6.10.2.2 Ensure Web-Management is Set to use HTTPS

Information

JWeb should only be accessed using HTTPS

Rationale:

JWeb can be configured to provide a Web GUI over either HTTP or HTTPS.

HTTP transmits all data (including passwords) in clear text over the network and provides no assurance of the identity of the hosts involved.

Because of this, HTTP should never be used for sensitive tasks such as managing network devices or entering login credentials, and HTTPS should be configured for Web-Management instead.

Impact:

Ensure an alternative method to manage the JUNOS device is configured and working prior to changing the Certificate used for HTTPS to ensure continued access in the event of any errors.

Solution

To enable HTTPS access using the System Generated 'Self Signed' Certificate, issue the following command from the [edit system services web-management] hierarchy:

[edit system services web-management]
user@host# set https system-generated-certificate

Alternatively, you may wish to use a Local Certificate which is stored in the device's Configuration File:

[edit system services web-management]
user@host# set https local-certificate <Certificate Name>

<Certificate Name> should match an X.509 Certificate loaded under the [edit security certificates] hierarchy as shown below:

[edit security certificates]
user@host# set <Certificate Name> load-key-file <File Name/URL>

Where <File Name/URL> is either the name and path of a local Certificate and Key Pair file, or the URL from which the file can be fetched.

Note - This method leaves the Certificate and Private Key as part of the device's Configuration file, potentially exposing them. This is not the preferred method to configure a certificate in most instances.

Finally, you can configure JUNOS to use a PKI-Certificate:

[edit system services web-management]
user@host# set https pki-local-certificate <Certificate Name>

Where <Certificate Name> is an X.509 Certificate which has already been loaded to the JUNOS device's local PKI store.
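The following audit helper is an added example and is not part of the benchmark or of Junos itself. It takes the output of `show configuration system services web-management | display set` (the sample configurations below are constructed, including the interface and certificate names) and reports whether plaintext HTTP is still enabled, whether HTTPS is configured, and which of the three certificate sources described above is in use, flagging the local-certificate method because it keeps the key material in the configuration file.

```python
"""Audit a Junos web-management stanza (in 'display set' form) against the HTTPS control."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a device that still serves clear-text HTTP alongside HTTPS.
SAMPLE_NONCOMPLIANT = """\
set system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
"""

# Constructed sample: HTTPS only, certificate taken from the local PKI store.
SAMPLE_COMPLIANT_PKI = """\
set system services web-management https pki-local-certificate web-mgmt-cert
set system services web-management https interface ge-0/0/0.0
"""

# Constructed sample: HTTPS only, but the certificate and key sit in the configuration file.
SAMPLE_LOCAL_CERT = """\
set system services web-management https local-certificate legacy-cert
"""


@dataclass
class WebMgmtAudit:
    http_enabled: bool = False
    https_enabled: bool = False
    cert_source: Optional[str] = None  # 'system-generated' | 'local' | 'pki-local' | None
    cert_name: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        # The control requires HTTPS and forbids the clear-text listener.
        return self.https_enabled and not self.http_enabled


# Matches 'set system services web-management http|https [options...]'
_WEB_RE = re.compile(r"^set system services web-management (https?)(?:\s+(.*))?$")


def audit_web_management(config_set: str) -> WebMgmtAudit:
    """Parse 'display set' lines and classify the web-management configuration."""
    result = WebMgmtAudit()
    for raw in config_set.splitlines():
        m = _WEB_RE.match(raw.strip())
        if not m:
            continue  # not a web-management line
        proto, rest = m.group(1), (m.group(2) or "")
        if proto == "http":
            result.http_enabled = True
            continue
        result.https_enabled = True
        tokens = rest.split()
        if not tokens:
            continue
        # The three certificate sources the benchmark describes
        if tokens[0] == "system-generated-certificate":
            result.cert_source = "system-generated"
        elif tokens[0] == "local-certificate" and len(tokens) > 1:
            result.cert_source = "local"
            result.cert_name = tokens[1]
        elif tokens[0] == "pki-local-certificate" and len(tokens) > 1:
            result.cert_source = "pki-local"
            result.cert_name = tokens[1]

    if result.http_enabled:
        result.findings.append(
            "web-management http is enabled: credentials traverse the network in clear text")
    if not result.https_enabled:
        result.findings.append("web-management https is not configured")
    elif result.cert_source is None:
        result.findings.append("https is enabled but no certificate source is configured")
    elif result.cert_source == "local":
        result.findings.append(
            f"https uses local-certificate '{result.cert_name}': "
            "certificate and private key are stored in the configuration file")
    return result


if __name__ == "__main__":
    for label, sample in (("non-compliant", SAMPLE_NONCOMPLIANT),
                          ("pki", SAMPLE_COMPLIANT_PKI),
                          ("local-cert", SAMPLE_LOCAL_CERT)):
        r = audit_web_management(sample)
        print(label, "compliant" if r.compliant else "NON-COMPLIANT", r.findings)
```

The helper treats the benchmark's three `https` options as the only recognised certificate sources; an `https` stanza with none of them is reported separately so a reviewer can inspect it by hand rather than have it silently pass.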

Default Value:

Varies by platform. For some Branch and SME focused devices, like the SRX300 or EX2300, JWeb is enabled by default. For most larger Enterprise and SP devices JWeb is disabled by default.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 6f4d6726e01b35a0a077e240c2d0fd60ec748d3dacd0a61a6df7eefc803193b9