How to renew SIC after changing IP Address of Security Management Server
Solution

Background

The IP Address of the Internal Certificate Authority (ICA) of the Security Management Server / Domain Management Server is automatically added to the Check Point Registry file ($CPDIR/registry/HKLM_registry.data) on the Security Gateway when SIC is first established (between the Security Gateway and the Management Server).

If the IP Address of Security Management Server / Domain Management Server is changed, and SIC is never manually reset (between Security Gateway and Management Server), then the AutoRenewal of the Certificate will fail.

 

Procedure

If you are manually changing the IP Address of Security Management Server / Domain Management Server, then follow the procedure below.

Notes:

  • Check Point recommends manually resetting the SIC between the managed Security Gateways and the Management Server as described in sk65764 - How to reset SIC.
  • In cluster environment, this procedure must be performed on all members of the cluster.

You should verify that the new IP Address of the Security Management Server / Domain Management Server was correctly configured in the Check Point Registry file on the managed Security Gateways.

  1. Connect to the command line on the relevant Security Gateway.

  2. Log in to the Expert mode.

  3. Check the Check Point Registry:

    [Expert@HostName]# cat $CPDIR/registry/HKLM_registry.data | grep -i -B 5 icaip

  4. Search for:

    :ICAip

    Example of the relevant section:

    : (SIC
        :ICAdn ("O=R77-Manager..ntk6rk")
        :MySICname ("CN=R77-MemberB,O=R77-Manager-SA..ntk6rk")
        :HasCertificate ("[4]1")
        :CertPath ("/opt/CPshrd-R77/conf/sic_cert.p12")
        :ICAip (192.168.41.80)
    
    
  5. If the :ICAip attribute contains the wrong IP address, then edit the Check Point Registry and reboot the Security Gateway:

    [Expert@HostName]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL

    [Expert@HostName]# vi $CPDIR/registry/HKLM_registry.data
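
The check from steps 3 to 5 can be scripted so it runs the same way on every cluster member, before and after the edit. The script below is an added example, not Check Point code: the function names are hypothetical, 10.0.0.5 is a constructed "new" management address, and the sample file is a constructed copy of the section shown in step 4. It only reads the registry and never modifies it.

```shell
# Added example, not Check Point code: read-only check of the :ICAip attribute.

# Print every :ICAip value in a registry file, one per line.
# Matching is case-insensitive, like the grep -i in step 3.
ica_ips() {
    awk 'tolower($1) == ":icaip" { v = $2; gsub(/[()"]/, "", v); print v }' "$1"
}

# check_ica_ip FILE EXPECTED_IP
# Returns 0 if every :ICAip matches, 1 on a mismatch, 2 if none can be read.
check_ica_ip() {
    local file="$1" expected="$2" found ip rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    found=$(ica_ips "$file")
    [ -n "$found" ] || { echo "no :ICAip attribute in $file" >&2; return 2; }
    for ip in $found; do
        if [ "$ip" = "$expected" ]; then
            echo "OK: ICAip=$ip"
        else
            echo "MISMATCH: ICAip=$ip expected=$expected"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the section in step 4, so the script runs offline.
make_sample() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
: (SIC
    :ICAdn ("O=R77-Manager..ntk6rk")
    :HasCertificate ("[4]1")
    :CertPath ("/opt/CPshrd-R77/conf/sic_cert.p12")
    :ICAip (192.168.41.80)
)
EOF
    echo "$f"
}

# On a gateway, in Expert mode, the call would be:
#   check_ica_ip "$CPDIR/registry/HKLM_registry.data" <new Management Server IP>
sample=$(make_sample)
check_ica_ip "$sample" 192.168.41.80        # registry still holds the old address
check_ica_ip "$sample" 10.0.0.5 || true     # mismatch: step 5 applies
rm -f "$sample"
```

A return code of 1 means the gateway still points at the old ICA address, which is the condition under which certificate auto-renewal fails.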

 
