6. Set the mode switch on the cryptographic modules of cluster members that were earlier disabled to I (initialization mode).
7. Reboot each of these nodes from the serial console.
8. After a node joins the security world, reset its cryptographic module's mode switch to O (operational mode).

Related Documentation
Creating a New Security World on page 970

Copyright © 2012, Juniper Networks, Inc.
Chapter 41: Secure Access FIPS
Junos Pulse Secure Access Service Administration Guide
CHAPTER 42
SA4500 and SA6500 FIPS Appliances

FIPS Overview on page 977
Name and Password Restrictions on page 978
Initializing a Keystore on page 979
Reinitializing the Keystore on page 979
Joining a Cluster on page 980
Importing Device Certificates on page 981
Changing the Security Officer Password on page 981
Changing the Web User Password on page 982
Resetting the HSM Card In Case Of An Error on page 982
Upgrading the HSM Firmware on page 982
Binary Importing and Exporting of the Keystore on page 983
FIPS Device Status LED Behavior on page 983
FIPS Overview

The Juniper Networks SA4500 and SA6500 FIPS is a standard SA4500 or SA6500 appliance equipped with a FIPS-compliant crypto card. The tamper-resistant hardware security module installed on a Secure Access FIPS system is certified to meet the FIPS 140-2 Level 3 security benchmark.

The configuration process for Secure Access FIPS administrators is almost exactly the same as for non-FIPS Secure Access administrators, requiring only minor configuration changes during the initialization, clustering, and certificate generation processes. In the few cases where administration tasks are different, this guide includes the appropriate instructions for both Secure Access and Secure Access FIPS administrators. For end users, Secure Access FIPS is exactly the same as a standard Secure Access system.

The FIPS-compliant crypto card is a host bus adapter card that combines IPsec and SSL cryptographic acceleration with Hardware Security Module (HSM) features. This combination of a dedicated HSM, cryptographic acceleration and secure key management meets the security and performance needs of the service.

The card has two main roles: a security officer role and a user role. The FIPS-compliant crypto card replaces the need for administrator cards with the concept of a security officer who is responsible for key and password management. The security officer credential protects the keystore from being exported and imported onto another FIPS-compliant crypto card.

User roles perform cryptographic operations such as accessing keying material within the keystore as well as performing bulk encryption operations.

The security officer credentials, user credentials, and RSA private keys are stored in the HSM-encrypted keystore located on the Secure Access disk. You are prompted to provide these credentials whenever an operation requires them. Credentials are not automatically retrieved from the HSM keystore.

Keystores are stored on the disk and are encrypted with a master key. The master key is stored in the crypto card firmware and can be backed up by a security officer using a restore password. This restore password can then be used to restore the master key onto the same or a different FIPS-compliant crypto card, allowing the keystore to be shared across a cluster, for example.
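The key hierarchy this paragraph describes (keystore sealed under a master key; master key held in the card and exportable only as a backup protected by the restore password) is modelled below. This is an added example, not Juniper's code or the card's actual algorithms: the HMAC-SHA256 counter-mode seal stands in for the HSM's authenticated cipher, the PBKDF2 parameters and the CryptoCard class are inventions of this example, and the keystore entries are constructed sample data. It shows why an exported configuration is unreadable on a card that never received the master key, and why a wrong restore password makes the cluster join fail.

```python
"""Illustrative model of the keystore key hierarchy described above.

Added example, not Juniper's code or the card's real algorithms: the
HMAC-SHA256 counter-mode seal stands in for the HSM's authenticated cipher,
the PBKDF2 parameters are assumptions, and the keystore entries are constructed.
"""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16
PBKDF2_ITERATIONS = 100_000  # assumption; the guide does not document the appliance's KDF


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one sealing key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; ValueError on wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("authentication failed: blob too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _restore_kek(restore_password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the restore password the security officer types."""
    return hashlib.pbkdf2_hmac("sha256", restore_password.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=32)


class CryptoCard:
    """One FIPS crypto card; `master_key` models the key held only in card firmware."""

    def __init__(self):
        self.master_key = None

    def initialize_keystore(self, entries: dict) -> bytes:
        """Security officer action: new master key; returns the sealed keystore written to disk."""
        self.master_key = secrets.token_bytes(32)
        return seal(self.master_key, json.dumps(entries, sort_keys=True).encode())

    def backup_master_key(self, restore_password: str) -> bytes:
        """Security officer action: the master key sealed under the restore password."""
        salt = secrets.token_bytes(SALT_LEN)
        return salt + seal(_restore_kek(restore_password, salt), self.master_key)

    def restore_master_key(self, backup: bytes, restore_password: str) -> None:
        """Load a backed-up master key onto this card (the same card or a different one)."""
        salt, sealed = backup[:SALT_LEN], backup[SALT_LEN:]
        self.master_key = unseal(_restore_kek(restore_password, salt), sealed)

    def read_keystore(self, sealed_keystore: bytes) -> dict:
        """Open the on-disk keystore; impossible until the master key is present on the card."""
        if self.master_key is None:
            raise RuntimeError("no master key on card: keystore import not completed")
        return json.loads(unseal(self.master_key, sealed_keystore))


def share_keystore_across_cluster(restore_password: str, typed_password: str) -> dict:
    """Node A creates the cluster keystore; node B imports it by typing `typed_password`."""
    # Constructed sample keystore contents; real entries are the HSM's credentials and RSA keys.
    entries = {"security_officer": "so_admin", "web_user": "webuser", "rsa_key": "<wrapped key>"}
    node_a, node_b, node_c = CryptoCard(), CryptoCard(), CryptoCard()
    sealed_keystore = node_a.initialize_keystore(entries)  # travels inside the exported configuration
    backup = node_a.backup_master_key(restore_password)    # what the restore password protects
    try:
        node_c.read_keystore(sealed_keystore)              # card without the master key
        readable_without_key = True
    except RuntimeError:
        readable_without_key = False
    try:
        node_b.restore_master_key(backup, typed_password)
        joined = node_b.read_keystore(sealed_keystore) == entries
    except ValueError:                                     # wrong restore password: import fails
        joined = False
    return {"joined": joined, "readable_without_master_key": readable_without_key}
```

The point of the two-level structure is that the keystore file on disk (and in every exported configuration archive) is worthless without the master key, and the master key leaves the card only wrapped under the restore password; that is why the guide insists on saving the current restore password with each archived keystore.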
Related Documentation
Name and Password Restrictions on page 978
Initializing a Keystore on page 979
Reinitializing the Keystore on page 979
Joining a Cluster on page 980
Importing Device Certificates on page 981
Changing the Security Officer Password on page 981
Changing the Web User Password on page 982
Resetting the HSM Card In Case Of An Error on page 982
Upgrading the HSM Firmware on page 982
Binary Importing and Exporting of the Keystore on page 983
Name and Password Restrictions

Security officer names and usernames must adhere to the following requirements:

Table 49: Security Officer Name and Username Requirements

Requirement         Description
Minimum Length      At least one character
Maximum Length      63 characters
Valid Characters    Alphanumeric, underscore (_), dash (-) and period (.)
First Character     Must be alphabetic

Passwords must be at least six characters and no more than 63 characters. Three characters must be alphabetic and one character must be non-alphabetic.
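The two rule sets above can be checked before a credential is typed at the serial console, which avoids discovering a rejected name halfway through keystore initialization. The following validator is an added example and not part of the Juniper guide: the rules are taken from Table 49 and the password paragraph, while the function names and the wording of the problem messages are this example's own. Because the guide specifies no character set for passwords, the password check enforces length and composition only.

```python
"""Checks for FIPS security officer names, web usernames and passwords.

Added example; the rules come from Table 49 and the password paragraph of the
guide, the function names and messages are this example's own.
"""
import string

NAME_MIN_LEN, NAME_MAX_LEN = 1, 63
NAME_EXTRA_CHARS = "_-."          # underscore, dash and period
PASSWORD_MIN_LEN, PASSWORD_MAX_LEN = 6, 63
PASSWORD_MIN_ALPHA = 3            # at least three alphabetic characters
PASSWORD_MIN_NON_ALPHA = 1        # at least one non-alphabetic character

ASCII_ALPHA = set(string.ascii_letters)
NAME_CHARS = ASCII_ALPHA | set(string.digits) | set(NAME_EXTRA_CHARS)


def name_problems(name: str) -> list:
    """Return the Table 49 rules that `name` violates; an empty list means valid."""
    problems = []
    if not NAME_MIN_LEN <= len(name) <= NAME_MAX_LEN:
        problems.append(f"length must be {NAME_MIN_LEN} to {NAME_MAX_LEN} characters")
    if name and name[0] not in ASCII_ALPHA:
        problems.append("first character must be alphabetic")
    invalid = sorted(set(name) - NAME_CHARS)
    if invalid:
        problems.append("invalid characters: " + " ".join(repr(c) for c in invalid))
    return problems


def password_problems(password: str) -> list:
    """Return the password rules that `password` violates; an empty list means valid.

    The guide fixes length and composition only, so no character set is enforced here.
    """
    problems = []
    if not PASSWORD_MIN_LEN <= len(password) <= PASSWORD_MAX_LEN:
        problems.append(f"length must be {PASSWORD_MIN_LEN} to {PASSWORD_MAX_LEN} characters")
    alpha = sum(1 for c in password if c in ASCII_ALPHA)
    if alpha < PASSWORD_MIN_ALPHA:
        problems.append(f"at least {PASSWORD_MIN_ALPHA} alphabetic characters required")
    if len(password) - alpha < PASSWORD_MIN_NON_ALPHA:
        problems.append(f"at least {PASSWORD_MIN_NON_ALPHA} non-alphabetic character required")
    return problems


def check_credentials(name: str, password: str) -> dict:
    """Apply both checks together, as they would be at security officer or web user creation."""
    return {"name": name_problems(name), "password": password_problems(password)}


if __name__ == "__main__":
    # Constructed sample inputs: one valid pair, one bad first character, one with a space.
    for name, pw in [("so_admin.1", "abc1de"), ("1admin", "abcdef"), ("sec officer", "ab12")]:
        print(name, pw, check_credentials(name, pw))
```

The checks are ASCII-only on purpose: the guide's "alphabetic" and "alphanumeric" refer to the characters a serial console accepts, so a Unicode-aware `str.isalpha()` would wrongly admit letters the appliance may reject.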
Related Documentation
FIPS Overview on page 977
Initializing a Keystore

When the FIPS appliance is powered on from a factory reset or when its configuration is reset, the serial console requires the initialization of a keystore and a self-signed device certificate. The steps for initialization are:

1. During the boot process, the current release's HSM firmware is installed on the FIPS-compliant crypto card HSM.
2. You are prompted to create a new keystore. As part of the new keystore creation, you must provide the following data:
   - The security officer name and password. Save these credentials as they are required for such tasks as creating new restore passwords and for changing the security officer password.
   - The keystore restore or HSM master key backup password. Every time you export the system configuration, save the current restore password for the archived keystore.
   - Web username and password for running cryptographic operations using keys stored in the HSM's keystore.
3. The self-signed certificate creation proceeds as normal except that the HSM is used to generate a secure RSA private key which is stored in the HSM's database.

Related Documentation
FIPS Overview on page 977
Reinitializing the Keystore

If there is a change in the security policy of the deployment that requires the creation of new RSA key pairs and corresponding certificates, you will need to reinitialize the keystore. You can reinitialize the keystore from either a stand-alone node or from a cluster.

To reinitialize the keystore from a stand-alone node:

1. Reboot the stand-alone node.
   During the boot process, you are prompted to re-initialize the keystore.
2. Press y to delete the current keystore and server certificates.

NOTE: If you do not press y within 10 seconds, the appliance will proceed to boot normally.

To reinitialize the keystore from a cluster:

1. Reboot a node within the cluster.
   During the boot process, you are prompted to re-initialize the keystore.
2. Press y to delete the current keystore and server certificates. A new keystore is initialized.

NOTE: If you do not press y within 10 seconds, the appliance will proceed to boot normally.

3. On the node that you rebooted, open the cluster status page in the admin console and wait for all nodes to exit from the "Transitioning" state.
4. For all other nodes in the cluster, connect to the serial console and enter 9 to select FIPS Options and then 1 to select Complete import of keystore and server certificates.
5. Enter the restore password when prompted.

Related Documentation
FIPS Overview on page 977
Joining a Cluster

Joining a cluster involves using both the admin console and serial console. To join a cluster:

1. If you have not already done so, define and initialize a cluster.
   If you are currently running standalone appliances that you want to cluster, we recommend that before you create a cluster, you first configure system and user settings on one machine. After doing so, use the same machine to create the cluster. This machine joins the cluster as part of the creation process. When other Secure Access devices join the cluster, this machine propagates its configuration to the new cluster member.
2. Before you can add an appliance to a cluster, you need to make its identity known to the cluster.
3. Join the appliance to the cluster through the admin console or through the serial console.
   When joining a node to a cluster using the serial console, you are prompted for the cluster keystore's restore password. If the restore password fails, enter 9 to select FIPS Option and then enter 1 to select Complete import of keystore and server certificates.
   When a cluster is created on a node, the node's keystore becomes the cluster's keystore. Any node joining the cluster must import the cluster's keystore. You need the current keystore restore password to do this.
4. When you see the message confirming that the machine has joined the cluster, click the System > Clustering > Cluster Status tab in the admin console of any active cluster member.
5. When all nodes have exited from the "Transitioning" state, connect to the serial console of each node that has a non-CL license and enter 9 to select FIPS Options and then 1 to select Complete import of keystore and server certificates.
6. Enter the cluster keystore restore password.

Related Documentation
FIPS Overview on page 977
Importing Device Certificates

To import a device certificate, generate a CSR from the appliance and then import its corresponding certificate after it is validated by a CA. Each CSR request generates a new RSA key pair.

NOTE: Device certificates without a CSR request from the appliance cannot be imported.

Related Documentation
FIPS Overview on page 977
Changing the Security Officer Password

Occasionally you may want to change the security officer password. In a cluster, you can perform this operation from any node. The new security officer password is updated to the other nodes automatically.

NOTE: Changing the security officer password restarts the web server.

To change the security officer password:

1. Connect to the serial console of the FIPS appliance you want to reset.
2. Enter 9 to select FIPS Option.
3. Enter 2 to select Change security officer password.
4. Enter the existing security officer password.
5. Enter the new password.
6. Re-enter the new password when prompted to confirm.

Related Documentation
FIPS Overview on page 977
Changing the Web User Password

The web username and password are used to securely store the RSA private keys in the HSM's encrypted database. These credentials are used by the SA Series Appliance processes to carry out RSA operations. The keys will never be available for use outside the HSM. You can later change the web password but not the web username.

In a cluster, you can perform this operation from any node. The new password is updated to the other nodes automatically.

NOTE: Changing the web user password restarts the web server.

To change the web password:

1. Connect to the serial console of the FIPS appliance you want to reset.
2. Enter 9 to select FIPS Option.
3. Enter 3 to select Change web user password.
4. Enter the existing web user password.
5. Enter the new password.

Related Documentation
FIPS Overview on page 977
Resetting the HSM Card In Case Of An Error

If the FIPS card LEDs indicate an error or fault, try resetting the HSM card prior to rebooting your appliance.

To reset the HSM card:

1. Connect to the serial console of the FIPS appliance you want to reset.
2. Enter 9 to select FIPS Option.
3. Enter 5 to select Reset the HSM.
4. Observe the LEDs on the FIPS card. If they do not eventually turn green, reboot your appliance.

Related Documentation
FIPS Overview on page 977
Upgrading the HSM Firmware

Some system software upgrades may also require firmware updates. Typically, firmware upgrades occur during the boot process. After the system software updates, the serial console prompts you for the keystore restore password before upgrading the HSM's firmware. If you do not remember the password, you have the option of upgrading the firmware at a later date using the serial console. Note that the web server may not function properly if the firmware upgrade is required and is not updated.

To upgrade the firmware using the serial console:

1. Click the System > Clustering > Cluster Status tab in the admin console and wait for the node to be in the "FIPS disassociated" state.
2. Open a serial console and enter 9 to select the FIPS option.
3. Enter 6 to select Load Firmware.

Related Documentation
FIPS Overview on page 977
Binary Importing and Exporting of the Keystore

Select Maintenance > Import/Export from the admin console to import and export the keystore. You can do this from a stand-alone node or from a node within a cluster. The keystore is exported as part of the system settings configuration file. Safely store the restore password associated with the archived keystore as you will need it for various FIPS operations. If you forget the restore password you can create a new one from the serial console and then re-export the configuration.

To import the keystore, select the Import Key Store and Device Certificate(s) checkbox and import your configuration. After the import process has completed, open a serial console for that FIPS appliance and enter 9 for FIPS Options and then 1 to select Complete import of keystore and server certificates. If the keystore is different from the one installed on the HSM you will be prompted for the keystore's restore password.

NOTE: If you reboot the FIPS appliance without performing the serial console step above, you are prompted to import the keystore during the boot process. Enter y to import the keystore. If you do not enter y within five seconds, the FIPS appliance continues to boot normally. If this occurs, perform the serial console step after the FIPS appliance completes its boot process.

If the FIPS appliance is in a cluster, go to each node within the cluster and perform the serial console step above to complete the keystore import process.

Related Documentation
FIPS Overview on page 977
FIPS Device Status LED Behavior

There are three device status LEDs located on the FIPS card:

- S (Status)
- F (FIPS)
- I (INIT)

Table 50: Status LED

LED      Color and State    Description
STATUS   Off                Bootstrap firmware is executing
STATUS   Blinking green     IDLE, OPERATIONAL, or FAILSAFE state
STATUS   Green              POST or DISABLED state (driver not attached)
STATUS   Blinking red       Error occurred during boot process
STATUS   Red                HALTED (fatal error) state or when a low-level hardware initialization failure occurred
FIPS     Off                Operating in non-FIPS mode
FIPS     Green              Operating in FIPS mode
FIPS     Blinking yellow    Zeroize jumper is present
INIT     Off                Board is not initialized
INIT     Green              Board initialized by security officer
INIT     Yellow             POST, DIAGNOSTIC or FAILSAFE (firmware not upgraded) state
INIT     Blinking yellow    Running diagnostics

Related Documentation
FIPS Overview on page 977