[FW-1] Stonebeat certificates (was Re: Changing firewall object IP address)
Manuel,

First, a disclaimer: I don't positively know any procedure to make it work again. I can make some suggestions, but I'm not sure if any of them will work. If this is a critical production system, I'd call StoneBeat tech support and have them help you work it out...

Having said that: Are you using sbfcconfig to generate the certificates? If so, does it appear to succeed, or do you get any error messages? In other words, are you able to successfully generate new certificates, but still not able to monitor the cluster - or are you not able to generate new certificates at all?

I assume that since you've already tried to regenerate the certs, you have some flexibility to troubleshoot the cluster. If I were in your situation, I'd probably do the following:

BACK UP your existing certs on the CA *and* the nodes. (They're in $SBHOME/etc/*.pem, and you should probably back up the clients file in that directory, too.) This may not help you any, since they are expired, but it can't hurt.

Find a maintenance window in which you can take down the whole cluster.

Power down everything except the management console (or whatever is running your CA), and then start by running sbfcconfig on the CA to generate a new key and certificate for the CA, and new keys and certs for each node (with different passwords for the module keys than were originally used).

Then bring up one node, copy the certs & keys over to it, run sbfcpassphrase on it to reset the password to whatever you used above, and bounce it to see if it can access the new certs on reboot.

If that works, then you can just repeat for each of the other nodes.

WARNING: if this doesn't work, and you can't bring the cluster back up on your original certs, then you will probably be forced to call Stonebeat and get them to help you fix it in order to get the cluster working again...

Hope this helps. Do you have your manual? If not, drop me a line and I'll send you more specific details offlist.

And remember, this is just a SWAG - I've never been in your situation before, so I'm not sure this will actually fix it; it just seems like the right thing to do based on how the certificates work.

Regards,
Lisa

Standard disclaimer: the content of this message represents my personal views, not those of my employer.

>>> [email protected] 11/06/2001 16:22:04 >>>

Hi Lisa,

maybe you can help me with a Stonebeat implementation that has all certificates expired, even the CA certificate.

Since all certificates are expired, I can't monitor the cluster with the GUI, and the command "sbfc status" returns:

    sbfc verify error: Certificate has expired ssl handshake failed

However the cluster is working and I try to generate and deploy new certificates for all modules, clients and GUI, but I still can't monitor the cluster.

Do you know any procedure to make it work again?

Thanks for your help,
Manuel Cabrera
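
The backup step suggested in the reply above, together with a check of which PEM files actually hold an expired certificate, as an added example that is not part of the original thread or of StoneBeat's tooling. It assumes the files under $SBHOME/etc are standard PEM readable by the openssl CLI; the function names and the backup destination are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: $SBHOME/etc/*.pem are
# standard PEM files; key-only files are reported as "no-cert", never printed.

# backup_sb_certs SRC_DIR DEST_ROOT
# Copies SRC_DIR/*.pem and SRC_DIR/clients into a new timestamped directory
# (mode 0700), preserving file modes and times. Prints the backup path.
backup_sb_certs() {
    src=$1
    dest="$2/sb-certs-$(date +%Y%m%d-%H%M%S)"
    ( umask 077 && mkdir -p "$dest" ) || return 1
    for f in "$src"/*.pem "$src/clients"; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dest/" || return 1
    done
    echo "$dest"
}

# cert_status FILE [WINDOW_SECONDS]
# Prints one of: expired | expiring | valid | no-cert | unknown
# "expiring" means the certificate ends within WINDOW_SECONDS (default 30 days).
cert_status() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo no-cert
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
}

# report_certs DIR [WINDOW_SECONDS]
# Prints one "status<TAB>file" line per *.pem file in DIR.
report_certs() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(cert_status "$f" "${2:-2592000}")" "$f"
    done
}

# Usage (destination path is a placeholder):
#   dir=$(backup_sb_certs "$SBHOME/etc" /var/backups) && report_certs "$dir"
```

Run it on the CA host and on each node before regenerating anything, so the report shows exactly which certificates have expired and the untouched originals are kept in one place.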