management server for outbound SSH

To configure the Junos device for outbound SSH:

  1. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  2. Set the SSH protocol to v2.
  3. Generate a public/private keypair for the Junos device. This keypair is used to encrypt the data transferred across the SSH connection.
    For more information about generating keypairs, see the User Access and Authentication Administration Guide for Junos OS.
  4. To manually install the public key on the NMS, copy the public key to the NMS server.
  5. Configure the outbound-ssh statement at the [edit system services] hierarchy level.

    The options are as follows:

    • address—(Required) Hostname or IPv4 or IPv6 address of the management server. You can list multiple clients by adding each client's IP address or hostname along with the following connection parameters.

      • port port-number—Define the outbound SSH port for the client. The default is port 22.

      • retry number—Specify the number of times the device attempts to establish an outbound SSH connection. The default is three tries.

      • timeout seconds—Specify the amount of time, in seconds, that the Junos device attempts to establish an outbound SSH connection. The default is 15 seconds.

    • client client-id—(Required) Define an identifier for the outbound-ssh configuration stanza on the device. Each outbound-ssh stanza represents a single outbound SSH connection. The device does not send this attribute to the client.

    • device-id device-id—(Required) Specify a name that identifies the Junos device to the client during the initiation sequence.

    • keep-alive—(Optional) Specify that the device send keepalive messages to the management server. To configure the keepalive message, you must set both the timeout and retry attributes.

      • retry number—Specify the number of keepalive messages the device sends without receiving a response from the NMS before terminating the current SSH connection. The default is three tries.

      • timeout seconds—Specify the amount of time, in seconds, that the server waits for data before sending a keepalive signal. The default is 15 seconds.

    • reconnect-strategy (in-order | sticky)—(Optional) Specify the method the router or switch uses to reestablish a disconnected outbound SSH connection. Two methods are available:

      • in-order—Specify that the network device first attempt to establish an outbound SSH session based on the management server address list. The device attempts to establish a session with the first server on the list. If this connection is not available, the device attempts to establish a session with the next server, and so on down the list until it establishes a connection.

      • sticky—Specify that the network device first attempt to reconnect to the management server to which it was last connected. If the connection is unavailable, the device attempts to establish a connection with the next client on the list and so on down the list until it establishes a connection.

      When reconnecting to a client, the device running Junos OS attempts to reconnect to the client based on the retry and timeout values for each of the clients listed in the configuration management server list.

    • secret password—(Optional) Instruct the device to send its public SSH host key. During the initialization of the outbound SSH service, the router or switch passes its public key to the management server. This method is the recommended way of maintaining a current copy of the device’s public key.

    • services—(Required) Specify the services available for the session. Currently, NETCONF is the only service available.

  6. Commit the configuration.

To set up the configuration management server:

  1. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.

  2. Enable the application to access the SSH software.

    Obtain the SSH software and install it on the computer where the application runs. For information about obtaining and installing SSH software, see http://www.ssh.com and http://www.openssh.com.

  3. (Optional) Manually install the device's public key for use with the SSH connection.

  4. Configure the client system to receive and process initialization broadcast requests. The initialization requests use the following syntax:

    • (Recommended) If you configured the secret statement, the Junos device sends its public SSH key along with the initialization sequence. When the NMS receives the key, the client needs to determine what to do with the key. We recommend that you replace any current public SSH key for the device with the new key. This method ensures that the client always has the current key available for authentication.

    • If you did not configure the secret statement, the Junos device does not send its public SSH key along with the initialization sequence. You need to manually install the current public SSH key for the device.

Prerequisites for SSL Connections

To enable a client application to use the SSL protocol to connect to the Junos XML protocol server, perform the following steps:

  1. Enable the application to access the SSL software.

    Obtain the SSL software and install it on the computer where the application runs. For information about obtaining and installing the SSL software, see http://www.openssl.org.

  2. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  3. Use one of the following methods to obtain an authentication certificate in privacy-enhanced mail (PEM) format:
    • Request a certificate from a certificate authority (CA); these agencies usually charge a fee.

    • Generate a self-signed certificate.

      For example, working on the computer where the client application runs, issue the following openssl command in a standard command shell.

      The command generates a self-signed certificate and an unencrypted 2048-bit RSA private key, and writes them to the file called certificate-file.pem in the working directory.

  4. Import the certificate into the Junos configuration.

    The certificate-name value is a unique identifier for the certificate.

    The URL-or-path value specifies the file that contains the paired certificate and private key. Specify either the URL location on the client computer or a path on the local disk (if you copied the certificate file to the local device).

    Note:

    The CLI expects the private key in the URL-or-path file to be unencrypted. If you encrypted the key, the CLI prompts you for the passphrase associated with it, decrypts it, and stores the unencrypted version.

  5. Configure the xnm-ssl statement at the [edit system services] hierarchy level to enable the Junos device to accept SSL connections on port 3220.

    The certificate-name value is the unique name you assigned to the certificate in Step 4.

  6. (Optional) Configure SSL session options.

    Configure the connection-limit statement to limit the number of concurrent sessions; configure the rate-limit statement to limit the number of connection attempts. Both statements accept a value from 1 through 250.

    Note:

    By default, the Junos XML protocol server supports up to 75 simultaneous SSL sessions and 150 connection attempts per minute.

  7. Commit the configuration.
  8. Repeat Step 1 on each computer where the client application runs. Repeat Step 2 through Step 7 on each device to which the client application connects.
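Steps 3 and 4 above, as an added example that is not part of the Juniper page: it builds the single PEM file (unencrypted RSA key plus self-signed certificate) that load-key-file expects, then checks the file before it is copied to the device. It assumes openssl is installed; the file name and the certificate subject are placeholders chosen here.

```shell
#!/bin/sh
# make_xnm_ssl_cert FILE CN
#   Writes FILE containing an unencrypted 2048-bit RSA private key followed by
#   a self-signed certificate for CN, the layout Step 4's load-key-file reads.
# check_xnm_ssl_cert FILE
#   Returns 0 only if FILE holds both parts, the key has no passphrase (the CLI
#   would otherwise prompt and store a decrypted copy), and key and
#   certificate belong together.
# Assumptions (not from the page): openssl is on PATH; FILE and CN are
# placeholders chosen by the caller.
set -eu

make_xnm_ssl_cert() {
    file=$1
    cn=$2
    tmpkey=$(mktemp) ; tmpcrt=$(mktemp)
    # -nodes leaves the private key unencrypted, as the Junos CLI expects.
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$cn" \
        -keyout "$tmpkey" -out "$tmpcrt" 2>/dev/null
    cat "$tmpkey" "$tmpcrt" > "$file"
    rm -f "$tmpkey" "$tmpcrt"
    chmod 600 "$file"   # the file carries a private key: owner-only access
    # Record the fingerprint so the certificate can be recognised later.
    openssl x509 -in "$file" -noout -fingerprint -sha256
}

check_xnm_ssl_cert() {
    file=$1
    grep -q 'BEGIN CERTIFICATE' "$file" || return 1
    grep -q 'PRIVATE KEY' "$file" || return 1
    # Encrypted PEM keys carry an ENCRYPTED marker or Proc-Type header.
    if grep -q -e 'ENCRYPTED' -e '^Proc-Type:' "$file"; then return 1; fi
    # The key must load with an empty passphrase ...
    openssl pkey -in "$file" -noout -passin pass: 2>/dev/null || return 1
    # ... and its public half must match the certificate's.
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$file" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}
```

After the check passes, copy the file to the device and import it with load-key-file under the certificate-name you will reference in the xnm-ssl statement.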

Prerequisites for Telnet Connections

To enable a client application to use the Telnet protocol to access the Junos XML protocol server, perform the steps described in this section.

Note:

Devices running the Junos-FIPS software do not accept Telnet connections. We recommend that you do not use the Telnet protocol in a Common Criteria environment. For more information, see the Secure Configuration Guide for Common Criteria and Junos-FIPS.

  1. Verify that the application can access the Telnet software. On most operating systems, a Telnet client is included in the standard distribution.
  2. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  3. Configure the telnet statement at the [edit system services] hierarchy level. This statement enables Telnet access for all users and applications, not just Junos XML protocol client applications.
  4. Repeat Step 1 on each computer where the application runs. Repeat Step 2 and Step 3 on each device to which the application connects.