diff --git a/docs/config_radsec.md b/docs/config_radsec.md index 441b00f2d9..b861b31463 100644 --- a/docs/config_radsec.md +++ b/docs/config_radsec.md @@ -5,14 +5,9 @@ sidebar_label: Configuring RADIUS over TLS RADIUS over TLS is designed to provide secure communication of RADIUS requests using the Transport Secure Layer (TLS) protocol. RADIUS over TLS, also known as RADSEC, redirects regular RADIUS traffic to remote RADIUS servers connected over TLS. RADSEC allows RADIUS authentication, authorization, and accounting data to be passed safely across untrusted networks. -In this section: -- Configuring RADSEC -- Signing and Importing Webserver Certificates -- Syslog over TLS +## RADSEC Configuration - Existing Certificate -## Configuring RADSEC - -Use the following information to configure RADIUS over TLS (RADSEC). +Use the following information to configure RADIUS over TLS (RADSEC) using an existing certificate. #### 1. Configure the RADSEC server. @@ -29,7 +24,7 @@ admin@t327-dut1.cond (radius-server[name=radsec])# server-name t327-dut1.opensta admin@t327-dut1.cond (radius-server[name=radsec])# top ``` -#### 2. Configure the trusted CA certificate. +#### 2. Configure the Trusted CA Certificate. The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. @@ -42,7 +37,11 @@ Enter plain for content (Press CTRL-D to finish): ``` -#### 3. Configure a client certificate to be used for the RADIUS client. +:::note +The `trusted-ca-certificate` is a list and may contain different CA roots used for different certificates. In that case, naming them all `ca_root` would not be suitable. In that case, choose a name that is meaningful to the user and CA, eg: `globalsign_root`. +::: + +#### 3. Configure a Client Certificate to be used for the RADIUS client. Repeat the previous step to create a client certificate named `radsec`. 
@@ -78,5 +77,174 @@ Account 'test1' successfully created When the user logs into the node `t327-dut1` via ssh, the authentication request is sent via RADSEC to the server `172.18.5.224` and the user is authenticated. +## RADSEC Configuration - Generate Certificate + +Use the following examples to generate a client certificate for use on the device. + +#### 1. Generate the Signing Request + +Use the `create certificate request client` command to generate the signing request. + +``` +admin@conductor-node-1.Conductor# create certificate request client radsec +Country name (2 letter code): US +State or province name (full name): MA +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): +Common name: dut1 +Email address: +Subject Alternative Name - DNS (fully qualified domain name): +Subject Alternative Name - IP Address: +% Error: Could not create request: Subject Alternative Name (DNS or IP address) is required +admin@conductor-node-1.Conductor# create certificate request client radsec +Country name (2 letter code): US +State or province name (full name): MA +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): +Common name: dut1 +Email address: +Subject Alternative Name - DNS (fully qualified domain name): dut1 +Subject Alternative Name - IP Address: 10.27.32.203 + +Request successfully generated: + +-----BEGIN CERTIFICATE REQUEST----- +MIIC1jCCAb4CAQAwTjENMAsGA1UEAwwEZHV0MTELMAkGA1UEBhMCVVMxETAPBgNV +BAcMCFdlc3Rmb3JkMRAwDgYDVQQKDAdKdW5pcGVyMQswCQYDVQQIDAJNQTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ8WwHXP/z49sFsxpN5L9THO5y8N +f/as8Nn6XUyG86YyxcR5IYL5gKR5//EunoVjLAUCHgBqxwaUa3enhNEQS97N4Bcs +E7YygMkI7oAnHCioslB+x2Am/xKPRosh3s50fIN3mY409/byMGipfGcyNlMT8XbS +XF/zmGBI1/4aRbeqL5VMDPO+9DNRxXMgqBs2y48WanGvZeZTP5B/sSczlhOSxHnu +DxNYQ7+rZs9NpKzktCXOSA8nsz +. +. +. 
+wp4dOHuKsnf+ZsfNK4AGUYdh3qEa1/xJxyug1R3AGjItbkUzbJpR6hp7B0YYWV87 +QALMf6F0SKBDXg++ +-----END CERTIFICATE REQUEST----- +``` + +#### 2. Configure the Trusted CA Certificate + +The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. + +Create a root certificate named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# configure authority trusted-ca-certificate ca_root +*admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCqfzVmeFPMA+Jc +53MlVF3LoYZAkqh1Dz3+HFnegcAU3/tCGSdfJad/PeF5KEQDDnF0vc9XbfS2/wJC +wHAt15TH3iarSPE3dV3L0c1tyOFaMUNLAd3nsPArR0w/1YAfr1cAN0rEUZ4WmkZK +vyFx6AsuVm5MpXR4z7U4j955sqRkWsi3I1hLtMPzuWEJA/AbpTCxb1k2xJDQWira +/NALlz6NPVRcngBt56ZDhMNmy/g2zGEcmitEqMUOS7apvRk6hZK94dfjSQe4iEpX +Sdd6vvZxdrWGV10lmDDH0SPtmGBE+34r1UNIbp/XVRh6KxiNcjFVNBwlwqATmTYh +xkXAPw1pAgMBAAECggEACZ3YNLnnvBOiAmx5larvCWvIZz7+am/cJseRmBfIbkT9 +5ooFqvu0OVyTqaJIR8XaR2PnXH6StXmntnqDpHWQTqUvlbGANIqWsyiig26zFCEu +IAXwr0TKRERzKAWT4lwmOAGi4LuQa6Ty/wdNyx9z9f6hBQi2C5Rnm9OdkE6vsAtJ +NbNcsV+bvedfLoJqG1MM3sh3LT3RAltaM0ntw3PdFiMVcQIJgGr85nVJcg4SCUkh +JKlfUE83IqkwAd1V0jn/2yopCmQBLrpyqlRu2MmwFiIS+IUcoReemNK8mlfd8hbR +. +. +. 
+2P6CP4iOY1EjsxNssrLJKkxXdagYeZo5X2KOIqZ8FeVli4BM0mqX96UPN2zV3dNP +eN1DF6VSLghh30ITUauYdQ++ +-----END PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- +MIIDlDCCAnygAwIBAgIVAJHxzhL42q7io2PBDPR+TCeBsyQgMA0GCSqGSIb3DQEB +CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD +VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy +MTYzODI1WhcNMjUxMDIyMTYzODI1WjBRMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN +TWFzc2FjaHVzZXR0czERMA8GA1UECgwIVGVzdCBJbmMxFzAVBgNVBAMMDmNhLmV4 +YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqn81ZnhT +zAPiXOdzJVRdy6GGQJKodQ89/hxZ3oHAFN/7QhknXyWnfz3heShEAw5xdL3PV230 +tv8CQpHKHjWWQzG1MM3sh3LT3RAltaM0NT6shNXE3va46f3zotWBd6PK9jC/Tpme +. +. +. +qynFiqlV0UDGgH+e8hCp41Seva5vBGYvwMVHPU80rhoAsTh1BNpM1r9xbvDQs5ui +3QyeFCt/O0A= +-----END CERTIFICATE----- +``` + +#### 3. Import the Client Certificate + +After the certificate is signed and returned, it is imported into the SSR for use by the client using the `import certificate client` command. It is validated against any trusted certificates entered using `trusted-ca-certificate`. + +The following example shows an valid self-signed certificate being imported: + +``` +admin@conductor-node-1.Conductor# import certificate client radsec +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFrn/2q4mijt14 +gjmN2agDfu6sykg4OJ2NDy4IRrBYilExRJHllAndtc04rp7EQ544Z+/J/dNJrmXK +GnHvm/Rg0UdKnbFrw5aentpx3rFefdaf8nlJLW5rFH1wxDqUhE+y5q+s+8k3ESt0 +9L/26OxTQP11t5Vh/BEkK5iVHLDBGyHntUvEnM5tFWL7+NvefhuZ6McvY7GPDR8c +bkuNHXlv9laeXQlI6IiiYum8waQDnJBGEx2wPTUguZJWP0YgxLinKiCDIINNEf+Y +dGqxf7I/h01yH4nDGR3nad30fAN+10chzjMHYhmpPVR0K9IAPbyGucK0aOriJqZ5 +91wL39G5AgMBAAECggEAE2/xDSQYyG8bv7muRxBbwNw+Q6cwKrcGZtRTRmUM+ee/ +zAReBCDmR3KU1zn0SoALkqhFn6rhl6EaSSEIivLeuJZbWC7hPyNgMACWohOvhQcC +. +. +. 
+WiYWxHz5Q4wUxV5uTJR3Jq5rzcHr1shyVDT+aFf9tyNdcLFfbziZ1y/EfAPkOOoH +jLD4SXCWbmRxHYVMn3yhqK4= +-----END PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIVAL1k460IeyrQWoU82ZVHZ2asUrTuMA0GCSqGSIb3DQEB +CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD +VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy +MTYzODI4WhcNMjUwMTIwMTYzODI4WjBVMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN +TWFzc2FjaHVzZXR0czERMA8GA1UECgwIVGVzdCBJbmMxGzAZBgNVBAMMEmNsaWVu +dC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWu +f/ariaKO3XiCOY3ZqAN+7qzKSDg4nY0PLghGsFiKUTFEkeWUCd21zTiunsRDnjhn +78n900muZcoace+b9GDRR0qdsWvDlp6e2nHesV591p/yeUktbmsUfXDEOpSET7Lm +r6z7yTcRK3T0v/bo7FNA/XW3lWH8ESQrmJUcsMEbIee1S8Sczm0VYvv4295+G5no +xy9jsY8NHxxuS40deW/2Vp5dCUjoiKJi6bzBpAOckEYTHbA9NSC5klY/RiDEuKcq +IIMgg00R/5h0arF/sj/fL0cKofSeAgu11z1891d1sc0OMwdiGak9VHQr0gA9vIa5 +. +. +. +9cgLsL60tukLdwxH5S6gAw/MSm6ABYjdv +-----END CERTIFICATE----- + +/usr/lib/128technology/unzip/pcli/runfiles/pypi__36__cryptography_40_0_2/cryptography/x509/base.py:576: CryptographyDeprecationWarning: Parsed a negative serial number, which is disallowed by RFC 5280. + return rust_x509.load_pem_x509_certificates(data) +✔ Importing... +Certificate imported successfully +Would you like to add the certificate to your configuration? [y/N]: y +Which router is this certificate for? (Select all if it applies to the entire authority) [all]: all +% Warning: +1. certificate contains the following issues: does not have the extendKeyUsage extension + + + config + authority + client-certificate radius + content + +2. certificate contains the following issues: does not have the extendKeyUsage extension + + + config + authority + client-certificate conductor-radius + content + +Certificate imported successfully +Would you like to clean up the temporary certificate and key files? [Y/n]: Y +``` + +#### 4. 
Configure the Device to Accept the Client Certificate + +Use the following example command to configure your device to accept the certificate. +` configure authority router ComboWest node combo-west radius client-certificate-name radsec` diff --git a/docs/config_reference_guide.md b/docs/config_reference_guide.md index 47867f7f57..99ec18e34b 100644 --- a/docs/config_reference_guide.md +++ b/docs/config_reference_guide.md @@ -2086,8 +2086,8 @@ This controls which repository or repositories a router will use to retrieve sof | Element | Type | Description | | --- | --- | --- | -| offline-mode | boolean | Default: false. Controls whether the router will only be able to retrieve software upgrade images via its conductor.| -| source-type | enumeration | Valid values: conductor-only, prefer-conductor, internet-only. Default: internet-only. To use the conductor as a proxy server to reach the SSR public internet repository, set this to `conductor-only` or `prefer-conductor`. To reach it via the public internet and not use the conductor as a proxy, set it to `internet-only`.| +| offline-mode | boolean | Default: `false`. Set this to `true` to limit the router to only retrieve software upgrade images from its conductor.| +| source-type | enumeration | Valid values: `conductor-only`, `prefer-conductor`, `internet-only`. Default: `internet-only`. To use the conductor as a proxy server to reach the SSR public internet repository, set this to `conductor-only` or `prefer-conductor`. To reach it via the public internet and not use the conductor as a proxy, set it to `internet-only`.| ## reverse-packet-session-resiliency 
@@ -2708,7 +2708,7 @@ By default, an SSR retrieves software from a public software repository hosted b | Element | Type | Description | | --- | --- | --- | | max-bandwidth | enumeration | Valid values: unlimited, 1-999999999999. This value is in bits/second. This represents the bandwidth limiter applied to software downloads. | -| repository | sub-element | Which repository/repositories the SSR will use.| +| [repository](#repository) | sub-element | Which repository/repositories the SSR will use.| ## ssh-keepalive diff --git a/docs/config_syslog_tls.md b/docs/config_syslog_tls.md new file mode 100644 index 0000000000..435dbba2b9 --- /dev/null +++ b/docs/config_syslog_tls.md 
@@ -0,0 +1,187 @@ +--- +title: Configuring Syslog Over TLS +sidebar_label: Configuring Syslog Over TLS +--- + +Syslog over TLS allows the secure transportation of system log messages from the syslog client to the syslog server. TLS uses certificates to authenticate and encrypt the communication. + +## Syslog over TLS Configuration - Existing Certificate + +Use the following information to configure Syslog over TLS using an existing certificate. + +#### 1. Configure the Trusted CA Certificate. + +The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. + +Create a root certificate named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# config authority trusted-ca-certificate ca_root +admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +:::note +The `trusted-ca-certificate` is a list and may contain different CA roots used for different certificates. In that case, naming them all `ca_root` would not be suitable. In that case, choose a name that is meaningful to the user and CA, eg: `globalsign_root`. +::: + +#### 2. Configure a Client Certificate to be used for the Syslog Client. + +Repeat the previous step to create a client certificate named `syslog`. + +``` +admin@conductor-node-1.Conductor# config authority client-certificate syslog +admin@conductor-node-1.Conductor (client-certificate[name=syslog])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +#### 3. Configure the Syslog Server at the Authority level to use the configured client certificate. + +The following configuration example will add a syslog server named `syslog` that will use the previously configured client certificate. 
+ +``` +*admin@t327-dut1.cond# configure authority router cond system syslog server 192.168.1.100 6514 +*admin@t327-dut1.cond (server[ip-address=192.168.1.100][port=6514])# up +*admin@t327-dut1.cond (syslog)# client-certificate-name syslog +*admin@t327-dut1.cond (syslog)# protocol tls +*admin@t327-dut1.cond (syslog)# ocsp strict +*admin@t327-dut1.cond (syslog)# facility any +*admin@t327-dut1.cond (syslog)# severity info +*admin@t327-dut1.cond (syslog)# top +``` + +To complete the process, `validate` and `commit` the changes. After the confiuration changes have been committed, the SSR will send the syslog to 192.168.1.100:6514 over TLS. + +## Syslog over TLS Configuration - Generate Certificate + +Use the following examples to generate a client certificate for use on the device. + +#### 1. Generate the Signing Request + +Use the `create certificate request client` command to generate the signing request. + +``` +admin@conductor-node-1.Conductor# create certificate request client syslog +Country name (2 letter code): US +State or province name (full name): MA +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): +Common name: dut1 +Email address: +Subject Alternative Name - DNS (fully qualified domain name): +Subject Alternative Name - IP Address: +% Error: Could not create request: Subject Alternative Name (DNS or IP address) is required +admin@conductor-node-1.Conductor# create certificate request client syslog +Country name (2 letter code): US +State or province name (full name): MA +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): +Common name: dut1 +Email address: +Subject Alternative Name - DNS (fully qualified domain name): dut1 +Subject Alternative Name - IP Address: 10.27.32.203 + +Request successfully generated: + +-----BEGIN CERTIFICATE REQUEST----- +MIIC1jCCAb4CAQAwTjENMAsGA1UEAwwEZHV0MTELMAkGA1UEBhMCVVMxETAPBgNV 
+BAcMCFdlc3Rmb3JkMRAwDgYDVQQKDAdKdW5pcGVyMQswCQYDVQQIDAJNQTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ8WwHXP/z49sFsxpN5L9THO5y8N +f/as8Nn6XUyG86YyxcR5IYL5gKR5//EunoVjLAUCHgBqxwaUa3enhNEQS97N4Bcs +E7YygMkI7oAnHCioslB+x2Am/xKPRosh3s50fIN3mY409/byMGipfGcyNlMn8XbS +XF/zmGBI1/4aRbeqL5VMDPO+9DNRxXMgqBs2y48WanGvZeZTP5B/sSczlhOSxHnu +DxNYQ7+rZs9NpKzktCXOSA8nszHp5PNCWsa8tVNQvyhAqboTGrXQZhjZRWzg3nzS +. +. +. +wp4dOHuKsnf+ZsfNK4AGUYdh3qEa1/xJxyug1R3AGjItbkUzbJpR6hp7B0YYWV87 +QALMf6F0SKBDXg++ +-----END CERTIFICATE REQUEST----- +``` + +#### 2. Configure the Trusted CA Certificate + +The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. + +Create a root certificate named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# configure authority trusted-ca-certificate ca_root +*admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): +-----BEGIN CERTIFICATE----- +MIIDlDCCAnygAwIBAgIVAJHxzhL42q7io2PBDPR+TCeBsyQgMA0GCSqGSIb3DQEB +CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD +VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy +MTYzODI1WhcNMjUxMDIyMTYzODI1WjBRMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN +TWFzc2Fja/m1nIs+rY0Fs1LIyWA1kswIVGVzdCBJbmMxFzAVBgNVBAMMDmNhLmV4 +YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqn81ZnhT +zAPiXOdzJVRdy6GGQJKodQ89/hxZ3oHAFN/7QhknXyWnfz3heShEAw5xdL3PV230 +. +. +. +qynFiqlV0UDGgH+e8hCp41Seva5vBGYvwMVHPU80rhoAsTh1BNpM1r9xbvDQs5ui +3QyeFCt/O0A= +-----END CERTIFICATE----- +``` + +#### 3. Import the Client Certificate + +After the certificate is signed and returned, it is imported into the SSR for use by the client using the `import certificate client` command. It is validated against any trusted certificates entered using `trusted-ca-certificate`. 
+ +The following example shows an valid self-signed certificate being imported: + +``` +admin@conductor-node-1.Conductor# import certificate client syslog +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFrn/2q4mijt14 +gjmN2agDfu6sykg4OJ2NDy4IRrBYilExRJHllAndtc04rp7EQ544Z+/J/dNJrmXK +GnHvm/Rg0UdKnbFrw5aentpx3rFefdaf8nlJLW5rFH1wxDqUhE+y5q+s+8k3ESt0 +9L/26OxTQP11t5Vh/BEkK5iVHLDBGyHntUvEnM5tFWL7+NvefhuZ6McvY7GPDR8c +bkuNHXlv9laeXQlI6IiiYum8waQDnJBGEx2wPTUguZJWP0YgxLinKiCDIINNEf+Y +dGqxf7I/yKn1gH+Swh0sAYn33651EaGAzjMHYhmpPVR0K9IAPbyGucK0aOriJqZ5 +91wL39G5AgMBAAECggEAE2/xDSQYyG8bv7muRxBbwNw+Q6cwKrcGZtRTRmUM+ee/ +zAReBCDmR3KU1zn0SoALkqhFn6rhl6EaSSEIivLeuJZbWC7hPyNgMACWohOvhQcC +. +. +. +WiYWxHz5Q4wUxV5uTJR3Jq5rzcHr1shyVDT+aFf9tyNdcLFfbziZ1y/EfAPkOOoH +jLD4SXCWbmRxHYVMn3yhqK4= +-----END PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIVAL1k460IeyrQWoU82ZVHZ2asUrTuMA0GCSqGSIb3DQEB +CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD +VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy +MTYzODI4WhcNMjUwMTIwMTYzODI4WjBVMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN +TWFzc2FjaHVzZXR031sTH3nuMB3r+h0uSHa1Lc0un+/xGzAZBgNVBAMMEmNsaWVu +dC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWu +f/ariaKO3XiCOY3ZqAN+7qzKSDg4nY0PLghGsFiKUTFEkeWUCd21zTiunsRDnjhn +. +. +. +zTwd4+soylkHxCW2zZ50lUUqqNt1nSIcVF2V3qqxRZXZcJtN5y9+brpc9Z8eiXys +9cgLsL60tukLdwxH5S6gAw/MSm6ABYjdv +-----END CERTIFICATE----- + +/usr/lib/128technology/unzip/pcli/runfiles/pypi__36__cryptography_40_0_2/cryptography/x509/base.py:576: CryptographyDeprecationWarning: Parsed a negative serial number, which is disallowed by RFC 5280. + return rust_x509.load_pem_x509_certificates(data) +✔ Importing... +Certificate imported successfully +Would you like to add the certificate to your configuration? [y/N]: y +Which router is this certificate for? 
(Select all if it applies to the entire authority) [all]: all + +Certificate imported successfully +Would you like to clean up the temporary certificate and key files? [Y/n]: Y +``` + +#### 4. Configure the Device to Accept the Client Certificate + +Use the following example command to configure your device to accept the certificate. + +` configure authority router ComboWest node combo-west radius client-certificate-name syslog` diff --git a/docs/config_webserver_certs.md b/docs/config_webserver_certs.md new file mode 100644 index 0000000000..670c4bbf41 --- /dev/null +++ b/docs/config_webserver_certs.md 
@@ -0,0 +1,141 @@ +--- +title: Signing and Importing Webserver Certificates +sidebar_label: Signing and Importing Webserver Certificates +--- + +Imported webserver certificates are validated against trusted certificates configured using `trusted-ca-certificate`. Use the following information to create, sign, and import the certificates to the webserver. + +### Configure a Trusted Certificate + +Certificates are pasted in as a multi-line config. + +Configure a root certificate named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# config authority trusted-ca-certificate ca_root +admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +### Generate the Signing Request + +Use the `create certificate request webserver` command to generate the certificate signing request. + +``` +admin@t327-dut1.cond# create certificate request webserver +Country name (2 letter code): US +State or province name (full name): Massachusetts +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): engineering +Common name: www.router.com +Email address: bob@juniper.net +Subject Alternative Name - DNS (fully qualified domain name): www.router.com +Subject Alternative Name - IP Address: 1.1.1.1 + +Request successfully generated: + +-----BEGIN CERTIFICATE REQUEST----- +MIIDLDCCAhQCAQAwgZkxFzAVBgNVBAMMDnd3dy5yb3V0ZXIuY29tMQswCQYDVQQG +EwJVUzERMA8GA1UEBwwIV2VzdGZvcmQxEDAOBgNVBAoMB0p1bmlwZXIxFDASBgNV +... +. +. +. +-----END CERTIFICATE REQUEST----- +``` + +### Import the Certificate + +After the certificate is signed and returned, it is imported into the SSR for use by the webserver using the `import certificate webserver` command. It is validated against any trusted certificates entered using `trusted-ca-certificate`. 
+ +The following example shows a valid certificate being imported: + +``` +admin@t327-dut1.cond# import certificate webserver +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgICL/AwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEMTI4 +VDAiGA8yMDI0MDYwNjEyMzIzMVoYDzIwMjUwNjA3MTIzMjMxWjAPMQ0wCwYDVQQD +... +RaIliPRAdN85EXDiAP68ytg5D2ZzxCpmRvj4AiFI3JOc +-----END CERTIFICATE----- + +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCo4PCT4Wp89t5P +53ZJtfgKwdV/CfAi3uXAfWmdluKlXjarlgTc6rgX8wGNSRj5/AajEUU6Z68DaejR +... +KBs2Hz/E/goCvyEqNaJOix+l +-----END PRIVATE KEY----- + +admin@t327-dut1.cond# import certificate webserver +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgICL/AwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEMTI4 +VDAiGA8yMDI0MDYwNjEyMzIzMVoYDzIwMjUwNjA3MTIzMjMxWjAPMQ0wCwYDVQQD +... +RaIliPRAdN85EXDiAP68ytg5D2ZzxCpmRvj4AiFI3JOc +-----END CERTIFICATE----- + +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCo4PCT4Wp89t5P +53ZJtfgKwdV/CfAi3uXAfWmdluKlXjarlgTc6rgX8wGNSRj5/AajEUU6Z68DaejR +... +KBs2Hz/E/goCvyEqNaJOix+l +-----END PRIVATE KEY----- + +✔ Importing... +Certificate imported successfully +Would you like to add the certificate to your configuration? [y/N]: y +Which router is this certificate for? (Select all if it applies to the entire authority) [all]: all +% Warning: +1. certificate contains the following issues: does not have the extendKeyUsage extension + + + config + authority + client-certificate webserver + content + +2. certificate contains the following issues: does not have the extendKeyUsage extension + + + config + authority + client-certificate conductor-webserver + content + +Certificate imported successfully +Would you like to clean up the temporary certificate and key files? 
[Y/n]: Y +``` + +The following example shows an invalid self-signed certificate being imported: + +``` +admin@t327-dut1.cond# import certificate webserver +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgICL/AwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEMTI4 +VDAiGA8yMDI0MDYwNjEyMzIzMVoYDzIwMjUwNjA3MTIzMjMxWjAPMQ0wCwYDVQQD +... +RaIliPRAdN85EXDiAP68ytg5D2ZzxCpmRvj4AiFI3JOc +-----END CERTIFICATE----- + +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCo4PCT4Wp89t5P +53ZJtfgKwdV/CfAi3uXAfWmdluKlXjarlgTc6rgX8wGNSRj5/AajEUU6Z68DaejR +... +KBs2Hz/E/goCvyEqNaJOix+l +-----END PRIVATE KEY----- + +⚠ Importing... +certificate contains the following issues: certificate is self-signed +/usr/lib/128technology/unzip/pcli/runfiles/pypi__36__cryptography_40_0_2/cryptography/x509/base.py:576: CryptographyDeprecationWarning: Parsed a negative serial number, which is disallowed by RFC 5280. + return rust_x509.load_pem_x509_certificates(data) +Could not validate certificate chain against a trusted anchor. +Would you like to import anyways? [y/N]: y +Certificate imported successfully +``` +The imported certificate is validated against the configured trusted root certificates and checked for insecure algorithms and invalid configurations. Bypassing or disabling these validations will result in a non-compliant configuration. + diff --git a/docs/intro_downloading_iso.md b/docs/intro_downloading_iso.md index f5e0d8e68a..0d83cff569 100644 --- a/docs/intro_downloading_iso.md +++ b/docs/intro_downloading_iso.md 
@@ -5,40 +5,44 @@ sidebar_label: Downloading ISOs ## Introduction -With your purchase of a SSR license, you are provided a set of credentials used to access the Session Smart Routing software. These credentials, in the form of a username and password are used to access the software assets. +With the purchase of an SSR license, you are provided a set of credentials used to access the Session Smart Routing software. These credentials, in the form of a username and password are used to access the software assets. Juniper Session Smart Networking provides the following workflows for the installation process: -- **Universal ISO:** Beginning with version 6.3.0, the SSR uses a single downloadable ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. +- **SSR Image-based ISO:** **Beginning with version 6.3.0**, the SSR uses a single downloadable image-based SSR ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. - Please see [SSR Universal ISO Installation Overview](intro_installation_univ-iso.md) for the download location and related installation instructions. + Please see [SSR Image-based ISO Installation Overview](intro_installation_univ-iso.md) for the installation instructions and software image download location. -- **Image-based ISO:** Beginning with version 6.0, an image-based ISO installation process has been implemented for users who manage their network using the Mist Cloud. This installation and upgrade process is only available for SSR version 6.0 and higher, and is currently only available for Mist-managed deployments. 
+For users installing *earlier, package-based versions of the SSR software*, the following installation methods are available: - For details about the Image-based install process, see [Image-based Installation.](intro_installation_image.md) +- **Package-based 128T ISO:** For users who do not use Mist Cloud, the package-based 128T ISO is used in the following deployments. + + - When the initial installation is going to be a version prior to 6.3.0. + - When upgrading to a version prior to 6.3.0 on air-gap network using the `import ISO` operation. For example, upgrading an air-gap conductor or routers from 5.6.6 to 6.2.7. See [Package-based Software Upgrade in an Air-Gap Network](upgrade_restricted_access.md#package-based-software-upgrade) for the more information. + + This ISO also provides different local installation methods. -- **Package-based ISO:** For users who do not use Mist Cloud, this ISO offers multiple local installation methods. - **One Touch Provisioning (OTP)** is the default and preferred method of installation. OTP sets up DHCP on all interfaces and boots a Web Server GUI. After installing the Conductor and configuring routers through the Conductor, the OTP bootstrap process will install and configure the router. See the following procedures for OTP installation steps: - [Router Installation Using OTP](intro_otp_iso_install.mdx) - [Quickstart from the OTP ISO](intro_install_quickstart_otpiso.md) - - **Interactive:** Beginning with SSR version 6.3.0, the use of the interactive installer is not supported, nor necessary. Software installation and upgrade upgrade activities are supported from the GUI or PCLI. With software versions earlier than 6.3.0, upgrading the SSR software on a peer conductor or router that is managed by a conductor using the interactive installer may result in the system becoming unresponsive. For this reason it is highly recommended that installations and upgrades be performed through the conductor UI. 
+ - **Interactive:** Beginning with SSR version 6.3.0, the use of the interactive installer is not supported, nor necessary. Software installation and upgrade activities are supported from the GUI or PCLI. With software versions earlier than 6.3.0, upgrading the SSR software on a conductor or router that is managed by a conductor using the interactive installer may result in the system becoming unresponsive. For this reason it is highly recommended that upgrades be performed through the conductor UI. For a new installation of a conductor using software prior to 6.3.0, the interactive method can be used. -:::note -Beginning with release 5.4.7-7 and any 5.x ISO [**released after August 4, 2022**](about_releases.mdx#all-releases---limited-general-availability-and-out-of-support), the ISO name format has changed from using `OTP` to `ISO`: + :::note + Beginning with release 5.4.7-7 and any 5.x ISO [**released after August 4, 2022**](about_releases.mdx#all-releases---limited-general-availability-and-out-of-support), the ISO name format has changed from using `OTP` to `ISO`: -- 128T-5.4.7-7.el7.ISO.v1.x86_64.iso -::: + `128T-5.4.7-7.el7.ISO.v1.x86_64.iso` + ::: ## Downloading an ISO The SSR Software packages are available from our public servers using the username and token provided to you and can be accessed at the following location: -The image-based ISOs for Mist-managed deployments are available to download at the following location: +The image-based SSR ISOs are available to download at the following location: - https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local -The package-based ISOs for Conductor-managed deployments are available to download at the following location: +The package-based 128T ISOs are available to download at the following location: - https://software.128technology.com/artifactory/list/generic-128t-isos-release-local 
diff --git a/docs/intro_installation.md b/docs/intro_installation.md index 1ecb503fe7..d6d0195790 100644 --- a/docs/intro_installation.md +++ b/docs/intro_installation.md @@ -18,12 +18,10 @@ The examples listed in this guide generally prefer running commands as a non-roo ## Installation Process -Beginning with SSR 6.3.0, the Universal ISO Installation simplifies and streamlines the SSR installation and initialization process, and supports Conductor-managed image-based installations as well as Mist-managed deployments. +Beginning with SSR 6.3.0, a universal image-based SSR ISO is provided to simplify and streamline the SSR installation and initialization process. This version supports Conductor-managed image-based installations as well as Mist-managed deployments. + +Installation to your device utilizes the SSR ISO, downloaded as a bootable image to a USB drive or from disk. The install process is as follows: -Installation is done from the SSR ISOs, typically from a bootable image on a flash drive or disk. The install process is as follows: -- Pre-Installation Process: - - [Download the ISOs](intro_downloading_iso.md) - - [Create Bootable Media](intro_creating_bootable_usb.md) - [SSR Universal ISO Installation (SSR 6.3.0+)](intro_installation_univ-iso.md) - [SSR Installation](install_univ_iso.md) - [Device Initialization](initialize_u-iso_device.md) @@ -33,6 +31,8 @@ Installation is done from the SSR ISOs, typically from a bootable image on a fla - [Installation in Microsoft Azure](intro_installation_azure.md) - [Installing in VMWare](install_vmware_config.mdx) +- [Legacy Installations](intro_installation_legacy.md) for installation of versions prior to 6.3.0 + A Mist-redirect ZTP process for Conductor-managed deployments is supported on Juniper branded hardware devices - the SSR1x0/1x00. See [Onboard an SSR Device to a Conductor](onboard_ssr_to_conductor.md) for details about this process. ## Upgrades 
diff --git a/docs/intro_installation_univ-iso.md b/docs/intro_installation_univ-iso.md index 813302ad0a..ced7dc6ffd 100644 --- a/docs/intro_installation_univ-iso.md +++ b/docs/intro_installation_univ-iso.md @@ -1,16 +1,16 @@ --- -title: SSR Universal ISO Installation Overview -sidebar_label: SSR Universal ISO Installation Overview +title: SSR Image-based ISO Installation Overview +sidebar_label: SSR Image-based ISO Installation Overview --- -Beginning with version 6.3.0, the SSR uses a single downloadable ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. +Beginning with version 6.3.0, the SSR uses a single image-based SSR ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. #### Version History | Release | Modification | | ------- | ------------ | -| 6.0.0 | Image-based ISO installation process implemented for Mist-managed networks. | -| 6.3.0 | Universal ISO released, migrating to a single ISO installation format for Conductor, Conductor-managed, and Mist-managed deployments. | +| 6.0.0 | Image-based SSR ISO installation process implemented for Mist-managed networks. | +| 6.3.0 | Image-based SSR ISO updated, migrating to a single ISO installation format for Conductor, Conductor-managed, and Mist-managed deployments. | The installation workflow consists of the following steps: 
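Review bot: the `title` and `sidebar_label` are renamed from `SSR Universal ISO Installation Overview` to `SSR Image-based ISO Installation Overview`, but the sidebar category containing this page in `sidebars.js` (`"SSR Universal ISO Installation"`, unchanged in this diff) keeps the old name, and `intro_installation.md` still links it as `SSR Universal ISO Installation (SSR 6.3.0+)`; rename both or keep `Universal` here so one term is used across the docs. In the version-history row, `Image-based SSR ISO updated, migrating to a single ISO installation format` buries the key fact of the old row; keep the single ISO as the subject, e.g. `Single image-based SSR ISO released for Conductor, Conductor-managed, and Mist-managed deployments.`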
@@ -21,20 +21,20 @@ The installation workflow consists of the following steps: ## Download -The ISO is available for download at the following location: +The image-based SSR ISOs are available for download at the following location: https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local/ Files available for download are: -- `*.iso` - This file is used for installing/staging bare metal platforms. **Use this file to perform an image-based install.** +- `*.iso` - This file is used for installing/staging bare metal platforms. **Use this file to perform an initial image-based install.** - `*.tar` - This file is used by Mist or the SSR conductor for image-based upgrades, and is accessed directly by the system during the upgrade. User download is not necessary or advised. You will be prompted for your username and token to access the web page listing the software versions. Download is done directly from the page. ### Create a Bootable USB -Use the instructions for [Creating a Bootable USB](intro_creating_bootable_usb.md) to create a bootable USB drive containing the universal ISO image. +Use the instructions for [Creating a Bootable USB](intro_creating_bootable_usb.md) to create a bootable USB drive containing the latest image-based SSR ISO. Once you have the USB, let's go [Install the SSR software!](install_univ_iso.md) \ No newline at end of file diff --git a/docs/intro_upgrading.md b/docs/intro_upgrading.md index baf787f083..5a7f4da5fe 100644 --- a/docs/intro_upgrading.md +++ b/docs/intro_upgrading.md 
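Review bot: this flow is for a fresh 6.3.0+ install, yet `Create a Bootable USB` still points at `intro_creating_bootable_usb.md`, which `sidebars.js` in this change moves under `Legacy Install Information`; a new user following the current procedure lands on a page filed as legacy, so either keep that page in the current-install category or link the bootable-USB instructions from a page not labelled legacy. The `*.iso` bullet now says `initial image-based install`, while the restricted-access page in this change also imports the `.iso` onto the conductor for offline router upgrades; state that second use here so `initial` does not suggest the `.iso` is only for first installs. The file still lacks a trailing newline (`\ No newline at end of file`).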
@@ -9,6 +9,13 @@ Please refer to the [Upgrade Considerations](intro_upgrade_considerations.md) be Your SSR conductor or router must have internet access to download the latest software packages; however, we recognize that there are deployments where the SSR does not have internet access. In those cases you can use the SSR conductor as a repository (or proxy) to retrieve or store software images. For information about upgrading offline or air-gap network devices, refer to [Upgrades with Restricted Internet Access](upgrade_restricted_access.md). +For Upgrade procedures, refer to the appropriate section: + +- [Upgrading the Conductor](upgrade_ibu_conductor.md) +- [Upgrading the Router](upgrade_router.md) +- [Upgrades with Restricted Internet Access](upgrade_restricted_access.md) +- [Legacy Upgrades](upgrade_legacy.md) Software versions prior to SSR 6.3.0 + As with any upgrade activity, it is always prudent to create a backup of your current software configuration before initiating any upgrade activity. Conductor and router upgrades may be performed from the GUI of the Conductor, the PCLI of the conductor, or in the case of an unmanaged router, from the router itself. 
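Review bot: the list is moved up intact, so it keeps the unseparated qualifier in `- [Legacy Upgrades](upgrade_legacy.md) Software versions prior to SSR 6.3.0`; write it as `- [Legacy Upgrades](upgrade_legacy.md): software versions prior to SSR 6.3.0` so it reads like the other items. `For Upgrade procedures` should be `For upgrade procedures`.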
@@ -24,15 +31,7 @@ Prerequisites for upgrades include configuring a user with super user (sudo) pri The conductor `major.minor` version must be greater than or equal to the router version. The router version can not exceed the conductors `major.minor` version, but it can have a greater patch version. All [versions currently under support](about_support_policy.md) can be run on a router and managed by the conductor, provided that the conductor version is greater. Versions of software not under support *may* work, but are not guaranteed to do so. Examples: -- Conductor running version 6.0.5, managing Routers running version 6.0.1: Supported. -- Conductor running version 5.4.8, managing Routers running version 5.4.10: Supported. -- Conductor running version 6.0.5, managing Routers running version 5.5.7: Supported. -- Conductor running version 5.6.8, managing Routers running version 6.1.3; Not supported. - -For Upgrade procedures, refer to the appropriate section: - -- [Upgrading the Conductor](upgrade_ibu_conductor.md) -- [Upgrading the Router](upgrade_router.md) -- [Upgrades with Restricted Internet Access](upgrade_restricted_access.md) -- [Legacy Upgrades](upgrade_legacy.md) Software versions prior to SSR 6.3.0 - +- Conductor running version 6.2.6, managing Routers running version 6.2.5: Supported. +- Conductor running version 6.2.5, managing Routers running version 6.2.6: Supported. +- Conductor running version 6.3.0, managing Routers running version 6.1.10: Supported. +- Conductor running version 5.6.10, managing Routers running version 6.1.3; Not supported. diff --git a/docs/upgrade_ibu_conductor.md b/docs/upgrade_ibu_conductor.md index 2f1153d022..ff72771dbf 100644 --- a/docs/upgrade_ibu_conductor.md +++ b/docs/upgrade_ibu_conductor.md 
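Review bot: the fourth example uses a semicolon where the others use a colon (`...version 6.1.3; Not supported.`); use `: Not supported.`. The unchanged sentence above the examples still says `provided that the conductor version is greater` right after stating `greater than or equal to`; since the second new example (conductor 6.2.5 managing routers 6.2.6) is supported only under the `major.minor` reading, tighten that clause to `provided that the conductor major.minor version is greater than or equal to the router's` so the text and the examples agree.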
@@ -57,6 +57,16 @@ request system software revert Revert to a previous version of the SSR. The image-based and package-based status is visible under **Install Type** in the PCLI using `show assets`. +:::note +The states displayed in the `status` column under `show assests` have changed. The old and new states are mapped below. + +| Old | New | +| --- | ---| +| Disconnected | Disconnected | +| Connected | Synchronizing or Resynchronizing | +| Running | Synchronized | +::: + **Image Based** ``` diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index 465def75b3..93eb6c3042 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md 
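Review bot: typo in the note, `show assests` should be `show assets` (the command is spelled correctly in the line above the note). The note says the `status` values `have changed` without saying from which release, so an operator on a mixed-version deployment cannot tell which column to expect on a given node; add the release in which the new states appear. The separator row `| --- | ---|` is missing a space before the final pipe.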
@@ -3,22 +3,25 @@ title: Upgrades with Restricted Internet Access sidebar_label: Upgrades with Restricted Internet Access --- -The standard upgrade workflow is for individual instances of SSR software to download upgrades directly from mirror servers hosted and managed by Juniper on the public internet. However, we recognize that there are deployments where the SSR does not have internet access. In this case, you can configure the routers to retrieve software from a conductor. +In some secure deployments where networks are strictly internal to an organization, SSR devices do not have access to the internet to download updated software. In these networks, referred to as "air-gap" networks, it is necessary to manually download the SSR software on to a device such as a USB and perform an upgrade from inside the network. -There are four configurable software access modes on a router: +To identify a device in an air-gap network, SSR conductors and routers are configured in `offline-mode`, indicating they do not have internet access. This is defined in the `router > system > software-update > repository` configuration, using the `source-type` setting. Upgrading devices in this configuration is addressed in this document. -- `conductor-only`: The router retrieves software versions only from the conductor. -- `prefer-conductor`: The router will retrieve software versions from the conductor, and fall back to using the internet. +Other configurable software update modes on a router: + +- `conductor-only`: The router retrieves software versions only from the conductor. This is often used on internal networks where the routers do not have direct internet access. +- `prefer-conductor`: The router will retrieve software versions from the conductor, but if the conductor is not available it will fall back to using the internet. - `internet-only` (default): The router will use Juniper's publicly hosted repositories for retrieving software images. 
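Review bot: the new second paragraph says offline mode `is defined in the router > system > software-update > repository configuration, using the source-type setting`, but the `Setting Offline Mode` section later in this file sets a separate boolean, `repository > offline-mode`, to `true` and says it overrides `source-type`; the removed bullet that listed `offline-mode` as a fourth `source-type` value suggests the model changed, so this sentence should say `using the offline-mode setting` (or state which of the two it is). `on to a device such as a USB` should be `onto a device such as a USB drive`.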
-- `offline-mode`: This mode is used for conductors and routers that do not have internet access - "air-gap" networks. -In the `router > system > software-update > repository` configuration, use the `source-type` setting to define the software update repository to one of the first three values; `conductor-only`, `prefer-conductor`, or `internet-only`. +For information about configuring software access modes on a router, please see [`software-update`](config_reference_guide.md#software-update) + +## How Does It Work? -With each of these settings, the conductor(s) require internet access, and the routers must be able to resolve internet hosted repositories. Because the access mode is configured on the router, your collection of routers can each use different preferences. For example, a router on the internet can use a Juniper repository, but another router managed by the same conductor sitting in an isolated environment can use the conductor. +In networks that do not have internet access, routers are configured to override the `source-type` setting and retrieve software directly from the conductor. -## Offline Mode +### Setting Offline Mode -In networks that do not have internet access, routers can be configured to override the `source-type` setting and retrieve software directly from the conductor. In the GUI, set `router > system > software-update > repository > offline-mode` to `true`. +In the GUI, set `router > system > software-update > repository > offline-mode` to `true`. **From the PCLI:** ``` 
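Review bot: dropping `With each of these settings, the conductor(s) require internet access, and the routers must be able to resolve internet hosted repositories...` removes the one place that distinguished `conductor-only` (conductor online, routers not) from `offline-mode` (nothing online) and the fact that the mode is chosen per router; since the previous hunk now describes `conductor-only` as `often used on internal networks where the routers do not have direct internet access`, readers will not see why `offline-mode` exists at all. Keep a sentence under `How Does It Work?` stating that with the three `source-type` modes the conductor still needs internet access, and that `offline-mode` is for the case where it does not. The sentence `please see [software-update](config_reference_guide.md#software-update)` has no terminating period.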
@@ -36,78 +39,109 @@ config exit exit ``` + ## Air-Gap Network Upgrade Process -The following process is used to upgrade a Conductor and Conductor-managed Routers to version 6.3.0 of the SSR software. +The following are use cases for upgrades within an air-gap network. + +- [Single-Version 6.3.0 Upgrade](#single-version-630-upgrade). +- [Mixed Version Upgrade](#mixed-version-upgrade), where the conductor is upgraded to version 6.3 and the routers are upgraded to earlier image-based versions, or left to be upgraded later. +- [Package-based Software Upgrade](#package-based-software-upgrade). + +:::note +Use these procedures for upgrades only. When performing an initial installation of version 6.3.x software or greater, the image-based SSR ISO is required. +::: + +### Single-Version 6.3.0 Upgrade + +The following process is used to upgrade a Conductor and Conductor-managed Routers to **version 6.3.0** of the SSR software. Beginning with SSR software version 6.3.0, a conductor can manage routers running image-based software installations. + + +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [6.3 Package Based ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/6.3/) page. + +2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the downloaded ISO. + +3. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` ISO onto the conductor using the [`import iso`](#import-iso) command. + +4. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). + +5. Download the `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` from the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. + +6. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. + +7. 
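Review bot: in the Single-Version procedure, step 2 creates a bootable USB from the 128T ISO and step 3 imports it onto the conductor, but nothing says to attach the USB to the conductor first; the Package-based procedure in this change has `3. Plug the USB into your device.`, so add the same step here (and in the Mixed Version procedure) and name the device. Steps 5 and 6 then download the SSR image and create a second bootable USB for it, even though that ISO is only imported, never booted; if a plain copy of the file onto removable media is enough for `import iso`, say so, otherwise say why the media must be bootable. The build number is written three ways in this file (`128T-6.3.0-107`, `SSR-6.3.0-xx`, `128T-6.3.X-XX`); pick the concrete filename or the placeholder and use it consistently.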
Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` ISO onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install this package onto the conductor, only import it. + +8. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. + +:::note +The process to upgrade a **conductor from a version less than 6.3.0 to 6.3.0 or greater** requires the use of the `128T-6.3.X-XX.r1.el7.OTP.v1.x86_64.iso` package based 128T ISO. After the initial upgrade to 6.3.X, all future upgrades will only require the import of the image-based SSR ISO; for example, `SSR-6.3.3-1.r1.el7.x86_64.ibu-v1.iso`. +::: + +### Mixed Version Upgrade + +If you are upgrading to version 6.3.0 on the Conductor and wish to upgrade the routers, note that after the conductor is upgraded to 6.3.x, routers upgraded to 6.1 or greater will require the image-based SSR ISO. In versions prior to version 6.3.0, image-based software running on conductor-managed routers was not supported, however version 6.3.0 allows your conductor to manage routers running **both** image-based and package-based software. + +The following workflow demonstrates upgrading a conductor to version 6.3.0, and a router to version 6.1.10. + +:::note +The process to upgrade a **conductor to 6.3.0** requires the use of the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso`. After the initial upgrade to 6.3.0, all future upgrades will only require the import of the `SSR-6.3.X-XX.r1.el7.x86_64.ibu-v1.iso`. +::: + + +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. -1. 
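Review bot: `after the conductor is upgraded to 6.3.x, routers upgraded to 6.1 or greater will require the image-based SSR ISO` sits next to `version 6.3.0 allows your conductor to manage routers running **both** image-based and package-based software`, which reads as a contradiction; if the intent is that a 6.3.x conductor keeps managing existing package-based routers but only serves image-based ISOs for router upgrades, say that explicitly. The `:::note` opening the Mixed Version section repeats the note that closes the Single-Version section (conductor upgrade to 6.3.0 needs the `128T-...OTP...` ISO, later upgrades only the `SSR-...ibu-v1.iso`); keep one and refer to it from the other.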
On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-xx.r1.el7` and the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` software packages. 2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -2. Import the `128T-6.3.0-xx.r1.el7` package onto the conductor using the [`import iso`](cli_reference.md#import-iso) command. -3. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). -4. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. -5. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. -### Import ISO +3. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` ISO onto the conductor using the [`import iso`](#import-iso) command. -The [`import iso`](cli_reference.md#import-iso) command is used to import the SSR ISO onto a local repository, allowing the SSR to be upgraded without connecting to Juniper servers. When upgrading a conductor or when `offline-mode` is defined for a router, the ISO must be imported to the target conductor to perform the upgrade. +4. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). -Use the `filepath` argument to specify the exact location of the ISO. `hunt` will search for files that match the patterns `128T*.iso`, `SSR*.iso`, or `SSR*.tar`, and the corresponding checksum and signature files. These checksum and signature files are essential for security verification and are included as part of the `import iso` operation. To install the 6.3.0 software, the following file must be downloaded to the USB and imported onto the conductor: +5. 
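Review bot: in the Mixed Version procedure, step 1 downloads `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` but step 2 says `Create a bootable USB drive from the SSR ISO`; the SSR image is not downloaded until step 5, so step 2 should read `from the downloaded ISO` (as the Single-Version procedure does) or name the 128T ISO. The `import iso` link is changed from `cli_reference.md#import-iso` to the in-page `#import-iso` anchor, which works because the `Import ISO` section stays in this file, but that section itself still links `cli_reference.md#import-iso`; pick one target.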
Navigate to the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page, identify the software image version you will use to upgrade the target router or routers, and download it. -- `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` + For example, if you are upgrading a router to SSR Version 6.1.10, you will need to download the following files: -After the local software repository has been updated with the ISO, the upgrade can proceed. + - `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.iso` + +6. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -If you are installing older images on the routers (versions 6.2.5 or older) you may need to include the checksum and signature files with the ISO when you download and import the software to the conductor. +7. Import the `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.iso` ISO onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install this package onto the conductor, only import it. -- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.iso` -- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.tar.sha256sum` -- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.tar.sha256sum.asc` +8. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. :::note In an HA setup, when using offline-mode for routers to access the software from the conductors, the ISO must be imported to both conductors before performing the upgrade. ::: -### Selecting the Boot Volume +### Package-based Software Upgrade -In instances where you are downloading and storing an SSR version for *router* upgrades, you can identify the boot volume (the disk volume where the image-based software is stored) from which the router will boot. +For upgrades of Conductor and Conductor-managed routers to software versions prior to 6.3.0, the package-based ISO's are used. 
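Review bot: the removed paragraph said that for router images 6.2.5 or older the `.tar.sha256sum` and `.tar.sha256sum.asc` files may have to be downloaded and imported alongside the ISO, and the new Mixed Version example upgrades a router to exactly such a version (6.1.10) while listing only `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.iso` under `you will need to download the following files:` (plural, one item). Either restore the checksum and signature files to that list, or state that they are no longer required for older images; since the `Import ISO` section still calls those files `essential for security verification`, silently dropping them is the wrong default. `package-based ISO's` should be `package-based ISOs`.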
-To view the current boot volume, use the `show system version` command: +In this example workflow, the conductor will be upgraded to 6.2.6, and the routers to 6.1.10. + +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` software package from the [128T package-based ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. -``` -admin@conductor-node-1.Conductor# show system version router RTR_WEST_COMBO node combo-west-1 detail -Thu 2024-05-02 14:03:28 UTC -Retrieving system version... - -================================================================= - Node: combo-west-1.RTR_WEST_COMBO -================================================================= - Version: 6.3.0 - Status: r1 - Build Date: 2024-05-01T21:25:38Z - Build Machine: releaseslave3.openstacklocal - Build User: jenkins - Build Directory: /i95code - Hash: 1d892d709c45409369048d129840b02e435b4e21 - Package: 128T-6.3.0-107.r1.el7 - SSR-IMG-release: SSR-6.3.0-107.r1.el7.x86_64.ibu-v1 - ---> Volume ID: b <--- - ---> Selected Boot Volume: b <--- - Idle Volume: - Version: 5.4.11 - Status: unavailable - Build Date: 2022-12-21T03:10:13Z - Build Machine: releaseslave4.openstacklocal - Build User: - Build Directory: - Hash: - Package: 128T-5.4.11-4.el7 - Volume ID: a - -Completed in 5.53 seconds -admin@conductor-node-1.Conductor# +2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -``` +3. Plug the USB into your device. + +4. Import the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. -Change the `Selected Boot Volume` using the command `set system software router node boot-volume {a|b}`. +5. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). 
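Review bot: the whole `Selecting the Boot Volume` section (the `show system version ... detail` output showing `Selected Boot Volume`, and the `set system software router node boot-volume {a|b}` and `send command reboot` instructions) is deleted with no replacement or link in this diff; if it moved to the router upgrade page, add a pointer from the air-gap procedures, otherwise restore it, since choosing which volume an image-based router boots is part of an offline upgrade. In the Package-based procedure, `3. Plug the USB into your device.` should name the conductor, which is where the following `import iso` runs.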
-Use the reboot command to boot into the specifed volume: `send command reboot router node `. +6. Download the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` software package from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. + +7. Import the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. + +8. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. + +### Import ISO + +The [`import iso`](cli_reference.md#import-iso) command is used to import the SSR ISO onto a local repository, allowing the SSR to be upgraded without connecting to Juniper servers. When upgrading a conductor or when `offline-mode` is defined for a router, the ISO must be imported to the target conductor to perform the upgrade. + +`import iso [check-rpm-signature ] [force] [verbose] {hunt | filepath }` + +Use the `filepath` argument to specify the exact location of the ISO. `hunt` will search for files that match the patterns `128T*.iso`, `SSR*.iso`, or `SSR*.tar`, and the corresponding checksum and signature files. These checksum and signature files are essential for security verification and are included as part of the `import iso` operation. To install the 6.3.0 software, the following file must be downloaded to the USB and imported onto the conductor: + +- `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` + +After the local software repository has been updated with the ISO, the upgrade can proceed. diff --git a/sidebars.js b/sidebars.js index 39c8769890..686f42e133 100644 --- a/sidebars.js +++ b/sidebars.js 
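Review bot: the `import iso` synopsis shows `[check-rpm-signature ] [force] [verbose] {hunt | filepath }` with empty value positions after `check-rpm-signature` and `filepath`; the value placeholders look to have been lost, so put the synopsis in a fenced block with the argument names written out. The surrounding text calls the checksum and signature files `essential for security verification` but does not say what `check-rpm-signature` takes, what `force` overrides, or what `import iso` does when the signature files are absent; document those before this page serves as the air-gap procedure. Also `To install the 6.3.0 software, the following file must be downloaded ... SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` now conflicts with the notes above, which say the conductor upgrade to 6.3.0 needs `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso`; say `to upgrade routers to 6.3.0` or list both files.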
@@ -47,10 +47,9 @@ module.exports = { "upgrade_legacy", "intro_rollback", ], - "Pre-Installation Process": [ + "Installation Overview": [ "intro_installation", - "intro_downloading_iso", - "intro_creating_bootable_usb", + ], "SSR Universal ISO Installation": [ "intro_installation_univ-iso", @@ -83,6 +82,8 @@ module.exports = { ], "Legacy Install Information": [ "intro_installation_legacy", + "intro_downloading_iso", + "intro_creating_bootable_usb", { "type": "category", "label": "Conductor Installation", @@ -287,6 +288,8 @@ module.exports = { "config_ldap", "config_radius", "config_radsec", + "config_syslog_tls", + "config_webserver_certs", "config_password_policies", "howto_reset_user_password", ],
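Review bot: in `sidebars.js` the `"Installation Overview"` array picks up a blank line between `"intro_installation",` and `],`; remove it. The `"SSR Universal ISO Installation"` category label is left unchanged while the page under it is retitled `SSR Image-based ISO Installation Overview` in this change; rename the category to match. `"config_syslog_tls"` and `"config_webserver_certs"` are added to the sidebar but the corresponding `docs/` files do not appear in this diff; confirm they are part of the change, since a sidebar entry with no matching document fails the Docusaurus build.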