Important DO NOT LEAVE THE ATTACHMENT ON CUSTOMER ENVIRONMENTS
For expired DLP CA.cer certificates, see the (now customer-facing) article Forcepoint DLP CA.CER Certificate Expires Every 5 Years / DLP Certificate Recreation Procedure.
The Infrastructure Installer creates the EIP certificates with a default expiration of 5 years. The installer uses the EIP.wsi file, which includes the steps for EIP SSL certificate creation.
An existing customer has the option to renew only the EIP certificates rather than running the installation again. This is done using the attached eip_createSSLScript.vbs script.
This script has the following features:
- Variables with default values at the top of the script (these should be verified/edited before execution)
- A configurable trace mode that prints the actual commands as they are run
- A silent mode that writes its output to a log
README for the script:
Purpose:
The script eip_createSSLScript.vbs creates/renews the certificates on the EIP machine for another 5 years by default (1825 days).
Guidelines:
Check that the default variables in the script are appropriate for the EIP machine.
If not, change the values according to your EIP installation's details.
An example of the default values that appear in the script 'eip_createSSLScript.vbs':
' Verify the EIP installation path
installdir = "C:\Program Files (x86)\Websense\EIP Infra\"
' Verify the EIP's JRE path
java_home = "C:\Program Files (x86)\Websense\EIP Infra\jre\"
' Verify the EIP's Tomcat path
catalina_home = "C:\Program Files (x86)\Websense\EIP Infra\tomcat\"
' Verify the EIP's Tomcat password
tomcatpass = "changeit"
' Set trace to "true" to print the commands that are actually executed, or to "false" to suppress them
trace = "true"
Instructions:
- Download the attached CustomerUse-eip_createSSLScript.zip file and transfer it to the customer's Infrastructure Server. For security purposes, this archive has been password-protected to better control it. The password to be typed in by Technical Support during a remote session (and not to be shared with customers) is "Websense_1". Extract eip_createSSLScript.vbs from the archive.
- If the customer has Forcepoint Infrastructure installed in a non-default location/drive, update the locations in the file as mentioned above.
- Run the following from an administrative Command Prompt:
- cscript eip_createSSLScript.vbs > output.log
- Confirm in the created log output.log that all of the return codes (RC) completed successfully (RC: 0)
- DELETE the script and logs from the customer's environment before ending the remote session
Note Because the commands for creating the EIP SSL certificates are very sensitive, ensure that you delete the manual script and the log after the script has been run successfully on the customer machine.
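One way to carry out the last two steps (confirming every RC is 0, then removing the script and log), shown as an added example that is not part of the Forcepoint script or the attachment. It assumes each step's result appears in output.log on a line containing "RC: <number>"; the function names and the sample log lines are hypothetical.

```powershell
# Added example, not Forcepoint code. Assumes output.log reports each step's
# result on a line containing "RC: <number>", as the instructions describe.
function Test-EipRenewalLog {
    param([Parameter(Mandatory)][string]$LogPath)

    # Collect every return code together with the log line it was found on.
    $results = Select-String -Path $LogPath -Pattern 'RC:\s*(-?\d+)' |
        ForEach-Object {
            [pscustomobject]@{
                Line = $_.LineNumber
                RC   = [int]$_.Matches[0].Groups[1].Value
            }
        }

    # No RC lines at all means the script did not run (or logged elsewhere);
    # treat that as a failure rather than as "nothing went wrong".
    if (-not $results) {
        Write-Warning "No return codes found in $LogPath"
        return $false
    }

    $failed = @($results | Where-Object { $_.RC -ne 0 })
    foreach ($f in $failed) {
        Write-Warning "Line $($f.Line): RC $($f.RC)"
    }
    return ($failed.Count -eq 0)
}

# In trace mode the log holds the executed commands, so it is removed
# together with the script before the remote session ends.
function Remove-EipRenewalArtifacts {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force }
    }
    # Return anything that survived deletion (locked file, wrong directory).
    return @($Path | Where-Object { Test-Path -LiteralPath $_ })
}

# Constructed sample log; the real log's wording may differ.
$demo = Join-Path $env:TEMP 'output-demo.log'
@('step 1 ... RC: 0', 'step 2 ... RC: 1', 'step 3 ... RC: 0') | Set-Content $demo
Test-EipRenewalLog -LogPath $demo
Remove-EipRenewalArtifacts -Path $demo
```

On the customer machine, pass the real output.log to the first function and the paths of eip_createSSLScript.vbs and output.log to the second.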
Note This script does not touch the httpd-server certificates used by Apache when hosting the web UI. This is because some customers choose to use their own signed certificates. If there is a need to regenerate the default self-signed certificates for the Forcepoint Management Infrastructure, see Reverting Custom Signed Forcepoint Management Infrastructure Certificates to Self-Signed Certificates.
Internal References:
EIP Certificate Creation/Renewal by Script
https://jira.cloud.fpdev.io/browse/EI-28261
https://jira.cloud.fpdev.io/browse/DLP-12225
CHANGELOG:
5/5/2021 - Removed customer visibility due to sensitivity and it not affecting anything.
2/7/2022 - Made customer-facing with approval from TEG.
4/24/2022 - Added Infrastructure certificate revert article link.
7/31/2023 - Fixed a minor typo.