[SRX] Could not set the master password on SRX Chassis Cluster

  [KB32014]


Summary:

Starting with Junos OS Release 15.1X49-D50, new CLI commands were introduced to configure a system master password and to request decryption of an encrypted secret. This article explains why some users cannot set the master password on an SRX Chassis Cluster.

Symptoms:
See the 'User Access and Authentication' section under Release 15.1X49-D50 Software Features in the Junos 15.1X49-D50 Release Notes.

User Access and Authentication

Harden Shared Secrets in Junos OS—Starting with Junos OS Release 15.X49-D50, new CLI commands are introduced to configure a system master password and request to decrypt an encrypted secret, allowing for hardening of shared secrets, such as pre-shared keys and RADIUS passwords. Having a master password allows devices to encrypt passwords in such a way that only devices running Junos OS that have knowledge of the master password can decrypt the encrypted passwords. The following new CLI commands are available:


>request system decrypt password
>set system master-password

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/15.1x49-d50/junos-release-notes-15.1X49-D50.pdf

However, some customers report that the command cannot be configured on an SRX Chassis Cluster.

{primary:node0}[edit]
root@SRX1500-1# run show version
node0:
--------------------------------------------------------------------------
Hostname: SRX1500-1
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]

node1:
--------------------------------------------------------------------------
Hostname: SRX1500-2
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]

{primary:node0}[edit]
root@SRX1500-1# set system master-password ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  iteration-count      Define PBKDF2 iteration count (10..10000)
  pseudorandom-function  Define PBKDF2 PRF

{primary:node0}[edit]
root@SRX1500-1# set system master-password plain-text-password
                                                    ^
syntax error.

{primary:node0}[edit]
root@SRX1500-1# 

 

Solution:

This behavior is by design. It is necessary to set the master-password before creating a chassis cluster.

Chassis Cluster Considerations

When defining a chassis cluster on SRX Series devices, be aware of the following restrictions:

  • For SRX Series devices, first configure the master password on each node, and then build the cluster. The same master password should be configured on each node.
  • In chassis cluster mode, the master password cannot be deleted.

Note: A change in the master password would mean disruption in chassis clustering; therefore you must change the password on both nodes independently.
 

[edit]
root@SRX-1500# run show version 
Hostname: SRX-1500
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]

[edit]
root@SRX-1500# set system master-password ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  iteration-count      Define PBKDF2 iteration count (10..10000)
  plain-text-password  Prompt for plain text password
  pseudorandom-function  Define PBKDF2 PRF

[edit]
root@SRX-1500# set system master-password plain-text-password    
Master password: 
Repeat master password: 

[edit]
root@SRX-1500# commit 
commit complete

[edit]
root@SRX-1500# ... cluster-id 1 node 0 reboot                      
Successfully enabled chassis cluster. Going to reboot now.

{primary:node0}
root@SRX-1500> show configuration system master-password 
password-configured;
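
An added example (not part of the original article, and not Juniper code): a small Python check that reads captured CLI output from each node and applies the ordering rule above before the cluster is enabled. The hostnames and sample sessions are constructed; the parsing assumes the cluster prompt banner and the `password-configured;` line appear as they do in the article's transcripts.

```python
import re

# Cluster-mode prompts carry a banner such as {primary:node0}; standalone prompts do not.
CLUSTER_BANNER = re.compile(r"^\{(\w+):(node\d+)\}", re.MULTILINE)
# Line shown by "show configuration system master-password" once a password is set.
CONFIGURED = re.compile(r"^\s*password-configured;\s*$", re.MULTILINE)


def audit_node(transcript):
    """Classify one node's captured CLI session against the article's ordering rule."""
    clustered = CLUSTER_BANNER.search(transcript) is not None
    configured = CONFIGURED.search(transcript) is not None
    if configured:
        finding = "OK: master password configured"
    elif clustered:
        # The article's failure case: plain-text-password is not offered in cluster mode.
        finding = "BLOCKED: node is clustered without a master password"
    else:
        finding = "TODO: set the master password before enabling the cluster"
    return {"clustered": clustered, "configured": configured, "finding": finding}


def ready_to_cluster(transcripts):
    """True only if every node is still standalone and already has a master password.

    The CLI output cannot prove that both nodes share the SAME master password;
    that has to be verified out of band by the operator.
    """
    results = [audit_node(t) for t in transcripts.values()]
    return bool(results) and all(r["configured"] and not r["clustered"] for r in results)


# Constructed sample sessions (hypothetical hostnames), modelled on the article's output.
SAMPLES = {
    "node-a": "root@SRX-A> show configuration system master-password\npassword-configured;\n",
    "node-b": "root@SRX-B> show configuration system master-password\n\n",
    "node-c": "{primary:node0}\nroot@SRX-C> show configuration system master-password\n\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", audit_node(text)["finding"])
    pair = {k: SAMPLES[k] for k in ("node-a", "node-b")}
    print("ready to build cluster:", ready_to_cluster(pair))
```
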