Copy certificates after RE replacement in JunOS HA cluster - NETSEC


Cybersecurity Memo

Thursday, January 30, 2014

Copy certificates after RE replacement in JunOS HA cluster

This KB can be used on SRX firewalls as well.

Usually, once you have generated the certificate request and installed the local and CA certificates, both cluster members synchronize the certificates and keys between nodes automatically, since PKI is supported in an SRX cluster environment.

When one node has lost its key-pair and certificates, the following procedure copies them from the other node.


SUMMARY:
This document explains how to copy certificates after an RE replacement in an HA cluster.
PROBLEM OR GOAL:
These certificates and key-pairs are not synchronized from the other node when a new RE is installed.
Because the certificates are not synchronized, any IPsec tunnel that authenticates with certificates goes down after a failover to this node (the one on which the RE was replaced).

The certificates and key-pairs used for IKE negotiation are stored in the following locations:

/var/db/certs/common/key-pair
/var/db/certs/common/local
/var/db/certs/common/certification-authority
SOLUTION:
The procedure is as follows:

1. Start a shell as the root user on both cluster nodes, in two sessions.
2. On the source cluster node, list the contents of the first folder with "ls -la /var/db/certs/common/key-pair/".
3. Run the same command on the destination cluster node and check whether files with the same names already exist there.
4. If the destination folder contains files with the same names, back them up by moving them to another name or location.

===
root@SRX-B% pwd
/var/db/certs/common/key-pair
root@SRX-B% ls -la
total 8
drwx------ 2 root wheel 512 Jan 22 15:09 .
drwx------ 7 root wheel 512 Mar 26 2009 ..
-rw-r--r-- 1 root wheel 0 Jan 22 15:09 test
root@SRX-B% mv test test.old
root@SRX-B% ls -la
total 8
drwx------ 2 root wheel 512 Jan 22 15:10 .
drwx------ 7 root wheel 512 Mar 26 2009 ..
-rw-r--r-- 1 root wheel 0 Jan 22 15:09 test.old
root@SRX-B%
===

5. From the source cluster node, copy the files from the first folder; make sure you use the correct node number for the destination:
===
root@SRX-X% rcp -T /var/db/certs/common/key-pair/* nodex:/var/db/certs/common/key-pair/
===
6. On the destination cluster node, verify with "ls -la" that the files copied from the first node are present.
7. Repeat steps 2 to 6 for each of the three folders.
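Steps 2 to 7 can be scripted so that all three folders are handled the same way and the result is checked byte-for-byte rather than by eyeballing "ls -la". The script below is an added example, not part of the original post or a Juniper-supplied tool. It is written to run as root in the shell of the node whose RE was replaced: for each folder it pulls the files from the surviving node into a staging directory (using the "rcp -T" form the post shows; the peer name, e.g. "node0", is an assumed placeholder), renames any same-named file already on this node to NAME.old (step 4), installs the files, and compares them with cmp (step 6). Files on this node that the peer does not have are left untouched. When the source is given as a plain local directory instead of "nodeN:/path", the same functions work locally, which is how the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): restore the SRX cluster PKI folders
# on a node whose RE was replaced by pulling them from the surviving peer node.
# Usage on the destination node, as root in the shell:   sh sync_pki.sh node0
# "node0" is an assumed placeholder for the peer; the post writes it as "nodex".

# The three folders named in the post.
PKI_DIRS="/var/db/certs/common/key-pair \
/var/db/certs/common/local \
/var/db/certs/common/certification-authority"

# fetch_files SRC STAGE -- copy every file of SRC into the local STAGE directory.
# SRC is "nodeN:/path" for the real cluster case (rcp, as in the post) or a
# plain local directory, which lets the rest of the script be tested offline.
fetch_files() {
    src="$1"; stage="$2"
    case "$src" in
        *:*) rcp -T "$src/*" "$stage"/ ;;   # quoted so the glob expands on the peer
        *)   cp "$src"/* "$stage"/ ;;        # local directory stand-in
    esac
}

# backup_conflicts STAGE DEST -- step 4: rename every file in DEST whose name also
# exists in STAGE to NAME.old. Prints the number of files backed up.
backup_conflicts() {
    stage="$1"; dest="$2"; n=0
    for f in "$stage"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ -e "$dest/$name" ]; then
            mv "$dest/$name" "$dest/$name.old"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# install_files STAGE DEST -- step 5 on the receiving side: move the staged
# files into place, preserving mode and timestamps.
install_files() {
    stage="$1"; dest="$2"
    mkdir -p "$dest"
    cp -p "$stage"/* "$dest"/
}

# verify_files STAGE DEST -- step 6: every staged file must exist in DEST with
# identical content. Returns 0 on success, 1 if anything is missing or differs.
verify_files() {
    stage="$1"; dest="$2"; rc=0
    for f in "$stage"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if ! cmp -s "$f" "$dest/$name"; then
            echo "MISMATCH: $dest/$name" >&2
            rc=1
        fi
    done
    return $rc
}

# sync_folder SRC DEST -- steps 2 to 6 for one folder: fetch into a staging
# directory, back up conflicts, install, verify, clean up.
sync_folder() {
    src="$1"; dest="$2"
    stage=$(mktemp -d) || return 1
    fetch_files "$src" "$stage" || { rm -rf "$stage"; return 1; }
    n=$(backup_conflicts "$stage" "$dest")
    install_files "$stage" "$dest" || { rm -rf "$stage"; return 1; }
    if verify_files "$stage" "$dest"; then rc=0; else rc=1; fi
    rm -rf "$stage"
    echo "$dest: backed up $n existing file(s), verify status $rc"
    return $rc
}

# main PEER -- step 7: run sync_folder for each of the three PKI folders.
main() {
    peer="$1"
    [ -n "$peer" ] || { echo "usage: $0 <peer-node>   e.g. $0 node0" >&2; return 2; }
    for d in $PKI_DIRS; do
        sync_folder "$peer:$d" "$d" || { echo "FAILED: $d" >&2; return 1; }
    done
}

# Only act when a peer node is given, so the functions can be sourced safely.
if [ $# -gt 0 ]; then main "$@"; fi
```

After the script reports verify status 0 for all three folders, "show security pki local-certificate" on the repaired node should list the same certificates as on the peer, and the NAME.old backups can be deleted once an IPsec failover to that node has been tested.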
