KB Article | Forcepoint Support

Problem Description

Environment

Sidewinder Control Center 5.3.2

Summary

All Control Center certificate authority (CA) certificates will expire on or about December 26, 2019. This applies to every deployed Control Center server. This article describes how to generate a new Control Center CA certificate. We highly recommend that you run this procedure before December 26, 2019; otherwise, all communication to the Control Center server will cease on or after that date.

Resolution

Determine if the CA certificate needs to be updated

To show the contents of the current Control Center certificate authority certificate, including its validity dates, type the following command and press ENTER:

openssl x509 -text -in /usr/local/tomcat/JavaCA/cacert.pem

Look at the Not After line in the Validity section of the output. If that date is far in the future, no further action is needed.

If the expiration date is upcoming, create a new CA certificate for Control Center

Before you complete any steps in this Knowledge Base article, we recommend that you do the following to ensure that the process works correctly:

  • Create a backup of your Control Center server. For instructions, see "Back up your configuration files" in the "Control Center maintenance" chapter of the Control Center Product Guide.
  • Upgrade to 532P14, especially if you use Control Center in FIPS mode.

Important:  If the Management Server is running with the High Availability (HA) option, use the High Availability Removal Wizard to stop HA. Perform the following steps on both the primary and secondary servers after HA has been stopped.

  1. Check the Control Center and firewall settings to ensure that they are as expected and that the Control Center and the firewall are communicating with each other.
  2. Log in to Control Center and become root:
    1. At the console, log in as admin (for example, mgradmin).
    2. Type the following command and press ENTER:
      su - root
    3. Type the root password and press ENTER.
    4. Wait for the root prompt.
  3. Type the following command and press ENTER. It replaces every occurrence of 2000 with 2018 in that script, so keep a copy of the file and review the change before continuing:
    sed -i 's/2000/2018/g' /etc/firstboot/cclib/makejavaca.sh
  4. Type the following command and press ENTER:
    /usr/local/bin/clear_cacert.sh
  5. Type the following command and press ENTER:
    reboot
  6. To retrieve the Control Center server certificate, launch the Control Center client, then click '...' next to Server.
  7. Type the username and password, then click OK.
  8. Confirm the Control Center server certificate.
  9. Log in to the Control Center server using the Control Center client.
    All firewalls will show a red status until they are re-registered, as described in the next section.

Important: You will continue to receive a pop-up about the CA certificate expiration even after creating a new CA certificate. Select the check box in the pop-up message to disable the notification. If you want to verify that a new CA certificate has been created, use the 'openssl' command as explained in the beginning of this article to check the validity dates of the new CA certificate. 

Important:  If the Management Server was originally part of an HA cluster, use the High Availability Setup Wizard to recreate HA. Be sure you have run the steps above on both the primary and secondary servers before recreating HA.
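The following script is an added example for the check at the beginning of this article and for the sed step above; it is not a Forcepoint script. It uses the certificate path, the script path and the sed substitution exactly as given in this article. The 90-day warning threshold, the makejavaca.sh.orig backup name and the check/preview/apply subcommands are assumptions made for the example. Run it as root on the Control Center server before step 3; the apply action is the only one that modifies anything.

```shell
#!/bin/sh
# Pre-flight helper for the Control Center CA renewal described above.
# Added example, not a Forcepoint script. Paths and the substitution come
# from the article; the 90-day threshold and ".orig" backup are assumptions.

CC_CACERT="/usr/local/tomcat/JavaCA/cacert.pem"
CC_MAKEJAVACA="/etc/firstboot/cclib/makejavaca.sh"

# ca_days_left_ok CERT [DAYS]
# Prints the CA's Not After date. Returns 0 if the certificate is still valid
# for at least DAYS more days (default 90), 1 if it expires sooner, 2 if the
# file cannot be read as a PEM certificate.
ca_days_left_ok() {
    cert="$1"
    days="${2:-90}"
    openssl x509 -noout -enddate -in "$cert" || return 2
    # -checkend exits 0 if the certificate will NOT expire within N seconds.
    openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null
}

# preview_substitution SCRIPT
# Lists every line the article's sed command would touch. The substitution is
# global, so any other occurrence of "2000" in the script changes as well;
# read this output before running apply_substitution.
preview_substitution() {
    grep -n '2000' "$1"
}

# apply_substitution SCRIPT
# Keeps a copy of the original script, applies the article's substitution,
# and shows the resulting diff. Returns 0 if the file changed, 1 if there was
# nothing to change, 2 if the copy or the sed command failed.
apply_substitution() {
    script="$1"
    cp "$script" "$script.orig" || return 2
    sed -i 's/2000/2018/g' "$script" || return 2
    if diff -u "$script.orig" "$script"; then
        echo "no occurrences of 2000 in $script; nothing changed" >&2
        return 1
    fi
    return 0
}

# Usage on the Control Center server (as root):
#   sh cc_ca_preflight.sh check     # report whether the current CA needs renewal
#   sh cc_ca_preflight.sh preview   # show which lines the sed step would change
#   sh cc_ca_preflight.sh apply     # back up makejavaca.sh and run the sed step
main() {
    case "$1" in
        check)
            if ca_days_left_ok "$CC_CACERT" 90; then
                echo "CA valid for more than 90 days; no renewal needed"
            else
                echo "CA expires within 90 days or could not be read; follow the renewal steps" >&2
                return 1
            fi ;;
        preview) preview_substitution "$CC_MAKEJAVACA" ;;
        apply)   apply_substitution "$CC_MAKEJAVACA" ;;
        *) echo "usage: $0 check|preview|apply" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The check action answers the question at the top of this article without reading the full -text dump: -checkend compares the Not After date against a window, so the same script can be run from cron on each Control Center server as a reminder. The preview action exists because the substitution is global; if it lists more than the line you expect, inspect the script by hand rather than running apply.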

For each firewall, do the following:

  1. Log in to the Control Center server using the Control Center client.
  2. Select Policy, then expand the Firewalls tree to show the firewalls.
  3. Right-click the firewall, then select Re-register Device.
  4. Fill in the SSH username and password, then click Next.
  5. On the next screen, click Register.
  6. After the registration is done, click Next.
  7. Select Firewall Dialog Information.
    Other items are automatically selected.
  8. Click Finish and confirm the selection.
  9. Select Control Center server Dashboard > Firewalls.
  10. Click Update Status for the firewall.
    The status should be yellow with a Policy Mismatch message.
  11. Select Policy, then expand the Firewalls tree to show the firewalls.
  12. Right-click the firewall, then select Edit Firewall Settings.
  13. Browse to Settings > Other and verify that the Allow Secure Alerts to be sent to Control Center option is selected.
  14. Validate the firewall, save the changes, and then apply the changes to the firewall.
