Difference between revisions of "Secondary CMA/CLM SIC expiration renewal procedure"
(Pushed from Themanclub.) |
|||
Line 1: | Line 1: | ||
Reset SIC between the Provider-1 Secondary CMA/CLM and the respecitve Provider-1 Primary CMA | Reset SIC between the Provider-1 Secondary CMA/CLM and the respecitve Provider-1 Primary CMA | ||
+ | other keyworkds: certificate expired, | ||
Solution ID: sk36359 | Solution ID: sk36359 |
Revision as of 22:49, 25 February 2013
Reset SIC between the Provider-1 Secondary CMA/CLM and the respecitve Provider-1 Primary CMA other keyworkds: certificate expired,
Solution ID: sk36359
Product: Multi-Domain Management / Provider-1
Version: All
Symptoms
1) Smartdashboard SIC communication test from the CMA reports...
"SIC Status for Inet-VPN-CLM2: Not Communicating Internal SSL authentication error [ Certificate expired]"
2) [Expert@mds]# cpca_client lscert -kind SIC|grep -A 2 CLM
Subject = CN=Inet-VPN-CLM,O=cr-provider-vpn..xcoz95 Status = Expired Kind = SIC Serial = 73304 Not_Before: Fri Oct 27 14:12:28 2006 Not_After: Mon Jan 18 22:00:08 2038
3) No new logs received on the CLM
Cause
Expired SIC certificates between the Provider-1 Secondary CMA/CLM and the respecitve Provider-1 CMA
Solution
Here are the steps to set SIC between the Secondary CMA/CLM and the respective CMA
On the Provider-1 MDS/MLM(the one containing the expired CMA/CLM) server :
Log into Expert mode (for SecurePlatform).
Run the 'mdsenv' command to change the current environment to that of the relevant Secondary CMA/CLM.
# mdsenv cma_name
Run the following command to re-initialize the SIC (pre-shared secret is 'abc123'):
# cp_conf sic init abc123
Note: the CPD daemon for the relevant CMA/CLM is in a 'down' state at this point in time.
On the MDS (Manager) Provider-1 Server
mdsenv
Restart the CLM
mdscmd stopcma customer_name -i <cma_ip> mdscmd startcma customer_name -i <clm_ip>
On the MLM
Verify that the CPD process is up and running for the relevant Secondary CMA/CLM:
# mdsstat
In the SmartDashboard (logged into the CMA):
Select 'Manage' - then 'Network Objects'.
In the 'Network Objects' dialog box, select the relevant Secondary CMA/CLM network object from the network objects list.
Click on 'Edit'.
In the 'Check Point Host' dialog box, select the 'General Properties' branch from the left pane.
In the 'General Properties' pane, in the 'Secure Internal Communication' section, click on 'Communication'.
In the 'Communication' dialog box, click on 'Reset'.
A dialog box with the following message will be displayed:
Check Point SmartDashboard For the reset operation to be complete, you must also reset the module in the configuration tool. No communication will be possible until you reset and re-initialize the communication properly.
Are you sure you want to reset?
Click on 'Yes'.
A dialog box with the following message will be displayed:
Check Point SmartDashboard Reset is done. Please re-install the Security Policy in order to update the CRL list. You must install the Security Policy to ALL Modules.
Click on 'OK'.
In the 'Communication' dialog box, in the 'Activation Key' field, enter pre-shared secret (i.e., 'abc123').
In the 'Communication' dialog box, in the 'Confirm Activation Key' field, re-enter the pre-shared secret (i.e., 'abc123').
Click on 'Initialize'.
In the 'Communication' dialog box, click on 'Close'.
Reinstall policies to all firewalls managed by the CMA to re-establish logging.