Junos Pulse Secure Access Service
SA Series 4500, 6500, and FIPS Appliances
Release 7.2
Published: 2012-05-15
Copyright © 2012, Juniper Networks, Inc.

Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

Copyright © 2012, Juniper Networks, Inc. All rights reserved. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc.
Table of Contents

• About the Documentation on page vii
  • Documentation and Release Notes on page vii
  • Supported Platforms on page vii
  • Documentation Conventions on page vii
  • Documentation Feedback on page ix

• Chapter 8 Keystores on page 31
  • Initializing a Keystore on page 31
  • Reinitializing the Keystore on page 31
  • Binary Importing and Exporting of the Keystore on page 32

List of Tables

• About the Documentation on page vii
  • Table 1: Notice Icons on page viii
  • Table 2: Text and Syntax Conventions on page viii
• Part 2 Planning
  • Chapter 4 Name and Password Restrictions
About the Documentation

• Documentation and Release Notes on page vii
• Supported Platforms on page vii
• Documentation Conventions on page vii
• Documentation Feedback on page ix
• Requesting Technical Support on page ix

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.
Table 1: Notice Icons

Meaning: Description
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.

Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions (continued)

Convention: Description (Examples)
| (pipe symbol): Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. (Example: broadcast | multicast)
# (pound sign): Indicates a comment specified on the same line as the configuration statement to which it applies.
... or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
PART 1 Overview

• Appliances on page 3
• FIPS on page 7
CHAPTER 1 Appliances

• SA4500 and SA6500 on page 3

SA4500 and SA6500

The SA4500 and SA6500 (SA 4500/6500) are next-generation appliances with a number of notable hardware features.

Standard Hardware

The SA 4500/6500 chassis features the following hardware components:

• Console port—You use the console port to initially set up the SA 4500/6500 before you fully integrate it as the secure gateway to your internal network.
Bonding ports cannot span separate networks (multi-homed).

• Management port—The SA6500’s management port:
  • Enables seamless integration into a dedicated management network.
  • Provides continuously available management access to the Secure Access Service.
  • Enables you to perform management activities without impacting user traffic.
• Power supplies—The SA6500 ships with one AC power supply installed in the back of the chassis. You can add an optional second power supply to support redundancy and load-sharing features.
CHAPTER 2 FIPS

• SA FIPS on page 7
• SA FIPS Execution on page 8
• FIPS Overview on page 9

SA FIPS

FIPS, or Federal Information Processing Standards, are National Institute of Standards and Technology regulations for handling keys and encrypting data. Juniper Networks SA FIPS is a standard SA4000 or SA6000 NetScreen Instant Virtual Extranet equipped with a FIPS-certified cryptographic module.
SA FIPS Execution

When you first install a FIPS system, the Secure Access Service serial console walks you through the process of creating a security world.
Related Documentation
• SA FIPS on page 7
• Creating Administrator Cards on page 57
• Creating a New Security World on page 17
• Recovering an Archived Security World on page 20

FIPS Overview

The Juniper Networks SA 4500 and 6500 FIPS is a standard SA4500 or SA6500 appliance equipped with a FIPS-compliant crypto card. The tamper-proof hardware security module installed on a Secure Access FIPS system is certified to meet the FIPS 140-2 level 3 security benchmark.
• Joining a Cluster on page 27
• Importing Device Certificates on page 35
• Changing the Security Officer Password on page 53
• Changing the Web User Password on page 54
• Resetting the HSM Card In Case Of An Error on page 61
• Upgrading the HSM Firmware on page 55
• Binary Importing and Exporting of the Keystore on page 32
PART 2 Planning

• Network Preparation on page 13
• Name and Password Restrictions on page 15
• Security World on page 17
CHAPTER 3 Network Preparation

• Secure Access Appliances on page 13

Secure Access Appliances

Thank you for choosing the Juniper Networks Secure Access Series appliance. You can install Secure Access and start configuring your system using the following easy steps:

1. Install the hardware
2. Perform basic setup
3.
CHAPTER 4 Name and Password Restrictions

• Name and Password Restrictions on page 15

Name and Password Restrictions

Security officer names and usernames must adhere to the following requirements:

Table 3: Security Officer Name and Username Requirements

Requirement: Description
Minimum length: At least one character
Maximum length: 63 characters
Valid characters: Alphanumeric, underscore (_), dash (-) and period (.)
CHAPTER 5 Security World

• Creating a New Security World on page 17
• Recovering an Archived Security World on page 20

Creating a New Security World

You cannot begin using a Secure Access FIPS machine until you create a security world on it. However, in some cases you may need to overwrite that security world with a new one.
To create a new security world on a stand-alone Secure Access:

1. Insert an unformatted smart card, or an administrator card containing data that you can safely overwrite, into the card slot with the card contacts facing up.
2. Set the mode switch on the cryptographic module to I (initialization mode).
3. Access the Secure Access serial console and reboot the Secure Access device.
4. Return to the node’s System > Clustering > Status tab, select the checkbox next to disabled nodes in the Cluster Members column, and then click Enable.
5. Wait for all the cluster members to go into an "Enabled" state.
6. Set the mode switch on the cryptographic modules of the cluster members that were earlier disabled to I (initialization mode).
7. Reboot each of these nodes from the serial console.
8.
To replace all administrator cards or to create a larger number of cards for a security world:

1. Create a new security world.
2. Choose Replace Administrator Card Set from the list of configuration tasks.
3. Enter the pass phrase for the security world.
4. When prompted, insert an unformatted smart card, or an administrator card whose data you can safely overwrite, into the smart card reader with the contacts facing up.
5.
To import an existing security world into a stand-alone Secure Access device:

1. Import the system configuration file that contains the archived security world and its corresponding certificate into the Secure Access device, and then initialize the security world if necessary. If the configuration file contains an archive of:
  • The same security world that was already present on the machine, no further configuration is required.
7. Reboot each of these nodes from the serial console.
8. After a node joins the security world, reset its cryptographic module's mode switch to O (operational mode).

Related Documentation
• Creating a New Security World on page 17
PART 3 Installation

• Hardware on page 25
• Clusters on page 27
• Keystores on page 31
• Device Certificates on page 35
• Initial Configuration on page 37
CHAPTER 6 Hardware

• Installing Secure Access Appliance Hardware on page 25

Installing Secure Access Appliance Hardware

The Secure Access 2500, 4500 and 6500 ship with mounting ears and mid-mounts. The Secure Access 6500 includes rear mounting rails for use in a four-post mounting rack. We recommend you use the rear mounting rails when installing the Secure Access 6500 in a rack. If you require an additional mounting kit, contact Juniper Networks.
... capabilities by automatically shifting traffic to the secondary port when the primary port fails. The SA 6500 appliance bonds ports as follows:

• Internal port = Port 0 + Port 1
• External port = Port 2 + Port 3

Secure Access indicates in a message on the System > Network > Overview page whether or not the failover functionality is enabled.
CHAPTER 7 Clusters

• Joining a Cluster on page 27
• Deploying a Cluster in a Secure Access FIPS Environment on page 28

Joining a Cluster

Joining a cluster involves using both the admin console and the serial console. To join a cluster:

1. If you have not already done so, define and initialize a cluster. If you are currently running stand-alone appliances that you want to cluster, we recommend that before you create a cluster, you first configure system and user settings on one machine.
Related Documentation
• FIPS Overview on page 9

Deploying a Cluster in a Secure Access FIPS Environment

In addition to sharing state, user profile, user session, and monitoring state data, the members of a Secure Access FIPS cluster also share security world data. All cluster members share the same private key and are accessible using the same administrator cards.
To initialize a FIPS cluster member’s security world via the serial console:

1. Insert an administrator card that is pre-initialized with the active cluster member’s security world into the smart card slot with the contacts facing up.

NOTE: If you have already performed the procedures required to configure the FIPS appliance, as described in the Quick Start Guide, you might be able to skip this step.

2.
Related Documentation
• Using the Serial Console
CHAPTER 8 Keystores

• Initializing a Keystore on page 31
• Reinitializing the Keystore on page 31
• Binary Importing and Exporting of the Keystore on page 32

Initializing a Keystore

When the FIPS appliance is powered on from a factory reset or when its configuration is reset, the serial console requires the initialization of a keystore and a self-signed device certificate.
To reinitialize the keystore from a stand-alone node:

1. Reboot the stand-alone node. During the boot process, you are prompted to reinitialize the keystore.
2. Press y to delete the current keystore and server certificates.

NOTE: If you do not press y within 10 seconds, the appliance proceeds to boot normally.

To reinitialize the keystore from a cluster:

1. Reboot a node within the cluster.
NOTE: If you reboot the FIPS appliance without performing the serial console step above, you are prompted to import the keystore during the boot process. Enter y to import the keystore. If you do not enter y within five seconds, the FIPS appliance continues to boot normally. If this occurs, perform the serial console step after the FIPS appliance completes its boot process.
CHAPTER 9 Device Certificates

• Importing Device Certificates on page 35

Importing Device Certificates

To import a device certificate, generate a CSR from the appliance and then import the corresponding certificate after a CA has validated and issued it. Each CSR generates a new RSA key pair.

NOTE: A device certificate cannot be imported unless it was issued for a CSR generated by the appliance.
CHAPTER 10 Initial Configuration

• Basic Setup for Secure Access Appliances on page 37
• Licensing and Configuring Your Secure Access on page 39

Basic Setup for Secure Access Appliances

When you boot an unconfigured Secure Access appliance, you need to enter basic network and machine information through the serial console to make the appliance accessible to the network. After entering these settings, you can continue configuring the appliance through the administrator Web console.
• Secondary DNS server address (optional)
• Default DNS domain name (for example, acmegizmo.com)
• WINS server name or address (optional)
• Administrator username
• Administrator password
• Common machine name (for example, connect.acmegizmo.com)
• Organization name (for example, Acme Gizmo, Inc.)
6. In a browser, enter the machine’s URL followed by “/admin” to access the administrator sign-in page. The URL is in the format https://a.b.c.d/admin, where a.b.c.d is the machine IP address you entered in step 4. When prompted with the security alert to proceed without a signed certificate (the appliance presents its self-signed device certificate until you import a CA-issued one), click Yes. When the administrator sign-in page appears, you have successfully connected your Secure Access appliance to the network.
7.
PART 4 Maintenance

• Hardware Replacement on page 43
• LED Behavior on page 49
• Passwords on page 53
• HSM Firmware on page 55
• Administrator Cards on page 57
CHAPTER 11 Hardware Replacement

• Replacing the Cooling Fans on page 43
• Replacing a Hard Drive on page 44
• Replacing IOC Modules on page 44
• Replacing a Power Supply on page 46

Replacing the Cooling Fans

The SA 6500 ships with two cooling fans installed in the back of the chassis. If you need to replace one of the cooling fans, you can “hot-swap” the faulty fan for a replacement during operation in a matter of moments.
• Replacing IOC Modules on page 44
• Replacing a Power Supply on page 46

Replacing a Hard Drive

The SA 6500 ships with two standard hard drives to offer component redundancy and help minimize downtime. The second (redundant) hard disk maintains an exact copy of the software image and configuration information on the working hard disk. Therefore, if the working hard disk fails, the redundant hard disk immediately assumes responsibility for all operations.
CAUTION: Power off the device before removing or installing IOMs. IOMs are not hot-swappable.

Removing a Blank IOM Faceplate

To maintain proper airflow through the device, leave blank faceplates in place over slots that do not contain IOMs. Do not remove a blank faceplate unless you are installing an IOM in the empty slot.

To remove a blank faceplate:

1. Unplug the power cord.
2. Loosen the thumbscrews on each side of the faceplate.
3.
Related Documentation
• SA4500 and SA6500 on page 3
• Replacing a Hard Drive on page 44
• Replacing a Power Supply on page 46

Replacing a Power Supply

Removing and Installing an AC Power Supply

The Juniper Networks appliance ships with one AC power supply installed in the back of the chassis. You can add an optional second power supply to support redundancy and load-sharing features.
Related Documentation
• SA4500 and SA6500 on page 3
• Replacing the Cooling Fans on page 43
• Replacing a Hard Drive on page 44
• Replacing IOC Modules on page 44
CHAPTER 12 LED Behavior

• Device Status LED Behavior on page 49
• Ethernet Port LED Behavior on page 50
• FIPS Device Status LED Behavior on page 51

Device Status LED Behavior

Startup takes approximately one minute to complete. If you want to turn the device off and on again, we recommend you wait a few seconds between shutting it down and powering it back up.
Table 5: Device Status LEDs (continued)

Name / Color / State: Description
Solid: Thermal failure

Related Documentation
• SA4500 and SA6500 on page 3
• Ethernet Port LED Behavior on page 50
• Replacing the Cooling Fans on page 43
• Replacing a Hard Drive on page 44
• Replacing IOC Modules on page 44
• Replacing a Power Supply on page 46

Ethernet Port LED Behavior

The Ethernet port LEDs show the status of each Ethernet port.
FIPS Device Status LED Behavior

There are three device status LEDs located on the FIPS card:

• S (Status)
• F (FIPS)
• I (INIT)

Table 7: Status LED

LED, Color and State: Description
STATUS, Off: Bootstrap firmware is executing
STATUS, Blinking green: IDLE, OPERATIONAL, or FAILSAFE state
STATUS, Green: POST or DISABLED state (driver not attached)
STATUS, Blinking red: Error occurred during boot process
STATUS, Red: HALTED (fatal error) state, or a low-level hardware initialization failure occurred
CHAPTER 13 Passwords

• Changing the Security Officer Password on page 53
• Changing the Web User Password on page 54

Changing the Security Officer Password

Occasionally you may want to change the security officer password. In a cluster, you can perform this operation from any node; the new security officer password is propagated to the other nodes automatically.

NOTE: Changing the security officer password restarts the web server.

To change the security officer password:

1.
Changing the Web User Password

The web username and password are used to securely store the RSA private keys in the HSM’s encrypted database. These credentials are used by the Secure Access Service processes to carry out RSA operations. The keys will never be available for use outside the HSM. You can later change the web password but not the web username. In a cluster, you can perform this operation from any node.
CHAPTER 14 HSM Firmware

• Upgrading the HSM Firmware on page 55

Upgrading the HSM Firmware

Some system software upgrades may also require firmware updates. Typically, firmware upgrades occur during the boot process. After the system software updates, the serial console prompts you for the keystore restore password before upgrading the HSM’s firmware. If you do not remember the password, you have the option of upgrading the firmware at a later date using the serial console.
CHAPTER 15 Administrator Cards

• Creating Administrator Cards on page 57

Creating Administrator Cards

When you receive your Secure Access FIPS product, you receive 6 smart cards as part of the package. A smart card is a removable key device that you must use in order to gain access to some of the critical data and processes controlled by the cryptographic module. Secure Access FIPS first requires you to use one of your smart cards while initializing the cryptographic module through the serial console.
• Create multiple administrator cards—You cannot replace an administrator card unless you have another valid card and the pass phrase for that card; the cryptographic module does not store administrator card recovery data. Therefore, we strongly recommend that you create at least one administrator card for standard administrative operations and another for backup purposes.
PART 5 Troubleshooting

• HSM Card on page 61
CHAPTER 16 HSM Card

• Resetting the HSM Card In Case Of An Error on page 61

Resetting the HSM Card In Case Of An Error

If the FIPS card LEDs indicate an error or fault, try resetting the HSM card before rebooting your appliance.

To reset the HSM card:

1. Connect to the serial console of the FIPS appliance you want to reset.
2. Enter 9 to select FIPS Option.
3. Enter 5 to select Reset the HSM.
4. Observe the LEDs on the FIPS card. If they do not eventually turn green, reboot your appliance.