Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Satisfy the Prerequisites for Establishing a Connection to the Junos XML Protocol Server

To enable a client application to establish a connection to the Junos XML protocol server, you must satisfy the requirements that are applicable to all access protocols as well as your specific access protocol as discussed in the following sections:

Prerequisites for All Access Protocols

A client application must be able to log in to each device on which it establishes a connection with the Junos XML protocol server. The following instructions explain how to create a Junos login account for the application. Alternatively, you can skip this section and enable authentication through RADIUS or TACACS+. For more information about creating user accounts and enabling authentication, see the Junos OS User Access and Authentication User Guide for Routing Devices .

To determine whether a login account exists on a device running Junos OS, enter the CLI configuration mode on the device and issue the following commands:

If the appropriate account does not exist, perform the following steps:

  1. Include the user statement at the [edit system login] hierarchy level and specify a username. Also include the class statement at the [edit system login user username] hierarchy level, and specify a login class that has the permissions required for all actions to be performed by the application. Optionally, include the full-name and uid statements.
  2. Create a text-based password for the account by including either the plain-text-password or encrypted-password statement at the [edit system login user account-name authentication] hierarchy level.
    Note:

    A text-based password is not strictly necessary if the account is used to access the Junos XML protocol server through SSH with public/private key pairs for authentication, but we recommend that you create one anyway. The key pair alone is sufficient if the account is used only for SSH access, but a password is required if the account is also used for any other type of access (for login on the console, for example). The password is also used—the SSH server prompts for it—if key-based authentication is configured but fails. For information about creating a public/private key pair, see Prerequisites for SSH Connections.

    To enter a password as text, issue the following command. You are prompted for the password, which is encrypted before being stored.

    To store a password that you have previously created and hashed using Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1), issue the following command:

  3. Issue the commit command.
  4. Repeat the preceding steps on each device where the client application establishes Junos XML protocol sessions.
  5. Enable the client application to access the password and provide it when the Junos XML protocol server prompts for it. There are several possible methods, including the following:
    • Code the application to prompt the user for a password at startup and to store the password temporarily in a secure manner.

    • Store the password in encrypted form in a secure local-disk location or secured database and code the application to access it.

Prerequisites for Clear-Text Connections

A client application that uses the Junos XML protocol-specific clear-text access protocol sends unencrypted text directly over a TCP connection without using any additional protocol (such as SSH, SSL, or Telnet).

Note:

Devices running the Junos-FIPS software do not accept Junos XML protocol clear-text connections. We recommend that you do not use the clear-text protocol in a Common Criteria environment. For more information, see the Secure Configuration Guide for Common Criteria and Junos-FIPS.

To enable client applications to use the clear-text protocol to connect to the Junos XML protocol server, perform the following steps:

  1. Verify that the application can access the TCP software. On most operating systems, TCP is accessible in the standard distribution. Do this on each computer where the application runs.
  2. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  3. Configure the device running Junos OS to accept clear-text connections from client applications on port 3221 by including the xnm-clear-text statement at the [edit system services] hierarchy level:

    By default, the Junos XML protocol server supports up to 75 simultaneous clear-text sessions and 150 connection attempts per minute. Optionally, you can include either or both the connection-limit statement to limit the number of concurrent sessions and the rate-limit statement to limit the number of connection attempts. Both statements accept a value from 1 through 250.

    For more information about the xnm-clear-text statement, see Configuring clear-text or SSL Service for Junos XML Protocol Client Applications.

  4. Commit the configuration:
  5. Repeat Step 2 through Step 4 on each device where the client application establishes Junos XML protocol sessions.

Prerequisites for SSH Connections

To enable a client application to use the SSH protocol to connect to the Junos XML protocol server, perform the following steps:

  1. Enable the application to access the SSH software.

    If the application uses the Junos XML protocol Perl module provided by Juniper Networks, no action is necessary. As part of the installation procedure for the Perl module, you install a prerequisites package that includes the necessary SSH software. For instructions, see Downloading the Junos XML Protocol Perl Client and Prerequisites Package.

    If the application does not use the Junos XML protocol Perl module, obtain the SSH software and install it on the computer where the application runs. For information about obtaining and installing SSH software, see http://www.ssh.com/ and http://www.openssh.com/ .

  2. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  3. (Optional) If you want to use key-based SSH authentication for the application, create a public/private key pair and associate it with the Junos OS login account you created in Prerequisites for All Access Protocols. Perform the following steps:
    1. Working on the computer where the client application runs, issue the ssh-keygen command in a standard command shell (not the Junos OS CLI). By providing the appropriate arguments, you encode the public key with either RSA (supported by SSH versions 1 and 2) or the Digital Signature Algorithm (DSA), supported by SSH version 2. For more information, see the man page provided by your SSH vendor for the ssh-keygen command. The Junos OS uses SSH version 2 by default but also supports version 1.

    2. Enable the application to access the public and private keys. One method is to run the ssh-agent program on the computer where the application runs.

    3. On the device running Junos OS that needs to accept SSH connections from Junos XML protocol client applications, associate the public key with the Junos login account by including the load-key-file statement at the [edit system login user account-name authentication] hierarchy level. First, move to that hierarchy level:

      Issue the following command to copy the contents of the specified file onto the device running Junos OS:

      URL is the path to the file that contains one or more public keys. The ssh-keygen command by default stores each public key in a file in the .ssh subdirectory of the user home directory; the filename depends on the encoding (DSA or RSA) and SSH version. For information about specifying URLs, see the CLI User Guide.

      Alternatively, you can include one or both of the ssh-dsa and ssh-rsa statements at the [edit system login user account-name authentication] hierarchy level. We recommend using the load-key-file statement, however, because it eliminates the need to type or cut and paste the public key on the command line. For more information about the ssh-dsa and ssh-rsa statements, see the Junos OS User Access and Authentication User Guide for Routing Devices .

  4. Configure the device running Junos OS to accept SSH connections by including the ssh statement at the [edit system services] hierarchy level. This statement enables SSH access for all users and applications, not just Junos XML protocol client applications.
  5. Commit the configuration:
  6. Repeat Step 1 on each computer where the application runs, and Step 2 through Step 5 on each device to which the application connects.

Prerequisites for Outbound SSH Connections

The outbound SSH feature allows the initiation of an SSH session between devices running Junos OS and Network and System Management servers where client-initiated TCP/IP connections are blocked (for example, when the device is behind a firewall). To configure outbound SSH, you add an outbound-ssh configuration statement to the device. Once configured and committed, the device running Junos OS will begin to initiate outbound SSH sessions with the configured management clients. Once the outbound SSH session is initialized and the connection is established, the management server initiates the SSH sequence as the client and the device running Junos OS, acting as the server, authenticates the client.

Setting up outbound SSH involves:

  • Configuring the device running Junos OS for outbound SSH

  • Configuring the management server for outbound SSH.

To configure the device for outbound SSH:

  1. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  2. In the [edit system services ssh] hierarchy level, set the SSH protocol to v2:
  3. Generate/obtain a public/private key pair for the device running Junos OS. This key pair will be used to encrypt the data transferred across the SSH connection. For more information on generating key pairs, see the Junos OS User Access and Authentication User Guide for Routing Devices .
  4. If the public key will be installed on the application management system manually, transfer the public key to the NSM server.
  5. Add the following outbound-ssh statement at the [edit system services] hierarchy level:

    The options are as follows:

    • address—(Required) Hostname or IPv4 or IPv6 address of the management server. You can list multiple clients by adding each client's IP address or hostname along with the following connection parameters.

      • port port-number—Outbound SSH port for the client. The default is port 22.

      • retry number– Number of times the device attempts to establish an outbound SSH connection. The default is three tries.

      • timeout seconds—Amount of time, in seconds, that the device running Junos OS attempts to establish an outbound SSH connection. The default is 15 seconds.

    • client client-id—(Required) Identifies the outbound-ssh configuration stanza on the device. Each outbound-ssh stanza represents a single outbound SSH connection. This attribute is not sent to the client.

    • device-id device-id—(Required) Identifies the device running Junos OS to the client during the initiation sequence.

    • keep-alive—(Optional) Specify that the device send keepalive messages to the management server. To configure the keepalive message, you must set both the timeout and retry attributes.

      • retry number—Number of keepalive messages the device sends without receiving a response from the management server before the current SSH connection is terminated. The default is three tries.

      • timeout seconds—Amount of time, in seconds, that the server waits for data before sending a keepalive signal. The default is 15 seconds.

    • reconnect-strategy (in-order | sticky)—(Optional) Specify the method the router or switch uses to reestablish a disconnected outbound SSH connection. Two methods are available:

      • in-order—Specify that the router or switch first attempt to establish an outbound SSH session based on the management server address list. The router or switch attempts to establish a session with the first server on the list. If this connection is not available, the router or switch attempts to establish a session with the next server, and so on down the list until a connection is established.

      • sticky—Specify that the router or switch first attempt to reconnect to the management server that it was last connected to. If the connection is unavailable, it attempts to establish a connection with the next client on the list and so forth until a connection is made.

      When reconnecting to a client, the device running Junos OS attempts to reconnect to the client based on the retry and timeout values for each of the clients listed in the configuration management server list.

    • secret password—(Optional) Public SSH host key of the device running Junos OS. If added to the outbound-ssh statement, during the initialization of the outbound SSH service, the router or switch passes its public key to the management server. This is the recommended method of maintaining a current copy of the router’s or switch’s public key.

    • services—(Required) Specifies the services available for the session. Currently, NETCONF is the only service available.

  6. Commit the configuration:

To set up the configuration management server:

  1. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.

  2. Enable the application to access the SSH software.

    • If the application uses the Junos XML protocol Perl module provided by Juniper Networks, no action is necessary. As part of the installation procedure for the Perl module, you install a prerequisites package that includes the necessary SSH software. For instructions, see Downloading the Junos XML Protocol Perl Client and Prerequisites Package.

    • If the application does not use the Junos XML protocol Perl module, obtain the SSH software and install it on the computer where the application runs. For information about obtaining and installing SSH software, see http://www.ssh.com/ and http://www.openssh.com/ .

  3. (Optional) Manually install the device's public key for use with the SSH connection.

  4. Configure the client system to receive and process initialization broadcast requests. The intialization requests use the following syntax:

    • If the secret attribute is configured, the device running Junos OS will send its public SSH key along with the intialization sequence (recommended method). When the key has been received, the client needs to determine what to do with the device’s public key. We recommend that you replace any current public SSH key for the device with the new key. This ensures that the client always has the current key available for authentication.

    • If the secret attribute is not configured, the device does not send its public SSH key along with the initialization sequence. You need to manually install the current public SSH key for the device.

Prerequisites for SSL Connections

To enable a client application to use the SSL protocol to connect to the Junos XML protocol server, perform the following steps:

  1. Enable the application to access the SSL software.

    If the application uses the Junos XML protocol Perl module provided by Juniper Networks, no action is necessary. As part of the installation procedure for the Perl module, you install a prerequisites package that includes the necessary SSL software. For instructions, see Downloading the Junos XML Protocol Perl Client and Prerequisites Package.

    If the application does not use the Junos XML protocol Perl module, obtain the SSL software and install it on the computer where the application runs. For information about obtaining and installing the SSL software, see http://www.openssl.org.

  2. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  3. Use one of the following two methods to obtain an authentication certificate in privacy-enhanced mail (PEM) format:
    • Request a certificate from a certificate authority; these agencies usually charge a fee.

    • Working on the computer where the client application runs, issue the following openssl command in a standard command shell (not the Junos OS CLI). The command generates a self-signed certificate and an unencrypted 1024-bit RSA private key, and writes them to the file called certificate-file.pem in the working directory. The command appears here on two lines only for legibility:

  4. Import the certificate onto the device running Junos OS by including the local statement at the [edit security certificates] hierarchy level and the load-key-file statement at the [edit security certificates local certificate-name] hierarchy level.

    certificate-name is a name you choose to identify the certificate uniquely (for example, junos-xml-protocol-ssl-client-hostname, where hostname is the computer where the client application runs).

    URL-or-path specifies the file that contains the paired certificate and private key (if you issued the openssl command in Step 3, the certificate-name.pem file). Specify either the URL to its location on the client computer or a pathname on the local disk (if you have already used another method to copy the certificate file to the device’s local disk). For more information about specifying URLs and pathnames, see the CLI User Guide.

    Note:

    The CLI expects the private key in the URL-or-path file to be unencrypted. If the key is encrypted, the CLI prompts you for the passphrase associated with it, decrypts it, and stores the unencrypted version.

    The set-load-key-file URL-or-path command copies the contents of the certificate file into the configuration. When you view the configuration, the CLI displays the string of characters that constitute the private key and certificate, marking them as SECRET-DATA. The load-key-file keyword is not recorded in the configuration.

  5. Configure the device running Junos OS to accept SSL connections from Junos XML protocol client applications on port 3220 by including the xnm-ssl statement at the [edit system services] hierarchy level.

    certificate-name is the unique name you assigned to the certificate in Step 4.

    By default, the Junos XML protocol server supports up to 75 simultaneous SSL sessions and 150 connection attempts per minute. Optionally, you can include either or both the connection-limit statement to limit the number of concurrent sessions and the rate-limit statement to limit connection attempts. Both statements accept a value from 1 through 250.

    For more information about the xnm-ssl statement, see the Junos OS User Access and Authentication User Guide for Routing Devices .

  6. Commit the configuration:
  7. Repeat Step 1 on each computer where the client application runs, and Step 2 through Step 6 on each device to which the client application connects.

Prerequisites for Telnet Connections

To enable a client application to use the Telnet protocol to access the Junos XML protocol server, perform the steps described in this section.

Devices running the Junos-FIPS software do not accept Telnet connections. We recommend that you do not use the Telnet protocol in a Common Criteria environment. For more information, see the Secure Configuration Guide for Common Criteria and Junos-FIPS.

  1. Verify that the application can access the Telnet software. On most operating systems, Telnet is accessible in the standard distribution.
  2. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
  3. Configure the device running Junos OS to accept Telnet connections by including the telnet statement at the [edit system services] hierarchy level. This statement enables Telnet access for all users and applications, not just Junos XML protocol client applications.
  4. Repeat Step 1 on each computer where the application runs, and Step 2 and Step 3 on each device to which the application connects.