Starting with Junos OS Release 15.1X49-D50, new CLI commands were introduced to configure a system master password and to request decryption of an encrypted secret. This article explains why some users cannot set the master password on an SRX chassis cluster.
See the 'User Access and Authentication' section of the Release 15.1X49-D50 Software Features in the Junos 15.1X49-D50 Release Notes:
User Access and Authentication
Harden Shared Secrets in Junos OS—Starting with Junos OS Release 15.1X49-D50, new CLI commands are introduced to configure a system master password and request to decrypt an encrypted secret, allowing for hardening of shared secrets, such as pre-shared keys and RADIUS passwords. Having a master password allows devices to encrypt passwords in such a way that only devices running Junos OS that have knowledge of the master password can decrypt the encrypted passwords. The following new CLI commands are available:
>request system decrypt password
>set system master-password
https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/15.1x49-d50/junos-release-notes-15.1X49-D50.pdf
However, some customers report that the command cannot be configured on an SRX chassis cluster: the plain-text-password option is missing from the completions, and entering it returns a syntax error.
{primary:node0}[edit]
root@SRX1500-1# run show version
node0:
--------------------------------------------------------------------------
Hostname: SRX1500-1
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]
node1:
--------------------------------------------------------------------------
Hostname: SRX1500-2
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]
{primary:node0}[edit]
root@SRX1500-1# set system master-password ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
iteration-count Define PBKDF2 iteration count (10..10000)
pseudorandom-function Define PBKDF2 PRF
{primary:node0}[edit]
root@SRX1500-1# set system master-password plain-text-password
^
syntax error.
{primary:node0}[edit]
root@SRX1500-1#
This behavior is by design. It is necessary to set the master-password before creating a chassis cluster.
Chassis Cluster Considerations
When defining a chassis cluster on SRX Series devices, be aware of the following restrictions:
- For SRX Series devices, first configure the master password on each node, and then build the cluster. The same master password should be configured on each node.
- In chassis cluster mode, the master password cannot be deleted.
Note: A change in the master password would mean disruption in chassis clustering; therefore, you must change the password on both nodes independently.
[edit]
root@SRX-1500# run show version
Hostname: SRX-1500
Model: srx1500
Junos: 15.1X49-D80.4
JUNOS Software Release [15.1X49-D80.4]
[edit]
root@SRX-1500# set system master-password ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
iteration-count Define PBKDF2 iteration count (10..10000)
plain-text-password Prompt for plain text password
pseudorandom-function Define PBKDF2 PRF
[edit]
root@SRX-1500# set system master-password plain-text-password
Master password:
Repeat master password:
[edit]
root@SRX-1500# commit
commit complete
[edit]
root@SRX-1500# ... cluster-id 1 node 0 reboot
Successfully enabled chassis cluster. Going to reboot now.
{primary:node0}
root@SRX-1500> show configuration system master-password
password-configured;
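The chassis-cluster rule above (the same master password configured on each node, before the cluster is built) comes down to both nodes having to derive the same key from the master password. The following Python script is an added illustration, not Junos code: it assumes a generic PBKDF2 derivation driven by the iteration-count (10..10000) and pseudorandom-function knobs the CLI shows, with hypothetical PRF names, a constructed salt and a key-check value, since the real on-box algorithm and secret format are not documented on this page.

```python
import hashlib
import hmac

# Assumption: the CLI's iteration-count range (10..10000) applies to a
# PBKDF2 derivation; the PRF names below are hypothetical labels mapped
# onto hashlib digests, not the values Junos actually accepts.
ITERATION_RANGE = (10, 10000)
PRFS = {"hmac-sha1": "sha1", "hmac-sha256": "sha256", "hmac-sha512": "sha512"}


def derive_master_key(master_password, salt, iteration_count=10000,
                      pseudorandom_function="hmac-sha256"):
    """Derive a 256-bit key-wrapping key from the master password (assumed PBKDF2)."""
    low, high = ITERATION_RANGE
    if not low <= iteration_count <= high:
        raise ValueError(f"iteration-count must be within {low}..{high}")
    if pseudorandom_function not in PRFS:
        raise ValueError(f"unknown pseudorandom-function {pseudorandom_function!r}")
    return hashlib.pbkdf2_hmac(PRFS[pseudorandom_function],
                               master_password.encode("utf-8"),
                               salt, iteration_count, dklen=32)


def key_check_value(master_key):
    """Short, non-secret fingerprint of the key: an HMAC over a fixed label,
    so nodes can compare keys without disclosing the key itself."""
    return hmac.new(master_key, b"master-key-check", "sha256").hexdigest()[:16]


def nodes_agree(master_key_node0, master_key_node1):
    """True only when both nodes derived the same key, which requires the same
    master password, salt, iteration count and PRF on each node."""
    return hmac.compare_digest(key_check_value(master_key_node0),
                               key_check_value(master_key_node1))


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed sample value, not a Junos salt
    node0 = derive_master_key("correct horse", salt)
    node1 = derive_master_key("correct horse", salt)
    print("same password on both nodes:", nodes_agree(node0, node1))  # True
    # Changing the password on one node only breaks agreement, which is why
    # the page says a change must be applied on both nodes.
    node1_changed = derive_master_key("different", salt)
    print("password changed on one node:", nodes_agree(node0, node1_changed))  # False
```

A mismatch in iteration-count or pseudorandom-function between the nodes breaks agreement in exactly the same way as a different password, so those settings must match too.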