Skip to content

Configuration of OpenJTS

Change the APP_SECRET

Gnmi and Netconf passwords are encrypted into the DB. JTSO uses an external secret that could be changed if needed. For that edit the .env file:

1
2
3
4
5
vi compose/.env

[...]
APP_SECRET="DEFAULT_APP_SECRET_CHANGE_ME"
[...]

A change of the secret requires a reboot of the stack (if this one was running during the modification):

1
2
3
4
cd compose/

docker compose down
docker compose up -d

Enable HTTPS (Optional)

If you want to enable HTTPS for both JTSO and Grafana, you can generate a self-signed certificate (see below) or use your own certificate.

1. Generate Self-Signed Certificates

1
2
3
4
5
6
7
8
# Go to the jtso certificate directory
cd ./compose/jtso/cert

sudo openssl genrsa -aes256 -passout pass:gsahdg -out server.pass.key 4096
sudo openssl rsa -passin pass:gsahdg -in server.pass.key -out server.key
sudo rm server.pass.key

sudo openssl req -new -key server.key -out server.csr

You will be prompted to enter certificate information:

1
2
3
4
5
6
7
Country Name (2 letter code) [AU]: FR
State or Province Name (full name) [Some-State]: France
Locality Name (eg, city) []: Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Juniper
Organizational Unit Name (eg, section) []: AWAN
Common Name (e.g. server FQDN or YOUR name) []: myserver
Email Address []: xxx@yyy.com

Then generate the certificate:

1
sudo openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt

2. Enable HTTPS in JTSO

Edit the JTSO configuration file:

1
sudo vi compose/jtso/config.yml

Update the portal module by setting https to true:

1
2
3
4
5
modules:
  portal:
    https: true
    server_crt: "server.crt"
    server_key: "server.key"

Then change the JTSO port from 80 to 443 in .env file

1
2
3
4
5
vi compose/.env

[...]
JTSO_PORT=443
[...]

You must restart the stack then (if this one was running during the modification):

1
2
3
4
cd compose/

docker compose down
docker compose up -d

3. Copy Certificates to Grafana Cert Folder

1
2
cd compose/jtso/cert
sudo cp server.* ../../grafana/cert

4. Enable HTTPS in Grafana

Edit the Grafana configuration file:

1
sudo vi compose/grafana/grafana.ini

Update the server section like that:

1
2
3
4
[server]
protocol = https
cert_file = /tmp/server.crt
cert_key = /tmp/server.key

You must restart the Grafana container then (if this one was running during the modification):

1
2
3
cd compose/

docker compose restart grafana

Incoming Ports

By default:

  • JTSO Portal → TCP port 80
  • Grafana → TCP port 8080
  • Chronograf → TCP port 8080

You can modify these public-facing ports by editing the .env file before starting the stack.

1
2
3
4
5
cat compose/.env

GRAFANA_PORT=8080
CHRONOGRAF_PORT=8081
JTSO_PORT=80

If you change the Grafana public port, you must also update the JTSO configuration:

1
sudo vi compose/jtso/config.yml

1
2
3
modules:
  grafana:
    port: 8080

You must restart the Grafana container then (if this one was running during the modification):

1
2
3
cd compose/

docker compose restart grafana

Outgoing Ports

OpenJTS establishes TCP sessions toward routing devices for:

  • NETCONF → default TCP 830
  • gNMI (gRPC) → default TCP 9339

These ports can be modified if required. Once modified, it requires to restart JTSO - don't forget to modify your router's config as well. 

1
2
3
cd compose/

docker compose restart jtso

Change NETCONF Port

Edit:

1
sudo vi compose/jtso/config.yml

And modify the netconf port: 

1
2
3
protocols:
  netconf:
    port: 830

Change gNMI Port

Edit:

1
sudo vi compose/jtso/config.yml

And modify the gNMI port: 

1
2
3
protocols:
  gnmi:
    port: 9339

gNMI with TLS (Global Configuration)

To enable TLS for gNMI across all routers, create a self-signed CA.
⚠️ Keep the naming convention as shown below.

1. Create Root CA

1
2
3
4
cd compose/telegraf/cert

sudo openssl genrsa -out RootCA.key 2048
sudo openssl req -x509 -new -key RootCA.key -days 3650 -out RootCA.crt

2. (Optional) Generate Telegraf Client Certificate

1
2
3
sudo openssl genrsa -out client.key 2048
sudo openssl req -new -key client.key -out client.csr
sudo openssl x509 -req -in client.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out client.crt -days 365

3. Generate Router Certificate (Repeat for Each Router)

1
2
3
4
sudo openssl genrsa -out router.key 2048
sudo openssl req -new -key router.key -out router.csr
sudo openssl x509 -req -in router.csr -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -out router.crt -days 365
cat router.crt router.key > router.pem

Upload the following files to each router (e.g., /var/tmp):

  • router.pem
  • client.crt
  • RootCA.crt

Then apply the following configuration:

1
2
3
4
5
6
edit exclusive
set security pki ca-profile ca1 ca-identity caid1
set security certificates local lcert load-key-file /var/tmp/router.pem
commit and-quit

request security pki ca-certificate load ca-profile ca1 filename /var/tmp/RootCA.crt

Configure Your Network Devices

Apply this generic configuration on each router

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
edit exclusive

# NETCONF User
set system login user netconf_user class super-user
set system login user netconf_user authentication encrypted-password ""

# gNMI User
set system login user gnmi_user class super-user
set system login user gnmi_user authentication encrypted-password ""

# NETCONF SERVICE
set system services netconf ssh
set system services netconf rfc-compliant  # optional

commit and-quit

Then prior to Junos/EVO 25.2 - use this config snippet for configuring gNMI service:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
edit exclusive

# Clear-text gRPC
set system services extension-service request-response grpc clear-text port 9339
set system services extension-service request-response grpc max-connections 8
set system services extension-service request-response grpc skip-authentication

# OR TLS gRPC
set system services extension-service request-response grpc ssl port 9339
set system services extension-service request-response grpc ssl local-certificate lcert

# Optional mutual authentication - Add:
set system services extension-service request-response grpc ssl mutual-authentication certificate-authority ca1
set system services extension-service request-response grpc ssl mutual-authentication client-certificate-request require-certificate-and-verify

commit and-quit

Starting from Junos/EVO 25.2 I recommend to use this new config snippet: 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
edit exclusive

# Clear-text gRPC
set system services http servers server MY-SERVER port 9339
set system services http servers server MY-SERVER grpc gnmi
set system services http servers server MY-SERVER clear-text

# OR TLS gRPC
set system services http servers server MY-SERVER port 9339
set system services http servers server MY-SERVER grpc gnmi
set system services http servers server MY-SERVER tls local-certificate lcert

# Optional mutual authentication - Add:
set system services http servers server MY-SERVER tls mutual-authentication certificate-authority ca1
set system services http servers server MY-SERVER tls mutual-authentication authentication-type request-and-require-cert-and-verify

commit and-quit