NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 



[FW-1] Stonebeat certificates (was Re: Changing firewall object IP address)



Manuel,

First, a disclaimer: I don't positively know any procedure to make it work
again.  I can make some suggestions, but I'm not sure if any of them will
work. If this is a critical production system, I'd call StoneBeat tech support
and have them help you work it out...

Having said that:

Are you using sbfcconfig to generate the certificates?  If so, does it
appear to succeed, or do you get any error messages?  In other words,
are you able to successfully generate new certificates, but still not able
to monitor the cluster - or are you not able to generate new certificates at
all?

I assume that since you've already tried to regenerate the certs, you
have some flexibility to troubleshoot the cluster.  If I were in your
situation, I'd probably do the following:

BACK UP your existing certs on the CA *and* the nodes.  (They're in
$SBHOME/etc/*.pem, and you should probably back up the clients
file in that directory, too.)  This may not help you any, since they are
expired, but it can't hurt.

Find a maintenance window in which you can take down the whole cluster.
Power down everything except the management console (or whatever
is running your CA), and then start by running sbfcconfig on the CA to
generate a new key and certificate for the CA, and new keys and certs
for each node (with different passwords for the module keys than were
originally used).

Then bring up one node, copy the certs & keys over to it, run
sbfcpassphrase on it to reset the password to whatever you used
above, and bounce it to see if it can access the new certs on reboot.
If that works, then you can just repeat for each of the other nodes.

WARNING: if this doesn't work, and you can't bring the cluster back
up on your original certs, then you will probably be forced to call
Stonebeat and get them to help you fix it in order to get the cluster
working again...

Hope this helps.  Do you have your manual?  If not, drop me a line
and I'll send you more specific details offlist.  And remember, this is just
a SWAG - I've never been in your situation before, so I'm not sure
this will actually fix it; it just seems like the right thing to do based
on how the certificates work.

Regards,

Lisa

Standard disclaimer:  the content of this message represents my personal
views, not those of my employer.

>>> [email protected] 11/06/2001 16:22:04 >>>
Hi Lisa, maybe you can help me with a Stonebeat implementation that has all
certificates expired, even the CA certificate. Since all certificates are
expired, I can't monitor the cluster with the GUI, and the command "sbfc
status" returns:

sbfc verify error: Certificate has expired
ssl handshake failed

However the cluster is working and I try to generate and deploy new
certificates for all modules, clients and GUI, but I still can't monitor the
cluster. Do you know any procedure to make it work again?

Thanks for your help,

Manuel Cabrera
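
The backup step in the reply above, plus an expiry audit of the same directory, as an added example that is not part of the original thread and is not StoneBeat's own tooling. It assumes the files in $SBHOME/etc/*.pem are PEM-encoded X.509 certificates and keys that the openssl CLI can read; the function names and the backup directory name are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes the *.pem files are PEM-encoded X.509 certs/keys
# and that the openssl CLI is installed; function names are hypothetical.

# backup_pems SRC DEST: copy *.pem and the clients file, keeping modes/times.
backup_pems() {
    mkdir -p "$2" || return 1
    chmod 700 "$2" || return 1          # the backup includes private keys
    for f in "$1"/*.pem "$1"/clients; do
        if [ -f "$f" ]; then cp -p "$f" "$2"/ || return 1; fi
    done
}

# cert_status FILE [WARN_SECONDS]: prints expired, expiring, ok or not-a-cert.
cert_status() {
    warn=${2:-2592000}                   # default look-ahead: 30 days
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "not-a-cert"                # e.g. a private key file
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -in "$1" -noout -checkend "$warn" >/dev/null 2>&1; then
        echo "expiring"
    else
        echo "ok"
    fi
}

# audit_pems DIR [WARN_SECONDS]: one line per PEM file: status, notAfter, path.
audit_pems() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || end="-"
        printf '%s\t%s\t%s\n' "$(cert_status "$f" "${2:-}")" "$end" "$f"
    done
}

# Run only when SBHOME points at a real installation.
if [ -n "${SBHOME:-}" ] && [ -d "$SBHOME/etc" ]; then
    backup_pems "$SBHOME/etc" "$HOME/sb-cert-backup-$(date +%Y%m%d)" &&
        audit_pems "$SBHOME/etc"
fi
```

Running the audit on the CA and on each node before and after regeneration shows which files still carry an old notAfter date, and running it periodically with a look-ahead window flags certificates before they lapse.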




 
----------------------------------

   All contents © 2004 Network Presence, LLC. All rights reserved.