6.10.5.4 Ensure REST HTTPS is Set to use Mutual Authentication

Information

The REST HTTPS API should be configured for Mutual Authentication

Rationale:

The JUNOS REST API can be configured for access using either HTTP or HTTPS for connections.

When configured to use HTTPS, X.509 Certificates are used to validate the JUNOS Devices identity to API Clients when they connect. Optionally, TLS Mutual Authentication may also be configured, whereby the REST API Client must also provide an X.509 Certificate signed by a mutually trusted Certificate Authority before it is permitted to connect.

Using a mutually trusted Certificate Authority (CA), either an Internal or Public CA, allows for both the Client Device (such as a Network Automation Server) and JUNOS Device to detect when a management session is being intercepted or impersonated by an attacker. Additionally, a centralized CA is able to revoke any Certificate's which may be compromised or have been issued to Clients who are no longer authorized.

A Certificate Authority is a Trusted Third Party which validates X.509 Certificates by signing them, using a secure Hashing algorithm and their own Private Key. A CA may be part of an organization's internal Public Key Infrastructure (PKI) or an Public CA service such as those provided by Verisign, Entrust or Microsoft.

Commonly, for signing Certificates used for internal management and systems, Organizations will configure their own PKI rather than paying for Public CA Services - configuring their End Points to trust Certificates signed by their CA through Group Policy or similar methods.

Either option is equally acceptable for use REST TLS Mutual Authentication, but a ca-profile must be configured on the JUNOS Device (even where the device has preconfigured trust for some Public CAs).

TLS/HTTPS Mutual Authentication does not replace User Authentication, which is still performed via an HTTP Authentication Header using details configured Local or Remote (via RADIUS/TACACS+) User.

Impact:

REST API Management may be lost if the Certificate is not valid or if Automation/Network Management Systems using the REST API are not also configured to support Mutual Authentication using valid Certificates from the same Certificate Authority.

Solution

To configure REST HTTPS Mutual Authentication, enter the following command from the [edit system services rest] hierarchy:

[edit system services rest]
user@host# set https mutual-authentication <CA Profile>

Where <CA Profile> is the name of an existing Certificate Authority Profile configured on the JUNOS Device for a Trusted CA.
To configure a new CA Profile, use the following commands from the [edit security pki] hierarchy:

[edit security pki]
user@host# set ca-profile <CA Profile> ca-identity <CA ID>

It is recommended that a Certificate Revocation List be set for the CA Profile, by including the <CRL URL> using the following command:

[edit security pki]
user@host# set ca-profile <CA Profile> revocation-check crl <CRL URL>

Finally, the CAs' Public Certificate should be obtained an uploaded to the JUNOS Device and linked to the CA Profile:

[edit security pki]
user@host# run request security pki ca-certificate load ca-profile <CA Profile> filename <path and filename>

Default Value:

By default the REST API is disabled.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), CSCv7|11.5

Plugin: Juniper

Control ID: 3a928ff96ec889d812fbeeb7d13b363d25e7724fd5d24a24834f9e9a07163bc8