[SRX] Could not set the master password on SRX Chassis Cluster

Summary:

Starting with Junos OS Release 15.X49-D50, new CLI commands were introduced to configure a system master password and request to decrypt an encrypted secret. This article explains why some users cannot set the master password on an SRX Chassis Cluster.

Symptoms:

See the 'User Access and Authentication' of Release 15.1X49-D50 Software Features in Junos 15.1X49-D50 release Notes.

User Access and Authentication

Harden Shared Secrets in Junos OS—Starting with Junos OS Release 15.X49-D50, new CLI commands are introduced to configure a system master password and request to decrypt an encrypted secret, allowing for hardening of shared secrets, such as pre-shared keys and RADIUS passwords. Having a master password allows devices to encrypt passwords in such a way that only devices running Junos OS that have knowledge of the master password can decrypt the encrypted passwords. The following new CLI commands are available:
>request system decrypt password
>set system master-password

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/15.1x49-d50/junos-release-notes-15.1X49-D50.pdf

However, some customers report that the command can not be configured on SRX Chassis Cluster.

{primary:node0}[edit]
root@SRX1500-1# run show version
node0:
--------------------------------------------------------------------------
Hostname: SRX1500-1
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]

node1:
--------------------------------------------------------------------------
Hostname: SRX1500-2
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]

{primary:node0}[edit]
root@SRX1500-1# set system master-password ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  iteration-count      Define PBKDF2 iteration count (10..10000)
  pseudorandom-function  Define PBKDF2 PRF

{primary:node0}[edit]
root@SRX1500-1# set system master-password plain-text-password
                                                    ^
syntax error.

{primary:node0}[edit]
root@SRX1500-1#

Solution:

This behavior is by design. It is necessary to set the master-password before creating a chassis cluster.

Chassis Cluster Considerations

When defining a chassis cluster on SRX Series devices, be aware of the following restrictions:

For SRX Series devices, first configure the master password on each node, and then build the cluster. The same master password should be configured on each node.
In chassis cluster mode, the master password cannot be deleted.

Note: A change in the master password would mean disruption in chassis clustering; therefore you must change the password on both nodes independently.

[edit]
root@SRX-1500# run show version 
Hostname: SRX-1500
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]

[edit]
root@SRX-1500# set system master-password ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  iteration-count      Define PBKDF2 iteration count (10..10000)
  plain-text-password  Prompt for plain text password
  pseudorandom-function  Define PBKDF2 PRF

[edit]
root@SRX-1500# set system master-password plain-text-password    
Master password: 
Repeat master password: 

[edit]
root@SRX-1500# commit 
commit complete

[edit]
root@SRX-1500# ... cluster-id 1 node 0 reboot                      
Successfully enabled chassis cluster. Going to reboot now.

{primary:node0}
root@SRX-1500> show configuration system master-password 
password-configured;

Knowledge Base

User Access and Authentication

Chassis Cluster Considerations