Secondary CMA/CLM SIC expiration renewal procedure

From cpwiki.net
Check Point Professional Services

Reset SIC between the Provider-1 Secondary CMA/CLM and the respective Provider-1 Primary CMA. Other keywords: certificate expired.

Solution ID: sk36359

Product: Multi-Domain Management / Provider-1

Version: All


Symptoms

1) The SmartDashboard SIC communication test run from the CMA reports:

   "SIC Status for Inet-VPN-CLM2: Not Communicating
   Internal SSL authentication error [ Certificate expired]"

2) [Expert@mds]# cpca_client lscert -kind SIC|grep -A 2 CLM

 Subject = CN=Inet-VPN-CLM,O=cr-provider-vpn..xcoz95
 Status = Expired   Kind = SIC   Serial = 73304
 Not_Before: Fri Oct 27 14:12:28 2006   Not_After: Mon Jan 18 22:00:08 2038

3) No new logs received on the CLM
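To find out which SIC certificates the ICA reports as expired before starting the reset, the following shell script parses the record format shown in symptom 2. It is an added example, not part of sk36359 or of any Check Point tool. The input is a constructed sample (the second host, 'cma-fw1', is hypothetical); on the MDS you would run `mdsenv cma_name` and pipe the real output of `cpca_client lscert -kind SIC` into `expired_sic`. The script keys on the Status field rather than on Not_After, because in the output above the ICA reports the certificate as Expired even though its Not_After reads 2038.

```shell
#!/bin/sh
# Added example (not from sk36359): list SIC certificates that
# 'cpca_client lscert -kind SIC' reports as Expired, printing "CN serial".

# Constructed sample output mirroring symptom 2; 'cma-fw1' is hypothetical.
SAMPLE_LSCERT='Subject = CN=Inet-VPN-CLM,O=cr-provider-vpn..xcoz95
Status = Expired   Kind = SIC   Serial = 73304
Not_Before: Fri Oct 27 14:12:28 2006   Not_After: Mon Jan 18 22:00:08 2038

Subject = CN=cma-fw1,O=cr-provider-vpn..xcoz95
Status = Valid   Kind = SIC   Serial = 73305
Not_Before: Fri Oct 27 14:12:28 2006   Not_After: Mon Jan 18 22:00:08 2038
'

# Reads lscert records from stdin. Records are separated by blank lines and
# each carries its own Subject/Status/Serial lines, so awk paragraph mode
# (RS="") with one field per line is used. Prints "CN serial" for every
# record whose Status is Expired.
expired_sic() {
    awk -v RS= -F'\n' '
    {
        cn = ""; status = ""; serial = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Subject = CN=/) {
                cn = $i
                sub(/^Subject = CN=/, "", cn)   # strip the "Subject = CN=" prefix
                sub(/,.*$/, "", cn)             # keep only the CN component
            }
            if ($i ~ /^Status = /) {
                status = $i
                sub(/^Status = /, "", status)
                sub(/ .*$/, "", status)         # first word after "Status = "
                if (match($i, /Serial = [0-9]+/)) {
                    serial = substr($i, RSTART + 9, RLENGTH - 9)
                }
            }
        }
        if (status == "Expired") print cn, serial
    }'
}

# Runs the check over the constructed sample so it can be exercised
# without an MDS; on a real system pipe the live command output instead:
#   cpca_client lscert -kind SIC | expired_sic
expired_in_sample() {
    printf '%s' "$SAMPLE_LSCERT" | expired_sic
}

expired_in_sample
```

Each printed CN is a Secondary CMA/CLM (or other SIC peer) whose certificate must be reissued with the procedure below; the serial lets you match it against the entry in the ICA after the reset.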

Cause

Expired SIC certificates between the Provider-1 Secondary CMA/CLM and the respective Provider-1 Primary CMA.


Solution

Here are the steps to reset SIC between the Secondary CMA/CLM and the respective Primary CMA:


On the Provider-1 MDS/MLM server hosting the Secondary CMA/CLM whose certificate expired:

   Log into Expert mode (for SecurePlatform).


Run the 'mdsenv' command to change the current environment to that of the relevant Secondary CMA/CLM.

   # mdsenv cma_name

Run the following command to re-initialize the SIC. The pre-shared secret (one-time activation key) used in this example is 'abc123'; choose your own, and use the same value later in SmartDashboard:

   # cp_conf sic init abc123
   Note: the CPD daemon for the relevant CMA/CLM is in a 'down' state at this point in time.

On the MDS (Manager) Provider-1 server, return to the MDS environment:

   # mdsenv

Restart the Secondary CMA/CLM:

   # mdscmd stopcma customer_name -i <secondary_cma/clm_ip>
   # mdscmd startcma customer_name -i <secondary_cma/clm_ip>

On the MDS/MLM hosting the Secondary CMA/CLM:

Verify that the CPD process is now up and running for the relevant Secondary CMA/CLM (it was down after 'cp_conf sic init'):

   # mdsstat

In the SmartDashboard (logged into the CMA):

Select 'Manage', then 'Network Objects'.

In the 'Network Objects' dialog box, select the relevant Secondary CMA/CLM network object from the network objects list.

Click on 'Edit'.

In the 'Check Point Host' dialog box, select the 'General Properties' branch from the left pane.

In the 'General Properties' pane, in the 'Secure Internal Communication' section, click on 'Communication'.

In the 'Communication' dialog box, click on 'Reset'.

A dialog box with the following message will be displayed:

   Check Point SmartDashboard
   For the reset operation to be complete, you must also reset the module in the configuration tool. No communication will be possible until you reset and re-initialize the communication properly.
   Are you sure you want to reset?

Click on 'Yes'.

A dialog box with the following message will be displayed:

   Check Point SmartDashboard
   Reset is done.
   Please re-install the Security Policy in order to update the CRL list.
   You must install the Security Policy to ALL Modules.

Click on 'OK'.

In the 'Communication' dialog box, in the 'Activation Key' field, enter the pre-shared secret you used with 'cp_conf sic init' (in this example, 'abc123').

In the 'Confirm Activation Key' field, re-enter the same pre-shared secret.

Click on 'Initialize'.

In the 'Communication' dialog box, click on 'Close'.

Reinstall the Security Policy on all firewalls managed by the CMA to update the CRL and re-establish logging to the Secondary CMA/CLM.