
Juniper: Introduction to the Junos Operating System, “PKI: DSA verify fails.”

How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware

As of August 18, 2014, all boot loaders and ScreenOS firmware images downloaded from the Juniper Networks Software Download Site are signed with the new Image Authentication Certificate.

ScreenOS can verify the authenticity of binary images provided by Juniper Networks. An image (firmware) authentication signature has been included in every ScreenOS build since version 2.6.1r1. Once the ScreenOS authentication certificate (the “image key”, file imagekey.cer) has been loaded onto a Juniper Networks firewall or VPN device (ISG Series, NetScreen Series, and SSG Series), ScreenOS validates the signature of the image stored in flash at every reboot. If validation fails, the device will not load the image. The same check applies to ScreenOS firmware upgrades and downgrades: if the image cannot be validated with the installed image key, the upgrade or downgrade fails.

Validating image authenticity improves both security and stability. With the feature enabled, ScreenOS rejects unsigned, wrongly signed, or damaged images before they are booted, so the administrator must store an authentic software image on the device before it will boot, which protects the device against tampered and potentially unstable software.

When a firmware update fails, you may see the following error in the event log: “PKI: DSA verify fails.” It means the DSA signature on the image could not be verified with the image key installed on the device, typically because the image is signed with the new key while the device still holds the old one (or the other way round).

SOLUTION:

Validating the Image Authentication Certificate

Before loading the image key onto the Juniper Networks security device, confirm the integrity of the key file itself: the image key is the trust anchor for every later signature check, so a tampered imagekey.cer would let an attacker’s images pass as authentic. Compare the checksum of the downloaded imagekey.cer file with the values below, using a tool such as md5sum, sha1sum, or sha256sum on Unix/Linux. Prefer the SHA-256 value; MD5 and SHA-1 are collision-weak and are listed for compatibility with older tooling. Take the reference values from Juniper’s KB page rather than from the same location you downloaded the file from.

New Image Key (download)
$ md5sum imagekey.cer 
99def4b80b75ed65aad52a5fc3ed1131  imagekey.cer

$ sha1sum imagekey.cer 
06c3c15b88de548b18814d4389d18a20f65a5845  imagekey.cer

$ sha256sum imagekey.cer 
02b107f0679bc5d5aa0ab49be52043bb31f2a010a980573c53dc3fc815e1d7f3  imagekey.cer
Old Image Key (download)
$ md5sum imagekey.cer 
ccfcd027e20c9cc38b5d8dac17c7199f  imagekey.cer

$ sha1sum imagekey.cer 
2af0d97abbb58821650445cd517050fd0cfa2684  imagekey.cer

$ sha256sum imagekey.cer 
bab2f722cbba13a73d9af4c17af9c34d62ac71b4c9e8bbb9bac5df1fdceb0261  imagekey.cer
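
The following Python script, added here as a worked example and not part of the original KB article, performs the comparison above for both keys. The digest values are copied from the table above; the file path is a command-line argument, and the function and variable names are this example’s own. It accepts a file as a known key only when all three digests agree and reports a partial match separately, since a file that matches on one digest but not the others is either a transcription error in the expected values or a tampered file, and should not be loaded either way.

```python
"""Verify a downloaded imagekey.cer against the digests Juniper publishes.

Added example, not part of the original KB article. The digest values are
the ones listed above; the file path is an argument.
Run:  python3 check_imagekey.py imagekey.cer
"""
import hashlib
import sys

# Published digests for the two ScreenOS image authentication certificates
# (values copied from the table above).
KNOWN_KEYS = {
    "new": {
        "md5": "99def4b80b75ed65aad52a5fc3ed1131",
        "sha1": "06c3c15b88de548b18814d4389d18a20f65a5845",
        "sha256": "02b107f0679bc5d5aa0ab49be52043bb31f2a010a980573c53dc3fc815e1d7f3",
    },
    "old": {
        "md5": "ccfcd027e20c9cc38b5d8dac17c7199f",
        "sha1": "2af0d97abbb58821650445cd517050fd0cfa2684",
        "sha256": "bab2f722cbba13a73d9af4c17af9c34d62ac71b4c9e8bbb9bac5df1fdceb0261",
    },
}


def digests(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of the certificate bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def classify_imagekey(data: bytes) -> str:
    """Return "new", "old", "mismatch" or "unknown".

    A file counts as a known key only when all three digests agree with the
    published values. A partial match (some digests agree, some do not) is
    reported as "mismatch" rather than accepted on the strongest hash alone.
    """
    got = digests(data)
    for label, expected in KNOWN_KEYS.items():
        matches = [got[algo] == expected[algo] for algo in expected]
        if all(matches):
            return label
        if any(matches):
            return "mismatch"
    return "unknown"


def main(path: str) -> int:
    with open(path, "rb") as f:
        data = f.read()
    verdict = classify_imagekey(data)
    for algo, value in digests(data).items():
        print(f"{algo:7s} {value}")
    print(f"verdict: {verdict} image key ({len(data)} bytes)")
    # Only the new key should be loaded; anything else is a stop condition.
    return 0 if verdict == "new" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "imagekey.cer"))
```

The exit status makes the check usable from a deployment script: a non-zero status means “do not run save image-key with this file”.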

Validating the Boot Loader and the ScreenOS Firmware

The newly released boot loaders and ScreenOS firmware images contain no code or content changes; they are identical to the earlier releases except that they are signed with the new image key. The version numbers are therefore unchanged, and you cannot tell which key an image was signed with from its version string alone.

To determine whether the device is running ScreenOS firmware signed with the old image key, first check the installed image key with the hidden CLI command exec pki test skey and look at its non-zero values (refer to 2. Checking the Installed Image Key). Note that this shows which key is installed, not which key signed the running image; to check the image itself, compare its checksum against KB29296 – ScreenOS and Boot Loader Checksum Values Signed by Old and New Image Key.

Once you are confident of the integrity of the new image key and have established that the running ScreenOS firmware is signed with the old image key, follow the steps below to install the new image key and then the boot loader and/or ScreenOS firmware signed with it.

1. Saving the Configuration

Before proceeding with the following steps, back up the configuration. You can do this through either the WebUI or the CLI.

On the WebUI, navigate to Configuration > Update > Config File and click “Save to File”.

On the CLI, type save config to tftp <IP address of TFTP server> <config filename>

For example,
SSG550-> save config to tftp 172.22.152.251 ssg550_config_backup 
Read the current config.
 Save configurations (3064 bytes) to ssg550_config_backup on TFTP server 172.22.152.251.
!!!!!!!!!!!!!!
tftp transferred records = 6
tftp success!

TFTP Succeeded

2. Checking the Installed Image Key

If an image key is already installed, you will see output similar to the following (non-zero values). If the output shows all zeros, no image key is installed.

NOTE: The device stores only one image key; installing the new image key overwrites the previous one. The installation status of the image key can be checked only through the hidden CLI command exec pki test skey.

SSG550-> exec pki test skey

(snip)

KEY1  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
 
KEY2  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
 
KEY3  N/A len =432
 308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0


NOTE: The non-zero values above, beginning 308201ac, indicate the old image key. The leading bytes are the DER SEQUENCE header of the stored certificate: 30 82 01 ac announces 0x1ac = 428 content bytes, which together with the 4 header bytes gives the reported len =432. The new image key begins 308201ad (429 content bytes, len =433), reading left to right. If you wish to update to the new key, go to step 3. Updating the Image Key. If the new image key is already installed, go to step 4. Upgrading ScreenOS.

The following example shows that an image key is not installed (all zero values).

SSG550-> exec pki test skey 

(snip)

KEY1  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234
 
KEY2  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234
 
KEY3  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=dead1234

NOTE: If no image key is installed and you do not want to authenticate the boot loader (ISG Series and NetScreen Series only) and ScreenOS in future, skip step 3. Updating the Image Key. Without an image key the device will boot any image, signed or not, so this is not recommended for production devices.

3. Updating the Image Key

If WebUI access or a TFTP server is available, you can install the new image key through the WebUI or the CLI respectively.

On the WebUI :

  1. Download the new image key (imagekey.cer)
  2. Save it to accessible local storage
  3. Login to the device.
  4. Navigate to ”Configuration > Update > ScreenOS/Keys” using the navigation tree on the left side of the screen
  5. Select the ”Image Signature Key Update” radio button and click Browse
  6. Navigate to the location where you saved the image key and click Open
  7. Click Apply

On the CLI :

  1. Download the new image key (imagekey.cer)
  2. Save it to TFTP server
  3. Make a console, Telnet, or SSH connection to the Juniper Networks security device
  4. Login to the device
  5. Type save image-key tftp (IP address of tftp server) imagekey.cer command
For example,
SSG550-> save image-key tftp 172.22.152.251 new/imagekey.cer
Load file  from TFTP 172.22.152.251 (file: new/imagekey.cer).
!!!!!
tftp received octets = 863
tftp success!
Done

TFTP Succeeded

If the image key is installed successfully, you will see output similar to the below (non-zero values). If the output shows all zero (0), then the image key is not installed.

SSG550-> exec pki test skey

(snip)

KEY1  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
 
KEY2  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
 
KEY3  N/A len =433
 308201ad02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651     magic1 = f7e9294b magic2=0
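
The following Python script is an added example, not part of the original KB article and not a Juniper tool. It parses exec pki test skey output in the format shown in step 2 and in the post-install output above, checks that the reported len agrees with the DER SEQUENCE header at the start of the stored blob (30 82 01 ac is 4 + 428 = 432 bytes, 30 82 01 ad is 4 + 429 = 433 bytes), and classifies each slot as none, old, new, unknown or corrupt. The device prints only a prefix of the hex, so the script validates the header, not the full certificate. The three sample transcripts are constructed from the outputs on this page; all function and variable names are this example’s own.

```python
"""Triage the output of 'exec pki test skey'.

Added example, not part of the original KB article. Parses the three KEY
slots, checks the reported len against the DER header, and classifies the
installed key. Sample transcripts are constructed from this page's outputs.
"""
import re

# Leading bytes of the stored certificate as shown by the device.
# 30 82 01 ac = DER SEQUENCE, long-form length 0x01ac = 428 -> 4 + 428 = 432
# 30 82 01 ad = DER SEQUENCE, long-form length 0x01ad = 429 -> 4 + 429 = 433
KNOWN_HEADERS = {"308201ac": "old", "308201ad": "new"}

# One slot: "KEY1  N/A len =432" then a line of hex followed by the magic words.
SLOT_RE = re.compile(
    r"^(KEY\d)\s+\S+\s+len\s*=\s*(\d+)\s+([0-9a-fA-F]+)\s+"
    r"magic1\s*=\s*(\w+)\s+magic2\s*=\s*(\w+)",
    re.MULTILINE,
)


def der_total_length(hex_prefix):
    """Total object length implied by a leading DER SEQUENCE header, or None.

    Handles short-form lengths (< 0x80) and long-form lengths of 1..4 bytes.
    """
    head = hex_prefix[:12]
    head = head[: len(head) & ~1]          # keep an even number of hex digits
    b = bytes.fromhex(head)
    if len(b) < 2 or b[0] != 0x30:         # not a SEQUENCE (e.g. all zeros)
        return None
    first = b[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(b) < 2 + n:
        return None
    return 2 + n + int.from_bytes(b[2:2 + n], "big")


def parse_skey(text):
    """Return one dict per KEY slot found in the transcript."""
    return [
        {"slot": m.group(1), "len": int(m.group(2)), "hex": m.group(3).lower(),
         "magic1": m.group(4), "magic2": m.group(5)}
        for m in SLOT_RE.finditer(text)
    ]


def classify_slot(entry):
    """'none' for an empty slot; otherwise old / new / unknown / corrupt."""
    if entry["len"] == 0 or set(entry["hex"]) == {"0"}:
        return "none"
    if der_total_length(entry["hex"]) != entry["len"]:
        return "corrupt"                   # len disagrees with the DER header
    return KNOWN_HEADERS.get(entry["hex"][:8], "unknown")


def triage(text):
    """Classify every slot and give an overall verdict (slots should agree)."""
    slots = {e["slot"]: classify_slot(e) for e in parse_skey(text)}
    if not slots:
        overall = "no KEY slots found"
    else:
        distinct = set(slots.values())
        overall = distinct.pop() if len(distinct) == 1 else "inconsistent"
    return {"slots": slots, "overall": overall}


def _sample(length, hexline, magic2):
    """Three identical slots in the device's output format (constructed)."""
    return "".join(
        f"KEY{i}  N/A len ={length}\n {hexline}     magic1 = f7e9294b magic2={magic2}\n \n"
        for i in (1, 2, 3)
    )


OLD_HEX = "308201ac02010002818100fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b651"
NEW_HEX = "308201ad" + OLD_HEX[8:]
OLD_SAMPLE = _sample(432, OLD_HEX, "0")
NEW_SAMPLE = _sample(433, NEW_HEX, "0")
EMPTY_SAMPLE = _sample(0, "0" * len(OLD_HEX), "dead1234")

if __name__ == "__main__":
    for name, sample in (("old", OLD_SAMPLE), ("new", NEW_SAMPLE), ("empty", EMPTY_SAMPLE)):
        print(name, triage(sample))
```

On a real device, paste the captured command output into triage(); an “inconsistent” or “corrupt” verdict means the three slots disagree with each other or with their own DER header, which is not something a clean key installation produces. The magic2 value is captured but not interpreted: the transcripts on this page show dead1234 on a device that never had a key and 0 after delete crypto auth-key, which may help tell those two cases apart.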


If only CLI access is available and no TFTP server is reachable, you cannot install the new image key. In that case, delete the installed old image key with the CLI command delete crypto auth-key and go to step 4. Upgrading ScreenOS. Be aware that with no image key installed the device performs no image authentication at boot (see the notes in step 4), so reinstall the new image key as soon as a TFTP server or WebUI access is available.
The following example shows that no image key is present after the deletion.

SSG550-> delete crypto auth-key 
SSG550-> exec pki test skey 

(snip)

KEY1  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=0
 
KEY2  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=0
 
KEY3  N/A len =0
 0000000000000000000000000000000000000000000000000000000000000000000000000000000000     magic1 = f7e9294b magic2=0

NOTE: Do not run the CLI command delete crypto file. It deletes all crypto files on the device, including ones that may be in use by other services.

NOTE: The image key cannot be deleted through the WebUI.

4. Upgrading ScreenOS

On ISG1000/2000, NS5200/NS5400 (boot loader upgrade is required) :

You must have a console connection and a TFTP server reachable through the ‘mgt’ interface, because the device will prompt you to install a boot loader if it cannot authenticate the installed boot loader with the new image key.
While the device boots, it checks the integrity of the installed boot loader and of the ScreenOS firmware.

NOTE: If the old image key was deleted with the CLI command delete crypto auth-key, the device skips the integrity check of the boot loader and the ScreenOS firmware at boot. You will see the message Ignore image authentication! on the console while the device boots.

On the CLI :

1. Download the ScreenOS firmware signed with the new image key from the ScreenOS Download site
2. Save it to TFTP server
3. Login to the device through the console port
4. Type save software from tftp (IP address of TFTP server) (ScreenOS image filename) to flash command
For example,
ns5200-> save software from tftp 172.22.152.251 new/ns5000.6.3.0-M2A.r17.0 to flash 
Load software from TFTP 172.22.152.251 (file: new/ns5000.6.3.0-M2A.r17.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(snip)
tftp received octets = 13541072
tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 15, cpu = 16, version = 18
 update new flash image (04243150,13541072)
platform = 15, cpu = 16, version = 18
offset = 20, address = 4000000, size = 13540994
date = 71c0efb8, sw_version = 71c0efbc, cksum = c491f61c
Image authenticated!
Program flash (13541072 bytes) ...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++done
Done


5. Reboot the device with the reset command and install the boot loader that is signed with the new image key

NOTE: While the device boots, it prints the following prompts on the console to guide you through installing the boot loader signed with the new image key.

OS Loader File Name []: (type boot loader file name)
Self IP Address []: (TFTP client (device) IP address)
TFTP IP Address []: (TFTP server IP address)
For example,
ns5200-> reset
System reset, are you sure? y/[n] y
In reset ...


Juniper Networks NS-5000-II BootROM Version 1.0.0 (Checksum: FE499CCD)
Copyright (c) 1998-2004 Juniper Networks, Inc.

Total physical memory: 2048MB
    Test - Pass
    Initialization................ Done

Hit key 'X' and 'A' sequentially to update OS Loader....

Loading OS Loader from on-board flash memory... ++++
Done!

********Invalid DSA signature <- The installed boot loader (OS Loader) cannot be authenticated using the new image key

********Bogus image - not authenticated


OS Loader File Name [new/ns5000.6.3.0-M2A.r17.0]: new/Load5000v104.d  <- Boot loader file signed with the new image key
Self IP Address [172.19.50.252]: 172.22.152.49
TFTP IP Address [172.19.50.129]: 172.22.152.251

Save loader config (56 bytes)... Done

Loading file "new/Load5000v104.d"...
(snip)
Loaded successfully! (size = 447,576 bytes)

Image authenticated!  <- Boot loader is authenticated using the new image key

Program OS Loader to on-board flash memory... ++++
Done!

Start loading...
....................
Done.


Juniper Networks NS-5000-II OS Loader Version 1.0.4

Initialize FBTL 0.. Done

Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware

Loading default system image from on-board flash disk...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Done! (size = 13,631,488 bytes)

Image authenticated! <- ScreenOS firmware is authenticated using the new image key

Start loading...
(snip)
Done.
Configuring Imperial FPGA... Done



Juniper Networks, Inc
NS-5000 System Software
Copyright, 1997-2008

Version 6.3.0r17.0
(snip)

NOTE: After the device boots successfully, you can check the version of the installed boot loader with the CLI command get system; look for the value of “OS Loader Version”.

ns5200-> get system
Product Name: NetScreen-5200-II
Serial Number: 0040012001000011, Control Number: 00000000
Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.3.0r17.0, Type: Firewall+VPN
BOOT ROM Version: 1.0.0
OS Loader Version: 1.0.4

(snip)


On SSG 20/140/320M/350M/520/520M/550/550M :

On SSG Series it is not required to update the boot loader, because the integrity of the boot loader is checked only when a boot loader is installed; there is no image-key check of the boot loader at boot time. The existing boot loader on the SSG device therefore keeps working after the image key is updated.

NOTE: If the old image key was deleted with the CLI command delete crypto auth-key, the device skips the integrity check of the ScreenOS firmware at boot. You will see the message Ignore image authentication! on the console while the device boots.

On the WebUI :

  1. Download the ScreenOS firmware signed with the new image key from the ScreenOS Download site
  2. Save it to accessible local storage.
  3. Login to the device.
  4. Navigate to ”Configuration > Update > ScreenOS/Keys” using the navigation tree on the left side of the screen.
  5. Select the ”Firmware Update (ScreenOS)” radio button and click Browse.
  6. Navigate to the location where you saved the ScreenOS firmware image and click Open.
  7. Click Apply.

NOTE: If the device has the old image key and you try to install a ScreenOS firmware image that is signed by the new image key, the installation process will stop because the ScreenOS firmware cannot be authenticated using the old image key. You will see a pop-up window displaying “Firmware update failed”. In this case, you need to either install the new image key prior to installing the new ScreenOS firmware or delete the image key (refer to the above step 3. Updating the Image Key).

On the CLI :

1. Download the ScreenOS firmware signed with the new image key from the ScreenOS Download site
2. Save it to the TFTP server.
3. Login to the device
4. Type save software from tftp (IP address of TFTP server) (ScreenOS image filename) to flash command
SSG550-> save software from tftp 172.22.152.251 new/ssg500.6.3.0r17.0 to flash 
Load software from TFTP 172.22.152.251 (file: new/ssg500.6.3.0r17.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(snip)

tftp received octets = 11627247
tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 23, cpu = 11, version = 2
 update new flash image (02572fd0,11627247)
platform = 23, cpu = 11, version = 2
offset = 20, address = 0, size = 11627169
date = 9422, sw_version = 808031, cksum = 954806c3
Program flash (11627247 bytes) ...

(snip)

5. After successful ScreenOS firmware installation, type reset command to reboot the device

NOTE: If the ScreenOS firmware cannot be authenticated with the installed image key during installation, the error messages “Invalid image!!!” and “Bogus image – not authenticated!!!” are displayed and the installation stops. When the upgrade succeeds, the device shows “Image authenticated!” on the console at the next reboot.

SSG550-> reset
System reset, are you sure? y/[n] y
In reset ...

(snip)

ScreenOS Saipanloader V1.0.7
Built Mar 19 2009/15:54:12
watchdog_probe, 1132 bus/dev/fn = 0/248 ich = 2640
boot_drive = 80
start1 = 0768, start2 = 3840

Hit 'X' and 'A' to upgrade bootloadermounting FAT16 partition
file size = 112
size = 112, sizeof(nvram_rec) = 112

Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware
Hit any key to load new firmware/$nsboot$.bin 
file size = 11627247

hdr->magic_number = 81ba16ee, hdr->platform_type = 1700, hdr->cpu_type = 11

Image authenticated! 

(snip)

NOTE: If the device has the old image key and you try to install ScreenOS firmware that is signed with the new image key, the installation process will stop because the ScreenOS firmware cannot be authenticated using the old image key. You will see output similar to the below. In this case, you need to either install the new image key prior to installing the ScreenOS firmware or delete the image key (refer to the above step 3. Updating the Image Key).

SSG550-> save software from tftp 172.22.152.251 new/ssg500.6.3.0r17.0 to flash 
Load software from TFTP 172.22.152.251 (file: new/ssg500.6.3.0r17.0).
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(snip)
tftp received octets = 11627247
tftp success!

TFTP Succeeded
Save to flash. It may take a few minutes ...platform = 23, cpu = 11, version = 2
 update new flash image (02572fd0,11627247)
platform = 23, cpu = 11, version = 2
offset = 20, address = 0, size = 11627169
date = 9422, sw_version = 808031, cksum = 954806c3
********Invalid image!!! ********Bogus image - not authenticated!!!

(snip)
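
As an added example that is not part of the original article, the Python script below classifies the image-authentication messages quoted in this step (“Image authenticated!”, “Invalid DSA signature”, “Bogus image - not authenticated”, “Invalid image!!!”, the event-log line “PKI: DSA verify fails.” and “Ignore image authentication!”) when run over a saved console capture. The severity labels and the function names are this example’s own, and the sample captures are constructed from the transcripts on this page. Its main use is across a fleet: a device that printed Ignore image authentication! booted with no image key installed, meaning signature checking was skipped entirely, and should be treated as a finding to remediate by reinstalling the key.

```python
"""Flag image-authentication outcomes in a ScreenOS console capture.

Added example, not from the original KB article. The message strings are the
ones quoted in this article's transcripts and notes; the captures below are
constructed from them. Severity labels are this script's own convention.
"""
import re

# Ordered rules: the first matching rule wins. (regex, finding, severity)
RULES = [
    (re.compile(r"Ignore image authentication!"),
     "booted with image authentication disabled (no image key installed)", "high"),
    (re.compile(r"Bogus image - not authenticated"),
     "image rejected: signature does not verify with the installed image key", "high"),
    (re.compile(r"Invalid DSA signature"),
     "DSA signature check failed on boot loader or firmware", "medium"),
    (re.compile(r"Invalid image!!!"),
     "firmware upload rejected during save software", "medium"),
    (re.compile(r"PKI: DSA verify fails"),
     "event log: firmware update signature check failed", "medium"),
    (re.compile(r"Image authenticated!"),
     "image signature verified with the installed image key", "info"),
]

SEVERITY_RANK = {"high": 3, "medium": 2, "info": 1}
VERDICT = {3: "FAIL", 2: "WARN", 1: "OK", 0: "UNKNOWN"}


def classify_line(line):
    """Return a finding dict for a line that matches a rule, else None."""
    for pattern, finding, severity in RULES:
        if pattern.search(line):
            return {"severity": severity, "finding": finding, "line": line.strip()}
    return None


def triage_capture(text):
    """Summarise a capture as FAIL / WARN / OK / UNKNOWN plus its findings.

    UNKNOWN means no authentication message was seen at all, which on its own
    deserves a look: a normal boot with a key installed prints at least one.
    """
    findings = [f for f in map(classify_line, text.splitlines()) if f]
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    return {"verdict": VERDICT[worst], "findings": findings}


# Constructed captures, assembled from lines quoted on this page.
CLEAN_BOOT = """\
Loading default system image from on-board flash disk...
Done! (size = 13,631,488 bytes)
Image authenticated!
Start loading...
"""
KEY_MISMATCH_BOOT = """\
Loading OS Loader from on-board flash memory... ++++
********Invalid DSA signature
********Bogus image - not authenticated
OS Loader File Name [new/ns5000.6.3.0-M2A.r17.0]:
"""
NO_KEY_BOOT = """\
Hit any key to load new firmware
Ignore image authentication!
Start loading...
"""

if __name__ == "__main__":
    for name, cap in (("clean", CLEAN_BOOT), ("mismatch", KEY_MISMATCH_BOOT),
                      ("nokey", NO_KEY_BOOT)):
        result = triage_capture(cap)
        print(f"{name:9s} {result['verdict']}")
        for f in result["findings"]:
            print(f"  [{f['severity']}] {f['finding']}")
```

A FAIL during a planned key rollover is expected exactly once (the old boot loader or firmware is rejected and you are prompted for the new one); a FAIL or an Ignore image authentication! finding on an unattended reboot is not, and should be investigated.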

NOTE: To update the boot loader signed with the new image key on SSG Series, you must have a console connection and a TFTP server reachable through the interface(s) pre-assigned in boot loader mode (usually ‘eth0/0’), and you must manually interrupt the boot sequence by holding the Shift key and pressing ‘X’ and ‘A’ in sequence when the “Hit ‘X’ and ‘A’ to upgrade bootloader” message appears on the console.

After installing the new image key, type the CLI command reset to reboot the device. Then hold the Shift key down and press ‘X’ and ‘A’ in sequence.
SSG550-> reset
System reset, are you sure? y/[n] y
In reset ...

(snip)

ScreenOS Saipanloader V1.0.7
Built Mar 19 2009/15:54:12
watchdog_probe, 1132 bus/dev/fn = 0/248 ich = 2640
boot_drive = 80
start1 = 0768, start2 = 3840

Hit 'X' and 'A' to upgrade bootloader   <- Hold ‘Shift key’ and hit ‘X’ and ‘A’ in sequence
Loader File Name:new/Loadssg500v107.d   <- Bootloader filename signed with the new image key
Self IP Address :172.22.152.35          <- TFTP client IP address
TFTP IP Address :172.22.152.251         <- TFTP server IP address
IP MASK :255.255.255.0
Gateway IP Address :172.22.152.1


Saipan motherboard proto 3 or later detected
Probing...[Ethernet0/0 and Ethernet0/1]

Initiating hardware and waiting for link up ...


Initiating hardware and waiting for link up ...
self_ip = 172.22.152.35, tftp_server_ip = 172.22.152.251
ip = 172.22.152.35 mask = 255.255.255.0 gw = 172.22.152.1 svr = 172.22.152.251
network_ready = 1
new/Loadssg500v107.d


121078 bytes downloaded from tftp server
old img size = 121032, new img size = 121032, load = 121078, sig = 46
S
Image authenticated!    <- Bootloader is authenticated using the new image key
mounting FAT12 partition
file /boot2 size was 121079, new size is 121078
getting sector information
boot1 size = 512
boot2 size = 512
boot1_sector = 807, boot2_sector = 1051
offset = 512
[1052][1053][1054][1055][1056][1057][1058][1059][1060][1061][1062][1063][1064][1065][1066][1067][1068][1069][1070][1071][1072][1073][1074][1075][1076][1077][1078][1079][1080][1081][1082][1083][1084][1085][1086][1087][1088][1089][1090][1091][1092][1093][1094][1095][1096][1097][1098][1099][1100][1101][1102][1103][1104][1105][1106][1107][1108][1109][1110][1111][1112][1113][1114][1115][1116][1117][1118][1119][1120][1121][1122][1123][1124][1125][1126][1127][1128][1129][1130][1131][1132][1133][1134][1135][1136][1137][1138][1139][1140][1141][1142][1143][1144][1145][1146][1147][1148][1149][1150][1151][1152][1153][1154][1155][1156][1157][1158][1159][1160][1161][1162][1163][1164][1165][1166][1167][1168][1169][1170][1171][1172][1173][1174][1175][1176][1177][1178][1179][1180][1181][1182][1183][1184][1185][1186][1187][1188][1189][1190][1191][1192][1193][1194][1195][1196][1197][1198][1199][1200][1201][1202][1203][1204][1205][1206][1207][1208][1209][1210][1211][1212][1213][1214][1215][1216][1217][1218][1219][1220][1221][1222][1223][1224][1225][1226][1227][1228][1229][1230][1231][1232][1233][1234][1235][1236][1237][1238][1239][1240][1241][1242][1243][1244][1245][1246][1247][1248][1249][1250][1251][1252][1253][1254][1255][1256][1257][1258][1259][1260][1261][1262][1263][1264][1265][1266][1267][1268][1269][1270][1271][1272][1273][1274][1275][1276][1277][1278][1279][1280][1281][1282][1283][1284][1285][1286][1287][1288][1289][1290]
write boot2's start sector back at sector 1051
write mbr back at sector 0
mounting FAT16 partition
file size = 112
size = 112, sizeof(nvram_rec) = 112
system rebooting...  <- After successful bootloader installation, the device will automatically try to reboot

(snip)

********Invalid DSA signature  <- If the previously installed ScreenOS firmware is signed with the old image key, the new image key cannot authenticate it, and the device prompts you to install a ScreenOS firmware image signed with the new image key

********Bogus image - not authenticated
mounting FAT16 partition
file size = 112
Serial Number []: READ ONLYc) = 112
BOM Version Number []: READ ONLY
Self MAC Address [0000-0000-0000]: READ ONLYip = 1.1.1.1 svr = 1.1.1.2
self_ip_buf = 1.1.1.1, tftp_ip_buf = 1.1.1.2


Firmware File Name [old/ssg500.6.3.0r17.0]: new/ssg500.6.3.0r17.0  <- Type the ScreenOS firmware filename signed with the new image key
Self IP Address [1.1.1.1]: 172.22.152.35   <- TFTP client IP address
TFTP IP Address [1.1.1.2]: 172.22.152.251  <- TFTP server IP address
IP MASK [255.255.255.0]:
Gateway IP Address [172.22.152.251]:

Save loader config (112 bytes)... Done

Saipan motherboard proto 3 or later detected
Probing...[Ethernet0/0 and Ethernet0/1]

Initiating hardware and waiting for link up ...
self_ip = 172.22.152.35, tftp_server_ip = 172.22.152.251
ip = 172.22.152.35 mask = 255.255.255.0 gw = 172.22.152.251 svr = 172.22.152.251
network_ready = 1
new/ssg500.6.3.0r17.0
offset = 0, maxposition = 11627247
11627247 bytes downloaded from tftp server

hdr->magic_number = 81ba16ee, hdr->platform_type = 1700, hdr->cpu_type = 11

Image authenticated!  ← ScreenOS is authenticated

Save to on-board flash disk? (y/[n]/m) No  <- You should press ‘n’ key 
Run downloaded system image? ([y]/n) Yes   <- You should press ‘y’ key

(snip)

System change state to Active(1)

login:
