From 69397cde6a478be4cfa2dc56e70be01cc5b52c5e Mon Sep 17 00:00:00 2001 From: Chris Date: Mon, 30 Sep 2024 17:53:06 -0400 Subject: [PATCH 01/16] interim save --- docs/intro_upgrading.md | 23 ++++++------ docs/upgrade_restricted_access.md | 62 ++++++++++++++++++++++++------- 2 files changed, 60 insertions(+), 25 deletions(-) diff --git a/docs/intro_upgrading.md b/docs/intro_upgrading.md index baf787f083..5a7f4da5fe 100644 --- a/docs/intro_upgrading.md +++ b/docs/intro_upgrading.md @@ -9,6 +9,13 @@ Please refer to the [Upgrade Considerations](intro_upgrade_considerations.md) be Your SSR conductor or router must have internet access to download the latest software packages; however, we recognize that there are deployments where the SSR does not have internet access. In those cases you can use the SSR conductor as a repository (or proxy) to retrieve or store software images. For information about upgrading offline or air-gap network devices, refer to [Upgrades with Restricted Internet Access](upgrade_restricted_access.md). +For Upgrade procedures, refer to the appropriate section: + +- [Upgrading the Conductor](upgrade_ibu_conductor.md) +- [Upgrading the Router](upgrade_router.md) +- [Upgrades with Restricted Internet Access](upgrade_restricted_access.md) +- [Legacy Upgrades](upgrade_legacy.md) Software versions prior to SSR 6.3.0 + As with any upgrade activity, it is always prudent to create a backup of your current software configuration before initiating any upgrade activity. Conductor and router upgrades may be performed from the GUI of the Conductor, the PCLI of the conductor, or in the case of an unmanaged router, from the router itself. 
@@ -24,15 +31,7 @@ Prerequisites for upgrades include configuring a user with super user (sudo) pri The conductor `major.minor` version must be greater than or equal to the router version. The router version can not exceed the conductors `major.minor` version, but it can have a greater patch version. All [versions currently under support](about_support_policy.md) can be run on a router and managed by the conductor, provided that the conductor version is greater. Versions of software not under support *may* work, but are not guaranteed to do so. Examples: -- Conductor running version 6.0.5, managing Routers running version 6.0.1: Supported. -- Conductor running version 5.4.8, managing Routers running version 5.4.10: Supported. -- Conductor running version 6.0.5, managing Routers running version 5.5.7: Supported. -- Conductor running version 5.6.8, managing Routers running version 6.1.3; Not supported. - -For Upgrade procedures, refer to the appropriate section: - -- [Upgrading the Conductor](upgrade_ibu_conductor.md) -- [Upgrading the Router](upgrade_router.md) -- [Upgrades with Restricted Internet Access](upgrade_restricted_access.md) -- [Legacy Upgrades](upgrade_legacy.md) Software versions prior to SSR 6.3.0 - +- Conductor running version 6.2.6, managing Routers running version 6.2.5: Supported. +- Conductor running version 6.2.5, managing Routers running version 6.2.6: Supported. +- Conductor running version 6.3.0, managing Routers running version 6.1.10: Supported. +- Conductor running version 5.6.10, managing Routers running version 6.1.3; Not supported. diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index 465def75b3..f87e90f627 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md 
@@ -3,22 +3,25 @@ title: Upgrades with Restricted Internet Access sidebar_label: Upgrades with Restricted Internet Access --- -The standard upgrade workflow is for individual instances of SSR software to download upgrades directly from mirror servers hosted and managed by Juniper on the public internet. However, we recognize that there are deployments where the SSR does not have internet access. In this case, you can configure the routers to retrieve software from a conductor. +In some secure deployments where networks are strictly internal to an organization, SSR devices do not have access to the internet to download updated software. In these networks, referred to as "air-gap" networks, it is necessary to manually download the SSR software on to a device such as a USB and perform an upgrade from inside the network. -There are four configurable software access modes on a router: +To identify a device in an air-gap network, SSR conductors and routers are configured in `offline-mode`, indicating they do not have internet access. This is defined in the `router > system > software-update > repository` configuration, using the `source-type` setting. Upgrading devices in this configuration is addressed in this document. -- `conductor-only`: The router retrieves software versions only from the conductor. -- `prefer-conductor`: The router will retrieve software versions from the conductor, and fall back to using the internet. +Other configurable software access modes on a router: + +- `conductor-only`: The router retrieves software versions only from the conductor. This is often used on internal networks where the routers do not have direct internet access. +- `prefer-conductor`: The router will retrieve software versions from the conductor, but if the conductor is not available it will fall back to using the internet. - `internet-only` (default): The router will use Juniper's publicly hosted repositories for retrieving software images. 
-- `offline-mode`: This mode is used for conductors and routers that do not have internet access - "air-gap" networks. -In the `router > system > software-update > repository` configuration, use the `source-type` setting to define the software update repository to one of the first three values; `conductor-only`, `prefer-conductor`, or `internet-only`. +For information about configuring software access modes on a router, please see, [Software Access Modes](insert link here when it is done) + +## How Does it Work? -With each of these settings, the conductor(s) require internet access, and the routers must be able to resolve internet hosted repositories. Because the access mode is configured on the router, your collection of routers can each use different preferences. For example, a router on the internet can use a Juniper repository, but another router managed by the same conductor sitting in an isolated environment can use the conductor. +In networks that do not have internet access, routers are configured to override the `source-type` setting and retrieve software directly from the conductor. -## Offline Mode +### Setting Offline Mode -In networks that do not have internet access, routers can be configured to override the `source-type` setting and retrieve software directly from the conductor. In the GUI, set `router > system > software-update > repository > offline-mode` to `true`. +In the GUI, set `router > system > software-update > repository > offline-mode` to `true`. **From the PCLI:** ``` 
@@ -38,14 +41,45 @@ exit ``` ## Air-Gap Network Upgrade Process -The following process is used to upgrade a Conductor and Conductor-managed Routers to version 6.3.0 of the SSR software. +There are two use cases for upgrades within an air-gap network and each is slightly different. + +- A single-version 6.3.0 upgrade +- A mixed-version upgrade, where the conductor is V6.2.x and the routers are similar or earlier versions -1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-xx.r1.el7` and the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` software packages. +### Single-Version 6.3.0 Upgrade + +The following process is used to upgrade a Conductor and Conductor-managed Routers to **version 6.3.0** of the SSR software. + +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` and the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` software packages. 2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -2. Import the `128T-6.3.0-xx.r1.el7` package onto the conductor using the [`import iso`](cli_reference.md#import-iso) command. +2. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](cli_reference.md#import-iso) command. 3. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). 4. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. 5. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. +6. Continue with [Import ISO](#import-iso). + +### Mixed Version Upgrade + +In this workflow, the conductor will be upgraded to 6.2.6, and the routers to 6.1.10. 
+ +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` and the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` software packages. +2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. +2. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](cli_reference.md#import-iso) command. +3. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). +4. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. +5. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. +6. Continue with [Import ISO](#import-iso). + + + + + + +** I'm starting to see holes in this scenario. + - Conductor managed deployments are all package based installs, so there will be no mixed deployments of 6.3 managing image based routers unless they are choosing to do that upgrade as part of this process, which does not make any sense; if they want to go to ib-routers, then install 6.3 across the boards. + - If they are upgrading a conductor to 6.2.6 (pb) they will have to upgrade the routers to some PB install. + + ### Import ISO 
@@ -57,7 +91,9 @@ Use the `filepath` argument to specify the exact location of the ISO. `hunt` wil After the local software repository has been updated with the ISO, the upgrade can proceed. -If you are installing older images on the routers (versions 6.2.5 or older) you may need to include the checksum and signature files with the ISO when you download and import the software to the conductor. +#### Version Checks (outlier - 98% of router ibu's will be done in mist) + +If you are upgrading or installing older image-based software on a router (versions 6.2.5 or older) you may need to include the checksum and signature files with the ISO when you download and import the software to the conductor. - `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.iso` - `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.tar.sha256sum` From 7a33d72652ad6463d0abafde15bd3d0f409b2eb5 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 1 Oct 2024 14:05:10 -0400 Subject: [PATCH 02/16] clarifying the upgrade process and where to locate the IBU and OTP ISO files. --- docs/config_reference_guide.md | 6 +-- docs/intro_downloading_iso.md | 16 +++--- docs/intro_installation.md | 6 +-- docs/upgrade_restricted_access.md | 82 +++++++++++++++++-------------- sidebars.js | 7 +-- 5 files changed, 62 insertions(+), 55 deletions(-) diff --git a/docs/config_reference_guide.md b/docs/config_reference_guide.md index 47867f7f57..99ec18e34b 100644 --- a/docs/config_reference_guide.md +++ b/docs/config_reference_guide.md 
@@ -2086,8 +2086,8 @@ This controls which repository or repositories a router will use to retrieve sof | Element | Type | Description | | --- | --- | --- | -| offline-mode | boolean | Default: false. Controls whether the router will only be able to retrieve software upgrade images via its conductor.| -| source-type | enumeration | Valid values: conductor-only, prefer-conductor, internet-only. Default: internet-only. To use the conductor as a proxy server to reach the SSR public internet repository, set this to `conductor-only` or `prefer-conductor`. To reach it via the public internet and not use the conductor as a proxy, set it to `internet-only`.| +| offline-mode | boolean | Default: `false`. Set this to `true` to limit the router to only retrieve software upgrade images from its conductor.| +| source-type | enumeration | Valid values: `conductor-only`, `prefer-conductor`, `internet-only`. Default: `internet-only`. To use the conductor as a proxy server to reach the SSR public internet repository, set this to `conductor-only` or `prefer-conductor`. To reach it via the public internet and not use the conductor as a proxy, set it to `internet-only`.| ## reverse-packet-session-resiliency @@ -2708,7 +2708,7 @@ By default, an SSR retrieves software from a public software repository hosted b | Element | Type | Description | | --- | --- | --- | | max-bandwidth | enumeration | Valid values: unlimited, 1-999999999999. This value is in bits/second. This represents the bandwidth limiter applied to software downloads. | -| repository | sub-element | Which repository/repositories the SSR will use.| +| [repository](#repository) | sub-element | Which repository/repositories the SSR will use.| ## ssh-keepalive diff --git a/docs/intro_downloading_iso.md b/docs/intro_downloading_iso.md index f5e0d8e68a..13469d361e 100644 --- a/docs/intro_downloading_iso.md +++ b/docs/intro_downloading_iso.md 
@@ -9,11 +9,13 @@ With your purchase of a SSR license, you are provided a set of credentials used Juniper Session Smart Networking provides the following workflows for the installation process: -- **Universal ISO:** Beginning with version 6.3.0, the SSR uses a single downloadable ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. +- **Universal ISO:** **Beginning with version 6.3.0**, the SSR uses a single downloadable ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. - Please see [SSR Universal ISO Installation Overview](intro_installation_univ-iso.md) for the download location and related installation instructions. + Please see [SSR Universal ISO Installation Overview](intro_installation_univ-iso.md) for the installation instructions and software image download location. -- **Image-based ISO:** Beginning with version 6.0, an image-based ISO installation process has been implemented for users who manage their network using the Mist Cloud. This installation and upgrade process is only available for SSR version 6.0 and higher, and is currently only available for Mist-managed deployments. +For users installing *earlier versions of the SSR software*, the following installation methods are available: + +- **Image-based ISO:** An image-based ISO installation process is available for users who manage their network using the Mist Cloud. This installation and upgrade process is only available for SSR version 6.0 and higher, and is currently only available for Mist-managed deployments. 
For details about the Image-based install process, see [Image-based Installation.](intro_installation_image.md) 
@@ -21,13 +23,7 @@ Juniper Session Smart Networking provides the following workflows for the instal - **One Touch Provisioning (OTP)** is the default and preferred method of installation. OTP sets up DHCP on all interfaces and boots a Web Server GUI. After installing the Conductor and configuring routers through the Conductor, the OTP bootstrap process will install and configure the router. See the following procedures for OTP installation steps: - [Router Installation Using OTP](intro_otp_iso_install.mdx) - [Quickstart from the OTP ISO](intro_install_quickstart_otpiso.md) - - **Interactive:** Beginning with SSR version 6.3.0, the use of the interactive installer is not supported, nor necessary. Software installation and upgrade upgrade activities are supported from the GUI or PCLI. With software versions earlier than 6.3.0, upgrading the SSR software on a peer conductor or router that is managed by a conductor using the interactive installer may result in the system becoming unresponsive. For this reason it is highly recommended that installations and upgrades be performed through the conductor UI. - -:::note -Beginning with release 5.4.7-7 and any 5.x ISO [**released after August 4, 2022**](about_releases.mdx#all-releases---limited-general-availability-and-out-of-support), the ISO name format has changed from using `OTP` to `ISO`: - -- 128T-5.4.7-7.el7.ISO.v1.x86_64.iso -::: + - **Interactive:** Beginning with SSR version 6.3.0, the use of the interactive installer is not supported, nor necessary. Software installation and upgrade upgrade activities are supported from the GUI or PCLI. With software versions earlier than 6.3.0, upgrading the SSR software on a conductor or router that is managed by a conductor using the interactive installer may result in the system becoming unresponsive. For this reason it is highly recommended that installations and upgrades be performed through the conductor UI. ## Downloading an ISO 
diff --git a/docs/intro_installation.md b/docs/intro_installation.md index 1ecb503fe7..01bc44932d 100644 --- a/docs/intro_installation.md +++ b/docs/intro_installation.md @@ -21,9 +21,7 @@ The examples listed in this guide generally prefer running commands as a non-roo Beginning with SSR 6.3.0, the Universal ISO Installation simplifies and streamlines the SSR installation and initialization process, and supports Conductor-managed image-based installations as well as Mist-managed deployments. Installation is done from the SSR ISOs, typically from a bootable image on a flash drive or disk. The install process is as follows: -- Pre-Installation Process: - - [Download the ISOs](intro_downloading_iso.md) - - [Create Bootable Media](intro_creating_bootable_usb.md) + - [SSR Universal ISO Installation (SSR 6.3.0+)](intro_installation_univ-iso.md) - [SSR Installation](install_univ_iso.md) - [Device Initialization](initialize_u-iso_device.md) @@ -33,6 +31,8 @@ Installation is done from the SSR ISOs, typically from a bootable image on a fla - [Installation in Microsoft Azure](intro_installation_azure.md) - [Installing in VMWare](install_vmware_config.mdx) +For installation of versions prior to 6.3.0, see [Legacy Installations](intro_installation_legacy.md): + A Mist-redirect ZTP process for Conductor-managed deployments is supported on Juniper branded hardware devices - the SSR1x0/1x00. See [Onboard an SSR Device to a Conductor](onboard_ssr_to_conductor.md) for details about this process. ## Upgrades diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index f87e90f627..b0b41578b3 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md 
@@ -7,15 +7,15 @@ In some secure deployments where networks are strictly internal to an organizati To identify a device in an air-gap network, SSR conductors and routers are configured in `offline-mode`, indicating they do not have internet access. This is defined in the `router > system > software-update > repository` configuration, using the `source-type` setting. Upgrading devices in this configuration is addressed in this document. -Other configurable software access modes on a router: +Other configurable software update modes on a router: - `conductor-only`: The router retrieves software versions only from the conductor. This is often used on internal networks where the routers do not have direct internet access. - `prefer-conductor`: The router will retrieve software versions from the conductor, but if the conductor is not available it will fall back to using the internet. - `internet-only` (default): The router will use Juniper's publicly hosted repositories for retrieving software images. -For information about configuring software access modes on a router, please see, [Software Access Modes](insert link here when it is done) +For information about configuring software access modes on a router, please see [`software-update`](config_reference_guide.md#software-update) -## How Does it Work? +## How Does It Work? In networks that do not have internet access, routers are configured to override the `source-type` setting and retrieve software directly from the conductor. 
@@ -39,73 +39,55 @@ config exit exit ``` + ## Air-Gap Network Upgrade Process -There are two use cases for upgrades within an air-gap network and each is slightly different. +There are two use cases for upgrades within an air-gap network. - A single-version 6.3.0 upgrade -- A mixed-version upgrade, where the conductor is V6.2.x and the routers are similar or earlier versions +- A mixed-version upgrade, where the conductor is V6.x and the routers are similar or earlier versions ### Single-Version 6.3.0 Upgrade -The following process is used to upgrade a Conductor and Conductor-managed Routers to **version 6.3.0** of the SSR software. +The following process is used to upgrade a Conductor and Conductor-managed Routers to **version 6.3.0** of the SSR software. Beginning with SSR software version 6.3.0, a conductor can manage routers running image-based software installations. 1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` and the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` software packages. + - The Conductor OTP ISO is available on the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. + - The latest software images are available from the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. + 2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -2. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](cli_reference.md#import-iso) command. +2. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. 3. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). 4. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. 
The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. 5. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. -6. Continue with [Import ISO](#import-iso). ### Mixed Version Upgrade In this workflow, the conductor will be upgraded to 6.2.6, and the routers to 6.1.10. -1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` and the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` software packages. +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` and the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` software packages. + - The OTP ISOs are available on the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. 2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -2. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](cli_reference.md#import-iso) command. +2. Import the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. 3. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). -4. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. +4. Import the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. 5. 
Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. -6. Continue with [Import ISO](#import-iso). - - - - - - -** I'm starting to see holes in this scenario. - - Conductor managed deployments are all package based installs, so there will be no mixed deployments of 6.3 managing image based routers unless they are choosing to do that upgrade as part of this process, which does not make any sense; if they want to go to ib-routers, then install 6.3 across the boards. - - If they are upgrading a conductor to 6.2.6 (pb) they will have to upgrade the routers to some PB install. - - ### Import ISO The [`import iso`](cli_reference.md#import-iso) command is used to import the SSR ISO onto a local repository, allowing the SSR to be upgraded without connecting to Juniper servers. When upgrading a conductor or when `offline-mode` is defined for a router, the ISO must be imported to the target conductor to perform the upgrade. +`import iso [check-rpm-signature ] [force] [verbose] {hunt | filepath }` + Use the `filepath` argument to specify the exact location of the ISO. `hunt` will search for files that match the patterns `128T*.iso`, `SSR*.iso`, or `SSR*.tar`, and the corresponding checksum and signature files. These checksum and signature files are essential for security verification and are included as part of the `import iso` operation. To install the 6.3.0 software, the following file must be downloaded to the USB and imported onto the conductor: - `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` After the local software repository has been updated with the ISO, the upgrade can proceed. -#### Version Checks (outlier - 98% of router ibu's will be done in mist) - -If you are upgrading or installing older image-based software on a router (versions 6.2.5 or older) you may need to include the checksum and signature files with the ISO when you download and import the software to the conductor. 
- -- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.iso` -- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.tar.sha256sum` -- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.tar.sha256sum.asc` - -:::note -In an HA setup, when using offline-mode for routers to access the software from the conductors, the ISO must be imported to both conductors before performing the upgrade. -::: - ### Selecting the Boot Volume -In instances where you are downloading and storing an SSR version for *router* upgrades, you can identify the boot volume (the disk volume where the image-based software is stored) from which the router will boot. +In instances where you are downloading and storing an *image-based SSR version for router* upgrades, you can identify the boot volume (the disk volume where the image-based software is stored) from which the router will boot. To view the current boot volume, use the `show system version` command: 
@@ -147,3 +129,31 @@ admin@conductor-node-1.Conductor# Change the `Selected Boot Volume` using the command `set system software router node boot-volume {a|b}`. Use the reboot command to boot into the specifed volume: `send command reboot router node `. + +## Edge Cases and Additional Information + +The following information represents low-likelihood use cases. These are situations where the provided information is important or helpful, but only in a very small number of deployments. + +### Edge Case Upgrade or Installation + +In versions prior to V6.3.0, image-based software running on conductor-managed routers was not supported. If you are installing or upgrading a mixed version network that includes V6.3.x on the Conductor, and wish to upgrade the routers to earlier, image based software (versions starting with 6.0 have image-based options), use the steps in the [Single-Version Upgrade](#single-version-630-upgrade) procedure, and select the image for the version you wish to use from the appropriate [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. Be aware that for versions 6.2.5 or older, you must include the checksum and signature files described below. + +### Version Checks + +This situation will only be encountered if you have: +- An air-gap network +- Installed V6.3.0 on a conductor +- Are installing an earlier version (6.2.x or earlier) of the SSR **Image-based software** on a conductor-managed router. + +If you are upgrading or installing older image-based software on a router (versions 6.2.5 or older) you may need to include the checksum and signature files with the ISO when you download and import the software to the conductor. 
+ +- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.iso` +- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.tar.sha256sum` +- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.tar.sha256sum.asc` + +:::note +In an HA setup, when using offline-mode for routers to access the software from the conductors, the ISO must be imported to both conductors before performing the upgrade. +::: + + + diff --git a/sidebars.js b/sidebars.js index abe310af22..38b875e010 100644 --- a/sidebars.js +++ b/sidebars.js @@ -47,10 +47,9 @@ module.exports = { "upgrade_legacy", "intro_rollback", ], - "Pre-Installation Process": [ + "Installation Overview": [ "intro_installation", - "intro_downloading_iso", - "intro_creating_bootable_usb", + ], "SSR Universal ISO Installation": [ "intro_installation_univ-iso", @@ -83,6 +82,8 @@ module.exports = { ], "Legacy Install Information": [ "intro_installation_legacy", + "intro_downloading_iso", + "intro_creating_bootable_usb", { "type": "category", "label": "Conductor Installation", From 7a94ed782fea56d9da651f01842cedf9a10fa908 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 1 Oct 2024 19:46:57 -0400 Subject: [PATCH 03/16] revised per conversation with Jeff. --- docs/intro_downloading_iso.md | 2 +- docs/intro_installation.md | 6 +- docs/intro_installation_univ-iso.md | 6 +- docs/upgrade_restricted_access.md | 116 +++++++++++++++++----------- 4 files changed, 78 insertions(+), 52 deletions(-) diff --git a/docs/intro_downloading_iso.md b/docs/intro_downloading_iso.md index 13469d361e..c82795a9c6 100644 --- a/docs/intro_downloading_iso.md +++ b/docs/intro_downloading_iso.md 
@@ -9,7 +9,7 @@ With your purchase of a SSR license, you are provided a set of credentials used Juniper Session Smart Networking provides the following workflows for the installation process: -- **Universal ISO:** **Beginning with version 6.3.0**, the SSR uses a single downloadable ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. +- **Universal ISO:** **Beginning with version 6.3.0**, the SSR uses a single downloadable image-based ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. Please see [SSR Universal ISO Installation Overview](intro_installation_univ-iso.md) for the installation instructions and software image download location. diff --git a/docs/intro_installation.md b/docs/intro_installation.md index 01bc44932d..4894018004 100644 --- a/docs/intro_installation.md +++ b/docs/intro_installation.md 
@@ -18,9 +18,9 @@ The examples listed in this guide generally prefer running commands as a non-roo ## Installation Process -Beginning with SSR 6.3.0, the Universal ISO Installation simplifies and streamlines the SSR installation and initialization process, and supports Conductor-managed image-based installations as well as Mist-managed deployments. +Beginning with SSR 6.3.0, a universal image-based ISO is provided to simplify and streamline the SSR installation and initialization process. This version supports Conductor-managed image-based installations as well as Mist-managed deployments. -Installation is done from the SSR ISOs, typically from a bootable image on a flash drive or disk. The install process is as follows: +Installation to your device utilizes the SSR ISO, downloaded as a bootable image to a USB drive or from disk. The install process is as follows: - [SSR Universal ISO Installation (SSR 6.3.0+)](intro_installation_univ-iso.md) - [SSR Installation](install_univ_iso.md) @@ -31,7 +31,7 @@ Installation is done from the SSR ISOs, typically from a bootable image on a fla - [Installation in Microsoft Azure](intro_installation_azure.md) - [Installing in VMWare](install_vmware_config.mdx) -For installation of versions prior to 6.3.0, see [Legacy Installations](intro_installation_legacy.md): +- [Legacy Installations](intro_installation_legacy.md) for installation of versions prior to 6.3.0 A Mist-redirect ZTP process for Conductor-managed deployments is supported on Juniper branded hardware devices - the SSR1x0/1x00. See [Onboard an SSR Device to a Conductor](onboard_ssr_to_conductor.md) for details about this process. diff --git a/docs/intro_installation_univ-iso.md b/docs/intro_installation_univ-iso.md index 813302ad0a..9254ff5174 100644 --- a/docs/intro_installation_univ-iso.md +++ b/docs/intro_installation_univ-iso.md 
@@ -21,20 +21,20 @@ The installation workflow consists of the following steps: ## Download -The ISO is available for download at the following location: +The image-based ISOs are available for download at the following location: https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local/ Files available for download are: -- `*.iso` - This file is used for installing/staging bare metal platforms. **Use this file to perform an image-based install.** +- `*.iso` - This file is used for installing/staging bare metal platforms. **Use this file to perform an initial image-based install.** - `*.tar` - This file is used by Mist or the SSR conductor for image-based upgrades, and is accessed directly by the system during the upgrade. User download is not necessary or advised. You will be prompted for your username and token to access the web page listing the software versions. Download is done directly from the page. ### Create a Bootable USB -Use the instructions for [Creating a Bootable USB](intro_creating_bootable_usb.md) to create a bootable USB drive containing the universal ISO image. +Use the instructions for [Creating a Bootable USB](intro_creating_bootable_usb.md) to create a bootable USB drive containing the latest image-based ISO. Once you have the USB, let's go [Install the SSR software!](install_univ_iso.md) \ No newline at end of file diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index b0b41578b3..ed07957d01 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md 
@@ -42,36 +42,88 @@ exit ## Air-Gap Network Upgrade Process -There are two use cases for upgrades within an air-gap network. +The following are use cases for upgrades within an air-gap network. -- A single-version 6.3.0 upgrade -- A mixed-version upgrade, where the conductor is V6.x and the routers are similar or earlier versions +- [Single-Version 6.3.0 Upgrade](#single-version-630-upgrade). +- [Mixed Version Upgrade](#mixed-version-upgrade), where the conductor is upgraded to version 6.3 and the routers are upgraded to earlier image-based versions, or left to be upgraded later. +- [Package-based Software Upgrade](#package-based-software-upgrade). + +:::note +Use these procedures for upgrades only. When performing an initial installation of version 6.3.x software, the IBU ISO is required. +::: ### Single-Version 6.3.0 Upgrade The following process is used to upgrade a Conductor and Conductor-managed Routers to **version 6.3.0** of the SSR software. Beginning with SSR software version 6.3.0, a conductor can manage routers running image-based software installations. + +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. -1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` and the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` software packages. - - The Conductor OTP ISO is available on the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. - - The latest software images are available from the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. +2. 
Download the `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` from the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. . -2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -2. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. -3. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). -4. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. -5. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. +3. . [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. + +4. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. + +5. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). + +6. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. + +7. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. + +### Mixed Version Upgrade + +If you are upgrading to version 6.3.x on the Conductor and wish to upgrade the routers, be aware that upgrades to the routers must use image-based software. (Versions starting at 6.0 have image-based options). In versions prior to version 6.3.0, image-based software running on conductor-managed routers was not supported, however version 6.3.x allows your conductor to manage routers running **both** image-based and package-based software. 
+ +The following workflow demonstrates upgrading a conductor to version 6.3.0, and a router to version 6.1.10. + + +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. + +2. Navigate to the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page, identify the software image version you will use to upgrade the target router or routers, and download it. + +:::note +If you are upgrading or installing earlier image-based software on a router (versions 6.2.5 or earlier) you will need to include the checksum and signature files with the ISO when you download and import the software to the conductor. +::: + + For example, if you are upgrading a router to SSR Version 6.1.10, you will need to download the following files: + + - `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.iso` + - `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.tar.sha256sum` + - `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.tar.sha256sum.asc` + +3. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. + +4. Plug the USB into your device. + +6. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. + +7. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). + +8. Import the ISO, checksum, and signature file package you downloaded in step 2 onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. -### Mixed Version Upgrade +9. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. 
+ +:::note +In an HA setup, when using offline-mode for routers to access the software from the conductors, the ISO must be imported to both conductors before performing the upgrade. +::: + +### Package-based Software Upgrade In this workflow, the conductor will be upgraded to 6.2.6, and the routers to 6.1.10. + +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` and the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` software packages from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. -1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` and the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` software packages. - - The OTP ISOs are available on the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. 2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -2. Import the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. -3. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). -4. Import the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. -5. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. + +3. Plug the USB into your device. + +4. Import the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. + +5. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). + +6. 
Import the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. + +7. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. ### Import ISO @@ -81,7 +133,7 @@ The [`import iso`](cli_reference.md#import-iso) command is used to import the SS Use the `filepath` argument to specify the exact location of the ISO. `hunt` will search for files that match the patterns `128T*.iso`, `SSR*.iso`, or `SSR*.tar`, and the corresponding checksum and signature files. These checksum and signature files are essential for security verification and are included as part of the `import iso` operation. To install the 6.3.0 software, the following file must be downloaded to the USB and imported onto the conductor: -- `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` +- `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` After the local software repository has been updated with the ISO, the upgrade can proceed. 
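Review bot: In the Mixed Version Upgrade steps added by the `@@ -42,36 +42,88 @@` hunk of docs/upgrade_restricted_access.md, the numbering jumps from `4. Plug the USB into your device.` straight to `6. Import the ...`, so there is no step 5. The `:::note` about checksum and signature files also sits unindented between step 2 and its indented example list, which may break the ordered list when rendered. Renumber the steps 1 to 8 and indent the note under step 2. Because the page itself calls the checksum and signature files essential for security verification, step 2 should say in its own text that all three files are required for 6.2.5 and earlier, rather than leaving that to the note.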
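Review bot: The file name in the Import ISO list (`@@ -81,7 +133,7 @@` hunk) is now pinned to build `-107`, but step 6 of the Single-Version 6.3.0 Upgrade in this same commit still reads `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso`; use one form in both places. The paragraph above the list calls the checksum and signature files essential for security verification, yet the list names only the ISO. State here whether the 6.3.0 ISO needs separate `.sha256sum` and `.sha256sum.asc` files, as the 6.2.5 and earlier images do.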
@@ -130,30 +182,4 @@ Change the `Selected Boot Volume` using the command `set system software router Use the reboot command to boot into the specifed volume: `send command reboot router node `. -## Edge Cases and Additional Information - -The following information represents low-likelihood use cases. These are situations where the provided information is important or helpful, but only in a very small number of deployments. - -### Edge Case Upgrade or Installation - -In versions prior to V6.3.0, image-based software running on conductor-managed routers was not supported. If you are installing or upgrading a mixed version network that includes V6.3.x on the Conductor, and wish to upgrade the routers to earlier, image based software (versions starting with 6.0 have image-based options), use the steps in the [Single-Version Upgrade](#single-version-630-upgrade) procedure, and select the image for the version you wish to use from the appropriate [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. Be aware that for versions 6.2.5 or older, you must include the checksum and signature files described below. - -### Version Checks - -This situation will only be encountered if you have: -- An air-gap network -- Installed V6.3.0 on a conductor -- Are installing an earlier version (6.2.x or earlier) of the SSR **Image-based software** on a conductor-managed router. - -If you are upgrading or installing older image-based software on a router (versions 6.2.5 or older) you may need to include the checksum and signature files with the ISO when you download and import the software to the conductor. 
- -- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.iso` -- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.tar.sha256sum` -- `SSR-6.2.5-xx.r1.el7.x86_64.ibu-v1.tar.sha256sum.asc` - -:::note -In an HA setup, when using offline-mode for routers to access the software from the conductors, the ISO must be imported to both conductors before performing the upgrade. -::: - - From c06fd5ccba00e3fa38849b7889c569bbf7bd2da9 Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 3 Oct 2024 10:20:36 -0400 Subject: [PATCH 04/16] in process updates --- docs/intro_downloading_iso.md | 14 +++++--------- docs/intro_installation_univ-iso.md | 8 ++++---- 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/docs/intro_downloading_iso.md b/docs/intro_downloading_iso.md index c82795a9c6..cf635859b0 100644 --- a/docs/intro_downloading_iso.md +++ b/docs/intro_downloading_iso.md 
@@ -9,15 +9,11 @@ With your purchase of a SSR license, you are provided a set of credentials used Juniper Session Smart Networking provides the following workflows for the installation process: -- **Universal ISO:** **Beginning with version 6.3.0**, the SSR uses a single downloadable image-based ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. +- **SSR Image-based ISO:** **Beginning with version 6.3.0**, the SSR uses a single downloadable image-based ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. - Please see [SSR Universal ISO Installation Overview](intro_installation_univ-iso.md) for the installation instructions and software image download location. + Please see [SSR Image-based ISO Installation Overview](intro_installation_univ-iso.md) for the installation instructions and software image download location. -For users installing *earlier versions of the SSR software*, the following installation methods are available: - -- **Image-based ISO:** An image-based ISO installation process is available for users who manage their network using the Mist Cloud. This installation and upgrade process is only available for SSR version 6.0 and higher, and is currently only available for Mist-managed deployments. - - For details about the Image-based install process, see [Image-based Installation.](intro_installation_image.md) +For users installing *earlier, package-based versions of the SSR software*, the following installation methods are available: - **Package-based ISO:** For users who do not use Mist Cloud, this ISO offers multiple local installation methods. 
- **One Touch Provisioning (OTP)** is the default and preferred method of installation. OTP sets up DHCP on all interfaces and boots a Web Server GUI. After installing the Conductor and configuring routers through the Conductor, the OTP bootstrap process will install and configure the router. See the following procedures for OTP installation steps: @@ -29,12 +25,12 @@ For users installing *earlier versions of the SSR software*, the following insta The SSR Software packages are available from our public servers using the username and token provided to you and can be accessed at the following location: -The image-based ISOs for Mist-managed deployments are available to download at the following location: +The image-based ISOs are available to download at the following location: - https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local -The package-based ISOs for Conductor-managed deployments are available to download at the following location: +The package-based ISOs are available to download at the following location: - https://software.128technology.com/artifactory/list/generic-128t-isos-release-local diff --git a/docs/intro_installation_univ-iso.md b/docs/intro_installation_univ-iso.md index 9254ff5174..14cda927cf 100644 --- a/docs/intro_installation_univ-iso.md +++ b/docs/intro_installation_univ-iso.md 
@@ -1,16 +1,16 @@ --- -title: SSR Universal ISO Installation Overview -sidebar_label: SSR Universal ISO Installation Overview +title: SSR Image-based ISO Installation Overview +sidebar_label: SSR Image-based ISO Installation Overview --- -Beginning with version 6.3.0, the SSR uses a single downloadable ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. +Beginning with version 6.3.0, the SSR uses a single image-based ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. #### Version History | Release | Modification | | ------- | ------------ | | 6.0.0 | Image-based ISO installation process implemented for Mist-managed networks. | -| 6.3.0 | Universal ISO released, migrating to a single ISO installation format for Conductor, Conductor-managed, and Mist-managed deployments. | +| 6.3.0 | Image-based ISO updated, migrating to a single ISO installation format for Conductor, Conductor-managed, and Mist-managed deployments. | The installation workflow consists of the following steps: From e71b6e929ae1d673c70482cb81e7f5da6fc43751 Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 11 Oct 2024 08:58:29 -0400 Subject: [PATCH 05/16] putting OTP to ISO note back in per Jeff's comment. --- docs/intro_downloading_iso.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/intro_downloading_iso.md b/docs/intro_downloading_iso.md index cf635859b0..f5aeec7ecc 100644 --- a/docs/intro_downloading_iso.md +++ b/docs/intro_downloading_iso.md 
@@ -21,6 +21,12 @@ For users installing *earlier, package-based versions of the SSR software*, the - [Quickstart from the OTP ISO](intro_install_quickstart_otpiso.md) - **Interactive:** Beginning with SSR version 6.3.0, the use of the interactive installer is not supported, nor necessary. Software installation and upgrade upgrade activities are supported from the GUI or PCLI. With software versions earlier than 6.3.0, upgrading the SSR software on a conductor or router that is managed by a conductor using the interactive installer may result in the system becoming unresponsive. For this reason it is highly recommended that installations and upgrades be performed through the conductor UI. + :::note + Beginning with release 5.4.7-7 and any 5.x ISO [**released after August 4, 2022**](about_releases.mdx#all-releases---limited-general-availability-and-out-of-support), the ISO name format has changed from using `OTP` to `ISO`: + + `128T-5.4.7-7.el7.ISO.v1.x86_64.iso` + ::: + ## Downloading an ISO The SSR Software packages are available from our public servers using the username and token provided to you and can be accessed at the following location: From 433904f3cd3924d31ad73950ba6d7be5fa93bd9d Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 15 Oct 2024 16:51:04 -0400 Subject: [PATCH 06/16] updates per Jeff's review. Incomplete as yet.Waiting on input from tyler. --- docs/intro_downloading_iso.md | 12 ++++-- docs/upgrade_restricted_access.md | 66 +++++++------------------------ 2 files changed, 24 insertions(+), 54 deletions(-) diff --git a/docs/intro_downloading_iso.md b/docs/intro_downloading_iso.md index f5aeec7ecc..b4b3ae7913 100644 --- a/docs/intro_downloading_iso.md +++ b/docs/intro_downloading_iso.md 
@@ -5,7 +5,7 @@ sidebar_label: Downloading ISOs ## Introduction -With your purchase of a SSR license, you are provided a set of credentials used to access the Session Smart Routing software. These credentials, in the form of a username and password are used to access the software assets. +With the purchase of an SSR license, you are provided a set of credentials used to access the Session Smart Routing software. These credentials, in the form of a username and password are used to access the software assets. Juniper Session Smart Networking provides the following workflows for the installation process: 
@@ -15,11 +15,17 @@ Juniper Session Smart Networking provides the following workflows for the instal For users installing *earlier, package-based versions of the SSR software*, the following installation methods are available: -- **Package-based ISO:** For users who do not use Mist Cloud, this ISO offers multiple local installation methods. +- **Package-based ISO:** For users who do not use Mist Cloud, the package-based ISO is used in the following deployments. + + - When the initial installation is going to be a version prior to 6.3.0. + - When upgrading to a version prior to 6.3.0 on air-gap network using the `import ISO` operation . For example, upgrading an air-gap conductor or routers from V5.6.6 to V6.2.7. See [Package-based Software Upgrade in an Air-Gap Network](upgrade_restricted_access.md#package-based-software-upgrade) for the more information. + + This ISO also provides different local installation methods. + - **One Touch Provisioning (OTP)** is the default and preferred method of installation. OTP sets up DHCP on all interfaces and boots a Web Server GUI. After installing the Conductor and configuring routers through the Conductor, the OTP bootstrap process will install and configure the router. See the following procedures for OTP installation steps: - [Router Installation Using OTP](intro_otp_iso_install.mdx) - [Quickstart from the OTP ISO](intro_install_quickstart_otpiso.md) - - **Interactive:** Beginning with SSR version 6.3.0, the use of the interactive installer is not supported, nor necessary. Software installation and upgrade upgrade activities are supported from the GUI or PCLI. With software versions earlier than 6.3.0, upgrading the SSR software on a conductor or router that is managed by a conductor using the interactive installer may result in the system becoming unresponsive. For this reason it is highly recommended that installations and upgrades be performed through the conductor UI. 
+ - **Interactive:** Beginning with SSR version 6.3.0, the use of the interactive installer is not supported, nor necessary. Software installation and upgrade activities are supported from the GUI or PCLI. With software versions earlier than 6.3.0, upgrading the SSR software on a conductor or router that is managed by a conductor using the interactive installer may result in the system becoming unresponsive. For this reason it is highly recommended that installations and upgrades be performed through the conductor UI. :::note Beginning with release 5.4.7-7 and any 5.x ISO [**released after August 4, 2022**](about_releases.mdx#all-releases---limited-general-availability-and-out-of-support), the ISO name format has changed from using `OTP` to `ISO`: diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index ed07957d01..aa4f3baf54 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md @@ -55,6 +55,7 @@ Use these procedures for upgrades only. When performing an initial installation ### Single-Version 6.3.0 Upgrade The following process is used to upgrade a Conductor and Conductor-managed Routers to **version 6.3.0** of the SSR software. Beginning with SSR software version 6.3.0, a conductor can manage routers running image-based software installations. + 1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. 
@@ -66,16 +67,24 @@ The following process is used to upgrade a Conductor and Conductor-managed Route 5. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). -6. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. +6. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install this package onto the conductor, only import it. 7. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. +:::note +The process to upgrade a **conductor to 6.3.0** requires the use of the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso`. After the initial upgrade to 6.3.0, all future upgrades will only require the import of the `SSR-6.3.X-XX.r1.el7.x86_64.ibu-v1.iso`. +::: + ### Mixed Version Upgrade -If you are upgrading to version 6.3.x on the Conductor and wish to upgrade the routers, be aware that upgrades to the routers must use image-based software. (Versions starting at 6.0 have image-based options). In versions prior to version 6.3.0, image-based software running on conductor-managed routers was not supported, however version 6.3.x allows your conductor to manage routers running **both** image-based and package-based software. +If you are upgrading to version 6.3.0 on the Conductor and wish to upgrade the routers, be aware that upgrades to the routers must use image-based software. (Versions starting at 6.0 have image-based options). In versions prior to version 6.3.0, image-based software running on conductor-managed routers was not supported, however version 6.3.0 allows your conductor to manage routers running **both** image-based and package-based software. 
The following workflow demonstrates upgrading a conductor to version 6.3.0, and a router to version 6.1.10. +:::note +The process to upgrade a **conductor to 6.3.0** requires the use of the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso`. After the initial upgrade to 6.3.0, all future upgrades will only require the import of the `SSR-6.3.X-XX.r1.el7.x86_64.ibu-v1.iso`. +::: + 1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. @@ -99,7 +108,7 @@ If you are upgrading or installing earlier image-based software on a router (ver 7. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). -8. Import the ISO, checksum, and signature file package you downloaded in step 2 onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. +8. Import the ISO, checksum, and signature file package you downloaded in step 2 onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install this package onto the conductor, only import it. 9. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. 
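Review bot: Step 8 in the `@@ -99,7 +108,7 @@` hunk still calls the ISO, checksum and signature files a "package" and tells the reader not to install "this package". On a page that now has a separate Package-based Software Upgrade section, that reads as package-based software. Suggest wording such as "Import the ISO together with its checksum and signature files ... Do **not** install the image on the conductor, only import it", and name the step 2 files by extension so it is clear that the `.sha256sum` and `.sha256sum.asc` files go in with the ISO.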
@@ -109,7 +118,9 @@ In an HA setup, when using offline-mode for routers to access the software from ### Package-based Software Upgrade -In this workflow, the conductor will be upgraded to 6.2.6, and the routers to 6.1.10. +For upgrades of Conductor and Conductor-managed routers to software versions prior to 6.3.0, the package-based ISO's are used. + +In this example workflow, the conductor will be upgraded to 6.2.6, and the routers to 6.1.10. 1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` and the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` software packages from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. 
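Review bot: The added sentence "the package-based ISO's are used" in the `@@ -109,7 +118,9 @@` hunk uses a possessive apostrophe for a plural; the other pages in this series write "ISOs". The HA note in the context line above ends the Mixed Version section, so it is not clear whether importing to both conductors is also required for this package-based workflow. Either repeat the note after the package-based steps or say in this new sentence that it applies.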
@@ -136,50 +147,3 @@ Use the `filepath` argument to specify the exact location of the ISO. `hunt` wil - `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` After the local software repository has been updated with the ISO, the upgrade can proceed. - -### Selecting the Boot Volume - -In instances where you are downloading and storing an *image-based SSR version for router* upgrades, you can identify the boot volume (the disk volume where the image-based software is stored) from which the router will boot. - -To view the current boot volume, use the `show system version` command: - -``` -admin@conductor-node-1.Conductor# show system version router RTR_WEST_COMBO node combo-west-1 detail -Thu 2024-05-02 14:03:28 UTC -Retrieving system version... - -================================================================= - Node: combo-west-1.RTR_WEST_COMBO -================================================================= - Version: 6.3.0 - Status: r1 - Build Date: 2024-05-01T21:25:38Z - Build Machine: releaseslave3.openstacklocal - Build User: jenkins - Build Directory: /i95code - Hash: 1d892d709c45409369048d129840b02e435b4e21 - Package: 128T-6.3.0-107.r1.el7 - SSR-IMG-release: SSR-6.3.0-107.r1.el7.x86_64.ibu-v1 - ---> Volume ID: b <--- - ---> Selected Boot Volume: b <--- - Idle Volume: - Version: 5.4.11 - Status: unavailable - Build Date: 2022-12-21T03:10:13Z - Build Machine: releaseslave4.openstacklocal - Build User: - Build Directory: - Hash: - Package: 128T-5.4.11-4.el7 - Volume ID: a - -Completed in 5.53 seconds -admin@conductor-node-1.Conductor# - -``` - -Change the `Selected Boot Volume` using the command `set system software router node boot-volume {a|b}`. - -Use the reboot command to boot into the specifed volume: `send command reboot router node `. - - From 6d805e54bc445045f92057de15c49aefbee40c51 Mon Sep 17 00:00:00 2001 
From: Chris Date: Wed, 16 Oct 2024 10:52:33 -0400 Subject: [PATCH 07/16] typos --- docs/upgrade_restricted_access.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index aa4f3baf54..b27f5a77cb 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md @@ -59,9 +59,9 @@ The following process is used to upgrade a Conductor and Conductor-managed Route 1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. -2. Download the `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` from the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. . +2. Download the `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` from the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. -3. . [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. +3. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. 4. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. From c209ac95cbcaa5a0213bdaaf4235963fba248a42 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 16 Oct 2024 11:58:02 -0400 Subject: [PATCH 08/16] upgrade process revisions --- docs/upgrade_restricted_access.md | 42 ++++++++++++++++++------------- 1 file changed, 24 insertions(+), 18 deletions(-) diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index b27f5a77cb..cb87e4cf11 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md 
@@ -59,20 +59,22 @@ The following process is used to upgrade a Conductor and Conductor-managed Route 1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. -2. Download the `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` from the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. +2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -3. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. +3. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` ISO onto the conductor using the [`import iso`](#import-iso) command. -4. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. +4. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). -5. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). +5. Download the `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso` from the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page. + +6. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -6. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` package onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install this package onto the conductor, only import it. +7. Import the `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` ISO onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install this package onto the conductor, only import it. -7. 
Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. +8. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. :::note -The process to upgrade a **conductor to 6.3.0** requires the use of the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso`. After the initial upgrade to 6.3.0, all future upgrades will only require the import of the `SSR-6.3.X-XX.r1.el7.x86_64.ibu-v1.iso`. +The process to upgrade a **conductor from a version less than 6.3.0 to 6.3.0 or greater** requires the use of the `128T-6.3.X-XX.r1.el7.OTP.v1.x86_64.iso` ISO. After the initial upgrade to 6.3.X, all future upgrades will only require the import of the image-based ISO; for example, `SSR-6.3.3-1.r1.el7.x86_64.ibu-v1.iso`. ::: ### Mixed Version Upgrade 
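Review bot: steps 2 and 6 are now both "Create a bootable USB drive from the SSR ISO" without saying which ISO each one means. Step 6 follows the download of `SSR-6.3.0-107.r1.el7.x86_64.ibu-v1.iso`, which step 7 says to import only and not install, so state whether a bootable drive is really required there or whether copying the file to removable media is enough. Step 7 also names the file `SSR-6.3.0-xx.r1.el7.x86_64.ibu-v1.iso` while step 5 names the `-107` build, and it calls the file an "ISO" and then "this package" in the same step; use one filename and one term.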
@@ -88,7 +90,13 @@ The process to upgrade a **conductor to 6.3.0** requires the use of the `128T-6. 1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. -2. Navigate to the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page, identify the software image version you will use to upgrade the target router or routers, and download it. +2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. + +3. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` ISO onto the conductor using the [`import iso`](#import-iso) command. + +4. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). + +5. Navigate to the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page, identify the software image version you will use to upgrade the target router or routers, and download it. :::note If you are upgrading or installing earlier image-based software on a router (versions 6.2.5 or earlier) you will need to include the checksum and signature files with the ISO when you download and import the software to the conductor. 
@@ -100,15 +108,11 @@ If you are upgrading or installing earlier image-based software on a router (ver - `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.tar.sha256sum` - `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.tar.sha256sum.asc` -3. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. - -4. Plug the USB into your device. +6. Copy the files to a USB that has an EXT4 file system. -6. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. +7. Plug the USB in to the Conductor and mount the USB. -7. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). - -8. Import the ISO, checksum, and signature file package you downloaded in step 2 onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install this package onto the conductor, only import it. +8. Import the ISO, checksum, and signature file package you downloaded in step 5 onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install these files onto the conductor, only import them. 9. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. 
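Review bot: steps 6 to 8 move the ISO together with its `.sha256sum` and `.sha256sum.asc` files onto the conductor, but nothing in the procedure tells the operator to check the ISO against the checksum, or the checksum against its signature, before the files cross the air gap. Add a verification step on the download host between steps 5 and 6, and say in step 7 where the USB should be mounted so that the path can be given to `import iso` through its `filepath` argument. Minor: "Plug the USB in to the Conductor" should read "into", and "Conductor" is lowercase in step 8 of the same list.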
@@ -122,7 +126,7 @@ For upgrades of Conductor and Conductor-managed routers to software versions pri In this example workflow, the conductor will be upgraded to 6.2.6, and the routers to 6.1.10. -1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` and the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` software packages from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` software package from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. 2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. 
@@ -132,9 +136,11 @@ In this example workflow, the conductor will be upgraded to 6.2.6, and the route 5. Upgrade the conductor using the [Conductor Upgrade procedure](upgrade_ibu_conductor.md). -6. Import the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. +6. Download the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` software package from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. + +7. Import the `128T-6.1.10-8.lts.el7.OTP.v1.x86_64.iso` package onto the conductor using the [`import iso`](#import-iso) command. The conductor will act as the software repository for the subsequent router upgrades. You do **not** install this package onto the conductor, only import it. -7. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. +8. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. ### Import ISO From 72cb5f8ac527640684fd014dd3310577b8005c3f Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 16 Oct 2024 13:24:12 -0400 Subject: [PATCH 09/16] fixing broken link --- docs/upgrade_restricted_access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index cb87e4cf11..3408ded193 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md 
@@ -126,7 +126,7 @@ For upgrades of Conductor and Conductor-managed routers to software versions pri In this example workflow, the conductor will be upgraded to 6.2.6, and the routers to 6.1.10. -1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` software package from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` software package from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. 2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. From 42c138c0be879877290b0abb63bed62d43e0e1cc Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 17 Oct 2024 14:28:23 -0400 Subject: [PATCH 10/16] added Sync'ed and Synch'ing info --- docs/upgrade_ibu_conductor.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/upgrade_ibu_conductor.md b/docs/upgrade_ibu_conductor.md index 2f1153d022..56aba11c22 100644 --- a/docs/upgrade_ibu_conductor.md +++ b/docs/upgrade_ibu_conductor.md @@ -57,6 +57,10 @@ request system software revert Revert to a previous version of the SSR. The image-based and package-based status is visible under **Install Type** in the PCLI using `show assets`. +:::note +The `status` column under `show assests` now displays `Synchronized` or `Synchronizing` where previously `Running` or `Connected` was displayed in earlier versions of software. `Synchronized` = `Running`, `Synchronizing` = `Connected`. +::: + **Image Based** ``` From 65a7dc31f6bcff1f005b17e9ea314edc543d9332 Mon Sep 17 00:00:00 2001 
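Review bot: in the `docs/upgrade_ibu_conductor.md` hunk, the added note misspells the command as `show assests`; the unchanged line directly above it has `show assets`. The mapping written as `Synchronized` = `Running`, `Synchronizing` = `Connected` also does not say which side is the old state; label the two sides "old" and "new" or put them in a small table.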
From: Chris Date: Thu, 17 Oct 2024 16:19:27 -0400 Subject: [PATCH 11/16] correcting the state mapping --- docs/upgrade_ibu_conductor.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/upgrade_ibu_conductor.md b/docs/upgrade_ibu_conductor.md index 56aba11c22..ff72771dbf 100644 --- a/docs/upgrade_ibu_conductor.md +++ b/docs/upgrade_ibu_conductor.md @@ -58,7 +58,13 @@ request system software revert Revert to a previous version of the SSR. The image-based and package-based status is visible under **Install Type** in the PCLI using `show assets`. :::note -The `status` column under `show assests` now displays `Synchronized` or `Synchronizing` where previously `Running` or `Connected` was displayed in earlier versions of software. `Synchronized` = `Running`, `Synchronizing` = `Connected`. +The states displayed in the `status` column under `show assests` have changed. The old and new states are mapped below. + +| Old | New | +| --- | ---| +| Disconnected | Disconnected | +| Connected | Synchronizing or Resynchronizing | +| Running | Synchronized | ::: **Image Based** From cfc642bdcdb11bb54a3c1edaea6547a73e9f8f63 Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 18 Oct 2024 16:26:21 -0400 Subject: [PATCH 12/16] updating file --- docs/config_radsec.md | 129 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 126 insertions(+), 3 deletions(-) diff --git a/docs/config_radsec.md b/docs/config_radsec.md index 441b00f2d9..b1a4a6d37a 100644 --- a/docs/config_radsec.md +++ b/docs/config_radsec.md 
@@ -6,9 +6,9 @@ sidebar_label: Configuring RADIUS over TLS RADIUS over TLS is designed to provide secure communication of RADIUS requests using the Transport Secure Layer (TLS) protocol. RADIUS over TLS, also known as RADSEC, redirects regular RADIUS traffic to remote RADIUS servers connected over TLS. RADSEC allows RADIUS authentication, authorization, and accounting data to be passed safely across untrusted networks. In this section: -- Configuring RADSEC -- Signing and Importing Webserver Certificates -- Syslog over TLS +- [Configuring RADSEC](#configuring-radsec) +- [Signing and Importing Webserver Certificates](#signing-and-importing-webserver-certificates) +- [Syslog Over TLS](#configuring-syslog-over-tls) ## Configuring RADSEC 
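Review bot: the context paragraph above the changed list expands TLS as "Transport Secure Layer"; it should read "Transport Layer Security", and since this hunk already touches the page intro it is a good place to fix it. The new link text "Syslog Over TLS" also differs from its target heading "Configuring Syslog Over TLS", while the other two entries match their headings exactly.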
@@ -78,5 +78,128 @@ Account 'test1' successfully created When the user logs into the node `t327-dut1` via ssh, the authentication request is sent via RADSEC to the server `172.18.5.224` and the user is authenticated. +## Signing and Importing Webserver Certificates +Imported webserver certificates are validated against trusted certificates configured using `trusted-ca-certificate`. Use the following information to create, sign, and import the certificates to the webserver. +### Configure a Trusted Certificate + +Certificates are pasted in as a multi-line config. + +Configure a certificate root named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# config authority trusted-ca-certificate ca_root +admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +### Generate the Signing Request + +Use the `create certificate request webserver` command to generate the certificate signing request. + +``` +admin@t327-dut1.cond# create certificate request webserver +Country name (2 letter code): US +State or province name (full name): Massachusetts +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): engineering +Common name: www.router.com +Email address: bob@juniper.net +Subject Alternative Name - DNS (fully qualified domain name): www.router.com +Subject Alternative Name - IP Address: 1.1.1.1 + +Request successfully generated: + +-----BEGIN CERTIFICATE REQUEST----- +MIIDLDCCAhQCAQAwgZkxFzAVBgNVBAMMDnd3dy5yb3V0ZXIuY29tMQswCQYDVQQG +EwJVUzERMA8GA1UEBwwIV2VzdGZvcmQxEDAOBgNVBAoMB0p1bmlwZXIxFDASBgNV +... +. +. +. +-----END CERTIFICATE REQUEST----- +``` + +### Import the Certificate + +After the certificate is signed and returned, it is imported into the SSR for use by the webserver using the `import certificate webserver` command. 
It is validated against any trusted certificates entered using `trusted-ca-certificate`. + +The following example shows an invalid self-signed certificate being imported: + +``` +admin@t327-dut1.cond# import certificate webserver +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgICL/AwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEMTI4 +VDAiGA8yMDI0MDYwNjEyMzIzMVoYDzIwMjUwNjA3MTIzMjMxWjAPMQ0wCwYDVQQD +... +RaIliPRAdN85EXDiAP68ytg5D2ZzxCpmRvj4AiFI3JOc +-----END CERTIFICATE----- + +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCo4PCT4Wp89t5P +53ZJtfgKwdV/CfAi3uXAfWmdluKlXjarlgTc6rgX8wGNSRj5/AajEUU6Z68DaejR +... +KBs2Hz/E/goCvyEqNaJOix+l +-----END PRIVATE KEY----- + +⚠ Importing... +certificate contains the following issues: certificate is self-signed +/usr/lib/128technology/unzip/pcli/runfiles/pypi__36__cryptography_40_0_2/cryptography/x509/base.py:576: CryptographyDeprecationWarning: Parsed a negative serial number, which is disallowed by RFC 5280. + return rust_x509.load_pem_x509_certificates(data) +Could not validate certificate chain against a trusted anchor. +Would you like to import anyways? [y/N]: y +Certificate imported successfully +``` +The imported certificate will be validated against the configured trusted root certificates and checked for insecure algorithms and invalid configurations. Bypassing or disabling these validations will result in a non-compliant configuration. + +## Configuring Syslog Over TLS + +Syslog over TLS allows the secure transportation of system log messages from the syslog client to the syslog server. TLS uses certificates to authenticate and encrypt the communication. + +Use the following information to configure Syslog transport over TLS. + +#### 1. Configure the trusted CA certificate. + +The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. 
+ +Create a certificate root named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# config authority trusted-ca-certificate ca_root +admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +#### 2. Configure a client certificate to be used for the syslog client. + +Repeat the previous step to create a client certificate named `syslog`. + +``` +admin@conductor-node-1.Conductor# config authority client-certificate syslog +admin@conductor-node-1.Conductor (client-certificate[name=syslog])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +#### 3. Configure the syslog server at the Authority level to use the configured client certificate. + +The following configuration example will add a syslog server named `syslog` that will use the previously configured client certificate. + +``` +*admin@t327-dut1.cond# configure authority router cond system syslog server 192.168.1.100 6514 +*admin@t327-dut1.cond (server[ip-address=192.168.1.100][port=6514])# up +*admin@t327-dut1.cond (syslog)# client-certificate-name syslog +*admin@t327-dut1.cond (syslog)# protocol tls +*admin@t327-dut1.cond (syslog)# ocsp strict +*admin@t327-dut1.cond (syslog)# facility any +*admin@t327-dut1.cond (syslog)# severity info +*admin@t327-dut1.cond (syslog)# top +``` + +To complete the process, `validate` and `commit` the changes. After the confiuration changes have been committed, the SSR will send the syslog to 192.168.1.100:6514 over TLS. +When the user logs into the node `t327-dut1` via ssh, the authentication request is sent via RADSEC to the server `172.18.5.224` and the user is authenticated. From f5dfc62ef09c6c1e8d7ead98846a97ce76eb7a0a Mon Sep 17 00:00:00 2001 
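Review bot: in "Import the Certificate" the sample session answers `y` to "Would you like to import anyways?" after the tool has reported "certificate is self-signed" and "Could not validate certificate chain against a trusted anchor", and the very next added sentence says that bypassing these validations results in a non-compliant configuration. Show the prompt being declined, or show a CA-signed certificate that passes validation, so the example does not model the bypass it warns against. Two smaller items at the end of the hunk: "confiuration" should be "configuration", and the last added line repeats the RADSEC sentence about `t327-dut1` and `172.18.5.224` under the syslog section, where it reads as a paste leftover.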
From: Chris Date: Tue, 22 Oct 2024 17:19:57 -0400 Subject: [PATCH 13/16] clarifying RADSEC, Syslog, and Webserver certificates --- docs/config_radsec.md | 276 +++++++++++++++++++++------------ docs/config_syslog_tls.md | 267 +++++++++++++++++++++++++++++++ docs/config_webserver_certs.md | 141 +++++++++++++++++ docs/intro_downloading_iso.md | 2 +- sidebars.js | 2 + 5 files changed, 591 insertions(+), 97 deletions(-) create mode 100644 docs/config_syslog_tls.md create mode 100644 docs/config_webserver_certs.md diff --git a/docs/config_radsec.md b/docs/config_radsec.md index b1a4a6d37a..b0b0b186d1 100644 --- a/docs/config_radsec.md +++ b/docs/config_radsec.md @@ -5,14 +5,9 @@ sidebar_label: Configuring RADIUS over TLS RADIUS over TLS is designed to provide secure communication of RADIUS requests using the Transport Secure Layer (TLS) protocol. RADIUS over TLS, also known as RADSEC, redirects regular RADIUS traffic to remote RADIUS servers connected over TLS. RADSEC allows RADIUS authentication, authorization, and accounting data to be passed safely across untrusted networks. -In this section: -- [Configuring RADSEC](#configuring-radsec) -- [Signing and Importing Webserver Certificates](#signing-and-importing-webserver-certificates) -- [Syslog Over TLS](#configuring-syslog-over-tls) +## RADSEC Configuration - Existing Certificate -## Configuring RADSEC - -Use the following information to configure RADIUS over TLS (RADSEC). +Use the following information to configure RADIUS over TLS (RADSEC) using an existing certificate. #### 1. Configure the RADSEC server. @@ -29,7 +24,7 @@ admin@t327-dut1.cond (radius-server[name=radsec])# server-name t327-dut1.opensta admin@t327-dut1.cond (radius-server[name=radsec])# top ``` -#### 2. Configure the trusted CA certificate. +#### 2. Configure the Trusted CA Certificate. The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. 
@@ -42,7 +37,11 @@ Enter plain for content (Press CTRL-D to finish): ``` -#### 3. Configure a client certificate to be used for the RADIUS client. +:::note +The `trusted-ca-certificate` is a list and may contain different CA roots used for different certificates. In that case, naming them all `ca_root` would not be suitable. In that case, choose a name that is meaningful to the user and CA, eg: `globalsign_root`. +::: + +#### 3. Configure a Client Certificate to be used for the RADIUS client. Repeat the previous step to create a client certificate named `radsec`. 
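Review bot: the added note opens two consecutive sentences with "In that case" and uses `eg:` for the abbreviation; tighten it to something like "If the list holds several CA roots, give each one a name that identifies the CA, e.g. `globalsign_root`." Since the examples on this page keep using `ca_root`, also say that `ca_root` is only an example name.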
@@ -78,128 +77,213 @@ Account 'test1' successfully created When the user logs into the node `t327-dut1` via ssh, the authentication request is sent via RADSEC to the server `172.18.5.224` and the user is authenticated. -## Signing and Importing Webserver Certificates - -Imported webserver certificates are validated against trusted certificates configured using `trusted-ca-certificate`. Use the following information to create, sign, and import the certificates to the webserver. - -### Configure a Trusted Certificate - -Certificates are pasted in as a multi-line config. - -Configure a certificate root named `ca_root` and paste the certificate file content into the command: +## RADSEC Configuration - Generate Certificate -``` -admin@conductor-node-1.Conductor# config authority trusted-ca-certificate ca_root -admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content -Enter plain for content (Press CTRL-D to finish): - -``` +Use the following examples to generate a client certificate for use on the device. -### Generate the Signing Request +#### 1. Generate the Signing Request -Use the `create certificate request webserver` command to generate the certificate signing request. +Use the `create certificate request client` command to generate the signing request. 
``` -admin@t327-dut1.cond# create certificate request webserver +admin@conductor-node-1.Conductor# create certificate request client radsec Country name (2 letter code): US -State or province name (full name): Massachusetts +State or province name (full name): MA Locality name (eg: city): Westford Organization name (eg: company): Juniper -Organization unit (eg: engineering): engineering -Common name: www.router.com -Email address: bob@juniper.net -Subject Alternative Name - DNS (fully qualified domain name): www.router.com -Subject Alternative Name - IP Address: 1.1.1.1 +Organization unit (eg: engineering): +Common name: dut1 +Email address: +Subject Alternative Name - DNS (fully qualified domain name): +Subject Alternative Name - IP Address: +% Error: Could not create request: Subject Alternative Name (DNS or IP address) is required +admin@conductor-node-1.Conductor# create certificate request client radsec +Country name (2 letter code): US +State or province name (full name): MA +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): +Common name: dut1 +Email address: +Subject Alternative Name - DNS (fully qualified domain name): dut1 +Subject Alternative Name - IP Address: 10.27.32.203 Request successfully generated: -----BEGIN CERTIFICATE REQUEST----- -MIIDLDCCAhQCAQAwgZkxFzAVBgNVBAMMDnd3dy5yb3V0ZXIuY29tMQswCQYDVQQG -EwJVUzERMA8GA1UEBwwIV2VzdGZvcmQxEDAOBgNVBAoMB0p1bmlwZXIxFDASBgNV -... -. -. -. 
+MIIC1jCCAb4CAQAwTjENMAsGA1UEAwwEZHV0MTELMAkGA1UEBhMCVVMxETAPBgNV +BAcMCFdlc3Rmb3JkMRAwDgYDVQQKDAdKdW5pcGVyMQswCQYDVQQIDAJNQTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ8WwHXP/z49sFsxpN5L9THO5y8N +f/as8Nn6XUyG86YyxcR5IYL5gKR5//EunoVjLAUCHgBqxwaUa3enhNEQS97N4Bcs +E7YygMkI7oAnHCioslB+x2Am/xKPRosh3s50fIN3mY409/byMGipfGcyNlMn8MT8XbS +XF/zmGBI1/4aRbeqL5VMDPO+9DNRxXMgqBs2y48WanGvZeZTP5B/sSczlhOSxHnu +DxNYQ7+rZs9NpKzktCXOSA8nszHp5PNCWsa8tVNQvyhAqboTGrXQZhjZRWzg3nzS +Gb5XIxudEteQOg5LJW/7GpxFmF+XtNxzfSJpw1/tKeA32VN9In++nwoflhUCAwEA +AaBDMEEGCSqGSIb3DQEJDjE0MDIwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwGAYD +VR0RAQH/BA4wDIIEZHV0MYcEChsgyzANBgkqhkiG9w0BAQsFAAOCAQEAK32e8BUh +n9ficSqiRq3b0UuaQGnNrQ1oAY5FeaTY/2gDPYCju43HTsW1TSoK6376UxU43yAC +nAbFVe8p6fMIh9LkR+I9IM/Z2PXUtUrE8MPQo6z4/9aDGgwEoj654nArM7rWXh05 +7RBhzALsh2GWt2GT9FXcODIbGcsu6Ea2+24o1MuKMxDGEWjCnJJheXmFsqraKRnu +rcgzjMPc1F+iMb3O/bzFnj3a4Pj3dRK59bV/0zD7ti8KC/jodV80yzMVn4uSPlj1 +wp4dOHuKsnf+ZsfNK4AGUYdh3qEa1/xJxyug1R3AGjItbkUzbJpR6hp7B0YYWV87 +QALMf6F0SKBDXg++ -----END CERTIFICATE REQUEST----- ``` -### Import the Certificate +#### 2. Configure the Trusted CA Certificate -After the certificate is signed and returned, it is imported into the SSR for use by the webserver using the `import certificate webserver` command. It is validated against any trusted certificates entered using `trusted-ca-certificate`. +The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. 
-The following example shows an invalid self-signed certificate being imported: +Create a root certificate named `ca_root` and paste the certificate file content into the command: ``` -admin@t327-dut1.cond# import certificate webserver -Enter the end point certificate in PEM format (Press CTRL-D to finish): +admin@conductor-node-1.Conductor# configure authority trusted-ca-certificate ca_root +*admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCqfzVmeFPMA+Jc +53MlVF3LoYZAkqh1Dz3+HFnegcAU3/tCGSdfJad/PeF5KEQDDnF0vc9XbfS2/wJC +wHAt15TH3iarSPE3dV3L0c1tyOFaMUNLAd3nsPArR0w/1YF3o8r2ML9OmZ4WmkZK +vyFx6AsuVm5MpXR4z7U4j955sqRkWsi3I1hLtMPzuWEJA/AbpTCxb1k2xJDQWira +/NALlz6NPVRcngBt56ZDhMNmy/g2zGEcmitEqMUOS7apvRk6hZK94dfjSQe4iEpX +Sdd6vvZxdrWGV10lmDDH0SPtmGBE+34r1UNIbp/XVRh6KxiNcjFVNBwlwqATmTYh +xkXAPw1pAgMBAAECggEACZ3YNLnnvBOiAmx5larvCWvIZz7+am/cJseRmBfIbkT9 +5ooFqvu0OVyTqaJIR8XaR2PnXH6StXmntnqDpHWQTqUvlbGANIqWsyiig26zFCEu +IAXwr0TKRERzKAWT4lwmOAGi4LuQa6Ty/wdNyx9z9f6hBQi2C5Rnm9OdkE6vsAtJ +NbNcsV+bvedfLoJqG1MM3sh3LT3RAltaMuJEw3PdFiMVcQIJgGr85nVJcg4SCUkh +JKlfUE83IqkwAd1V0jn/2yopCmQBLrpyqlRu2MmwFiIS+IUcoReemNK8mlfd8hbR +bc0Zvum65DS1Y6wuuBdWP2v49xaX8fDrVy8unIHQ4wKBgQDDtTq7L06XqJkHtKj3 +6XqVO5oKZhu1tcLDXWsxHnJas6Cw8u0cx+r4cTWUWI/HFBYOKRveIqGdb12QR757 +lRqK3ie+dZvhsztUm04EnVaNvn09YGl5n8fV+3QrygeanYVYNgRdMPhf6PNmcJQB +Ppj2XsIvjxoiNCf+YSDJNO2SwwKBgQDfBa2U2nKhgZZaYGYmdKT1zqb3TsGWSIIt +KhSJX3CvxT08Czqi3R1PgBdNS9YI8XXsDZnvhcmOeP2vm3ylgJZGS7Gi04Mj9ijQ ++beqMnNBjEjc1oXkemd9bfsDfby6k5Ew5OpzVe5rkOpc7oGy54REFh0hLukaoOFJ +eXxUJ9bEYwKBgGqBrG7GNg1PEckhxnr0s2OXxiM2oonnWxEbPATFPxKhgygJbIUn +P3bplXEgKU78XWxjbukbC700KEUm5kE3SfSdJh/+vVC9S+KlinX0cnA9ZMcMOxqX +nBeV+wkBr9WzOChjbUiSJ/l6O0xapBFxUalytFdRl7VZkRJdJYyao1glAoGACrup +OOqybZdg9wSApgUjEzlYy7ockvD2YtoNlvbi43KomcUok0H08SiG9o9Zw6BrPmsB 
+J4fWxWaJPvRKsWRY1xU5fU6Ulxx3pmb+MdCvv03TC92/H9nMNTsfw3E/rfMAH8xE +hDx0dvTIcqR/1W5S7TvrNvec/E0VyoVwOFSaf2UCgYApQZxpTvGQ6NMvNHBMaCa1 +Xy5AWPfTYbYUTTq9q8t/s1bA5YkA6MJ740dAGzwsUAlJ887QsGXH5ZeQtxVbHbmA +2P6CP4iOY1EjsxNssrLJKkxXdagYeZo5X2KOIqZ8FeVli4BM0mqX96UPN2zV3dNP +eN1DF6VSLghh30ITUauYdQ++ +-----END PRIVATE KEY----- + -----BEGIN CERTIFICATE----- -MIIDHTCCAgWgAwIBAgICL/AwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEMTI4 -VDAiGA8yMDI0MDYwNjEyMzIzMVoYDzIwMjUwNjA3MTIzMjMxWjAPMQ0wCwYDVQQD -... -RaIliPRAdN85EXDiAP68ytg5D2ZzxCpmRvj4AiFI3JOc +MIIDlDCCAnygAwIBAgIVAJHxzhL42q7io2PBDPR+TCeBsyQgMA0GCSqGSIb3DQEB +CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD +VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy +MTYzODI1WhcNMjUxMDIyMTYzODI1WjBRMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN +TWFzc2FjaHVzZXR0czERMA8GA1UECgwIVGVzdCBJbmMxFzAVBgNVBAMMDmNhLmV4 +YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqn81ZnhT +zAPiXOdzJVRdy6GGQJKodQ89/hxZ3oHAFN/7QhknXyWnfz3heShEAw5xdL3PV230 +tv8CQpHKHjWWQzG1MM3sh3LT3RAltaM0NT6shNXE3va46f3zotWBd6PK9jC/Tpme +FppGSr8hcegLLlZuTKV0eM+1OI/eebKkZFrItyNYS7TD87lhCQPwG6UwsW9ZNsSQ +0Foq2vzQC5c+jT1UXJ4AbeemQ4TDZsv4NsxhHJorRKjFDku2qb0ZOoWSveHX40kH +uIhKV0nXer72cXa1hlddJZgwx9Ej7ZhgRPt+K9VDSG6f11UYeisYjXIxVTQcJcKg +E5k2IcZFwD8NaQIDAQABo2MwYTAdBgNVHQ4EFgQUn07ghxVixnvcB4G51WxouxRA +M2YwHwYDVR0jBBgwFoAUn07ghxVixnvcB4G51WxouxRAM2YwDwYDVR0TAQH/BAUw +AwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAHH+4MYOoIrT +DoYsVKJh0x1MHVoCdn39fFvUPFRJg5b3KLyaILzPoS300XOxrtNvY0ayBu70atl8 +9RRj1LMqVb3mjR7sigyj4wm2rWLVOJMncZsiVXVmX2rhteYe6Z0IVPXjOS3Yn9Ph +G8K9lQCHwXmLmsbzlQPbFFvRsCA+/OXVhSA4h88eIIWt9fkcPQfjCEk6SBnzOXDU +n7C3l7TweHggfgMvM9a+ullfmfw0ejhbX3JOrXCuA9EIloATgdpyzOKZ6q2tXBtQ +qynFiqlV0UDGgH+e8hCp41Seva5vBGYvwMVHPU80rhoAsTh1BNpM1r9xbvDQs5ui +3QyeFCt/O0A= -----END CERTIFICATE----- +``` + +#### 3. 
Import the Client Certificate + +After the certificate is signed and returned, it is imported into the SSR for use by the client using the `import certificate client` command. It is validated against any trusted certificates entered using `trusted-ca-certificate`. + +The following example shows an valid self-signed certificate being imported: +``` +admin@conductor-node-1.Conductor# import certificate client radsec +Enter the end point certificate in PEM format (Press CTRL-D to finish): -----BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCo4PCT4Wp89t5P -53ZJtfgKwdV/CfAi3uXAfWmdluKlXjarlgTc6rgX8wGNSRj5/AajEUU6Z68DaejR -... -KBs2Hz/E/goCvyEqNaJOix+l +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFrn/2q4mijt14 +gjmN2agDfu6sykg4OJ2NDy4IRrBYilExRJHllAndtc04rp7EQ544Z+/J/dNJrmXK +GnHvm/Rg0UdKnbFrw5aentpx3rFefdaf8nlJLW5rFH1wxDqUhE+y5q+s+8k3ESt0 +9L/26OxTQP11t5Vh/BEkK5iVHLDBGyHntUvEnM5tFWL7+NvefhuZ6McvY7GPDR8c +bkuNHXlv9laeXQlI6IiiYum8waQDnJBGEx2wPTUguZJWP0YgxLinKiCDIINNEf+Y +dGqxf7I/yKWZtkoxB3JVk3qF7651EaGAzjMHYhmpPVR0K9IAPbyGucK0aOriJqZ5 +91wL39G5AgMBAAECggEAE2/xDSQYyG8bv7muRxBbwNw+Q6cwKrcGZtRTRmUM+ee/ +zAReBCDmR3KU1zn0SoALkqhFn6rhl6EaSSEIivLeuJZbWC7hPyNgMACWohOvhQcC +j3+cBWH+NXEyVGA3EltgKsscAvpO8qcxirJ2HaURd64wPd7rRVMvrErNGfxUNOh1 +fHSd3t7ch7QfQsX+cIRS7ZhIxAKY97nVhlRN1TS8Y0dDW2fSSpV8cqUs7DQjetcI +XG54PAsOjg6TnALtg113zftg6W9WPG2R8CWyW6g3Z0qJ7TDAp6GZMqRBjzjGlfPi +CzUg+YHXCn8P2jrYD/CwSYr42dLX0FZbcdI5NHjSAQKBgQD+rDSi9sIR8Bryo0+R +1B83myMX67dpkWGrxjdrgAijuVSKX5+mT44WGHh8UZtN08bU/pWEWmag9TGBbnic +QY3qJXLyzNHERL7tEEyEGKBoAWuR9qgESI8w2AgJEvCokFO1h5BnmVfnCaB51rrd +iH2irP9Ed3G7+sdVZ3q1AdC3iQKBgQDGtkEpss+i9go2OuVO3ez52SR1aQqiKHak +wCINR52/8UhjGefoCwA59mKUIx9beKxyhVoi2XEXs4LqMCMWUI49INB9IjIn67qW +Cf9wUPGaCOS8P6HTKV+Xm9aZMmMQHTcCamqZbZw2Q9brucdPQJRkcsktKeioV3mL +iwgNliKMsQKBgC3EwQjwk9wpbI5irzAkESArL1ljMWk1iXoXe2pEbkkOS5U6rjRz +Y7Ow3iZpfCG2h6tLvY81t/dART1cu1ar1yNAzt33NEaznCR6o2WyD1Hhv3VSAMwU 
+Rjee+4K19q40kfaz0E3uDxAkeMSsxJR/rSSJNq8VUElaPmyo1jKlit8RAoGAM4YU +VVyQ7B9BvJf+1zlB9fKwumTXJf657LQI4Eqeg6Nrco7IC+m2UFErdF+7BLvAcx1S +ptCcu1mHa3O51VJj30O/64JPYPyFb9v9yMCkNJ1zucACFL+YkrYMqcJf31DD77Nq +GohKRePHOW39WPZUw8rjkPtZ4TR1RpJxLxyrrrECgYEAucUgTqdA1JmEmm72nQ3z +mzf6LtuLq748DEb8KaTkYwJZaM705/BP8vNLSE/+92gXYkMpTpUBBYTzzK9aYeGE +WiYWxHz5Q4wUxV5uTJR3Jq5rzcHr1shyVDT+aFf9tyNdcLFfbziZ1y/EfAPkOOoH +jLD4SXCWbmRxHYVMn3yhqK4= -----END PRIVATE KEY----- - -⚠ Importing... -certificate contains the following issues: certificate is self-signed + +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIVAL1k460IeyrQWoU82ZVHZ2asUrTuMA0GCSqGSIb3DQEB +CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD +VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy +MTYzODI4WhcNMjUwMTIwMTYzODI4WjBVMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN +TWFzc2FjaHVzZXR0czERMA8GA1UECgwIVGVzdCBJbmMxGzAZBgNVBAMMEmNsaWVu +dC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWu +f/ariaKO3XiCOY3ZqAN+7qzKSDg4nY0PLghGsFiKUTFEkeWUCd21zTiunsRDnjhn +78n900muZcoace+b9GDRR0qdsWvDlp6e2nHesV591p/yeUktbmsUfXDEOpSET7Lm +r6z7yTcRK3T0v/bo7FNA/XW3lWH8ESQrmJUcsMEbIee1S8Sczm0VYvv4295+G5no +xy9jsY8NHxxuS40deW/2Vp5dCUjoiKJi6bzBpAOckEYTHbA9NSC5klY/RiDEuKcq +IIMgg00R/5h0arF/sj/fL0cKofSeAgu11z1891d1scDOMwdiGak9VHQr0gA9vIa5 +wrRo6uImpnn3XAvf0bkCAwEAAaNvMG0wHQYDVR0OBBYEFBD7hj42fbQv+v95CXIN +/Y3jckxzMB8GA1UdIwQYMBaAFJ9O4IcVYsZ73AeBudVsaLsUQDNmMAkGA1UdEwQC +MAAwCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB +CwUAA4IBAQCW0sZVVr04ofxj28dcyce6TRr9buFeohBWVPZ+Uu3i4eSWuj0cLOl3 +d/Z3Vv7jnDDQd4175eqA7rGL7Mfe3MsdSeBTut2z8Ubn45dRMZuLHxcrg5qMCq3b +o5Ff038wm1OB3Jc2ec9nJOUUdGh+gdrlxiKJH9i1VlxvgzgltTGvbH7TQozMdBlF +04O32yP3MXsKhHRvYrtQpSQ248QeSLA/wItSc+vqcsPKjCGwSb183CPHDUmUALkE +zTwd4+soylkHxCW2zZ50lUUqqNt1nSIcVF2V3qqxRZXZcJtN5y9+brpc9Z8eiXys +9cgLsL60tukLdwxH5S6gAw/MSm6ABYjdv +-----END CERTIFICATE----- + /usr/lib/128technology/unzip/pcli/runfiles/pypi__36__cryptography_40_0_2/cryptography/x509/base.py:576: 
CryptographyDeprecationWarning: Parsed a negative serial number, which is disallowed by RFC 5280. return rust_x509.load_pem_x509_certificates(data) -Could not validate certificate chain against a trusted anchor. -Would you like to import anyways? [y/N]: y +✔ Importing... Certificate imported successfully -``` -The imported certificate will be validated against the configured trusted root certificates and checked for insecure algorithms and invalid configurations. Bypassing or disabling these validations will result in a non-compliant configuration. - -## Configuring Syslog Over TLS +Would you like to add the certificate to your configuration? [y/N]: y +Which router is this certificate for? (Select all if it applies to the entire authority) [all]: all +% Warning: +1. certificate contains the following issues: does not have the extendKeyUsage extension -Syslog over TLS allows the secure transportation of system log messages from the syslog client to the syslog server. TLS uses certificates to authenticate and encrypt the communication. -Use the following information to configure Syslog transport over TLS. + config + authority + client-certificate radius + content -#### 1. Configure the trusted CA certificate. - -The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. - -Create a certificate root named `ca_root` and paste the certificate file content into the command: - -``` -admin@conductor-node-1.Conductor# config authority trusted-ca-certificate ca_root -admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content -Enter plain for content (Press CTRL-D to finish): - -``` +2. certificate contains the following issues: does not have the extendKeyUsage extension -#### 2. Configure a client certificate to be used for the syslog client. -Repeat the previous step to create a client certificate named `syslog`. 
+ config + authority + client-certificate conductor-radius + content -``` -admin@conductor-node-1.Conductor# config authority client-certificate syslog -admin@conductor-node-1.Conductor (client-certificate[name=syslog])# content -Enter plain for content (Press CTRL-D to finish): - +Certificate imported successfully +Would you like to clean up the temporary certificate and key files? [Y/n]: Y ``` -#### 3. Configure the syslog server at the Authority level to use the configured client certificate. +#### 4. Configure the Device to Accept the Client Certificate -The following configuration example will add a syslog server named `syslog` that will use the previously configured client certificate. +Use the following example command to configure your device to accept the certificate. -``` -*admin@t327-dut1.cond# configure authority router cond system syslog server 192.168.1.100 6514 -*admin@t327-dut1.cond (server[ip-address=192.168.1.100][port=6514])# up -*admin@t327-dut1.cond (syslog)# client-certificate-name syslog -*admin@t327-dut1.cond (syslog)# protocol tls -*admin@t327-dut1.cond (syslog)# ocsp strict -*admin@t327-dut1.cond (syslog)# facility any -*admin@t327-dut1.cond (syslog)# severity info -*admin@t327-dut1.cond (syslog)# top -``` +` configure authority router ComboWest node combo-west radius client-certificate-name radsec` -To complete the process, `validate` and `commit` the changes. After the confiuration changes have been committed, the SSR will send the syslog to 192.168.1.100:6514 over TLS. -When the user logs into the node `t327-dut1` via ssh, the authentication request is sent via RADSEC to the server `172.18.5.224` and the user is authenticated. diff --git a/docs/config_syslog_tls.md b/docs/config_syslog_tls.md new file mode 100644 index 0000000000..ce8806a63c --- /dev/null +++ b/docs/config_syslog_tls.md 
@@ -0,0 +1,267 @@ +--- +title: Configuring Syslog Over TLS +sidebar_label: Configuring Syslog Over TLS +--- + +Syslog over TLS allows the secure transportation of system log messages from the syslog client to the syslog server. TLS uses certificates to authenticate and encrypt the communication. + +## Syslog over TLS Configuration - Existing Certificate + +Use the following information to configure Syslog over TLS using an existing certificate. + +#### 1. Configure the Trusted CA Certificate. + +The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. + +Create a root certificate named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# config authority trusted-ca-certificate ca_root +admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +:::note +The `trusted-ca-certificate` is a list and may contain different CA roots used for different certificates. In that case, naming them all `ca_root` would not be suitable. In that case, choose a name that is meaningful to the user and CA, eg: `globalsign_root`. +::: + +#### 2. Configure a Client Certificate to be used for the Syslog Client. + +Repeat the previous step to create a client certificate named `syslog`. + +``` +admin@conductor-node-1.Conductor# config authority client-certificate syslog +admin@conductor-node-1.Conductor (client-certificate[name=syslog])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +#### 3. Configure the Syslog Server at the Authority level to use the configured client certificate. + +The following configuration example will add a syslog server named `syslog` that will use the previously configured client certificate. 
+ +``` +*admin@t327-dut1.cond# configure authority router cond system syslog server 192.168.1.100 6514 +*admin@t327-dut1.cond (server[ip-address=192.168.1.100][port=6514])# up +*admin@t327-dut1.cond (syslog)# client-certificate-name syslog +*admin@t327-dut1.cond (syslog)# protocol tls +*admin@t327-dut1.cond (syslog)# ocsp strict +*admin@t327-dut1.cond (syslog)# facility any +*admin@t327-dut1.cond (syslog)# severity info +*admin@t327-dut1.cond (syslog)# top +``` + +To complete the process, `validate` and `commit` the changes. After the confiuration changes have been committed, the SSR will send the syslog to 192.168.1.100:6514 over TLS. +When the user logs into the node `t327-dut1` via ssh, the authentication request is sent via RADSEC to the server `172.18.5.224` and the user is authenticated. + + +## Syslog over TLS Configuration - Generate Certificate + +Use the following examples to generate a client certificate for use on the device. + +#### 1. Generate the Signing Request + +Use the `create certificate request client` command to generate the signing request. 
+ +``` +admin@conductor-node-1.Conductor# create certificate request client syslog +Country name (2 letter code): US +State or province name (full name): MA +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): +Common name: dut1 +Email address: +Subject Alternative Name - DNS (fully qualified domain name): +Subject Alternative Name - IP Address: +% Error: Could not create request: Subject Alternative Name (DNS or IP address) is required +admin@conductor-node-1.Conductor# create certificate request client syslog +Country name (2 letter code): US +State or province name (full name): MA +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): +Common name: dut1 +Email address: +Subject Alternative Name - DNS (fully qualified domain name): dut1 +Subject Alternative Name - IP Address: 10.27.32.203 + +Request successfully generated: + +-----BEGIN CERTIFICATE REQUEST----- +MIIC1jCCAb4CAQAwTjENMAsGA1UEAwwEZHV0MTELMAkGA1UEBhMCVVMxETAPBgNV +BAcMCFdlc3Rmb3JkMRAwDgYDVQQKDAdKdW5pcGVyMQswCQYDVQQIDAJNQTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ8WwHXP/z49sFsxpN5L9THO5y8N +f/as8Nn6XUyG86YyxcR5IYL5gKR5//EunoVjLAUCHgBqxwaUa3enhNEQS97N4Bcs +E7YygMkI7oAnHCioslB+x2Am/xKPRosh3s50fIN3mY409/byMGipfGcyNlMn8MT8XbS +XF/zmGBI1/4aRbeqL5VMDPO+9DNRxXMgqBs2y48WanGvZeZTP5B/sSczlhOSxHnu +DxNYQ7+rZs9NpKzktCXOSA8nszHp5PNCWsa8tVNQvyhAqboTGrXQZhjZRWzg3nzS +Gb5XIxudEteQOg5LJW/7GpxFmF+XtNxzfSJpw1/tKeA32VN9In++nwoflhUCAwEA +AaBDMEEGCSqGSIb3DQEJDjE0MDIwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwGAYD +VR0RAQH/BA4wDIIEZHV0MYcEChsgyzANBgkqhkiG9w0BAQsFAAOCAQEAK32e8BUh +n9ficSqiRq3b0UuaQGnNrQ1oAY5FeaTY/2gDPYCju43HTsW1TSoK6376UxU43yAC +nAbFVe8p6fMIh9LkR+I9IM/Z2PXUtUrE8MPQo6z4/9aDGgwEoj654nArM7rWXh05 +7RBhzALsh2GWt2GT9FXcODIbGcsu6Ea2+24o1MuKMxDGEWjCnJJheXmFsqraKRnu +rcgzjMPc1F+iMb3O/bzFnj3a4Pj3dRK59bV/0zD7ti8KC/jodV80yzMVn4uSPlj1 +wp4dOHuKsnf+ZsfNK4AGUYdh3qEa1/xJxyug1R3AGjItbkUzbJpR6hp7B0YYWV87 
+QALMf6F0SKBDXg++ +-----END CERTIFICATE REQUEST----- +``` + +#### 2. Configure the Trusted CA Certificate + +The trusted CA certificate is necessary to validate the incoming client certificate. Certificates are pasted in as a multi-line config. + +Create a root certificate named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# configure authority trusted-ca-certificate ca_root +*admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCqfzVmeFPMA+Jc +53MlVF3LoYZAkqh1Dz3+HFnegcAU3/tCGSdfJad/PeF5KEQDDnF0vc9XbfS2/wJC +wHAt15TH3iarSPE3dV3L0c1tyOFaMUNLAd3nsPArR0w/1YF3o8r2ML9OmZ4WmkZK +vyFx6AsuVm5MpXR4z7U4j955sqRkWsi3I1hLtMPzuWEJA/AbpTCxb1k2xJDQWira +/NALlz6NPVRcngBt56ZDhMNmy/g2zGEcmitEqMUOS7apvRk6hZK94dfjSQe4iEpX +Sdd6vvZxdrWGV10lmDDH0SPtmGBE+34r1UNIbp/XVRh6KxiNcjFVNBwlwqATmTYh +xkXAPw1pAgMBAAECggEACZ3YNLnnvBOiAmx5larvCWvIZz7+am/cJseRmBfIbkT9 +5ooFqvu0OVyTqaJIR8XaR2PnXH6StXmntnqDpHWQTqUvlbGANIqWsyiig26zFCEu +IAXwr0TKRERzKAWT4lwmOAGi4LuQa6Ty/wdNyx9z9f6hBQi2C5Rnm9OdkE6vsAtJ +NbNcsV+bvedfLoJqG1MM3sh3LT3RAltaMuJEw3PdFiMVcQIJgGr85nVJcg4SCUkh +JKlfUE83IqkwAd1V0jn/2yopCmQBLrpyqlRu2MmwFiIS+IUcoReemNK8mlfd8hbR +bc0Zvum65DS1Y6wuuBdWP2v49xaX8fDrVy8unIHQ4wKBgQDDtTq7L06XqJkHtKj3 +6XqVO5oKZhu1tcLDXWsxHnJas6Cw8u0cx+r4cTWUWI/HFBYOKRveIqGdb12QR757 +lRqK3ie+dZvhsztUm04EnVaNvn09YGl5n8fV+3QrygeanYVYNgRdMPhf6PNmcJQB +Ppj2XsIvjxoiNCf+YSDJNO2SwwKBgQDfBa2U2nKhgZZaYGYmdKT1zqb3TsGWSIIt +KhSJX3CvxT08Czqi3R1PgBdNS9YI8XXsDZnvhcmOeP2vm3ylgJZGS7Gi04Mj9ijQ ++beqMnNBjEjc1oXkemd9bfsDfby6k5Ew5OpzVe5rkOpc7oGy54REFh0hLukaoOFJ +eXxUJ9bEYwKBgGqBrG7GNg1PEckhxnr0s2OXxiM2oonnWxEbPATFPxKhgygJbIUn +P3bplXEgKU78XWxjbukbC700KEUm5kE3SfSdJh/+vVC9S+KlinX0cnA9ZMcMOxqX +nBeV+wkBr9WzOChjbUiSJ/l6O0xapBFxUalytFdRl7VZkRJdJYyao1glAoGACrup +OOqybZdg9wSApgUjEzlYy7ockvD2YtoNlvbi43KomcUok0H08SiG9o9Zw6BrPmsB 
+J4fWxWaJPvRKsWRY1xU5fU6Ulxx3pmb+MdCvv03TC92/H9nMNTsfw3E/rfMAH8xE +hDx0dvTIcqR/1W5S7TvrNvec/E0VyoVwOFSaf2UCgYApQZxpTvGQ6NMvNHBMaCa1 +Xy5AWPfTYbYUTTq9q8t/s1bA5YkA6MJ740dAGzwsUAlJ887QsGXH5ZeQtxVbHbmA +2P6CP4iOY1EjsxNssrLJKkxXdagYeZo5X2KOIqZ8FeVli4BM0mqX96UPN2zV3dNP +eN1DF6VSLghh30ITUauYdQ++ +-----END PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- +MIIDlDCCAnygAwIBAgIVAJHxzhL42q7io2PBDPR+TCeBsyQgMA0GCSqGSIb3DQEB +CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD +VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy +MTYzODI1WhcNMjUxMDIyMTYzODI1WjBRMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN +TWFzc2FjaHVzZXR0czERMA8GA1UECgwIVGVzdCBJbmMxFzAVBgNVBAMMDmNhLmV4 +YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqn81ZnhT +zAPiXOdzJVRdy6GGQJKodQ89/hxZ3oHAFN/7QhknXyWnfz3heShEAw5xdL3PV230 +tv8CQpHKHjWWQzG1MM3sh3LT3RAltaM0NT6shNXE3va46f3zotWBd6PK9jC/Tpme +FppGSr8hcegLLlZuTKV0eM+1OI/eebKkZFrItyNYS7TD87lhCQPwG6UwsW9ZNsSQ +0Foq2vzQC5c+jT1UXJ4AbeemQ4TDZsv4NsxhHJorRKjFDku2qb0ZOoWSveHX40kH +uIhKV0nXer72cXa1hlddJZgwx9Ej7ZhgRPt+K9VDSG6f11UYeisYjXIxVTQcJcKg +E5k2IcZFwD8NaQIDAQABo2MwYTAdBgNVHQ4EFgQUn07ghxVixnvcB4G51WxouxRA +M2YwHwYDVR0jBBgwFoAUn07ghxVixnvcB4G51WxouxRAM2YwDwYDVR0TAQH/BAUw +AwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAHH+4MYOoIrT +DoYsVKJh0x1MHVoCdn39fFvUPFRJg5b3KLyaILzPoS300XOxrtNvY0ayBu70atl8 +9RRj1LMqVb3mjR7sigyj4wm2rWLVOJMncZsiVXVmX2rhteYe6Z0IVPXjOS3Yn9Ph +G8K9lQCHwXmLmsbzlQPbFFvRsCA+/OXVhSA4h88eIIWt9fkcPQfjCEk6SBnzOXDU +n7C3l7TweHggfgMvM9a+ullfmfw0ejhbX3JOrXCuA9EIloATgdpyzOKZ6q2tXBtQ +qynFiqlV0UDGgH+e8hCp41Seva5vBGYvwMVHPU80rhoAsTh1BNpM1r9xbvDQs5ui +3QyeFCt/O0A= +-----END CERTIFICATE----- +``` + +#### 3. Import the Client Certificate + +After the certificate is signed and returned, it is imported into the SSR for use by the client using the `import certificate client` command. It is validated against any trusted certificates entered using `trusted-ca-certificate`. 
+ +The following example shows an valid self-signed certificate being imported: + +``` +admin@conductor-node-1.Conductor# import certificate client syslog +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFrn/2q4mijt14 +gjmN2agDfu6sykg4OJ2NDy4IRrBYilExRJHllAndtc04rp7EQ544Z+/J/dNJrmXK +GnHvm/Rg0UdKnbFrw5aentpx3rFefdaf8nlJLW5rFH1wxDqUhE+y5q+s+8k3ESt0 +9L/26OxTQP11t5Vh/BEkK5iVHLDBGyHntUvEnM5tFWL7+NvefhuZ6McvY7GPDR8c +bkuNHXlv9laeXQlI6IiiYum8waQDnJBGEx2wPTUguZJWP0YgxLinKiCDIINNEf+Y +dGqxf7I/yKWZtkoxB3JVk3qF7651EaGAzjMHYhmpPVR0K9IAPbyGucK0aOriJqZ5 +91wL39G5AgMBAAECggEAE2/xDSQYyG8bv7muRxBbwNw+Q6cwKrcGZtRTRmUM+ee/ +zAReBCDmR3KU1zn0SoALkqhFn6rhl6EaSSEIivLeuJZbWC7hPyNgMACWohOvhQcC +j3+cBWH+NXEyVGA3EltgKsscAvpO8qcxirJ2HaURd64wPd7rRVMvrErNGfxUNOh1 +fHSd3t7ch7QfQsX+cIRS7ZhIxAKY97nVhlRN1TS8Y0dDW2fSSpV8cqUs7DQjetcI +XG54PAsOjg6TnALtg113zftg6W9WPG2R8CWyW6g3Z0qJ7TDAp6GZMqRBjzjGlfPi +CzUg+YHXCn8P2jrYD/CwSYr42dLX0FZbcdI5NHjSAQKBgQD+rDSi9sIR8Bryo0+R +1B83myMX67dpkWGrxjdrgAijuVSKX5+mT44WGHh8UZtN08bU/pWEWmag9TGBbnic +QY3qJXLyzNHERL7tEEyEGKBoAWuR9qgESI8w2AgJEvCokFO1h5BnmVfnCaB51rrd +iH2irP9Ed3G7+sdVZ3q1AdC3iQKBgQDGtkEpss+i9go2OuVO3ez52SR1aQqiKHak +wCINR52/8UhjGefoCwA59mKUIx9beKxyhVoi2XEXs4LqMCMWUI49INB9IjIn67qW +Cf9wUPGaCOS8P6HTKV+Xm9aZMmMQHTcCamqZbZw2Q9brucdPQJRkcsktKeioV3mL +iwgNliKMsQKBgC3EwQjwk9wpbI5irzAkESArL1ljMWk1iXoXe2pEbkkOS5U6rjRz +Y7Ow3iZpfCG2h6tLvY81t/dART1cu1ar1yNAzt33NEaznCR6o2WyD1Hhv3VSAMwU +Rjee+4K19q40kfaz0E3uDxAkeMSsxJR/rSSJNq8VUElaPmyo1jKlit8RAoGAM4YU +VVyQ7B9BvJf+1zlB9fKwumTXJf657LQI4Eqeg6Nrco7IC+m2UFErdF+7BLvAcx1S +ptCcu1mHa3O51VJj30O/64JPYPyFb9v9yMCkNJ1zucACFL+YkrYMqcJf31DD77Nq +GohKRePHOW39WPZUw8rjkPtZ4TR1RpJxLxyrrrECgYEAucUgTqdA1JmEmm72nQ3z +mzf6LtuLq748DEb8KaTkYwJZaM705/BP8vNLSE/+92gXYkMpTpUBBYTzzK9aYeGE +WiYWxHz5Q4wUxV5uTJR3Jq5rzcHr1shyVDT+aFf9tyNdcLFfbziZ1y/EfAPkOOoH +jLD4SXCWbmRxHYVMn3yhqK4= +-----END PRIVATE KEY----- + +-----BEGIN CERTIFICATE----- 
+MIIDpDCCAoygAwIBAgIVAL1k460IeyrQWoU82ZVHZ2asUrTuMA0GCSqGSIb3DQEB +CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD +VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy +MTYzODI4WhcNMjUwMTIwMTYzODI4WjBVMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN +TWFzc2FjaHVzZXR0czERMA8GA1UECgwIVGVzdCBJbmMxGzAZBgNVBAMMEmNsaWVu +dC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWu +f/ariaKO3XiCOY3ZqAN+7qzKSDg4nY0PLghGsFiKUTFEkeWUCd21zTiunsRDnjhn +78n900muZcoace+b9GDRR0qdsWvDlp6e2nHesV591p/yeUktbmsUfXDEOpSET7Lm +r6z7yTcRK3T0v/bo7FNA/XW3lWH8ESQrmJUcsMEbIee1S8Sczm0VYvv4295+G5no +xy9jsY8NHxxuS40deW/2Vp5dCUjoiKJi6bzBpAOckEYTHbA9NSC5klY/RiDEuKcq +IIMgg00R/5h0arF/sj/fL0cKofSeAgu11z1891d1scDOMwdiGak9VHQr0gA9vIa5 +wrRo6uImpnn3XAvf0bkCAwEAAaNvMG0wHQYDVR0OBBYEFBD7hj42fbQv+v95CXIN +/Y3jckxzMB8GA1UdIwQYMBaAFJ9O4IcVYsZ73AeBudVsaLsUQDNmMAkGA1UdEwQC +MAAwCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB +CwUAA4IBAQCW0sZVVr04ofxj28dcyce6TRr9buFeohBWVPZ+Uu3i4eSWuj0cLOl3 +d/Z3Vv7jnDDQd4175eqA7rGL7Mfe3MsdSeBTut2z8Ubn45dRMZuLHxcrg5qMCq3b +o5Ff038wm1OB3Jc2ec9nJOUUdGh+gdrlxiKJH9i1VlxvgzgltTGvbH7TQozMdBlF +04O32yP3MXsKhHRvYrtQpSQ248QeSLA/wItSc+vqcsPKjCGwSb183CPHDUmUALkE +zTwd4+soylkHxCW2zZ50lUUqqNt1nSIcVF2V3qqxRZXZcJtN5y9+brpc9Z8eiXys +9cgLsL60tukLdwxH5S6gAw/MSm6ABYjdv +-----END CERTIFICATE----- + +/usr/lib/128technology/unzip/pcli/runfiles/pypi__36__cryptography_40_0_2/cryptography/x509/base.py:576: CryptographyDeprecationWarning: Parsed a negative serial number, which is disallowed by RFC 5280. + return rust_x509.load_pem_x509_certificates(data) +✔ Importing... +Certificate imported successfully +Would you like to add the certificate to your configuration? [y/N]: y +Which router is this certificate for? (Select all if it applies to the entire authority) [all]: all +% Warning: +1. certificate contains the following issues: does not have the extendKeyUsage extension + + + config + authority + client-certificate radius + content + +2. 
certificate contains the following issues: does not have the extendKeyUsage extension + + + config + authority + client-certificate conductor-radius + content + +Certificate imported successfully +Would you like to clean up the temporary certificate and key files? [Y/n]: Y +``` + +#### 4. Configure the Device to Accept the Client Certificate + +Use the following example command to configure your device to accept the certificate. + +` configure authority router ComboWest node combo-west radius client-certificate-name syslog` diff --git a/docs/config_webserver_certs.md b/docs/config_webserver_certs.md new file mode 100644 index 0000000000..670c4bbf41 --- /dev/null +++ b/docs/config_webserver_certs.md 
@@ -0,0 +1,141 @@ +--- +title: Signing and Importing Webserver Certificates +sidebar_label: Signing and Importing Webserver Certificates +--- + +Imported webserver certificates are validated against trusted certificates configured using `trusted-ca-certificate`. Use the following information to create, sign, and import the certificates to the webserver. + +### Configure a Trusted Certificate + +Certificates are pasted in as a multi-line config. + +Configure a root certificate named `ca_root` and paste the certificate file content into the command: + +``` +admin@conductor-node-1.Conductor# config authority trusted-ca-certificate ca_root +admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content +Enter plain for content (Press CTRL-D to finish): + +``` + +### Generate the Signing Request + +Use the `create certificate request webserver` command to generate the certificate signing request. + +``` +admin@t327-dut1.cond# create certificate request webserver +Country name (2 letter code): US +State or province name (full name): Massachusetts +Locality name (eg: city): Westford +Organization name (eg: company): Juniper +Organization unit (eg: engineering): engineering +Common name: www.router.com +Email address: bob@juniper.net +Subject Alternative Name - DNS (fully qualified domain name): www.router.com +Subject Alternative Name - IP Address: 1.1.1.1 + +Request successfully generated: + +-----BEGIN CERTIFICATE REQUEST----- +MIIDLDCCAhQCAQAwgZkxFzAVBgNVBAMMDnd3dy5yb3V0ZXIuY29tMQswCQYDVQQG +EwJVUzERMA8GA1UEBwwIV2VzdGZvcmQxEDAOBgNVBAoMB0p1bmlwZXIxFDASBgNV +... +. +. +. +-----END CERTIFICATE REQUEST----- +``` + +### Import the Certificate + +After the certificate is signed and returned, it is imported into the SSR for use by the webserver using the `import certificate webserver` command. It is validated against any trusted certificates entered using `trusted-ca-certificate`. 
+ +The following example shows a valid certificate being imported: + +``` +admin@t327-dut1.cond# import certificate webserver +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgICL/AwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEMTI4 +VDAiGA8yMDI0MDYwNjEyMzIzMVoYDzIwMjUwNjA3MTIzMjMxWjAPMQ0wCwYDVQQD +... +RaIliPRAdN85EXDiAP68ytg5D2ZzxCpmRvj4AiFI3JOc +-----END CERTIFICATE----- + +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCo4PCT4Wp89t5P +53ZJtfgKwdV/CfAi3uXAfWmdluKlXjarlgTc6rgX8wGNSRj5/AajEUU6Z68DaejR +... +KBs2Hz/E/goCvyEqNaJOix+l +-----END PRIVATE KEY----- + +admin@t327-dut1.cond# import certificate webserver +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgICL/AwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEMTI4 +VDAiGA8yMDI0MDYwNjEyMzIzMVoYDzIwMjUwNjA3MTIzMjMxWjAPMQ0wCwYDVQQD +... +RaIliPRAdN85EXDiAP68ytg5D2ZzxCpmRvj4AiFI3JOc +-----END CERTIFICATE----- + +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCo4PCT4Wp89t5P +53ZJtfgKwdV/CfAi3uXAfWmdluKlXjarlgTc6rgX8wGNSRj5/AajEUU6Z68DaejR +... +KBs2Hz/E/goCvyEqNaJOix+l +-----END PRIVATE KEY----- + +✔ Importing... +Certificate imported successfully +Would you like to add the certificate to your configuration? [y/N]: y +Which router is this certificate for? (Select all if it applies to the entire authority) [all]: all +% Warning: +1. certificate contains the following issues: does not have the extendKeyUsage extension + + + config + authority + client-certificate webserver + content + +2. certificate contains the following issues: does not have the extendKeyUsage extension + + + config + authority + client-certificate conductor-webserver + content + +Certificate imported successfully +Would you like to clean up the temporary certificate and key files? 
[Y/n]: Y +``` + +The following example shows an invalid self-signed certificate being imported: + +``` +admin@t327-dut1.cond# import certificate webserver +Enter the end point certificate in PEM format (Press CTRL-D to finish): +-----BEGIN CERTIFICATE----- +MIIDHTCCAgWgAwIBAgICL/AwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEMTI4 +VDAiGA8yMDI0MDYwNjEyMzIzMVoYDzIwMjUwNjA3MTIzMjMxWjAPMQ0wCwYDVQQD +... +RaIliPRAdN85EXDiAP68ytg5D2ZzxCpmRvj4AiFI3JOc +-----END CERTIFICATE----- + +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCo4PCT4Wp89t5P +53ZJtfgKwdV/CfAi3uXAfWmdluKlXjarlgTc6rgX8wGNSRj5/AajEUU6Z68DaejR +... +KBs2Hz/E/goCvyEqNaJOix+l +-----END PRIVATE KEY----- + +⚠ Importing... +certificate contains the following issues: certificate is self-signed +/usr/lib/128technology/unzip/pcli/runfiles/pypi__36__cryptography_40_0_2/cryptography/x509/base.py:576: CryptographyDeprecationWarning: Parsed a negative serial number, which is disallowed by RFC 5280. + return rust_x509.load_pem_x509_certificates(data) +Could not validate certificate chain against a trusted anchor. +Would you like to import anyways? [y/N]: y +Certificate imported successfully +``` +The imported certificate is validated against the configured trusted root certificates and checked for insecure algorithms and invalid configurations. Bypassing or disabling these validations will result in a non-compliant configuration. + diff --git a/docs/intro_downloading_iso.md b/docs/intro_downloading_iso.md index b4b3ae7913..0936828eaf 100644 --- a/docs/intro_downloading_iso.md +++ b/docs/intro_downloading_iso.md 
@@ -18,7 +18,7 @@ For users installing *earlier, package-based versions of the SSR software*, the - **Package-based ISO:** For users who do not use Mist Cloud, the package-based ISO is used in the following deployments. - When the initial installation is going to be a version prior to 6.3.0. - - When upgrading to a version prior to 6.3.0 on air-gap network using the `import ISO` operation . For example, upgrading an air-gap conductor or routers from V5.6.6 to V6.2.7. See [Package-based Software Upgrade in an Air-Gap Network](upgrade_restricted_access.md#package-based-software-upgrade) for the more information. + - When upgrading to a version prior to 6.3.0 on air-gap network using the `import ISO` operation. For example, upgrading an air-gap conductor or routers from 5.6.6 to 6.2.7. See [Package-based Software Upgrade in an Air-Gap Network](upgrade_restricted_access.md#package-based-software-upgrade) for the more information. This ISO also provides different local installation methods. diff --git a/sidebars.js b/sidebars.js index b3b08368f1..2ba894d103 100644 --- a/sidebars.js +++ b/sidebars.js @@ -288,6 +288,8 @@ module.exports = { "config_ldap", "config_radius", "config_radsec", + "config_syslog_tls", + "config_weberver_certs", "config_password_policies", "howto_reset_user_password", ], From db33c6823f082585e28477dcd224ca22f5ac3379 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 22 Oct 2024 17:24:21 -0400 Subject: [PATCH 14/16] typo --- sidebars.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidebars.js b/sidebars.js index 2ba894d103..686f42e133 100644 --- a/sidebars.js +++ b/sidebars.js @@ -289,7 +289,7 @@ module.exports = { "config_radius", "config_radsec", "config_syslog_tls", - "config_weberver_certs", + "config_webserver_certs", "config_password_policies", "howto_reset_user_password", ], From 17751305d3528ea13c50502d2ba11ac052367ded Mon Sep 17 00:00:00 2001 
From: Chris Date: Thu, 24 Oct 2024 11:22:58 -0400 Subject: [PATCH 15/16] Updates pre reviews --- docs/config_radsec.md | 81 ++++++-------------- docs/config_syslog_tls.md | 110 ++++------------------------ docs/intro_downloading_iso.md | 10 +-- docs/intro_installation.md | 2 +- docs/intro_installation_univ-iso.md | 10 +-- docs/upgrade_restricted_access.md | 12 +-- 6 files changed, 54 insertions(+), 171 deletions(-) diff --git a/docs/config_radsec.md b/docs/config_radsec.md index b0b0b186d1..b861b31463 100644 --- a/docs/config_radsec.md +++ b/docs/config_radsec.md @@ -115,16 +115,12 @@ MIIC1jCCAb4CAQAwTjENMAsGA1UEAwwEZHV0MTELMAkGA1UEBhMCVVMxETAPBgNV BAcMCFdlc3Rmb3JkMRAwDgYDVQQKDAdKdW5pcGVyMQswCQYDVQQIDAJNQTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ8WwHXP/z49sFsxpN5L9THO5y8N f/as8Nn6XUyG86YyxcR5IYL5gKR5//EunoVjLAUCHgBqxwaUa3enhNEQS97N4Bcs -E7YygMkI7oAnHCioslB+x2Am/xKPRosh3s50fIN3mY409/byMGipfGcyNlMn8MT8XbS +E7YygMkI7oAnHCioslB+x2Am/xKPRosh3s50fIN3mY409/byMGipfGcyNlMT8XbS XF/zmGBI1/4aRbeqL5VMDPO+9DNRxXMgqBs2y48WanGvZeZTP5B/sSczlhOSxHnu -DxNYQ7+rZs9NpKzktCXOSA8nszHp5PNCWsa8tVNQvyhAqboTGrXQZhjZRWzg3nzS -Gb5XIxudEteQOg5LJW/7GpxFmF+XtNxzfSJpw1/tKeA32VN9In++nwoflhUCAwEA -AaBDMEEGCSqGSIb3DQEJDjE0MDIwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwGAYD -VR0RAQH/BA4wDIIEZHV0MYcEChsgyzANBgkqhkiG9w0BAQsFAAOCAQEAK32e8BUh -n9ficSqiRq3b0UuaQGnNrQ1oAY5FeaTY/2gDPYCju43HTsW1TSoK6376UxU43yAC -nAbFVe8p6fMIh9LkR+I9IM/Z2PXUtUrE8MPQo6z4/9aDGgwEoj654nArM7rWXh05 -7RBhzALsh2GWt2GT9FXcODIbGcsu6Ea2+24o1MuKMxDGEWjCnJJheXmFsqraKRnu -rcgzjMPc1F+iMb3O/bzFnj3a4Pj3dRK59bV/0zD7ti8KC/jodV80yzMVn4uSPlj1 +DxNYQ7+rZs9NpKzktCXOSA8nsz +. +. +. wp4dOHuKsnf+ZsfNK4AGUYdh3qEa1/xJxyug1R3AGjItbkUzbJpR6hp7B0YYWV87 QALMf6F0SKBDXg++ -----END CERTIFICATE REQUEST----- 
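Review bot: the shortened CSR in this hunk (@@ -115,16 +115,12 @@) is hand-edited rather than only elided, and the result disagrees with the matching change to docs/config_syslog_tls.md later in this patch. Here the fifth body line becomes `E7Yyg...GipfGcyNlMT8XbS` and the `DxNYQ7+...` line is cut mid-line, while the syslog copy becomes `E7Yyg...GipfGcyNlMn8XbS` and keeps the `DxNYQ7+...` line whole. Since both files show the same `create certificate request client` output, apply one identical truncation to both: keep the first lines verbatim, then the `.` elision lines, then the closing lines, without altering characters inside a kept line.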
@@ -143,28 +139,18 @@ Enter plain for content (Press CTRL-D to finish): -----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCqfzVmeFPMA+Jc 53MlVF3LoYZAkqh1Dz3+HFnegcAU3/tCGSdfJad/PeF5KEQDDnF0vc9XbfS2/wJC -wHAt15TH3iarSPE3dV3L0c1tyOFaMUNLAd3nsPArR0w/1YF3o8r2ML9OmZ4WmkZK +wHAt15TH3iarSPE3dV3L0c1tyOFaMUNLAd3nsPArR0w/1YAfr1cAN0rEUZ4WmkZK vyFx6AsuVm5MpXR4z7U4j955sqRkWsi3I1hLtMPzuWEJA/AbpTCxb1k2xJDQWira /NALlz6NPVRcngBt56ZDhMNmy/g2zGEcmitEqMUOS7apvRk6hZK94dfjSQe4iEpX Sdd6vvZxdrWGV10lmDDH0SPtmGBE+34r1UNIbp/XVRh6KxiNcjFVNBwlwqATmTYh xkXAPw1pAgMBAAECggEACZ3YNLnnvBOiAmx5larvCWvIZz7+am/cJseRmBfIbkT9 5ooFqvu0OVyTqaJIR8XaR2PnXH6StXmntnqDpHWQTqUvlbGANIqWsyiig26zFCEu IAXwr0TKRERzKAWT4lwmOAGi4LuQa6Ty/wdNyx9z9f6hBQi2C5Rnm9OdkE6vsAtJ -NbNcsV+bvedfLoJqG1MM3sh3LT3RAltaMuJEw3PdFiMVcQIJgGr85nVJcg4SCUkh +NbNcsV+bvedfLoJqG1MM3sh3LT3RAltaM0ntw3PdFiMVcQIJgGr85nVJcg4SCUkh JKlfUE83IqkwAd1V0jn/2yopCmQBLrpyqlRu2MmwFiIS+IUcoReemNK8mlfd8hbR -bc0Zvum65DS1Y6wuuBdWP2v49xaX8fDrVy8unIHQ4wKBgQDDtTq7L06XqJkHtKj3 -6XqVO5oKZhu1tcLDXWsxHnJas6Cw8u0cx+r4cTWUWI/HFBYOKRveIqGdb12QR757 -lRqK3ie+dZvhsztUm04EnVaNvn09YGl5n8fV+3QrygeanYVYNgRdMPhf6PNmcJQB -Ppj2XsIvjxoiNCf+YSDJNO2SwwKBgQDfBa2U2nKhgZZaYGYmdKT1zqb3TsGWSIIt -KhSJX3CvxT08Czqi3R1PgBdNS9YI8XXsDZnvhcmOeP2vm3ylgJZGS7Gi04Mj9ijQ -+beqMnNBjEjc1oXkemd9bfsDfby6k5Ew5OpzVe5rkOpc7oGy54REFh0hLukaoOFJ -eXxUJ9bEYwKBgGqBrG7GNg1PEckhxnr0s2OXxiM2oonnWxEbPATFPxKhgygJbIUn -P3bplXEgKU78XWxjbukbC700KEUm5kE3SfSdJh/+vVC9S+KlinX0cnA9ZMcMOxqX -nBeV+wkBr9WzOChjbUiSJ/l6O0xapBFxUalytFdRl7VZkRJdJYyao1glAoGACrup -OOqybZdg9wSApgUjEzlYy7ockvD2YtoNlvbi43KomcUok0H08SiG9o9Zw6BrPmsB -J4fWxWaJPvRKsWRY1xU5fU6Ulxx3pmb+MdCvv03TC92/H9nMNTsfw3E/rfMAH8xE -hDx0dvTIcqR/1W5S7TvrNvec/E0VyoVwOFSaf2UCgYApQZxpTvGQ6NMvNHBMaCa1 -Xy5AWPfTYbYUTTq9q8t/s1bA5YkA6MJ740dAGzwsUAlJ887QsGXH5ZeQtxVbHbmA +. +. +. 2P6CP4iOY1EjsxNssrLJKkxXdagYeZo5X2KOIqZ8FeVli4BM0mqX96UPN2zV3dNP eN1DF6VSLghh30ITUauYdQ++ -----END PRIVATE KEY----- 
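Review bot: the `-----BEGIN PRIVATE KEY-----` block at the top of this hunk is still shown as input to the `content` prompt, and shortening it does not fix the underlying problem that a private key is being pasted where a trust anchor is configured. The same block (first line `MIIEvAIBADAN...`) appears in docs/config_syslog_tls.md directly under `configure authority trusted-ca-certificate ca_root`. A trusted CA entry only needs the CA certificate, so the example teaches readers to copy the CA signing key onto the device. Suggest deleting the whole PRIVATE KEY block from the trusted CA example in both files and leaving only the `-----BEGIN CERTIFICATE-----` block.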
@@ -178,16 +164,9 @@ TWFzc2FjaHVzZXR0czERMA8GA1UECgwIVGVzdCBJbmMxFzAVBgNVBAMMDmNhLmV4 YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqn81ZnhT zAPiXOdzJVRdy6GGQJKodQ89/hxZ3oHAFN/7QhknXyWnfz3heShEAw5xdL3PV230 tv8CQpHKHjWWQzG1MM3sh3LT3RAltaM0NT6shNXE3va46f3zotWBd6PK9jC/Tpme -FppGSr8hcegLLlZuTKV0eM+1OI/eebKkZFrItyNYS7TD87lhCQPwG6UwsW9ZNsSQ -0Foq2vzQC5c+jT1UXJ4AbeemQ4TDZsv4NsxhHJorRKjFDku2qb0ZOoWSveHX40kH -uIhKV0nXer72cXa1hlddJZgwx9Ej7ZhgRPt+K9VDSG6f11UYeisYjXIxVTQcJcKg -E5k2IcZFwD8NaQIDAQABo2MwYTAdBgNVHQ4EFgQUn07ghxVixnvcB4G51WxouxRA -M2YwHwYDVR0jBBgwFoAUn07ghxVixnvcB4G51WxouxRAM2YwDwYDVR0TAQH/BAUw -AwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAHH+4MYOoIrT -DoYsVKJh0x1MHVoCdn39fFvUPFRJg5b3KLyaILzPoS300XOxrtNvY0ayBu70atl8 -9RRj1LMqVb3mjR7sigyj4wm2rWLVOJMncZsiVXVmX2rhteYe6Z0IVPXjOS3Yn9Ph -G8K9lQCHwXmLmsbzlQPbFFvRsCA+/OXVhSA4h88eIIWt9fkcPQfjCEk6SBnzOXDU -n7C3l7TweHggfgMvM9a+ullfmfw0ejhbX3JOrXCuA9EIloATgdpyzOKZ6q2tXBtQ +. +. +. qynFiqlV0UDGgH+e8hCp41Seva5vBGYvwMVHPU80rhoAsTh1BNpM1r9xbvDQs5ui 3QyeFCt/O0A= -----END CERTIFICATE----- 
@@ -208,25 +187,12 @@ gjmN2agDfu6sykg4OJ2NDy4IRrBYilExRJHllAndtc04rp7EQ544Z+/J/dNJrmXK GnHvm/Rg0UdKnbFrw5aentpx3rFefdaf8nlJLW5rFH1wxDqUhE+y5q+s+8k3ESt0 9L/26OxTQP11t5Vh/BEkK5iVHLDBGyHntUvEnM5tFWL7+NvefhuZ6McvY7GPDR8c bkuNHXlv9laeXQlI6IiiYum8waQDnJBGEx2wPTUguZJWP0YgxLinKiCDIINNEf+Y -dGqxf7I/yKWZtkoxB3JVk3qF7651EaGAzjMHYhmpPVR0K9IAPbyGucK0aOriJqZ5 +dGqxf7I/h01yH4nDGR3nad30fAN+10chzjMHYhmpPVR0K9IAPbyGucK0aOriJqZ5 91wL39G5AgMBAAECggEAE2/xDSQYyG8bv7muRxBbwNw+Q6cwKrcGZtRTRmUM+ee/ zAReBCDmR3KU1zn0SoALkqhFn6rhl6EaSSEIivLeuJZbWC7hPyNgMACWohOvhQcC -j3+cBWH+NXEyVGA3EltgKsscAvpO8qcxirJ2HaURd64wPd7rRVMvrErNGfxUNOh1 -fHSd3t7ch7QfQsX+cIRS7ZhIxAKY97nVhlRN1TS8Y0dDW2fSSpV8cqUs7DQjetcI -XG54PAsOjg6TnALtg113zftg6W9WPG2R8CWyW6g3Z0qJ7TDAp6GZMqRBjzjGlfPi -CzUg+YHXCn8P2jrYD/CwSYr42dLX0FZbcdI5NHjSAQKBgQD+rDSi9sIR8Bryo0+R -1B83myMX67dpkWGrxjdrgAijuVSKX5+mT44WGHh8UZtN08bU/pWEWmag9TGBbnic -QY3qJXLyzNHERL7tEEyEGKBoAWuR9qgESI8w2AgJEvCokFO1h5BnmVfnCaB51rrd -iH2irP9Ed3G7+sdVZ3q1AdC3iQKBgQDGtkEpss+i9go2OuVO3ez52SR1aQqiKHak -wCINR52/8UhjGefoCwA59mKUIx9beKxyhVoi2XEXs4LqMCMWUI49INB9IjIn67qW -Cf9wUPGaCOS8P6HTKV+Xm9aZMmMQHTcCamqZbZw2Q9brucdPQJRkcsktKeioV3mL -iwgNliKMsQKBgC3EwQjwk9wpbI5irzAkESArL1ljMWk1iXoXe2pEbkkOS5U6rjRz -Y7Ow3iZpfCG2h6tLvY81t/dART1cu1ar1yNAzt33NEaznCR6o2WyD1Hhv3VSAMwU -Rjee+4K19q40kfaz0E3uDxAkeMSsxJR/rSSJNq8VUElaPmyo1jKlit8RAoGAM4YU -VVyQ7B9BvJf+1zlB9fKwumTXJf657LQI4Eqeg6Nrco7IC+m2UFErdF+7BLvAcx1S -ptCcu1mHa3O51VJj30O/64JPYPyFb9v9yMCkNJ1zucACFL+YkrYMqcJf31DD77Nq -GohKRePHOW39WPZUw8rjkPtZ4TR1RpJxLxyrrrECgYEAucUgTqdA1JmEmm72nQ3z -mzf6LtuLq748DEb8KaTkYwJZaM705/BP8vNLSE/+92gXYkMpTpUBBYTzzK9aYeGE +. +. +. WiYWxHz5Q4wUxV5uTJR3Jq5rzcHr1shyVDT+aFf9tyNdcLFfbziZ1y/EfAPkOOoH jLD4SXCWbmRxHYVMn3yhqK4= -----END PRIVATE KEY----- 
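Review bot: the client key example in this hunk keeps the opening and closing lines of the key and rewrites one line in the middle (`dGqxf7I/h01yH4nDGR3nad30fAN+10chzjMHYhmpPVR0K9IAPbyGucK0aOriJqZ5`), which leaves text that still looks like a usable key to readers and to secret scanners but no longer matches the certificate shown below it. The complete key was added earlier in this series, so trimming it here does not remove it from history. Suggest replacing the body between the BEGIN and END lines with an obviously non-key placeholder, and stating in the commit message that the key was generated only for documentation, if that is the case.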
@@ -242,15 +208,10 @@ f/ariaKO3XiCOY3ZqAN+7qzKSDg4nY0PLghGsFiKUTFEkeWUCd21zTiunsRDnjhn 78n900muZcoace+b9GDRR0qdsWvDlp6e2nHesV591p/yeUktbmsUfXDEOpSET7Lm r6z7yTcRK3T0v/bo7FNA/XW3lWH8ESQrmJUcsMEbIee1S8Sczm0VYvv4295+G5no xy9jsY8NHxxuS40deW/2Vp5dCUjoiKJi6bzBpAOckEYTHbA9NSC5klY/RiDEuKcq -IIMgg00R/5h0arF/sj/fL0cKofSeAgu11z1891d1scDOMwdiGak9VHQr0gA9vIa5 -wrRo6uImpnn3XAvf0bkCAwEAAaNvMG0wHQYDVR0OBBYEFBD7hj42fbQv+v95CXIN -/Y3jckxzMB8GA1UdIwQYMBaAFJ9O4IcVYsZ73AeBudVsaLsUQDNmMAkGA1UdEwQC -MAAwCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB -CwUAA4IBAQCW0sZVVr04ofxj28dcyce6TRr9buFeohBWVPZ+Uu3i4eSWuj0cLOl3 -d/Z3Vv7jnDDQd4175eqA7rGL7Mfe3MsdSeBTut2z8Ubn45dRMZuLHxcrg5qMCq3b -o5Ff038wm1OB3Jc2ec9nJOUUdGh+gdrlxiKJH9i1VlxvgzgltTGvbH7TQozMdBlF -04O32yP3MXsKhHRvYrtQpSQ248QeSLA/wItSc+vqcsPKjCGwSb183CPHDUmUALkE -zTwd4+soylkHxCW2zZ50lUUqqNt1nSIcVF2V3qqxRZXZcJtN5y9+brpc9Z8eiXys +IIMgg00R/5h0arF/sj/fL0cKofSeAgu11z1891d1sc0OMwdiGak9VHQr0gA9vIa5 +. +. +. 9cgLsL60tukLdwxH5S6gAw/MSm6ABYjdv -----END CERTIFICATE----- diff --git a/docs/config_syslog_tls.md b/docs/config_syslog_tls.md index ce8806a63c..36a5a15952 100644 --- a/docs/config_syslog_tls.md +++ b/docs/config_syslog_tls.md 
@@ -94,16 +94,12 @@ MIIC1jCCAb4CAQAwTjENMAsGA1UEAwwEZHV0MTELMAkGA1UEBhMCVVMxETAPBgNV BAcMCFdlc3Rmb3JkMRAwDgYDVQQKDAdKdW5pcGVyMQswCQYDVQQIDAJNQTCCASIw DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ8WwHXP/z49sFsxpN5L9THO5y8N f/as8Nn6XUyG86YyxcR5IYL5gKR5//EunoVjLAUCHgBqxwaUa3enhNEQS97N4Bcs -E7YygMkI7oAnHCioslB+x2Am/xKPRosh3s50fIN3mY409/byMGipfGcyNlMn8MT8XbS +E7YygMkI7oAnHCioslB+x2Am/xKPRosh3s50fIN3mY409/byMGipfGcyNlMn8XbS XF/zmGBI1/4aRbeqL5VMDPO+9DNRxXMgqBs2y48WanGvZeZTP5B/sSczlhOSxHnu DxNYQ7+rZs9NpKzktCXOSA8nszHp5PNCWsa8tVNQvyhAqboTGrXQZhjZRWzg3nzS -Gb5XIxudEteQOg5LJW/7GpxFmF+XtNxzfSJpw1/tKeA32VN9In++nwoflhUCAwEA -AaBDMEEGCSqGSIb3DQEJDjE0MDIwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwGAYD -VR0RAQH/BA4wDIIEZHV0MYcEChsgyzANBgkqhkiG9w0BAQsFAAOCAQEAK32e8BUh -n9ficSqiRq3b0UuaQGnNrQ1oAY5FeaTY/2gDPYCju43HTsW1TSoK6376UxU43yAC -nAbFVe8p6fMIh9LkR+I9IM/Z2PXUtUrE8MPQo6z4/9aDGgwEoj654nArM7rWXh05 -7RBhzALsh2GWt2GT9FXcODIbGcsu6Ea2+24o1MuKMxDGEWjCnJJheXmFsqraKRnu -rcgzjMPc1F+iMb3O/bzFnj3a4Pj3dRK59bV/0zD7ti8KC/jodV80yzMVn4uSPlj1 +. +. +. wp4dOHuKsnf+ZsfNK4AGUYdh3qEa1/xJxyug1R3AGjItbkUzbJpR6hp7B0YYWV87 QALMf6F0SKBDXg++ -----END CERTIFICATE REQUEST----- 
@@ -119,54 +115,17 @@ Create a root certificate named `ca_root` and paste the certificate file content admin@conductor-node-1.Conductor# configure authority trusted-ca-certificate ca_root *admin@conductor-node-1.Conductor (trusted-ca-certificate[name=ca_root])# content Enter plain for content (Press CTRL-D to finish): ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCqfzVmeFPMA+Jc -53MlVF3LoYZAkqh1Dz3+HFnegcAU3/tCGSdfJad/PeF5KEQDDnF0vc9XbfS2/wJC -wHAt15TH3iarSPE3dV3L0c1tyOFaMUNLAd3nsPArR0w/1YF3o8r2ML9OmZ4WmkZK -vyFx6AsuVm5MpXR4z7U4j955sqRkWsi3I1hLtMPzuWEJA/AbpTCxb1k2xJDQWira -/NALlz6NPVRcngBt56ZDhMNmy/g2zGEcmitEqMUOS7apvRk6hZK94dfjSQe4iEpX -Sdd6vvZxdrWGV10lmDDH0SPtmGBE+34r1UNIbp/XVRh6KxiNcjFVNBwlwqATmTYh -xkXAPw1pAgMBAAECggEACZ3YNLnnvBOiAmx5larvCWvIZz7+am/cJseRmBfIbkT9 -5ooFqvu0OVyTqaJIR8XaR2PnXH6StXmntnqDpHWQTqUvlbGANIqWsyiig26zFCEu -IAXwr0TKRERzKAWT4lwmOAGi4LuQa6Ty/wdNyx9z9f6hBQi2C5Rnm9OdkE6vsAtJ -NbNcsV+bvedfLoJqG1MM3sh3LT3RAltaMuJEw3PdFiMVcQIJgGr85nVJcg4SCUkh -JKlfUE83IqkwAd1V0jn/2yopCmQBLrpyqlRu2MmwFiIS+IUcoReemNK8mlfd8hbR -bc0Zvum65DS1Y6wuuBdWP2v49xaX8fDrVy8unIHQ4wKBgQDDtTq7L06XqJkHtKj3 -6XqVO5oKZhu1tcLDXWsxHnJas6Cw8u0cx+r4cTWUWI/HFBYOKRveIqGdb12QR757 -lRqK3ie+dZvhsztUm04EnVaNvn09YGl5n8fV+3QrygeanYVYNgRdMPhf6PNmcJQB -Ppj2XsIvjxoiNCf+YSDJNO2SwwKBgQDfBa2U2nKhgZZaYGYmdKT1zqb3TsGWSIIt -KhSJX3CvxT08Czqi3R1PgBdNS9YI8XXsDZnvhcmOeP2vm3ylgJZGS7Gi04Mj9ijQ -+beqMnNBjEjc1oXkemd9bfsDfby6k5Ew5OpzVe5rkOpc7oGy54REFh0hLukaoOFJ -eXxUJ9bEYwKBgGqBrG7GNg1PEckhxnr0s2OXxiM2oonnWxEbPATFPxKhgygJbIUn -P3bplXEgKU78XWxjbukbC700KEUm5kE3SfSdJh/+vVC9S+KlinX0cnA9ZMcMOxqX -nBeV+wkBr9WzOChjbUiSJ/l6O0xapBFxUalytFdRl7VZkRJdJYyao1glAoGACrup -OOqybZdg9wSApgUjEzlYy7ockvD2YtoNlvbi43KomcUok0H08SiG9o9Zw6BrPmsB -J4fWxWaJPvRKsWRY1xU5fU6Ulxx3pmb+MdCvv03TC92/H9nMNTsfw3E/rfMAH8xE -hDx0dvTIcqR/1W5S7TvrNvec/E0VyoVwOFSaf2UCgYApQZxpTvGQ6NMvNHBMaCa1 -Xy5AWPfTYbYUTTq9q8t/s1bA5YkA6MJ740dAGzwsUAlJ887QsGXH5ZeQtxVbHbmA -2P6CP4iOY1EjsxNssrLJKkxXdagYeZo5X2KOIqZ8FeVli4BM0mqX96UPN2zV3dNP 
-eN1DF6VSLghh30ITUauYdQ++ ------END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- MIIDlDCCAnygAwIBAgIVAJHxzhL42q7io2PBDPR+TCeBsyQgMA0GCSqGSIb3DQEB CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy MTYzODI1WhcNMjUxMDIyMTYzODI1WjBRMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN -TWFzc2FjaHVzZXR0czERMA8GA1UECgwIVGVzdCBJbmMxFzAVBgNVBAMMDmNhLmV4 +TWFzc2Fja/m1nIs+rY0Fs1LIyWA1kswIVGVzdCBJbmMxFzAVBgNVBAMMDmNhLmV4 YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqn81ZnhT zAPiXOdzJVRdy6GGQJKodQ89/hxZ3oHAFN/7QhknXyWnfz3heShEAw5xdL3PV230 -tv8CQpHKHjWWQzG1MM3sh3LT3RAltaM0NT6shNXE3va46f3zotWBd6PK9jC/Tpme -FppGSr8hcegLLlZuTKV0eM+1OI/eebKkZFrItyNYS7TD87lhCQPwG6UwsW9ZNsSQ -0Foq2vzQC5c+jT1UXJ4AbeemQ4TDZsv4NsxhHJorRKjFDku2qb0ZOoWSveHX40kH -uIhKV0nXer72cXa1hlddJZgwx9Ej7ZhgRPt+K9VDSG6f11UYeisYjXIxVTQcJcKg -E5k2IcZFwD8NaQIDAQABo2MwYTAdBgNVHQ4EFgQUn07ghxVixnvcB4G51WxouxRA -M2YwHwYDVR0jBBgwFoAUn07ghxVixnvcB4G51WxouxRAM2YwDwYDVR0TAQH/BAUw -AwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggEBAHH+4MYOoIrT -DoYsVKJh0x1MHVoCdn39fFvUPFRJg5b3KLyaILzPoS300XOxrtNvY0ayBu70atl8 -9RRj1LMqVb3mjR7sigyj4wm2rWLVOJMncZsiVXVmX2rhteYe6Z0IVPXjOS3Yn9Ph -G8K9lQCHwXmLmsbzlQPbFFvRsCA+/OXVhSA4h88eIIWt9fkcPQfjCEk6SBnzOXDU -n7C3l7TweHggfgMvM9a+ullfmfw0ejhbX3JOrXCuA9EIloATgdpyzOKZ6q2tXBtQ +. +. +. qynFiqlV0UDGgH+e8hCp41Seva5vBGYvwMVHPU80rhoAsTh1BNpM1r9xbvDQs5ui 3QyeFCt/O0A= -----END CERTIFICATE----- 
@@ -187,25 +146,12 @@ gjmN2agDfu6sykg4OJ2NDy4IRrBYilExRJHllAndtc04rp7EQ544Z+/J/dNJrmXK GnHvm/Rg0UdKnbFrw5aentpx3rFefdaf8nlJLW5rFH1wxDqUhE+y5q+s+8k3ESt0 9L/26OxTQP11t5Vh/BEkK5iVHLDBGyHntUvEnM5tFWL7+NvefhuZ6McvY7GPDR8c bkuNHXlv9laeXQlI6IiiYum8waQDnJBGEx2wPTUguZJWP0YgxLinKiCDIINNEf+Y -dGqxf7I/yKWZtkoxB3JVk3qF7651EaGAzjMHYhmpPVR0K9IAPbyGucK0aOriJqZ5 +dGqxf7I/yKn1gH+Swh0sAYn33651EaGAzjMHYhmpPVR0K9IAPbyGucK0aOriJqZ5 91wL39G5AgMBAAECggEAE2/xDSQYyG8bv7muRxBbwNw+Q6cwKrcGZtRTRmUM+ee/ zAReBCDmR3KU1zn0SoALkqhFn6rhl6EaSSEIivLeuJZbWC7hPyNgMACWohOvhQcC -j3+cBWH+NXEyVGA3EltgKsscAvpO8qcxirJ2HaURd64wPd7rRVMvrErNGfxUNOh1 -fHSd3t7ch7QfQsX+cIRS7ZhIxAKY97nVhlRN1TS8Y0dDW2fSSpV8cqUs7DQjetcI -XG54PAsOjg6TnALtg113zftg6W9WPG2R8CWyW6g3Z0qJ7TDAp6GZMqRBjzjGlfPi -CzUg+YHXCn8P2jrYD/CwSYr42dLX0FZbcdI5NHjSAQKBgQD+rDSi9sIR8Bryo0+R -1B83myMX67dpkWGrxjdrgAijuVSKX5+mT44WGHh8UZtN08bU/pWEWmag9TGBbnic -QY3qJXLyzNHERL7tEEyEGKBoAWuR9qgESI8w2AgJEvCokFO1h5BnmVfnCaB51rrd -iH2irP9Ed3G7+sdVZ3q1AdC3iQKBgQDGtkEpss+i9go2OuVO3ez52SR1aQqiKHak -wCINR52/8UhjGefoCwA59mKUIx9beKxyhVoi2XEXs4LqMCMWUI49INB9IjIn67qW -Cf9wUPGaCOS8P6HTKV+Xm9aZMmMQHTcCamqZbZw2Q9brucdPQJRkcsktKeioV3mL -iwgNliKMsQKBgC3EwQjwk9wpbI5irzAkESArL1ljMWk1iXoXe2pEbkkOS5U6rjRz -Y7Ow3iZpfCG2h6tLvY81t/dART1cu1ar1yNAzt33NEaznCR6o2WyD1Hhv3VSAMwU -Rjee+4K19q40kfaz0E3uDxAkeMSsxJR/rSSJNq8VUElaPmyo1jKlit8RAoGAM4YU -VVyQ7B9BvJf+1zlB9fKwumTXJf657LQI4Eqeg6Nrco7IC+m2UFErdF+7BLvAcx1S -ptCcu1mHa3O51VJj30O/64JPYPyFb9v9yMCkNJ1zucACFL+YkrYMqcJf31DD77Nq -GohKRePHOW39WPZUw8rjkPtZ4TR1RpJxLxyrrrECgYEAucUgTqdA1JmEmm72nQ3z -mzf6LtuLq748DEb8KaTkYwJZaM705/BP8vNLSE/+92gXYkMpTpUBBYTzzK9aYeGE +. +. +. WiYWxHz5Q4wUxV5uTJR3Jq5rzcHr1shyVDT+aFf9tyNdcLFfbziZ1y/EfAPkOOoH jLD4SXCWbmRxHYVMn3yhqK4= -----END PRIVATE KEY----- 
@@ -215,20 +161,12 @@ MIIDpDCCAoygAwIBAgIVAL1k460IeyrQWoU82ZVHZ2asUrTuMA0GCSqGSIb3DQEB CwUAMFExCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMREwDwYD VQQKDAhUZXN0IEluYzEXMBUGA1UEAwwOY2EuZXhhbXBsZS5jb20wHhcNMjQxMDIy MTYzODI4WhcNMjUwMTIwMTYzODI4WjBVMQswCQYDVQQGEwJVUzEWMBQGA1UECAwN -TWFzc2FjaHVzZXR0czERMA8GA1UECgwIVGVzdCBJbmMxGzAZBgNVBAMMEmNsaWVu +TWFzc2FjaHVzZXR031sTH3nuMB3r+h0uSHa1Lc0un+/xGzAZBgNVBAMMEmNsaWVu dC5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWu f/ariaKO3XiCOY3ZqAN+7qzKSDg4nY0PLghGsFiKUTFEkeWUCd21zTiunsRDnjhn -78n900muZcoace+b9GDRR0qdsWvDlp6e2nHesV591p/yeUktbmsUfXDEOpSET7Lm -r6z7yTcRK3T0v/bo7FNA/XW3lWH8ESQrmJUcsMEbIee1S8Sczm0VYvv4295+G5no -xy9jsY8NHxxuS40deW/2Vp5dCUjoiKJi6bzBpAOckEYTHbA9NSC5klY/RiDEuKcq -IIMgg00R/5h0arF/sj/fL0cKofSeAgu11z1891d1scDOMwdiGak9VHQr0gA9vIa5 -wrRo6uImpnn3XAvf0bkCAwEAAaNvMG0wHQYDVR0OBBYEFBD7hj42fbQv+v95CXIN -/Y3jckxzMB8GA1UdIwQYMBaAFJ9O4IcVYsZ73AeBudVsaLsUQDNmMAkGA1UdEwQC -MAAwCwYDVR0PBAQDAgXgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMA0GCSqGSIb3DQEB -CwUAA4IBAQCW0sZVVr04ofxj28dcyce6TRr9buFeohBWVPZ+Uu3i4eSWuj0cLOl3 -d/Z3Vv7jnDDQd4175eqA7rGL7Mfe3MsdSeBTut2z8Ubn45dRMZuLHxcrg5qMCq3b -o5Ff038wm1OB3Jc2ec9nJOUUdGh+gdrlxiKJH9i1VlxvgzgltTGvbH7TQozMdBlF -04O32yP3MXsKhHRvYrtQpSQ248QeSLA/wItSc+vqcsPKjCGwSb183CPHDUmUALkE +. +. +. zTwd4+soylkHxCW2zZ50lUUqqNt1nSIcVF2V3qqxRZXZcJtN5y9+brpc9Z8eiXys 9cgLsL60tukLdwxH5S6gAw/MSm6ABYjdv -----END CERTIFICATE----- 
@@ -239,22 +177,6 @@ zTwd4+soylkHxCW2zZ50lUUqqNt1nSIcVF2V3qqxRZXZcJtN5y9+brpc9Z8eiXys Certificate imported successfully Would you like to add the certificate to your configuration? [y/N]: y Which router is this certificate for? (Select all if it applies to the entire authority) [all]: all -% Warning: -1. certificate contains the following issues: does not have the extendKeyUsage extension - - - config - authority - client-certificate radius - content - -2. certificate contains the following issues: does not have the extendKeyUsage extension - - - config - authority - client-certificate conductor-radius - content Certificate imported successfully Would you like to clean up the temporary certificate and key files? [Y/n]: Y diff --git a/docs/intro_downloading_iso.md b/docs/intro_downloading_iso.md index 0936828eaf..0d83cff569 100644 --- a/docs/intro_downloading_iso.md +++ b/docs/intro_downloading_iso.md 
@@ -9,13 +9,13 @@ With the purchase of an SSR license, you are provided a set of credentials used Juniper Session Smart Networking provides the following workflows for the installation process: -- **SSR Image-based ISO:** **Beginning with version 6.3.0**, the SSR uses a single downloadable image-based ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. +- **SSR Image-based ISO:** **Beginning with version 6.3.0**, the SSR uses a single downloadable image-based SSR ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. Please see [SSR Image-based ISO Installation Overview](intro_installation_univ-iso.md) for the installation instructions and software image download location. For users installing *earlier, package-based versions of the SSR software*, the following installation methods are available: -- **Package-based ISO:** For users who do not use Mist Cloud, the package-based ISO is used in the following deployments. +- **Package-based 128T ISO:** For users who do not use Mist Cloud, the package-based 128T ISO is used in the following deployments. - When the initial installation is going to be a version prior to 6.3.0. - When upgrading to a version prior to 6.3.0 on air-gap network using the `import ISO` operation. For example, upgrading an air-gap conductor or routers from 5.6.6 to 6.2.7. See [Package-based Software Upgrade in an Air-Gap Network](upgrade_restricted_access.md#package-based-software-upgrade) for the more information. 
@@ -25,7 +25,7 @@ For users installing *earlier, package-based versions of the SSR software*, the - **One Touch Provisioning (OTP)** is the default and preferred method of installation. OTP sets up DHCP on all interfaces and boots a Web Server GUI. After installing the Conductor and configuring routers through the Conductor, the OTP bootstrap process will install and configure the router. See the following procedures for OTP installation steps: - [Router Installation Using OTP](intro_otp_iso_install.mdx) - [Quickstart from the OTP ISO](intro_install_quickstart_otpiso.md) - - **Interactive:** Beginning with SSR version 6.3.0, the use of the interactive installer is not supported, nor necessary. Software installation and upgrade activities are supported from the GUI or PCLI. With software versions earlier than 6.3.0, upgrading the SSR software on a conductor or router that is managed by a conductor using the interactive installer may result in the system becoming unresponsive. For this reason it is highly recommended that installations and upgrades be performed through the conductor UI. + - **Interactive:** Beginning with SSR version 6.3.0, the use of the interactive installer is not supported, nor necessary. Software installation and upgrade activities are supported from the GUI or PCLI. With software versions earlier than 6.3.0, upgrading the SSR software on a conductor or router that is managed by a conductor using the interactive installer may result in the system becoming unresponsive. For this reason it is highly recommended that upgrades be performed through the conductor UI. For a new installation of a conductor using software prior to 6.3.0, the interactive method can be used. :::note Beginning with release 5.4.7-7 and any 5.x ISO [**released after August 4, 2022**](about_releases.mdx#all-releases---limited-general-availability-and-out-of-support), the ISO name format has changed from using `OTP` to `ISO`: 
@@ -37,12 +37,12 @@ For users installing *earlier, package-based versions of the SSR software*, the The SSR Software packages are available from our public servers using the username and token provided to you and can be accessed at the following location: -The image-based ISOs are available to download at the following location: +The image-based SSR ISOs are available to download at the following location: - https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local -The package-based ISOs are available to download at the following location: +The package-based 128T ISOs are available to download at the following location: - https://software.128technology.com/artifactory/list/generic-128t-isos-release-local diff --git a/docs/intro_installation.md b/docs/intro_installation.md index 4894018004..d6d0195790 100644 --- a/docs/intro_installation.md +++ b/docs/intro_installation.md @@ -18,7 +18,7 @@ The examples listed in this guide generally prefer running commands as a non-roo ## Installation Process -Beginning with SSR 6.3.0, a universal image-based ISO is provided to simplify and streamline the SSR installation and initialization process. This version supports Conductor-managed image-based installations as well as Mist-managed deployments. +Beginning with SSR 6.3.0, a universal image-based SSR ISO is provided to simplify and streamline the SSR installation and initialization process. This version supports Conductor-managed image-based installations as well as Mist-managed deployments. Installation to your device utilizes the SSR ISO, downloaded as a bootable image to a USB drive or from disk. The install process is as follows: diff --git a/docs/intro_installation_univ-iso.md b/docs/intro_installation_univ-iso.md index 14cda927cf..ced7dc6ffd 100644 --- a/docs/intro_installation_univ-iso.md +++ b/docs/intro_installation_univ-iso.md 
@@ -3,14 +3,14 @@ title: SSR Image-based ISO Installation Overview sidebar_label: SSR Image-based ISO Installation Overview --- -Beginning with version 6.3.0, the SSR uses a single image-based ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. +Beginning with version 6.3.0, the SSR uses a single image-based SSR ISO with a significantly simplified installation process. After the SSR installation completes, the GUI provides clear choices and processes for each of the device configuration options: Conductor, a Conductor-managed router, or a Mist-managed router. #### Version History | Release | Modification | | ------- | ------------ | -| 6.0.0 | Image-based ISO installation process implemented for Mist-managed networks. | -| 6.3.0 | Image-based ISO updated, migrating to a single ISO installation format for Conductor, Conductor-managed, and Mist-managed deployments. | +| 6.0.0 | Image-based SSR ISO installation process implemented for Mist-managed networks. | +| 6.3.0 | Image-based SSR ISO updated, migrating to a single ISO installation format for Conductor, Conductor-managed, and Mist-managed deployments. | The installation workflow consists of the following steps: @@ -21,7 +21,7 @@ The installation workflow consists of the following steps: ## Download -The image-based ISOs are available for download at the following location: +The image-based SSR ISOs are available for download at the following location: https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local/ 
@@ -35,6 +35,6 @@ You will be prompted for your username and token to access the web page listing ### Create a Bootable USB -Use the instructions for [Creating a Bootable USB](intro_creating_bootable_usb.md) to create a bootable USB drive containing the latest image-based ISO. +Use the instructions for [Creating a Bootable USB](intro_creating_bootable_usb.md) to create a bootable USB drive containing the latest image-based SSR ISO. Once you have the USB, let's go [Install the SSR software!](install_univ_iso.md) \ No newline at end of file diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index 3408ded193..ad34d847c6 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md @@ -49,7 +49,7 @@ The following are use cases for upgrades within an air-gap network. - [Package-based Software Upgrade](#package-based-software-upgrade). :::note -Use these procedures for upgrades only. When performing an initial installation of version 6.3.x software, the IBU ISO is required. +Use these procedures for upgrades only. When performing an initial installation of version 6.3.x software or greater, the image-based SSR ISO is required. ::: ### Single-Version 6.3.0 Upgrade 
@@ -57,9 +57,9 @@ Use these procedures for upgrades only. When performing an initial installation The following process is used to upgrade a Conductor and Conductor-managed Routers to **version 6.3.0** of the SSR software. Beginning with SSR software version 6.3.0, a conductor can manage routers running image-based software installations. -1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` from the [6.3 Package Based ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local/6.3/) page. -2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. +2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the downloaded ISO. 3. Import the `128T-6.3.0-107.r1.el7.OTP.v1.x86_64.iso` ISO onto the conductor using the [`import iso`](#import-iso) command. 
@@ -74,12 +74,12 @@ The following process is used to upgrade a Conductor and Conductor-managed Route 8. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. :::note -The process to upgrade a **conductor from a version less than 6.3.0 to 6.3.0 or greater** requires the use of the `128T-6.3.X-XX.r1.el7.OTP.v1.x86_64.iso` ISO. After the initial upgrade to 6.3.X, all future upgrades will only require the import of the image-based ISO; for example, `SSR-6.3.3-1.r1.el7.x86_64.ibu-v1.iso`. +The process to upgrade a **conductor from a version less than 6.3.0 to 6.3.0 or greater** requires the use of the `128T-6.3.X-XX.r1.el7.OTP.v1.x86_64.iso` package based 128T ISO. After the initial upgrade to 6.3.X, all future upgrades will only require the import of the image-based SSR ISO; for example, `SSR-6.3.3-1.r1.el7.x86_64.ibu-v1.iso`. ::: ### Mixed Version Upgrade -If you are upgrading to version 6.3.0 on the Conductor and wish to upgrade the routers, be aware that upgrades to the routers must use image-based software. (Versions starting at 6.0 have image-based options). In versions prior to version 6.3.0, image-based software running on conductor-managed routers was not supported, however version 6.3.0 allows your conductor to manage routers running **both** image-based and package-based software. +If you are upgrading to version 6.3.0 on the Conductor and wish to upgrade the routers, note that after the conductor is upgraded to 6.3.x, routers upgraded to 6.1 or greater will require the image-based SSR ISO. In versions prior to version 6.3.0, image-based software running on conductor-managed routers was not supported, however version 6.3.0 allows your conductor to manage routers running **both** image-based and package-based software. The following workflow demonstrates upgrading a conductor to version 6.3.0, and a router to version 6.1.10. 
@@ -126,7 +126,7 @@ For upgrades of Conductor and Conductor-managed routers to software versions pri In this example workflow, the conductor will be upgraded to 6.2.6, and the routers to 6.1.10. -1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` software package from the [SSR ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. +1. On a system that has internet access, use the [ISO Download procedure](intro_downloading_iso.md#downloading-an-iso) to download the `128T-6.2.6-15.sts.el7.OTP.v1.x86_64.iso` software package from the [128T package-based ISO Download](https://software.128technology.com/artifactory/list/generic-128t-isos-release-local) page. 2. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. From 08da1d041fbdbd7f8aa6679d2ced184ba5b1496e Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 24 Oct 2024 13:17:00 -0400 Subject: [PATCH 16/16] one missed review comment, one edit --- docs/config_syslog_tls.md | 2 -- docs/upgrade_restricted_access.md | 14 +++----------- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/docs/config_syslog_tls.md b/docs/config_syslog_tls.md index 36a5a15952..435dbba2b9 100644 --- a/docs/config_syslog_tls.md +++ b/docs/config_syslog_tls.md @@ -53,8 +53,6 @@ The following configuration example will add a syslog server named `syslog` that ``` To complete the process, `validate` and `commit` the changes. After the confiuration changes have been committed, the SSR will send the syslog to 192.168.1.100:6514 over TLS. -When the user logs into the node `t327-dut1` via ssh, the authentication request is sent via RADSEC to the server `172.18.5.224` and the user is authenticated. - ## Syslog over TLS Configuration - Generate Certificate 
diff --git a/docs/upgrade_restricted_access.md b/docs/upgrade_restricted_access.md index ad34d847c6..93eb6c3042 100644 --- a/docs/upgrade_restricted_access.md +++ b/docs/upgrade_restricted_access.md 
@@ -98,23 +98,15 @@ The process to upgrade a **conductor to 6.3.0** requires the use of the `128T-6. 5. Navigate to the [SSR Software Images](https://software.128technology.com/artifactory/list/generic-128t-install-images-release-local) page, identify the software image version you will use to upgrade the target router or routers, and download it. -:::note -If you are upgrading or installing earlier image-based software on a router (versions 6.2.5 or earlier) you will need to include the checksum and signature files with the ISO when you download and import the software to the conductor. -::: - For example, if you are upgrading a router to SSR Version 6.1.10, you will need to download the following files: - `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.iso` - - `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.tar.sha256sum` - - `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.tar.sha256sum.asc` -6. Copy the files to a USB that has an EXT4 file system. - -7. Plug the USB in to the Conductor and mount the USB. +6. [Create a bootable USB](intro_creating_bootable_usb.md) drive from the SSR ISO. -8. Import the ISO, checksum, and signature file package you downloaded in step 5 onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install these files onto the conductor, only import them. +7. Import the `SSR-6.1.10-8.lts.el7.x86_64.ibu-v1.iso` ISO onto the conductor. The conductor will act as the software repository for the subsequent router upgrades. Do **not** install this package onto the conductor, only import it. -9. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. +8. Upgrade individual routers using the [Router Upgrade](upgrade_router.md) procedure. :::note In an HA setup, when using offline-mode for routers to access the software from the conductors, the ISO must be imported to both conductors before performing the upgrade.
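Review bot: The `ca_root` step in docs/config_syslog_tls.md (hunk @@ -119,54 +115,17) should state explicitly that only the CA certificate is pasted into the `trusted-ca-certificate` content, never the CA's private key, because the previous revision of this example showed a full `-----BEGIN PRIVATE KEY-----` block in that position. The removed block stays in the repository history, so if it was ever more than a throwaway test key it should be treated as exposed. The added line beginning `+TWFzc2Fja/m1nIs` also differs from the line it replaces, so the text should say that the sample is abbreviated and is not a certificate a reader can import as shown.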
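Review bot: In docs/config_syslog_tls.md (hunk @@ -187,25 +146,12), the abbreviated `PRIVATE KEY` sample still carries several unchanged base64 lines at the head and tail of the key; only the middle is replaced by `.` lines and one line is altered. For a private key, replace the whole body between the `BEGIN` and `END` markers with an obvious placeholder so that no key material is published, and explain the `.` convention once in the surrounding text. The same applies to the matching hunk @@ -208,25 +187,12 earlier in this patch.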
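Review bot: With the `% Warning:` block removed from the sample output in docs/config_syslog_tls.md (hunk @@ -239,22 +177,6), the procedure no longer mentions the "does not have the extendKeyUsage extension" check at all; add a sentence near the import step saying that this warning can appear and what it means for the certificate being imported. Dropping the two entries for `client-certificate radius` and `client-certificate conductor-radius` from a syslog example is reasonable on its own, since they describe other certificates in that system's configuration.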
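Review bot: In docs/upgrade_restricted_access.md (hunk @@ -74,12 +74,12), the new note says "package based 128T ISO" without a hyphen, while docs/intro_downloading_iso.md in this same patch uses "package-based 128T ISO" and the link text added in hunk @@ -57,9 +57,9 reads "6.3 Package Based ISO Download". Settle on one spelling ("package-based") across the note, the link text and the list headings so that searches and cross-references match.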
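Review bot: In docs/config_syslog_tls.md (PATCH 16/16, hunk @@ -53,8 +53,6), the context line directly above the removed sentence still reads "After the confiuration changes have been committed"; correct it to "configuration" in the same edit. Removing the sentence about `t327-dut1` and RADSEC is right, as it does not belong to the syslog procedure.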
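Review bot: In docs/upgrade_restricted_access.md (PATCH 16/16, hunk @@ -98,23 +98,15), step 5 no longer lists the `.sha256sum` and `.sha256sum.asc` files and the note requiring them for image-based versions 6.2.5 or earlier is deleted, yet the example still upgrades a router to 6.1.10, which falls inside that range. If the conductor no longer needs the checksum and signature at import time, say so in the text; otherwise keep them in the list, because this was the only place in the air-gap procedure that told the operator how the integrity of the ISO is established. Separately, "you will need to download the following files:" now introduces a single file and should read "the following file".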