6.10.5.2 Ensure REST is Set to HTTPS

Information

The REST API should only be accessed using HTTPS

Rationale:

The JUNOS REST API can be configured to accept connections over HTTP, HTTPS, or both; the two listeners are configured independently under the [edit system services rest] hierarchy, so enabling HTTPS does not by itself remove an existing HTTP listener.

HTTP transmits all data (including passwords) in clear text over the network and provides no assurance of the identity of the hosts involved.

Because of this, HTTP should never be used for sensitive tasks such as managing network devices or entering login credentials, and HTTPS transport should be used whenever the REST API is configured.

When configuring HTTPS, a Server Certificate in the device's PKI Store is required. This can be either a 'Self Signed Certificate' or a Certificate issued by a configured/supported Certificate Authority (including internal CAs). A Certificate issued by a CA is preferred, since clients can validate it against a trusted root rather than having to trust it blindly.

Solution

To configure REST over HTTPS, enter the following command from the [edit system services rest] hierarchy:

[edit system services rest]
user@host# set https server-certificate <Certificate ID>

Where <Certificate ID> is the name of a Certificate which has already been loaded to the device's PKI Store. If a plain HTTP listener is also configured under this hierarchy it must be removed, as configuring HTTPS does not disable it; after committing, confirm that only the https statement remains under [edit system services rest].
To create a new Public/Private Key Pair in the device's PKI Store and generate a Certificate Signing Request, issue the following commands from Operational Mode:

user@host> request security pki generate-key-pair certificate-id <Certificate ID> type <Algorithm> size <Size>

user@host> request security pki generate-certificate-request certificate-id <Certificate ID> domain-name <Device DNS Name> subject <Device Subject DN>

Where:
<Certificate ID> is the Name that will be used for this Certificate throughout the configuration
<Algorithm> is the key Algorithm to be used (this should be either rsa or ecdsa; ecdsa is the JUNOS keyword for an ECC key)
<Size> is the number of Bits used for the keys (use at least 2048 bits for RSA or 256 bits for ECDSA)
<Device DNS Name> is the FQDN which will be used to manage the device and <Device Subject DN> is the Distinguished Name used to identify this device and certificate. The FQDN should match the name administrators will actually use to reach the device, otherwise clients will report a name mismatch.
Optionally, fields for email address, the device's IP Address and the output Filename for the PKCS#10 CSR which will be generated can be included.
The CSR should then be submitted to the Certificate Authority for review and signing.
Once the CA returns the Certificate it can be uploaded to the JUNOS device and imported with the following command from Operational Mode:

user@host> request security pki local-certificate load certificate-id <Certificate ID> filename <File Upload Location>

Alternatively, a 'Self Signed' Certificate can be generated using the Public/Private Key Pair previously generated with the following command (the same domain-name and subject details used for a CSR can be supplied):

user@host> request security pki local-certificate generate-self-signed certificate-id <Certificate ID>

Use of Self Signed Certificates is not recommended in secure environments: clients cannot validate them against a trusted CA, so unless the certificate is explicitly pinned by every client, an attacker can present their own self-signed certificate and impersonate the device.
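The following audit check, added here as an illustration and not part of the benchmark or of any Juniper tooling, applies this control to the output of "show configuration system services rest | display set". It passes only when REST is enabled, HTTPS has a server-certificate, and no plain HTTP listener remains, and it generates the JUNOS commands needed to remediate. The two sample configurations, the certificate name "mgmt-cert", the ports and the allowed-sources prefix are constructed for the example.

```python
"""Audit check for 'Ensure REST is Set to HTTPS' on a JUNOS device.

Constructed example: the sample configurations, certificate ID and ports
below are assumed values, not taken from any real device.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample of `show configuration system services rest | display set`
# on a device that still has an HTTP listener and no HTTPS certificate.
WEAK_CONFIG = """\
set system services rest http port 3000
set system services rest https port 3443
set system services rest enable-explorer
"""

# Constructed sample of the same command on a remediated device.
# "mgmt-cert" is an assumed certificate-id already loaded in the PKI store.
HARDENED_CONFIG = """\
set system services rest https server-certificate mgmt-cert
set system services rest https port 3443
set system services rest control allowed-sources 10.0.0.0/24
"""

PREFIX = ("set", "system", "services", "rest")


@dataclass
class RestAuditResult:
    status: str                                  # "PASS", "FAIL" or "NOT_APPLICABLE"
    findings: list[str] = field(default_factory=list)
    remediation: list[str] = field(default_factory=list)   # JUNOS config-mode commands


def audit_rest_https(display_set_output: str, certificate_id: str = "mgmt-cert") -> RestAuditResult:
    """Evaluate the REST hierarchy in `display set` form.

    certificate_id is the name to use in the generated remediation; it is
    assumed to exist in the device's PKI store.
    """
    rest_configured = False
    http_enabled = False
    https_cert: str | None = None

    for raw in display_set_output.splitlines():
        tokens = raw.split()
        if tuple(tokens[:4]) != PREFIX:
            continue                              # statement outside system services rest
        rest_configured = True
        args = tokens[4:]
        if args[:1] == ["http"]:                  # "rest http" with or without a port
            http_enabled = True
        elif args[:2] == ["https", "server-certificate"] and len(args) >= 3:
            https_cert = args[2]

    if not rest_configured:
        # REST is disabled by default; nothing to assess.
        return RestAuditResult("NOT_APPLICABLE", ["REST API is not configured"])

    result = RestAuditResult("PASS")
    if http_enabled:
        result.findings.append("plain-text HTTP listener configured under system services rest")
        result.remediation.append("delete system services rest http")
    if https_cert is None:
        result.findings.append("https has no server-certificate configured")
        result.remediation.append(
            f"set system services rest https server-certificate {certificate_id}"
        )
    if result.findings:
        result.status = "FAIL"
    return result


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        r = audit_rest_https(cfg)
        print(f"{name}: {r.status}")
        for line in r.findings:
            print("  finding:", line)
        for cmd in r.remediation:
            print("  remediate:", cmd)
```

The check deliberately treats a bare "set system services rest http" (no port) as a finding, since the HTTP listener is enabled either way, and reports NOT_APPLICABLE rather than PASS when the hierarchy is absent so that a device with REST disabled is not mistaken for one that has been remediated.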

Default Value:

By default the REST API is disabled.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: d917bb62991b37388587f27746c478a727f345c3eaf9327613563fd263b42a84