[WANDL] How to configure a valid certificate in WANDL

Article ID: KB32059, KB Last Updated: 08 Jul 2018, Version: 2.0

Summary:

WANDL supports HTTP and HTTPS for the Web GUI. To ensure your environment is secure, use an external certificate signed by a CA and upload it to WANDL.

Symptoms:

If a valid certificate is not used, the following message appears when opening the WANDL GUI using https:

"Your connection is not private
Attackers might be trying to steal your information from <FQDN> (for example, passwords, messages, or credit cards). NET:ERR_CERT_AUTHORITY_INVALID
This server could not prove that it is <FQDN> its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection."

Cause:

If a CA-signed certificate is not used, data will not be encrypted when it is sent over the network, which creates a serious security loophole.

Solution:

To upload the certificate in WANDL, perform the following steps:

  1. Ensure that you have a certificate and private key in PEM format. If the certificate is in a different format, such as PKCS12, it must be converted to PEM format.

  2. WANDL expects the certificate and the private key in separate files named cert.pem and key.pem. Create one file for each, and if the files have any other names, rename them to cert.pem and key.pem.

  3. The attached proxy.zip contains a proxy.js file. Replace /u/wandl/app/NodeJS/proxy.js with this file. Before replacing it, back up the original proxy.js using cp proxy.js proxy.js.bak.

  4. The certificate and key must be in X.509 encoding. Verify this encoding, then rename the key to key.pem and the certificate to cert.pem. Put these two files in /u/wandl/app/NodeJS/certs, replacing the original files. Before replacing cert.pem and key.pem, back up the existing files using cp cert.pem cert.pem.bak and cp key.pem key.pem.bak.

  5. Ensure that the ownership of proxy.js is wandl:staff.

  6. Restart proxy.js:
    /u/wandl/bin/proxy_server.sh stop
    /u/wandl/bin/proxy_server.sh start
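
Step 4 asks you to verify the files but does not show how. The script below is an added example, not part of the Juniper article or the attached patch: it checks that cert.pem and key.pem are separate PEM files, that the certificate has not expired, and that the key belongs to the certificate. The function names and bundle.p12 are this example's own; it assumes the openssl CLI is installed and that the key is unencrypted.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for cert.pem / key.pem (steps 1, 2 and 4).
# A PKCS12 file (bundle.p12 is a placeholder name) splits into the two files with:
#   openssl pkcs12 -in bundle.p12 -clcerts -nokeys -out cert.pem
#   openssl pkcs12 -in bundle.p12 -nocerts -nodes -out key.pem

# Classify a file by its PEM armor lines: certificate, private-key,
# encrypted-key, bundle (cert and key in one file) or unknown (e.g. DER, PKCS12).
pem_kind() {
  local f="$1" cert=0 key=0 enc=0
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null && cert=1
  grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" 2>/dev/null && key=1
  grep -Eq -- '-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED' "$f" 2>/dev/null && enc=1
  if [ "$cert" = 1 ] && [ $((key + enc)) -gt 0 ]; then echo bundle
  elif [ "$cert" = 1 ]; then echo certificate
  elif [ "$enc" = 1 ]; then echo encrypted-key
  elif [ "$key" = 1 ]; then echo private-key
  else echo unknown; fi
}

# True when the certificate and the private key carry the same public key.
# Comparing the PEM-encoded public keys works for RSA and EC keys alike.
pair_matches() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run every check; print one line per failure and return non-zero on any.
# Assumption: an unencrypted key is required (the article does not say otherwise).
preflight() {
  local cert="$1" key="$2" rc=0 kind
  kind=$(pem_kind "$cert")
  [ "$kind" = certificate ] || { echo "FAIL: $cert is '$kind', expected a PEM certificate"; rc=1; }
  kind=$(pem_kind "$key")
  [ "$kind" = private-key ] || { echo "FAIL: $key is '$kind', expected an unencrypted PEM key"; rc=1; }
  [ "$rc" = 0 ] || return 1
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo "FAIL: $cert is expired or unreadable"; rc=1; }
  pair_matches "$cert" "$key" || { echo "FAIL: $key does not belong to $cert"; rc=1; }
  [ "$rc" = 0 ] && echo "OK: $cert and $key are a usable pair"
  return "$rc"
}

# Usage: ./preflight.sh cert.pem key.pem (run before copying into the certs directory)
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run it against the new files before copying them into /u/wandl/app/NodeJS/certs, so a mismatched or expired pair is caught before the proxy is restarted.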


By default, this works with Internet Explorer. For Google Chrome and Mozilla Firefox, use the link below to import the certificate on the client machine:

https://support.globalsign.com/customer/portal/articles/1211541-install-client-digital-certificate---windows-using-chrome

Patch: /library/CUSTOMERSERVICE/GLOBAL_JTAC/MEHUL/proxy.zip
 

Note: This article is only applicable to WANDL 6.2.1 and 6.3.0.

 

Modification History:

07-08-2018: Added step 5 in the Solution.
