If you have a Stonesoft Firewall or IPS and you are having trouble connecting to the Management and/or Log Server, it is quite likely that the certificates have expired. There is a way to fix it.

Try the following:

On the Management Server, the Stonegate folder ../stonegate/bin contains a number of scripts to re-issue the required certificates.

Shut down the Management Server (first stop the service, if it is running):
sudo -u sgadmin sgStopMgtSrv.sh

Reset the certificate for the Management Server:
sudo -u sgadmin sgCertifyMgtSrv.sh
Start the service again, either by rebooting or by running:
sudo -u sgadmin sgStartMgtSrv.sh &


On the Log Server, the Stonegate folder ../stonegate/bin likewise contains a number of scripts to re-issue the required certificates.

Shut down the Log Server (first stop the service, if it is running):
sudo -u sgadmin sgStopLogSrv.sh
Reset the certificate for the Log Server:
sudo -u sgadmin sgCertifyLogSrv.sh
Start the service again, either by rebooting or by running:
sudo -u sgadmin sgStartLogSrv.sh &


And that is it. Start your Management Console with ./sgClient.sh & and you should be able to connect.

Your Firewall/IPS won't be able to connect any more, since the fingerprint will have changed. This means the systems have to pull the new settings. The way I sorted it out was to SSH into the Firewall and issue an sg-reconfigure command.

You now need a one-time password from the Management Console. To get it, select the device under Firewalls or IPS, right-click it and choose Configuration -> Save Initial Configuration from the menu. In the new window named Save Initial Configuration a new one-time password is generated and the SSL fingerprint is also shown.

Once you have the one-time password, go back to the sg-reconfigure command on the Firewall/IPS and skip through the steps (select Next ->) until it asks for the one-time password. Select Contact Management Server (or the equivalent), enter the one-time password provided by the Management Center, and either enter the new fingerprint or leave it out, as it is not required by default.


Errors usually include:
Log Server doesn't have any usable certificate.
Caused by: java.security.cert.CertificateExpiredException: NotAfter: date_here
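A small pre-flight check that spots this problem before the outage, by scanning the server log for the CertificateExpiredException above and by checking how many days the server certificate has left. This is an added example, not a StoneGate script; the log and certificate paths are assumptions, as the page does not name them.

```shell
#!/bin/sh
# Pre-flight certificate check for a StoneGate Management or Log Server.
# Added example, not a StoneGate script. Assumptions: the server's log file
# and the PEM certificate it presents are at the paths you pass in; the page
# does not name them, so treat the arguments as placeholders for your setup.

# Prints the NotAfter date from every CertificateExpiredException line in the
# log given as $1 (one date per line; prints nothing if there are none).
expired_cert_dates() {
    sed -n 's/.*CertificateExpiredException: NotAfter: //p' "$1"
}

# Returns 0 if the PEM certificate $1 stays valid for at least $2 more days
# (default 30), 1 if it expires inside that window or has already expired.
cert_valid_for_days() {
    cert="$1"
    days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Combined check: $1 = server log, $2 = certificate, $3 = warning window (days).
# Exit status 0 means nothing to do, 1 means re-issue the certificate
# (sgCertifyMgtSrv.sh / sgCertifyLogSrv.sh as described above).
check_stonegate_cert() {
    log="$1"; cert="$2"; window="${3:-30}"
    status=0
    dates=$(expired_cert_dates "$log")
    if [ -n "$dates" ]; then
        echo "expired certificate already logged in $log (NotAfter: $dates)"
        status=1
    fi
    if [ -f "$cert" ]; then
        if cert_valid_for_days "$cert" "$window"; then
            echo "$cert valid for at least $window more days"
        else
            echo "$cert expires within $window days: re-issue before it lapses"
            status=1
        fi
    else
        echo "certificate $cert not found (placeholder path?); skipped expiry check"
    fi
    return "$status"
}

# Usage: sh sg_cert_check.sh <server.log> <cert.pem> [days]
if [ "$#" -ge 2 ]; then
    check_stonegate_cert "$@"
fi
```

Run it from cron on both servers with a window longer than your change-approval lead time, so the re-certify steps above can be scheduled instead of done during an outage.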