diff --git a/geant/gap_ansible/plugins/ansible.cfg b/geant/gap_ansible/plugins/ansible.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..341647c0a905e7842f08617d9381f563fadcd853
--- /dev/null
+++ b/geant/gap_ansible/plugins/ansible.cfg
@@ -0,0 +1,6 @@
+[defaults]
+library = ./modules
+host_key_checking = False
+
+[netconf_connection]
+ssh_config = False
diff --git a/geant/gap_ansible/plugins/connection/netconf.py b/geant/gap_ansible/plugins/connection/netconf.py
index 97e679c5ec097329a22edb08a9143e914bec0537..9275f5dc2687c62c53db5fa5b7d367239cff1cbb 100644
--- a/geant/gap_ansible/plugins/connection/netconf.py
+++ b/geant/gap_ansible/plugins/connection/netconf.py
@@ -403,6 +403,18 @@ class Connection(NetworkConnectionBase):
             self._manager = manager.connect(**params)
 
             self._manager._timeout = self.get_option("persistent_command_timeout")
+            if self._config_mode == "private" and "junos" in self._network_os.lower():
+                open_rpc = (
+                    '<open-configuration '
+                    'xmlns="http://xml.juniper.net/xnm/1.1/xnm" '
+                    'private="true"/>'
+                )
+                try:
+                    # exec_command() will wrap to_ele(...) + manager.rpc(...)
+                    self.exec_command(open_rpc)
+                    self.queue_message("log", "opened Junos private candidate")
+                except Exception as e:
+                    raise AnsibleError(f"Failed to open private candidate: {to_text(e)}")
         except SSHUnknownHostError as exc:
             raise AnsibleConnectionFailure(to_native(exc))
         except AuthenticationError as exc:
@@ -438,6 +450,16 @@ class Connection(NetworkConnectionBase):
             self._manager.close_session()
         super(Connection, self).close()
 
+        # if self._config_mode == "private" and "junos" in self._network_os.lower():
+        #     close_rpc = (
+        #         '<close-configuration '
+        #         'xmlns="http://xml.juniper.net/xnm/1.1/xnm"/>'
+        #     )
+        #     try:
+        #         self.exec_command(close_rpc)
+        #     except Exception:
+        #         pass
+
     def set_config_mode(self, config_mode):
         """Set the config_mode passed from the module."""
         if config_mode:
diff --git a/geant/gap_ansible/plugins/inventory.ini b/geant/gap_ansible/plugins/inventory.ini
new file mode 100644
index 0000000000000000000000000000000000000000..34e78ba6562415a75a211510e6e6a0bf7796e6ee
--- /dev/null
+++ b/geant/gap_ansible/plugins/inventory.ini
@@ -0,0 +1,2 @@
+[junos]
+my-junos ansible_host=62.40.119.4 ansible_user=gap-test ansible_password=concept_gear_ESSENTIAL93 ansible_connection=netconf ansible_network_os=juniper.junos.junos
diff --git a/geant/gap_ansible/plugins/test-junos-private.yml b/geant/gap_ansible/plugins/test-junos-private.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c6987085af5ff43630041e523677ec48ccb40bd4
--- /dev/null
+++ b/geant/gap_ansible/plugins/test-junos-private.yml
@@ -0,0 +1,16 @@
+- name: Test private-candidate junos_config
+  hosts: junos
+  gather_facts: no
+  collections:
+    - geant.gap_ansible      # <-- your locally installed collection
+
+  tasks:
+    - name: Open private candidate, push a change and commit
+      geant.gap_ansible.junos_config:          # <-- module from geant.gap_ansible
+        lines:
+          - set system services ssh root-login allow
+        config_mode: private
+      register: result
+
+    - debug:
+        var: result