
[ScreenOS] Setting up Secure Web Management (HTTPS access) on an interface


Article ID: KB4718
Last Updated: 26 Jun 2020
Version: 9.0
Summary:

This article describes how to set up Secure Web Management (HTTPS access) on an interface.

Web management via HTTP is convenient for the administrator, but the information is sent in clear text (including passwords): anyone with a protocol analyzer on the path can easily obtain the username and password. This creates the need for secure WebUI connections. Secure web management lets you manage your ScreenOS firewall via the WebUI over SSL, using an SSL certificate loaded on the device. This article assumes that you have already generated an SSL certificate through a Certificate Authority and loaded it onto your firewall.

Solution:

To set up secure web management on an interface, perform the following steps:

Step one: Open the WebUI. For more information, refer to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

Step two: From the ScreenOS options menu, click Configuration, select Admin, and click Management.

Step three: Select the SSL checkbox, and from the Certificate drop-down menu, choose your SSL certificate.

Note: Choose the strongest cipher available, as many of the older ciphers are no longer supported by current browsers.

Step four: Click Apply.

Step five: From the ScreenOS options menu, click Network, and then click Interfaces.

Step six: From the interface list, choose the interface on which you wish to enable secure web management, and click Edit.

Note: For this example, we chose to enable secure web management for the ethernet3 interface.

Step seven: From Management Services, click to select SSL.

Step eight: Click OK.

Step nine: Enter your management IP address into a browser to access the firewall via secure web management.
Note: To log into your firewall you must use HTTPS.

Using the CLI

If using the default certificate:

set ssl enable
set ssl encrypt 3des sha-1
set interface "ethernet0/0" manage ssl

If not using the default certificate:

set ssl enable
set ssl encrypt 3des sha-1
set ssl cert-hash 26BF63C4A8F00BECB13DE22843DD37E2027D039C  (Please see note below)
set interface "ethernet0/0" manage ssl

To get the certificate hash value, use the command 'get pki x509 cert <ID>' and locate the value on the 'subject name hash:' line (enter it as one string, without the spaces, as in the 'set ssl cert-hash' command above).

Example:

get pki x509 cert 160956424

-001 160956424 LOCAL CERT friendly name <8>
                           CN=self-signed,CN=abcd,CN=SSG520.,CN=dsa-key,CN=73877838,CN=
                           JN1117557ADA,CN=1.1.1.1,OU=netscreen,O=juniper,L=prestige,ST
                           =karnataka,
                           Expire on 06-01-2021 07:45(UTC time), Issued By:
                           CN=self-signed,CN=abcd,CN=SSG520.,CN=dsa-key,CN=73877838,CN=
                           JN1117557ADA,CN=1.1.1.1,OU=netscreen,O=juniper,L=prestige,ST
                           =karnataka,
Serial Number: <9b3f959ea06098698313af052c3c4c09>
subject alt name extension:
email(1): (kk@juniper.com)
fqdn(2): (SSG520.)
ipaddr(7): (1.1.1.1)
no renew
finger print (md5) <a4bfda0c 6478c8da 9357094b 4c1f19c5>
finger print (sha) <ef6b9548 f4fdf6af b06436c5 a0de4897 9f3429ac>
subject name hash: <7ca91e6c 86f5bd9c 34c032ba 11d61098 e4f7ca50>  (This is the cert-hash value)
use count: <1>
flag <00000000>


The certificate ID can be found using the following command:

get pki x509 list cert

Getting OTHER PKI OBJECT ...
IDX        ID num          X509 Certificate Subject Distinguish Name
================================================================================
0000   207093764      CA CERT friendly name <4>
                         OU=Class 3 Public Primary Certification Authority,O=VeriSign
                         , Inc.,C=US,
                         Expire on 08-01-2028 23:59(UTC time), Issued By:
                         OU=Class 3 Public Primary Certification Authority,O=VeriSign
                         , Inc.,C=US,

0001  160956424      LOCAL CERT friendly name <8>
                         CN=self-signed,CN=abcd,CN=SSG520.,CN=dsa-key,CN=73877838,CN=
                         JN1117557ADA,CN=1.1.1.1,OU=netscreen,O=juniper,L=prestige,ST
                         =karnataka,
                         Expire on 06-01-2021 07:45(UTC time), Issued By:
                         CN=self-signed,CN=abcd,CN=SSG520.,CN=dsa-key,CN=73877838,CN=
                         JN1117557ADA,CN=1.1.1.1,OU=netscreen,O=juniper,L=prestige,ST
                         =karnataka,
0002   207093766     CA CERT friendly name <6>
                         CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at http
                         s://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=V
                         eriSign, Inc.,C=US,
                         Expire on 01-18-2015 23:59(UTC time), Issued By:
                         OU=Class 3 Public Primary Certification Authority,O=VeriSign
                         , Inc.,C=US,
================================================================================

The "ID num" column is the certificate ID.
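The two lookups above (find the LOCAL cert's ID in 'get pki x509 list cert', then read its 'subject name hash' from 'get pki x509 cert <ID>' and turn it into the 'set ssl cert-hash' argument) are easy to get wrong by hand, because the hash is printed with spaces and the listing also contains CA certificates. The following Python helper, added here as an example and not part of the article or of ScreenOS, parses constructed samples of both outputs modelled on the listings above; the uppercase, space-free form of the hash follows the article's own 'set ssl cert-hash' example.

```python
import re

# Constructed sample, modelled on the article's "get pki x509 list cert" listing.
LIST_OUTPUT = """\
IDX        ID num          X509 Certificate Subject Distinguish Name
================================================================================
0000   207093764      CA CERT friendly name <4>
                         OU=Class 3 Public Primary Certification Authority,O=VeriSign
0001  160956424      LOCAL CERT friendly name <8>
                         CN=self-signed,CN=abcd,CN=SSG520.,CN=dsa-key,CN=73877838,CN=
0002   207093766     CA CERT friendly name <6>
================================================================================
"""

# Constructed sample, modelled on the article's "get pki x509 cert <ID>" output.
CERT_OUTPUT = """\
-001 160956424 LOCAL CERT friendly name <8>
finger print (sha) <ef6b9548 f4fdf6af b06436c5 a0de4897 9f3429ac>
subject name hash: <7ca91e6c 86f5bd9c 34c032ba 11d61098 e4f7ca50>
use count: <1>
"""

LIST_ROW = re.compile(r"^\s*(\d{4})\s+(\d+)\s+(LOCAL|CA) CERT", re.M)
SUBJECT_HASH = re.compile(r"^subject name hash:\s*<([0-9a-fA-F ]+)>", re.M)


def local_cert_ids(listing):
    """ID numbers of LOCAL (device) certificates only; CA certs are skipped
    because 'set ssl cert-hash' must name the firewall's own certificate."""
    return [int(idnum) for _, idnum, kind in LIST_ROW.findall(listing) if kind == "LOCAL"]


def cert_hash_from_detail(detail):
    """Extract 'subject name hash' and normalise it to the CLI form:
    40 hex digits run together, uppercase like the article's example."""
    m = SUBJECT_HASH.search(detail)
    if not m:
        raise ValueError("no 'subject name hash' line in output")
    digest = m.group(1).replace(" ", "").upper()
    if len(digest) != 40:  # SHA-1 sized, as in the article's example value
        raise ValueError("unexpected hash length %d" % len(digest))
    return digest


def ssl_commands(detail, interface, ciphers):
    """Build the non-default-certificate command sequence from the article."""
    return [
        "set ssl enable",
        "set ssl encrypt %s" % ciphers,
        "set ssl cert-hash %s" % cert_hash_from_detail(detail),
        'set interface "%s" manage ssl' % interface,
    ]
```

A listing with more than one LOCAL cert returns several IDs; pick the one whose subject matches the hostname or IP you will use in the browser, since that is the cert the browser will validate.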

Modification History:
2020-06-26: Updated the WebUI snapshots.