How to solve Multi-Domain Management server identical CA problem
Solution

To fix the Duplicate CA key problem, perform the following:

  1. Remove all Internal CAs (ICAs), of all Domain Management Servers / CMAs (having the same public key).
  2. Create new Internal CAs for all those Domain Management Servers / CMAs.


Note: This operation will make all certificates issued by the removed CAs useless. This means that after this operation you will have to restart all SIC communications, re-generate all user certificates, and regenerate VPN certificates for all modules.

On each Domain Management Server/CMA:

For each gateway that has an ICA certificate for VPN (probably all VPN gateways), remove the Security gateway object from all VPN Communities. To do so, open SmartDashboard (Simplified Mode VPN configuration method):

  1. Select Manage -> Network Objects.
  2. In the Network Objects dialog box, select the Security gateway object (i.e. fw_module) from the Network Objects list.
  3. Click 'Edit'.
  4. In the Check Point Gateway dialog box, select VPN from the left pane.
  5. In the VPN properties, note which VPN communities this Security gateway object (i.e. fw_module) is a member of. It will be necessary to temporarily remove this Security gateway object from those VPN communities.
  6. Click 'OK' in the Check Point Gateway dialog box.
  7. Click 'Close' in the Network Objects dialog box.
  8. Select Manage -> VPN Communities.
  9. In the VPN Communities dialog box, select the VPN community object, in which the Security gateway object is a member.
  10. Click 'Edit'.
  11. In the Remote Access Community Properties dialog box, select Participant Gateways from the left pane.
  12. In the Participant Gateways properties, select the Security gateway object from the Participant Gateways window.
  13. Click 'Remove'.
  14. Click 'OK' in the Remote Access Community Properties dialog box.
  15. Repeat steps 9 through 14 for any other community the Security gateway participates in.
  16. Click 'Close' in the VPN Communities dialog box.
  17. Repeat steps 1 through 16 for any other Security gateway objects with IKE certificates from the Internal CAs that are managed by this management.
  18. Save the current Security Policy and close SmartDashboard.


Removing all Internal CAs, of all CMAs having the same public key

Important: before modifying your current settings, record each action performed, to be able to restore the original configuration after a new ICA is created.

For each Security gateway that has an ICA certificate for VPN (probably all VPN gateways), remove the IKE Certificate from the firewall module network object:

  1. In SmartDashboard, select 'Manage > Network Objects'.
  2. In the Network Objects dialog box, select the Security gateway object (i.e. fw_module) with its IKE certificate from the Network Objects list.
  3. Click 'Edit'.
  4. In the Check Point Gateway dialog box, select VPN from the left pane.
  5. In the VPN properties, select 'IKE' from the Encryption schemes window.
    Note: The SmartDashboard GUI was changed in R77 and above. 'IKE' can be found under "IPSec VPN".

  6. Click 'Edit' in the Encryption schemes section. (From R77: Click 'Traditional mode configuration'.)
  7. In the IKE Properties dialog box, clear the following two checkboxes in the "Support authentication methods" section: 
    • Public Key Signatures
    • VPN-1 & FireWall-1 authentication for SecuRemote/SecureClient (Hybrid Mode)
  8. Click 'OK' in the IKE Properties dialog box.
  9. In the VPN properties of the Check Point Gateway dialog box, select the defaultCert IKE certificate from the Certificate List window (Internal CA).
  10. Click 'Remove' in the "Certificate List" section.

    A dialog box with the following message will be displayed:

    Check Point Policy Editor
    A new internal CA certificate will be created when clicking OK on a VPN-1 object
    If you delete this certificate the CRL list will be increased.
    Are you sure you want to delete this certificate?

  11. Click 'Yes'.

    A dialog box with the following message will be displayed:

    Check Point Policy Editor
    The removal of the certificate is irreversible
    Are you sure you want to remove this certificate?

  12. Click 'Yes'.

    A dialog box with the following message will be displayed:

    Check Point Policy Editor
    Certificate operation succeeded

  13. Click 'OK'.
  14. In the Check Point Gateway dialog box, select General Properties from the left pane.
  15. In General Properties, clear the "VPN-1 Pro" checkbox in the Check Point Products window.

    A dialog box with the following message will be displayed:

    Check Point Policy Editor
    You are removing the VPN-1 from a machine with encryption. This will remove the defined encryption key. Are you sure?

  16. Click 'Yes'.
  17. Click 'OK' in the Check Point Gateway dialog box.
  18. Click 'Close' in the Network Objects dialog box.
  19. Repeat steps 1 through 18 for any other Security gateway objects with IKE certificate from the Internal CA that are managed by this Management.


On the Domain Management Server/CMA, create new Internal CAs for all those CMAs

  1. At the command prompt, enter: csh
    Note: You need to be in csh for the FQDN to be set correctly when running the mdsconfig -ca command; this ensures that you are in the correct customer environment and rules out potential problems with this critical step.
  2. Run the following command: mdsenv <CMA_name>
    Important: The following operation is irreversible, so make sure that you are working on the CMA environment by checking that $FWDIR environment variable points to the customer's directory.
  3. Run: fwm sic_reset 
  4. Run: $MDSDIR/bin/mdsconfig -ca <CMA_short_name> <CMA_virtual_IP_address>
    Note: This command should be issued only on a primary CMA.
  5. Delete the Links Manager database files in the following way:
    mcd conf; rm CPMILinksMgr.db*
  6. Run the mdsstop and mdsstart commands from the MDS environment.
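The guard below is an added example and is not part of this SecureKnowledge article or a Check Point tool: a POSIX sh pre-flight check for the irreversible mdsconfig -ca step, to be called from the csh session after mdsenv. It assumes that after mdsenv the $FWDIR variable lies under $MDSDIR/customers/<CMA_name>/, and that the article's "mcd conf" is equivalent to cd $FWDIR/conf (both are assumptions, not facts from the article).

```shell
#!/bin/sh
# Added example, not from the article: pre-flight guard for the irreversible
# "mdsconfig -ca" step. Assumption: after "mdsenv <CMA>", $FWDIR sits under
# $MDSDIR/customers/<CMA>/ (e.g. .../customers/<CMA>/CPsuite-R77/fw1).

# cma_env_ok CMA_NAME [FWDIR] [MDSDIR]
# Returns 0 only when the shell environment belongs to the named CMA.
# The optional arguments override $FWDIR/$MDSDIR so the check can be unit-tested.
cma_env_ok() {
    cma="$1"
    fwdir="${2-$FWDIR}"
    mdsdir="${3-$MDSDIR}"

    [ -n "$cma" ]    || { echo "usage: cma_env_ok <CMA_name>" >&2; return 2; }
    [ -n "$mdsdir" ] || { echo "MDSDIR is not set: not an MDS shell" >&2; return 1; }
    [ -n "$fwdir" ]  || { echo "FWDIR is not set: run 'mdsenv $cma' first" >&2; return 1; }

    # FWDIR at MDS level (not under customers/<cma>/) means mdsenv was not run,
    # or was run for a different CMA; either way mdsconfig -ca must not proceed.
    case "$fwdir" in
        "$mdsdir"/customers/"$cma"/*) return 0 ;;
        *) echo "FWDIR=$fwdir is not the environment of CMA '$cma'" >&2; return 1 ;;
    esac
}

# run CMD... : execute, or only print the command when DRY_RUN=1 (rehearsal).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# recreate_ica CMA_NAME CMA_VIP : the article's steps 3-5, gated by the guard.
# Assumption: the article's "mcd conf" equals "cd $FWDIR/conf".
recreate_ica() {
    cma="$1"; vip="$2"
    [ -n "$vip" ] || { echo "usage: recreate_ica <CMA_name> <CMA_virtual_IP>" >&2; return 2; }
    cma_env_ok "$cma" || return 1
    run fwm sic_reset                                          # step 3
    run "$MDSDIR/bin/mdsconfig" -ca "$cma" "$vip"              # step 4 (primary CMA only)
    run sh -c "cd \"$FWDIR/conf\" && rm -f CPMILinksMgr.db*"   # step 5
    echo "Now run mdsstop and mdsstart from the MDS environment (step 6)." >&2
}
```

Run it once with DRY_RUN=1 to see the exact command sequence for the CMA before doing the real run.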



Important: On 'SIC Reset' event, 'Management HA DB' (mgmtha.conf and mgmtha_stack files) resets (files are removed). Such a reset leads to a secondary management being marked as 'Never Synchronized' and 'Without CA DB'.
'SIC Reset' should be performed on BOTH Managements. 


Repeat these steps on all edited Domain Management Servers/CMAs:

  1. For each Domain Management Server/CMA, re-establish SIC communication with all gateways and other SIC entities, such as OPSEC objects that use SIC communication and peer VPN gateways:
    Reset SIC on all the CMA's gateways (with a one-time password), then reset and re-initialize SIC communication with each gateway from the Policy Editor (SmartDashboard).
  2. For each CMA, restore the old configuration. For each gateway that used VPN, re-select the VPN option in the gateway object's General Properties, and then:
    1. Create a new Internal CA certificate for that gateway (it is created when you click OK to close the gateway object).
    2. Restore the matching criteria for that gateway (if such criteria existed before the change).
    3. Add the gateway to the communities it was in before the change.
  3. For each Domain Management Server/CMA, initiate new user certificates for all users that had certificates before the change, and inform all those users that they should contact the administrator to get new certificates / registration key for certificates.
