Onboard Session Smart Routers using Secure Conductor Onboarding

Onboard a Session Smart Router to the conductor securely and automatically using Secure Conductor Onboarding in Mist.

You can onboard a Session Smart Router (SSR) to a Session Smart Conductor securely and automatically using Secure Conductor Onboarding (SCO). The router's identity is rooted in a Trusted Platform Module (TPM). For a virtual SSR (vSSR), you obtain the router's Endorsement Key (EK), which is read from the TPM, and configure it on the conductor ahead of time; during the SCO exchange the router presents its EK to the conductor, which matches it against the EK you configured. For SSR400 and SSR440 devices, the embedded device ID certificate is used instead of a manually supplied EK. The device is onboarded only if each party proves possession of its private key and the connection is trusted and authenticated; in other words, SCO uses the TPM detected on the platform for mutual authentication between router and conductor.

Note: To use Secure Conductor Onboarding, both the router and the conductor must be on version 7.1.3 or later of Session Smart software.

This feature is supported only on SSR400 and SSR440 series hardware, and on virtual appliances that provide TPM 2.0 support, such as AWS and Azure instances with vTPM enabled.

Secure Conductor Onboarding relies on the following components:

  • A Session Smart Conductor.

  • An SSR deployed with a TPM: either the virtual TPM offered by a public cloud such as AWS, or the TPM that comes standard on SSR400 and SSR440 devices.

  • A secure onboarding token generated by the Conductor.

  • A WebSocket-based secure channel over ports 930 and 933 (the TLS session established over port 930 ensures that the client and server can trust one another).

To use Secure Conductor Onboarding to onboard your Session Smart Routers:

  1. Configure Secure Conductor Onboarding on the Session Smart Conductor. See Secure Conductor Onboarding.
  2. Onboard the SSR device to Mist, but do not assign the device to a site yet. For detailed onboarding instructions, go to the Juniper Mist Supported Hardware page, and see the Quick Start Guide for your device.
  3. From the Mist API, obtain an endorsement key (a device ID token) for the SSR. The request must include the SSR's MAC address:
    1. First, insert the org ID into the API URL in the browser. The URL looks like this:

      https://{api-host}/api/v1/orgs/c1947558-268d-4d31-xxxx-xxxxxxxxxxxx/ssr/export_idtokens

    2. Next, obtain the device's MAC address from the Mist portal so that you can include the MAC address in the request. Navigate to Organization > Inventory > WAN Edges > Properties and copy the MAC address from there.
    3. Return to the Mist API and enter the following JSON text in the Content input box for the intended SSR, including the MAC address you just obtained:
    4. Click POST to obtain the token. The response contains the endorsement key (device ID token), as shown below:

      To better understand how to use the Mist API, see Use the Django Web Interface to Make API Changes.

  4. On the conductor (via the API, the SSR PCLI, or the SSR GUI), configure the router details (the router ID and the endorsement key), then generate a secure onboarding token. You will configure this token in Mist in the next step. See Basic Configuration.
  5. Back on the Mist portal, from the left menu, navigate to Organization > Site Configuration. In the Session Smart Conductor section under WAN Edges, configure the conductor’s public IP address and the Onboarding Token.

    Note: The Session Smart Conductor Address and Onboarding Token can be configured at both the organization and site level. Site-level configuration takes priority.
  6. Click Save in the upper right corner.
  7. Assign the SSR to the site (the site you configured the conductor Address and Onboarding Token on in step 5). This triggers the secure onboarding workflow between router and conductor. See Assign Sites.
  8. Verify the onboarding status using the following commands on the conductor PCLI:
    Request:

    Response (you should see Auth State: completed if successful):
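The script below is an added example for step 3 and is not Juniper's or Mist's code. It builds the POST to the export_idtokens endpoint for one or more MAC addresses, validates the org ID and MAC formats before sending, and refuses a response that is missing a requested MAC or returns a MAC you did not ask for, so that a device ID token is never paired with the wrong router ID when you configure the conductor in step 4. Only the endpoint path, the org ID and the MAC input come from the procedure above; the Mist "Authorization: Token" header, the request body shape {"macs": [...]}, the response shape (a JSON object mapping each MAC to its token), the separator-free lowercase MAC form, and the default host api.mist.com are assumptions to check against what the API browser shows you.

```python
"""Obtain SSR endorsement keys (device ID tokens) from the Mist API (step 3).

Added example, not Juniper's or Mist's code. Assumptions (verify against the
API browser): Mist API token auth via "Authorization: Token ...", a request
body {"macs": ["<mac>", ...]}, and a JSON object response mapping each MAC
to its device ID token. MACs are sent as 12 lowercase hex digits.
"""
import json
import os
import re
import sys
import urllib.request
from typing import Callable, Dict, List

Transport = Callable[[urllib.request.Request], bytes]

UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
MAC_RE = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits (the form Mist uses; assumption)."""
    cleaned = re.sub(r"[:\-. ]", "", mac).lower()
    if not MAC_RE.fullmatch(cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return cleaned


def build_request(api_host: str, org_id: str, api_token: str,
                  macs: List[str]) -> urllib.request.Request:
    """Build POST https://{api_host}/api/v1/orgs/{org_id}/ssr/export_idtokens."""
    if not UUID_RE.fullmatch(org_id.lower()):
        raise ValueError(f"org ID is not a UUID: {org_id!r}")
    url = f"https://{api_host}/api/v1/orgs/{org_id}/ssr/export_idtokens"
    body = json.dumps({"macs": [normalize_mac(m) for m in macs]}).encode()  # body shape: assumption
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Token {api_token}",  # Mist API token auth: assumption
                 "Content-Type": "application/json",
                 "Accept": "application/json"})


def parse_id_tokens(raw: bytes, requested_macs: List[str]) -> Dict[str, str]:
    """Map each requested MAC to its token, refusing partial or mismatched answers.

    Each token is later bound to a router ID on the conductor, so a requested
    MAC without a token, or a token for a MAC you did not request, is an error.
    """
    data = json.loads(raw.decode())
    if not isinstance(data, dict):  # response shape: assumption
        raise ValueError("unexpected response shape (expected a JSON object)")
    returned = {normalize_mac(k): v for k, v in data.items() if isinstance(v, str) and v}
    wanted = [normalize_mac(m) for m in requested_macs]
    missing = [m for m in wanted if m not in returned]
    unexpected = sorted(set(returned) - set(wanted))
    if missing or unexpected:
        raise LookupError(f"missing tokens for {missing}, unexpected tokens for {unexpected}")
    return {m: returned[m] for m in wanted}


def _https_send(req: urllib.request.Request) -> bytes:
    """Default transport: plain HTTPS with the system trust store."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def fetch_id_tokens(api_host: str, org_id: str, api_token: str, macs: List[str],
                    transport: Transport = _https_send) -> Dict[str, str]:
    """Request and validate device ID tokens; `transport` is injectable for offline tests."""
    return parse_id_tokens(transport(build_request(api_host, org_id, api_token, macs)), macs)


if __name__ == "__main__":
    # Usage: MIST_ORG_ID=... MIST_API_TOKEN=... python export_idtokens.py 5c:5b:35:00:00:01
    host = os.environ.get("MIST_API_HOST", "api.mist.com")  # default host: assumption
    tokens = fetch_id_tokens(host, os.environ["MIST_ORG_ID"],
                             os.environ["MIST_API_TOKEN"], sys.argv[1:])
    for mac, token in tokens.items():
        print(f"{mac} {token}")
```

Pass the API token through the environment rather than on the command line so it does not land in shell history or process listings. The value printed for each MAC is the endorsement key you configure against that router's ID on the conductor in step 4; the MAC cross-check in parse_id_tokens is what keeps a token from being attached to the wrong router.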