6.10.5.3 Ensure REST is Set to use PKI Certificate for HTTPS

Information

The REST API should only be accessed using HTTPS with a PKI Certificate

Rationale:

The JUNOS REST API can be configured to accept connections over either HTTP or HTTPS.

When configured to use HTTPS, X.509 Certificates are used to:

Share Public Encryption Keys

Provide Identity Information

Validate the Web Server's Identity

Enforce Encryption Key Rollover by limiting their validity period

JWeb can be configured to use Self-Signed 'System-Generated' X.509 Certificates, where the JUNOS device makes an identity claim, such as 'I am myrouter.myorg.com', without any external validation. When an administrator connects to JWeb, their browser will generate a Security Error due to this lack of validation, which the user will need to accept in order to proceed to the interface.

Without validation from a trusted Certificate Authority (CA), either an internal or a public CA, administrators may be unable to detect when a management session is being intercepted or impersonated by an attacker. Additionally, a Self-Signed certificate cannot be centrally revoked should a compromise be detected, relying instead on each user manually removing trust for the compromised Certificate.

A Certificate Authority is a Trusted Third Party which validates X.509 Certificates by signing them, using a secure Hashing algorithm and their own Private Key. A CA may be part of an organization's internal Public Key Infrastructure (PKI) or a Public CA service such as those provided by Verisign, Entrust or Microsoft.

Commonly, for signing Certificates used for internal management and systems, Organizations will configure their own PKI rather than paying for Public CA services, configuring their End Points to trust Certificates signed by their CA through Group Policy or similar methods.

Either option is equally acceptable for use with JWeb, but Self-Signed Certificates should not be used.

Impact:

REST API Management may be lost if the Certificate is not valid, or if it is issued by a Certificate Authority which the Network Management/Automation Systems are not configured to trust.

NOTE: REST does not appear to be configured on the target. This check is not applicable.

Solution

To configure REST over HTTPS, enter the following command from the [edit system services rest] hierarchy:

[edit system services rest]
user@host# set https server-certificate <Certificate ID>

Where <Certificate ID> is the name of a Certificate which has already been loaded into the device's PKI Store.
To create a new Public/Private Key Pair in the device's PKI Store and generate a Certificate Signing Request, issue the following commands from Operational Mode:

user@host> request security pki generate-key-pair certificate-id <Certificate ID> type <Algorithm> size <Size>

user@host> request security pki generate-certificate-request certificate-id <Certificate ID> domain-name <Device DNS Name> subject <Device Subject DN>

Where:
<Certificate ID> is the Name that will be used for this Certificate throughout the configuration
<Algorithm> is the public-key Algorithm to be used (this should be either RSA or ECDSA)
<Size> is the number of Bits used for the keys (use at least 2048 bits for RSA or 256 bits for ECDSA)
<Device DNS Name> is the FQDN which will be used to manage the device and <Device Subject DN> is the Distinguished Name used to identify this device and certificate.
Optionally, fields for an email address, the device's IP Address and an output Filename for the PKCS#10 CSR to be generated can be included.
The CSR should then be submitted to the Certificate Authority for review and signing.
Once the CA returns the Certificate, it can be uploaded to the JUNOS device and imported with the following command from Operational Mode:

user@host> request security pki local-certificate load certificate-id <Certificate ID> filename <File Upload Location>
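The procedure above configures the control by hand. As an added example, which is not part of the CIS benchmark or the Tenable audit plugin, the following Python script evaluates a Junos configuration captured in `show configuration | display set` form against the control, reproducing the three outcomes the audit distinguishes: not applicable when REST is absent, fail when REST is reachable over HTTP or HTTPS has no server-certificate bound, pass otherwise. The sample configurations and the optional `ca_issued_ids` set (the operator's own record of which certificate IDs were loaded from a CA-signed file) are constructed assumptions for the example.

```python
"""
Added example (not part of the CIS benchmark or the Tenable audit plugin):
evaluate a Junos configuration, captured in 'show configuration | display set'
form, against the control "REST must use HTTPS with a PKI certificate".

Outcomes mirror the audit's wording:
  NOT_APPLICABLE  REST is not configured at all (the default)
  FAIL            REST is configured but is reachable over plain HTTP, or HTTPS
                  has no server-certificate bound, or the bound certificate ID is
                  not one the operator lists as CA-issued
  PASS            HTTPS is enabled and bound to an acceptable certificate ID
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

REST_PREFIX = "set system services rest"


@dataclass
class RestCheckResult:
    status: str                    # "PASS", "FAIL" or "NOT_APPLICABLE"
    certificate_id: Optional[str]  # ID bound with 'https server-certificate', if any
    findings: List[str] = field(default_factory=list)


def parse_set_statements(config_text: str) -> List[str]:
    """Return the 'set ...' statements, whitespace-normalised, skipping blanks and comments."""
    statements = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        statements.append(re.sub(r"\s+", " ", line))
    return statements


def _under(statements: List[str], prefix: str) -> List[str]:
    """Statements that are exactly 'prefix' or start with 'prefix ' (so 'http' never matches 'https')."""
    return [s for s in statements if s == prefix or s.startswith(prefix + " ")]


def check_rest_https(config_text: str, ca_issued_ids: Optional[Set[str]] = None) -> RestCheckResult:
    """
    ca_issued_ids is an assumption for this example: the operator's own record of
    certificate IDs loaded with 'request security pki local-certificate load'.
    When given, a bound certificate outside this set is reported as a failure.
    """
    rest = _under(parse_set_statements(config_text), REST_PREFIX)
    if not rest:
        return RestCheckResult("NOT_APPLICABLE", None,
                               ["REST API is not configured (disabled by default)"])

    findings: List[str] = []
    http_enabled = bool(_under(rest, REST_PREFIX + " http"))
    https_enabled = bool(_under(rest, REST_PREFIX + " https"))

    # Extract the certificate ID bound to the HTTPS listener, if any.
    cert_id = None
    cert_pattern = re.compile(re.escape(REST_PREFIX) + r" https server-certificate (\S+)")
    for s in rest:
        m = cert_pattern.fullmatch(s)
        if m:
            cert_id = m.group(1)

    untrusted = ca_issued_ids is not None and cert_id is not None and cert_id not in ca_issued_ids

    if http_enabled:
        findings.append("REST is reachable over plaintext HTTP ('set system services rest http')")
    if not https_enabled:
        findings.append("REST HTTPS is not enabled")
    elif cert_id is None:
        findings.append("REST HTTPS is enabled but no 'server-certificate' is bound")
    elif untrusted:
        findings.append(f"certificate ID '{cert_id}' is not in the operator's list of CA-issued certificates")
    else:
        findings.append(f"REST HTTPS uses certificate ID '{cert_id}'")

    failed = http_enabled or not https_enabled or cert_id is None or untrusted
    return RestCheckResult("FAIL" if failed else "PASS", cert_id, findings)


# Constructed sample configurations (not captured from any real device).
SAMPLE_COMPLIANT = """
set system services rest https server-certificate rest-mgmt-cert
set system services rest https port 3443
set system services rest control allowed-sources 192.0.2.10
"""

SAMPLE_NONCOMPLIANT = """
set system services rest http port 3000
set system services rest https
"""

SAMPLE_NO_REST = """
set system services ssh
set system services netconf ssh
"""

if __name__ == "__main__":
    for name, cfg in [("compliant", SAMPLE_COMPLIANT),
                      ("non-compliant", SAMPLE_NONCOMPLIANT),
                      ("no REST", SAMPLE_NO_REST)]:
        r = check_rest_https(cfg, ca_issued_ids={"rest-mgmt-cert"})
        print(f"{name}: {r.status}; " + "; ".join(r.findings))
```

The script inspects the configuration only; it does not validate the certificate chain itself. Pairing it with the operator's record of CA-issued certificate IDs is what turns "a certificate is bound" into "the intended CA-signed certificate is bound", which is the distinction this control is about.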

Default Value:

By default the REST API is disabled.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: dc34d7cfccf5bc77f69f3dbdd76338f0ffcbc9dc0ba164aa71039156fe7f18a1