
[SRX] Could not set the master password on SRX Chassis Cluster


Article ID: KB32014 KB Last Updated: 10 Aug 2017 Version: 1.0
Summary:

Starting with Junos OS Release 15.X49-D50, new CLI commands were introduced to configure a system master password and request to decrypt an encrypted secret. This article explains why some users cannot set the master password on an SRX Chassis Cluster.

Symptoms:
See the 'User Access and Authentication' section under Release 15.1X49-D50 Software Features in the Junos 15.1X49-D50 Release Notes.

User Access and Authentication

Harden Shared Secrets in Junos OS—Starting with Junos OS Release 15.X49-D50, new CLI commands are introduced to configure a system master password and request to decrypt an encrypted secret, allowing for hardening of shared secrets, such as pre-shared keys and RADIUS passwords. Having a master password allows devices to encrypt passwords in such a way that only devices running Junos OS that have knowledge of the master password can decrypt the encrypted passwords. The following new CLI commands are available:


>request system decrypt password
>set system master-password

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/15.1x49-d50/junos-release-notes-15.1X49-D50.pdf

However, some customers report that the command cannot be configured on an SRX Chassis Cluster.

{primary:node0}[edit]
root@SRX1500-1# run show version
node0:
--------------------------------------------------------------------------
Hostname: SRX1500-1
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]

node1:
--------------------------------------------------------------------------
Hostname: SRX1500-2
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]

{primary:node0}[edit]
root@SRX1500-1# set system master-password ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  iteration-count      Define PBKDF2 iteration count (10..10000)
  pseudorandom-function  Define PBKDF2 PRF

{primary:node0}[edit]
root@SRX1500-1# set system master-password plain-text-password
                                                    ^
syntax error.

{primary:node0}[edit]
root@SRX1500-1# 

 

Solution:

This behavior is by design. It is necessary to set the master-password before creating a chassis cluster.

Chassis Cluster Considerations

When defining a chassis cluster on SRX Series devices, be aware of the following restrictions:

  • For SRX Series devices, first configure the master password on each node, and then build the cluster. The same master password should be configured on each node.
  • In chassis cluster mode, the master password cannot be deleted.

Note: A change in the master password would mean disruption in chassis clustering; therefore you must change the password on both nodes independently.
 

[edit]
root@SRX-1500# run show version 
Hostname: SRX-1500
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]

[edit]
root@SRX-1500# set system master-password ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  iteration-count      Define PBKDF2 iteration count (10..10000)
  plain-text-password  Prompt for plain text password
  pseudorandom-function  Define PBKDF2 PRF

[edit]
root@SRX-1500# set system master-password plain-text-password    
Master password: 
Repeat master password: 

[edit]
root@SRX-1500# commit 
commit complete

[edit]
root@SRX-1500# ... cluster-id 1 node 0 reboot                      
Successfully enabled chassis cluster. Going to reboot now.

{primary:node0}
root@SRX-1500> show configuration system master-password 
password-configured;
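
An offline pre-build check for the restriction above, added here as an example and not Juniper's own tooling: it reads saved CLI captures from each node and reports any node where `show configuration system master-password` does not return `password-configured;`. The capture text, host names and function names are constructed for illustration.

```python
import re

CMD = "show configuration system master-password"
CLUSTER_BANNER = re.compile(r"^\{[a-z-]+:node\d\}", re.M)  # e.g. {primary:node0}
PROMPT = re.compile(r"^\S+@\S+[>#]")                       # e.g. root@SRX-1500>

# Constructed sample captures (not taken from a real device).
NODE_OK = "root@SRX-A> " + CMD + "\npassword-configured;\n\nroot@SRX-A>\n"
NODE_MISSING = "root@SRX-B> " + CMD + "\n\nroot@SRX-B>\n"
NODE_CLUSTERED = "{primary:node0}\nroot@SRX-C> " + CMD + "\n\n{primary:node0}\nroot@SRX-C>\n"

def master_password_set(capture: str) -> bool:
    """True if the output of CMD in this capture contains 'password-configured;'."""
    lines = capture.splitlines()
    for i, line in enumerate(lines):
        if PROMPT.match(line) and CMD in line:
            for out in lines[i + 1:]:
                if PROMPT.match(out):
                    break  # next prompt: end of this command's output
                if out.strip() == "password-configured;":
                    return True
    return False

def preflight(captures: dict) -> list:
    """Return one problem string per node that is not ready; empty list if all are."""
    problems = []
    for node, text in captures.items():
        if CMD not in text:
            problems.append(f"{node}: capture lacks '{CMD}'")
        elif master_password_set(text):
            continue
        elif CLUSTER_BANNER.search(text):
            # In cluster mode the CLI does not offer plain-text-password.
            problems.append(f"{node}: cluster mode without a master password "
                            "(plain-text-password is not offered here)")
        else:
            problems.append(f"{node}: master password not configured; "
                            "set it before enabling the cluster")
    return problems

if __name__ == "__main__":
    for p in preflight({"node0": NODE_OK, "node1": NODE_MISSING}):
        print(p)
```

The configuration shows only `password-configured;`, so this check cannot confirm that both nodes were given the same master password; that still has to be ensured when the password is entered.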
