Решено checkpoint certificate revoked

Lexuz

Участник
Доброго времени суток! Не могу зайти в checkpoint smart console 80.40 . Когда пытаюсь открыть консоль получаю сообщение что certificate revoked. Подскажите как попасть на чекпойнт ?
 
Доброго времени суток! Не могу зайти в checkpoint smart console 80.40 . Когда пытаюсь открыть консоль получаю сообщение что certificate revoked. Подскажите как попасть на чекпойнт ?
Попробуйте открыть smart console с другого компа. Если конечно же есть возможность. Можно попробовать подключиться к менеджменту через ssh и проверить что там с SIC сертификатами командой:

Procedure​

Note: In Management HA configuration, implement the below steps on the Primary Security Management Server / Multi-Domain Management Server.

  1. Take a backup or snapshot of the machine (sk108902).

  2. Make sure that the SIC certificate is still valid:

    On Security Management Server:

    [Expert@HostName]# cpca_client lscert -stat Valid -kind SIC

    On Multi-Domain Management Server:

    [Expert@HostName]# mdsenv
    [Expert@HostName]# cpca_client lscert -stat Valid -kind SIC


    If the output does not show a certificate for "CN=cp_mgmt...", then proceed with the steps below. Verify the CN format. It could be different than what is seen above.

    If the output is "Operation failed. rc=-1" make sure the Management Server is Active as per sk98432.

  3. Back up the existing certificate:
    • For Gaia:
      On Security Management Server:

      [Expert@HostName]# cp $CPDIR/conf/sic_cert.p12{,_BACKUP}

      On Multi-Domain Security Management Server:

      [Expert@HostName]# mdsenv
      [Expert@HostName]# cp $CPDIR/conf/sic_cert.p12{,_BACKUP}


    • For Windows:
      1. Go to %CPDIR%\conf\ folder
      2. Create a copy of sic_cert.p12 file

  4. Revoke the current SIC server certificate:
    [Expert@HostName]# cpca_client revoke_cert -n "CN=cp_mgmt"

    Note: In Management HA, the CN should be same as that present in HKLM_registry. In case the management server was acting as a secondary in the past, the CN would be of the format CN=cp_mgmt_<OBJECT_NAME>.

    To check the CN in registry:
    [Expert@HostName]# grep MySICname $CPDIR/registry/HKLM_registry.data

    On Security Management Server:
    [Expert@HostName]# cpca_client revoke_cert -n "CN=cp_mgmt"

    On Multi-Domain Management Server:
    [Expert@HostName]# mdsenv
  5. Create the new SIC server certificate:

    On Security Management Server:
    [Expert@HostName]# cpca_client create_cert -n "CN=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

    On Multi-Domain Security Management Server:
    [Expert@HostName]# mdsenv
    [Expert@HostName]# cpca_client create_cert -n "CN=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

    Note
    : The certificate name is not a recommendation, it must be sic_cert.p12

  6. Restart Check Point services:

    On Security Management Server:

    [Expert@HostName]# cpstop
    [Expert@HostName]# cpstart


    On Multi-Domain Security Management Server:

    [Expert@HostName]# mdsstop
    [Expert@HostName]# mdsstart

    Note
    : This step is necessary to update the cache of processes running with the new SIC certificate details. On Multi-Domain Management Server, a full mdsstop is required. It is not enough to just restart the MDS level services with "mdsstop -m".

  7. Connect to the Security Management Server / Multi-Domain Management Server with SmartConsole.


Important: In case you lose VPN connectivity (IPSec/SSL) and access to the GW's WebIU, renew the vpn certificate also under Gateway Properties > IPSec VPN
 
Попробуйте открыть smart console с другого компа. Если конечно же есть возможность. Можно попробовать подключиться к менеджменту через ssh и проверить что там с SIC сертификатами командой:

Procedure​

Note: In Management HA configuration, implement the below steps on the Primary Security Management Server / Multi-Domain Management Server.

  1. Take a backup or snapshot of the machine (sk108902).

  2. Make sure that the SIC certificate is still valid:

    On Security Management Server:

    [Expert@HostName]# cpca_client lscert -stat Valid -kind SIC

    On Multi-Domain Management Server:

    [Expert@HostName]# mdsenv
    [Expert@HostName]# cpca_client lscert -stat Valid -kind SIC


    If the output does not show a certificate for "CN=cp_mgmt...", then proceed with the steps below. Verify the CN format. It could be different than what is seen above.

    If the output is "Operation failed. rc=-1" make sure the Management Server is Active as per sk98432.

  3. Back up the existing certificate:
    • For Gaia:
      On Security Management Server:

      [Expert@HostName]# cp $CPDIR/conf/sic_cert.p12{,_BACKUP}

      On Multi-Domain Security Management Server:

      [Expert@HostName]# mdsenv
      [Expert@HostName]# cp $CPDIR/conf/sic_cert.p12{,_BACKUP}


    • For Windows:
      1. Go to %CPDIR%\conf\ folder
      2. Create a copy of sic_cert.p12 file

  4. Revoke the current SIC server certificate:
    [Expert@HostName]# cpca_client revoke_cert -n "CN=cp_mgmt"

    Note: In Management HA, the CN should be same as that present in HKLM_registry. In case the management server was acting as a secondary in the past, the CN would be of the format CN=cp_mgmt_<OBJECT_NAME>.

    To check the CN in registry:
    [Expert@HostName]# grep MySICname $CPDIR/registry/HKLM_registry.data

    On Security Management Server:
    [Expert@HostName]# cpca_client revoke_cert -n "CN=cp_mgmt"

    On Multi-Domain Management Server:
    [Expert@HostName]# mdsenv
  5. Create the new SIC server certificate:

    On Security Management Server:
    [Expert@HostName]# cpca_client create_cert -n "CN=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

    On Multi-Domain Security Management Server:
    [Expert@HostName]# mdsenv
    [Expert@HostName]# cpca_client create_cert -n "CN=cp_mgmt" -f $CPDIR/conf/sic_cert.p12

    Note
    : The certificate name is not a recommendation, it must be sic_cert.p12

  6. Restart Check Point services:

    On Security Management Server:

    [Expert@HostName]# cpstop
    [Expert@HostName]# cpstart


    On Multi-Domain Security Management Server:

    [Expert@HostName]# mdsstop
    [Expert@HostName]# mdsstart

    Note
    : This step is necessary to update the cache of processes running with the new SIC certificate details. On Multi-Domain Management Server, a full mdsstop is required. It is not enough to just restart the MDS level services with "mdsstop -m".

  7. Connect to the Security Management Server / Multi-Domain Management Server with SmartConsole.


Important: In case you lose VPN connectivity (IPSec/SSL) and access to the GW's WebIU, renew the vpn certificate also under Gateway Properties > IPSec VPN
Спасибо! Это помогло. Долго не было возможности проверить.:coffee:
 
Назад
Верх