128technology · Chr1st0ph3rTurn3r · Mar 22, 2024 · Dec 15, 2023 · Dec 18, 2023 · Dec 18, 2023
@@ -0,0 +1,50 @@
+---
+title: Common Criteria Compliance Guidelines
+sidebar_label: Common Criteria Compliance Guidelines
+---
+
+For compliance, the following configuration considerations must be made:
+
+- FIPS mode must be enabled **during installation**.
+- All configuration procedures must be performed from the PCLI; use of the GUI is not part of the approved use case.
+- When installing a router, the [IPv4 Option Filter](cc_fips_sec_firewall_filtering.md#ipv4-option-filtering) must be set to `drop-all`.
+- When installing a router, the [ICMP Session Match](cc_fips_sec_firewall_filtering.md#from-the-command-line) must be set to `identifier-and-type`.
+- Configure the [TCP Half-Open Connections Limit](cc_fips_sec_firewall_filtering.md#tcp-half-open-connection-limit) for firewall.
+- The `password-policy` must define the minimum password length and maximum number of permitted login attempts per user. Please refer to [`configure authority password-policy`](config_command_guide.md#configure-authority-password-policy) for pcli commands and context for assigning these values.
+- Traffic logging must be enabled by setting the following command to `true`: 
+
+ `configure authority router router system audit traffic enabled true`
+- Any services that are used to enforce evaluated firewall functionality must have a service-policy attached that applies strict transport state enforcement:
+ `configure authority service-policy <service_policy> transport-state-enforcement strict`
+
+ For overview information about service policies, please see [Service and Service Policy Design](bcp_service_and_service_policy_design.md). 
+
+ For information about configuration baselines, please see [Service Policy Baseline Configuration](bcp_service-policy_defaults.md)
+
+<!---It was once mentioned that sometimes clients may not want to enforce this, especially in HA configurations as the states are not synced across devices. It should be made clear to users that this feature must be configured on services where the evaluated firewall capabilities are expected to be enforced. It is up to the users whether to enable this or not if they have no need to enforce the firewall security functionality on the relevant service.--->
+
+## Out of Scope Features
+
+The following functionality and platforms are not supported under Common Criteria.
+
+- Non-Juniper branded hardware platforms and Juniper branded hardware platforms not explicitly included.
+- Juniper SSR Software for virtual platforms.
+- HTTPS/TLS, IPSec, SNMP, RADIUS.
+- X.509 certificate management, validation or verification.
+- Virtual Private Network (VPN) and Intrusion Prevention System (IPS) functions.
+- Graphical User Interface (GUI) and Juniper MIST.
+
+The SSR Hardware has no physical restrictions for Common Criteria certification, however, there is an assumption of physical security.
+
+## Installation Process Overview
+
+Installation of the SSR network devices should follow the following high-level process:
+
+Installation is done from the SSR ISOs, typically from a bootable image on a flash drive or disk. The install process is as follows:
+- [Download the OTP ISO](intro_downloading_iso.md)
+- [Create Bootable Media](intro_creating_bootable_usb.md)
+- [Install a Conductor](cc_fips_conductor_install.md)
+- [Create the Router configuration with the Conductor](intro_basic_router_config.md) or [Import a Configuration](single_conductor_config.md)
+- [Install the Router using the OTP ISO](cc_fips_router_install.md) 
+
+For the compliant installation process and configuration parameters please refer to the specific [Conductor](cc_fips_conductor_install.md) or [Router](cc_fips_router_install.md) Installation and Configuration procedure.
@@ -0,0 +1,266 @@
+---
+title: Conductor Installation - FIPS
+sidebar_label: Conductor Installation - FIPS 
+---
+
+This process assumes you have already created a bootable device using a USB. Instructions for downloading and creating a bootable device are available in [Downloading an SSR ISO](intro_downloading_iso.md) and [Creating a Bootable USB](intro_creating_bootable_usb.md).
+
+The steps in this section describe the *interactive conductor installation* from the packaged-based ISO. The section [Initialize the Conductor](#initialize-the-conductor-node) describes using the Initializer to configure the system as a Conductor after installing from the Interactive ISO.
+
+:::note
+The Conductor installation must be completed before installing a Session Smart Router or routers using the ISO. The same ISO is used for both installations.
+:::
+
+## Prerequisites
+
+- Ensure that the platform you are installing on meets the [SSR hardware requirements](about_supported_platforms.md#minimum-platform-specifications).
+- Verify that the boot priority of the USB drive is properly listed in the system BIOS.
+- Local console connectivity to the device/VM. 
+
+## Installation Type
+
+After imaging the ISO onto removable media, insert it into the SSR device and power it on.
+
+Upon boot, the following screen is displayed. The default selection is booting to the serial console (115200 baud). You must manually choose the installation process suited for your environment. 
+
+To install using the Interactive Installation, use the arrow keys to select either `Install 128T Routing Software Serial Console` or **`Install 128T Routing Software VGA Console`**. As noted earlier, this guide describes the Conductor installation process using the Interactive Installation, specifically using the VGA console.
+
+![VGA Boot with Interactive Install](/img/cc_install_conductor_interactive.png)
+
+:::note
+Because not all hardware has video support, booting to the serial console 115200 baud is the default, and is automatically selected after 30 seconds. When using the serial console, the terminal size is 80x25 - anything smaller may result in abnormal navigation behavior.
+
+Selecting the wrong type of console (Serial or VGA) may result in garbled characters being displayed. If allowed to continue it will result in an incorrect installation. If the wrong console is selected, reboot the target system and select the correct line for the target hardware.
+::: 
+
+#### Install via Serial Console
+
+Use this option when running on hardware with no video chipset. It uses `/dev/ttyS0` 115200 baud as the serial console for interacting with the installer. 
+
+For serial console issues please refer to [Serial Console Troubleshooting](ts_serial_console_tsing.md).
+
+#### Install via VGA Console
+
+Use this option when running on hardware that has onboard graphics chipsets. This installs SSR software using the GUI installer.
+
+## FIPS Mode
+
+To enable FIPS Enforcement for SSR software version 6.2.3-14R2, add the `fips=1` kernel option  to the kernel command line during system installation as shown in the steps below. This ensures that key generation is done with FIPS approved algorithms and continuous monitoring tests in place.
+
+### VGA Console
+
+1. Use up/down keys to highlight the desired install mode. 
+
+  ![Bios Install](/img/cc_install_conductor_interactive.png)
+
+2. Press **TAB** to edit the configuration.
+
+3. Add `fips=1` to the end of the `vmlinuz` parameters.
+
+  ![FIPS Parameter](/img/ccfips_BIOSinstall_2.png)
+
+4. Press **Enter** to start the install.
+
+### Serial Console
+
+1. Use up/down keys to highlight the desired install mode. 
+
+  ![Serial Install Selection](/img/install_serial_conductor_interactive1.png)
+
+2. For FIPS press `e` to edit and append `fips=1`.
+
+  ![FIPS Parameter](/img/cc_fips_serial_conductor.png)
+
+3. Press **Enter** to start the install. 
+
+## Conductor Installation 
+
+After the Linux installation completes, the SSR software installation begins. Note that this may take several minutes to complete (up to 40 minutes). After the installation has completed, the following screen is displayed:
+
+![Installation Complete](/img/intro_installation_bootable_media_install_complete.png)
+
+Select `<Yes>` to shut down the system. Remove the bootable media, then power the system up to complete the installation process. 
+
+### Initial Boot and NMTUI
+
+When the system boots from the `Install 128T Routing Software...` Interactive Installation work flow, the system asks whether to configure initial Linux Networking before the SSR Initializer is started.
+
+![128T NetManager TUI Start](/img/Initializer_Serial0.png)
+
+Selecting `Yes` launches the NMTUI application to perform an initial network interface setup.
+
+![128T NetManager TUI Option](/img/Initializer_Serial1.png)
+
+### Configure the Network Interface 
+
+Configure the IP address that will be used to manage the network routers.  
+
+1. Select the device ethernet interface that corresponds to the management port for your Conductor and select `<Edit>`
+
+<img src="/img/nmtui-linux-a.png" alt="Configure the Ethernet port" width="192" height="243" />
+
+2. In the Edit Connection screen, configure the following:
+- The IP address for the port
+- the Gateway IP address
+- DNS server addresses
+
+<img src="/img/nmtui-linux-b-static-ipv4-config.png" alt="Edit Connection" width="654" height="394" />
+
+3. Scroll to the bottom of the screen and select `Automatically Connect` and `Available to All Users`, then select OK. 
+
+<img src="/img/nmtui-linux-c-static-ipv4-autoconx.png" alt="Edit Connection" width="654" height="394" />
+
+4. From the NMTUI screen, select `Set system hostname`, and `<OK>`.
+
+<img src="/img/nmtui-linux-set-hostname.png" alt="Select Hostname" width="354" height="381" />
+
+5. Enter the hostname and select `<OK>`. Note that the hostname will be used as the Asset ID.
+
+<img src="/img/nmtui-linux-set-hostname2.png" alt="Add Hostname" width="354" height="381" />
+
+6. From the NMTUI screen, select `Activate a connection`, and `<OK>`.
+
+7. Select the port, and `<Activate>`. 
+
+<img src="/img/nmtui-linux-activate-port.png" alt="Activate port" width="379" height="378" />
+
+ When the port has been activated, an asterisk will appear next to the port name.
+
+```
+Ethernet (enp2s0f0)
+* enp2s0f0
+```
+8. Select `<Back>` and then `<Quit>` NMTUI.
+
+The Initializer process starts automatically.
+
+### Initialize the Conductor Node
+
+The SSR Initializer tunes your operating system, prepares the platform to run the SSR software, and creates the bootstrapping files necessary to load the software. The Initializer is launched on first boot.
+
+There are three different types of conductor installations; 
+- Standalone Conductor 
+- [Conductor High Availability](ha_conductor_install.mdx)
+- [Conductor High Availability for Cloud Deployments](intro_initialize_HA_conductor.md)
+
+## Standalone Conductor
+
+1. On the SSR Initializer wizard screen, use the space bar to select the **Conductor** role for the SSR node, and press the **Enter** key to select **OK**.
+
+  ![SSR Role](/img/initializer_Serial2.png)
+
+2. When asked _What kind of Conductor node is this?_, select **Standalone** from the following options:
+
+  ![Identify the Node](/img/initializer_standalone.png)
+
+- **Standalone:** This conductor has no highly available peer, and is not currently planned for high availability.
+
+3. Enter the following system properties on the **Node Info** screen:
+
+    ![Node Information](/img/initializer_Serial5a.png)
+
+    - **Node Name:** The name of the system within your Conductor, in this example, _test-conductor_. By default this field uses the Linux system's hostname. The node name identifies the conductor node under the **Conductor** element in the Authority. 
+
+    :::note
+    Both routers and conductors can consist of one node (for standalone systems) or two nodes (for highly available systems).
+    :::
+    - **Conductor Name:** The name of the Conductor system as a whole. When referring to a running SSR software instance, it is identifiable by the full name; e.g., `test-conductor.conductor`. The full system name is reflected in the PCLI prompt.
+
+4. On the **Password Setup** screen, create a password for the SSR Admin user. The administrator password must be at least 8 characters long, contain at least 1 uppercase letter, at least 1 lowercase letter, at least 1 number, cannot contain the username in any form, and cannot repeat characters more than 3 times. This operation is only performed on the standalone or first node in the HA peer, and the password must be entered twice. 
+  :::note
+  Resetting a password requires entering the old password. If a password is lost or forgotten and the account is inaccessible, the account cannot be recovered. Please keep password records accessible and secure. 
+  :::
+
+  ![Password Setup](/img/initializer_Serial6.png)
+
+5. Press the **Enter** key to select **OK**. The Initializer performs a hardware compatibility check. The compatibility check may fail due to warnings or failure notices, which are displayed in the output script. If no failures are present, you can choose to continue with the installation even if multiple warnings exist. For information on why a specific test may have failed or generated a warning, contact Juniper Technical Support.
+
+6. When prompted, select `<Yes>` to start the conductor. 
+
+  ![Initializer Complete](/img/initializer_complete.png)
+
+### Verify the Installation
+
+After installing the SSR Software it is important to verify that the installation was completed successfully.
+
+### To Verify the SSR Installation:
+
+After starting the Conductor, the login screen appears. 
+
+1. Login using the admin credentials.
+
+```
+test-conductor login: admin
+Password:
+```
+  ![Conductor Admin Login](/img/conductor_install1.png)
+
+2. Enter the Linux shell:
+
+  a. Type `exit` to exit the PCLI.
+
+  b. Type `shell` and press `Enter` to enter the linux shell.
+
+3. Log into the command window as `root`.
+4. Execute the command: `sudo systemctl status 128T`
+
+![Linux Shell](/img/conductor_install2.png)
+
+5. When the service is listed as _Active_, log into the system using the system default password. By logging into the system, you have verified the installation. 
+
+### Change the Default Passwords
+
+The following user accounts and passwords are created during the ISO installation process:
+
+| Username | Password   |
+| -------- | ---------- |
+| root     | 128tRoutes |
+| t128     | 128tRoutes |
+
+It is *strongly recommended* that you change these passwords immediately. Use the `passwd` command from the UNIX window.
+
+```
+[t128@test-conductor ~]$ passwd
+Changing password for user t128
+Changing password for t128
+(current)UNIX password:
+New password:
+Retype new password: 
+passwd: all authentication tokens updated successfully.
+[t128@test-conductor ~]$ su - 
+Password:
+[root@test-conductor ~]# passwd
+Changing password for user root.
+New password:
+Retype new password: 
+passwd: all authentication tokens updated successfully.
+[root@test-conductor ~]#
+```
+
+### Configure the Token
+
+Once the system has been setup for the first time, the next step is to provision credentials for SSR software access on the conductor. Provisioning the software credentials on the conductor propagates those settings down to all of the managed routers.
+
+Use the PCLI command `set software access-token`. For information on this command, see [`set software access-token`](cli_reference.md#set-software-access-token).
+
+From the root user in the workflow above, run the `pcli` command to access the PCLI and configure the token.
+
+```
+[root@test-conductor ~]# pcli
+Starting the PCLI...
+[email protected]# set software access-token <username> <password>
+Saving...
+Waiting for process to complete
+...(messages removed for brevity)...
+Making the DNF cache
+No further operation requested. Exiting
+Installer complete
+Successfully saved credentials.
+[email protected]#
+```
+
+## Next Steps - Router Configuration
+
+Congratulations, you have successfully installed and configured a conductor! The next step is to optimize the router onboarding process. Creating router configurations on the conductor allows individual routers to download the necessary configuration to get up and running smoothly. 
+
+A sample branch router configuration is available as a [**template**](config_templates.md#default-templates) on the conductor. This is a great place to start the configuration process. Additionally, you can create configuration templates that allow administrators to automate the configuration of top level resources. For more information, see [Configuration Templates](config_templates.md). 
@@ -0,0 +1,39 @@
+---
+title: Username and Password Policies
+sidebar_label: Username and Password Policies
+---
+
+| Release | Modification |
+| ------- | ------------ |
+| 5.6.0   | Feature introduced |
+| 6.0.1   | Added Max failed login attempts and User lock time. |
+| 6.0.4   | Added Username requirements. |
+
+### Password Requirements
+
+The SSR password policies have been updated to provide a more secure experience. When creating passwords and password policies for users, the following parameters are enforced.
+
+1. Password must contain 1 capital, 1 lower case, 1 number and 1 special character.
+2. Password must be at least 9 characters.
+3. Minimum password length is configurable (greater than 9).
+4. When a password is changed, characters must be changed in at least eight of the positions within the password.
+5. The minimum password lifetime is 24 hours/1 day.
+6. There is a 60-day maximum password lifetime restriction.
+7. Password reuse is prohibited for a minimum of **five** generations.
+8. A temporary password for system logons is allowed, with an **immediate** change to a permanent password.
+9. The default admin password **must** be changed to strong password on first use.
+10. The maximum failed login attempts are configurable, with a default of 6.
+11. User lock time (time the user must wait before attempting login after reaching the max failed attempts) is configurable. The default is 1800 seconds.
+
+### Username Requirements
+
+1. Usernames may contain only lower and upper case letters, digits, underscores `_`, or dashes `-`. 
+2. They can end with a dollar sign `$`. 
+3. Dashes `-` are not allowed at the beginning of the username. 
+4. Fully numeric usernames and usernames beginning with `.` are not recommended. 
+5. Usernames may only be up to 32 characters long.
+6. The `.` character is allowed within a username: `firstname.lastname`.
+
+:::important
+After upgrading to a release with new username pattern support, users can add a username using the above requirements. However, after rolling back a node to the previous release, the username delete will fail because the old user data model does not support the new format. Usernames that do not support the **old** username pattern should be deleted before rolling back nodes. If they are not, those users cannot be deleted after the rollback.
+:::
@@ -0,0 +1,10 @@
+---
+title: Introduction - Common Criteria and FIPS Mode
+sidebar_label: Introduction - Common Criteria and FIPS Mode
+---
+
+The focus of this document is to provide the required configuration steps to install and operate the SSR in a manner consistent with the requirements of Common Criteria and FIPS. 
+
+Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards. In the Common Criteria Recognition Arrangement (CCRA) at http://www.commoncriteriaportal.org/ccra/, the participants agree to mutually recognize evaluations of products performed in other countries. All evaluations are performed using a common methodology for information technology security evaluation.
+
+For more information on Common Criteria, see http://www.commoncriteriaportal.org/.