Network Security and Technology

SSL proxy configuration on SRX

Last modified 12-27-2011 11:29 PM

Step 1: Configure a self-signed root certificate
        There are multiple ways to configure a self-signed root certificate. The SSL proxy uses this certificate, and the private key behind it, to re-sign every server certificate it intercepts, so the key must never leave the device and the certificate must be installed in the trust store of every client whose traffic will be inspected.

         a) Generate the key pair and self-signed certificate on the device itself
         root@parle> request security pki generate-key-pair certificate-id
                     ssl-inspect-ca size 2048 type rsa
         Generated key pair ssl-inspect-ca, key size 2048 bits

         root@parle> request security pki local-certificate generate-self-signed
                     certificate-id ssl-inspect-ca domain-name www.juniper.net
                     subject "CN=www.juniper.net,OU=IT,O=Juniper Networks,L=Sunnyvale,ST=CA,C=US"
                     email security-admin@juniper.net
         Self-signed certificate generated and loaded successfully

         root@parle> show security pki local-certificate
 
       Certificate identifier: ssl-inspect-ca
         Issued to: www.juniper.net, Issued by: CN = www.juniper.net, OU = IT,
                    O = Juniper Networks, L = Sunnyvale, ST = CA, C = US
         Validity:
            Not before: 01-15-2011 06:03
            Not after: 01-14-2016 06:03
         Public key algorithm: rsaEncryption(2048 bits)

        "Issued to" and "Issued by" are identical because the certificate is self-signed; this is the root that clients will see as the issuer of every intercepted site's certificate.

Step 2:
Configure an SSL proxy profile that references the root certificate. The profile can also carry a whitelist of address-book entries that are exempted from interception and can be restricted to SSLv3 and TLS 1.0, but only the root CA and the actions are configured in the commands below; the whitelist and protocol settings are not shown.

        #set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca
        #set services ssl proxy profile ssl-inspect-profile actions ignore-server-auth-failure
        #set services ssl proxy profile ssl-inspect-profile actions logs all

        Caveat on ignore-server-auth-failure: with this action the SRX completes the server-side handshake even when the origin server's certificate fails validation (untrusted issuer, expired, name mismatch), and the client only ever sees the certificate re-signed by ssl-inspect-ca, which it trusts. The client therefore loses any ability to notice a bad or spoofed origin certificate. Treat it as a lab setting; in production leave it off, or at least keep logs all enabled and scope the policy tightly.

Step 3:
Enable the SSL proxy service on a traffic stream by means of a security policy. Junos policies live under security policies from-zone/to-zone and require a policy name; ssl-inspect-policy below is an assumed name not given in the original post. The profile is attached with the profile-name keyword.
        # set security policies from-zone trust to-zone untrust policy ssl-inspect-policy match source-address any
        # set security policies from-zone trust to-zone untrust policy ssl-inspect-policy match destination-address any
        # set security policies from-zone trust to-zone untrust policy ssl-inspect-policy match application junos-https
        # set security policies from-zone trust to-zone untrust policy ssl-inspect-policy then permit application-services ssl-proxy profile-name ssl-inspect-profile

After commit, show services ssl proxy statistics should show sessions being intercepted once HTTPS traffic from the trust zone flows, and a client browsing through the SRX will see the site's certificate issued by CN = www.juniper.net rather than by the public CA.
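What a client sees once the policy above is in place, and a check that the proxy is really in the path: the SRX terminates the client's TLS session with a certificate carrying the origin server's name but signed by ssl-inspect-ca, so the issuer changes from the public CA to the inspection CA. The shell script below is an added example, not from the original post or from Juniper. It reproduces that re-signing off-box with OpenSSL, using the same subject the page gives ssl-inspect-ca, and defines the two checks a client-side test would use. The origin hostname origin.example.com and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): models the SSL forward proxy's
# certificate re-signing with OpenSSL and checks which CA a client would see.
# origin.example.com and all file names are assumptions for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Inspection root CA: same subject the page gives ssl-inspect-ca.
#    The private key is the crown jewel; whoever holds it can intercept every
#    client that trusts this CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
  -keyout ssl-inspect-ca.key -out ssl-inspect-ca.pem \
  -subj "/C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=IT/CN=www.juniper.net" \
  >/dev/null 2>&1

# 2. The origin server's own certificate (self-signed here, standing in for
#    one issued by a public CA). This is what the SRX sees on the server side.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -keyout origin.key -out origin-real.pem -subj "/CN=origin.example.com" \
  >/dev/null 2>&1

# 3. The certificate the proxy hands to the client: same subject name,
#    a proxy-held key, signed by the inspection CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout proxy-leaf.key -out proxy-leaf.csr -subj "/CN=origin.example.com" \
  >/dev/null 2>&1
openssl x509 -req -in proxy-leaf.csr -CA ssl-inspect-ca.pem -CAkey ssl-inspect-ca.key \
  -CAcreateserial -days 365 -sha256 -out proxy-leaf.pem >/dev/null 2>&1

# issuer_cn CERT: prints the issuer CN a client would display for CERT.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# proxied_by CERT CA: succeeds when CERT chains to CA, i.e. the session was
# intercepted by the proxy holding CA; fails for a certificate that reached
# the client untouched.
proxied_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

echo "issuer seen by the client through the proxy: $(issuer_cn proxy-leaf.pem)"
echo "issuer seen by the client without the proxy: $(issuer_cn origin-real.pem)"
```

Run it on any host with OpenSSL; the same issuer check, pointed at a real site through the SRX (openssl s_client -connect host:443 -showcerts), tells you whether a given flow is being inspected or has bypassed the policy, which is also the quickest way to confirm a whitelist entry is doing what you expect.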