Security Gateway Virtual Edition (VE) VMware OVF template security update
Symptoms
  • The Security Gateway Virtual Edition (VE) VMware OVF template contains a pre-defined SSH key-pair and WebUI SSL certificate (*.p12).

  • Multiple deployments of Security Gateway Virtual Edition (VE) created from this OVF template will have the same keys.

  • Affected versions of Security Gateway Virtual Edition (VE): R71 / R75.40 Network mode / R75.40 Hypervisor mode / R76 Network Mode.
Solution

Follow these steps:

  • For a new deployment, use the updated VMware OVF template from the Download Center:

    Version                                                                           Link
    R71 Virtual Edition (VE) Hypervisor Mode and Network Mode on SecurePlatform OS    (TGZ)
    R75.40 Virtual Edition (VE) Network Mode on Gaia OS                               (TGZ)
    R75.40 Virtual Edition (VE) Hypervisor Mode                                       (TGZ)
    R76 Virtual Edition (VE) Network Mode on Gaia OS                                  (TGZ)


  • For an existing deployment, the SSH and WebUI SSL keys need to be reset.

    Note: If the SSH keys or the WebUI SSL certificate were saved and used for authentication, they will need to be replaced.

    1. Connect to the command line on the Security Gateway.

    2. Log in to Expert mode.

    3. Reset the SSH key-pair:

      1. Remove the current SSH keys:

        [Expert@HostName]# rm /etc/ssh/ssh_host_*key*

      2. Restart the SSH service:

        [Expert@HostName]# /etc/init.d/sshd restart


    4. Reset the WebUI SSL certificate:

      • R75.40 Network Mode / R76 Network Mode running on Gaia OS:

        1. Remove the current certificate and key files:

          [Expert@HostName]# rm /web/conf/server.crt
          [Expert@HostName]# rm /web/conf/server.key

        2. Recreate the WebUI SSL certificate:

          • On R75.40:

            [Expert@HostName]# $CPDIR/bin/cpopenssl req -new -x509 -days 3652 -newkey rsa:1024 -nodes -keyout /web/conf/server.key -out /web/conf/server.crt

          • On R76:

            [Expert@HostName]# $CPDIR/bin/cpopenssl req -new -x509 -days 3652 -newkey rsa:2048 -nodes -keyout /web/conf/server.key -out /web/conf/server.crt


        3. Restart Gaia Portal:

          [Expert@HostName]# tellpm process:httpd2
          [Expert@HostName]# tellpm process:httpd2 t


      • R71 / R75.40 Hypervisor Mode running on SecurePlatform OS:

        1. Remove the current certificate files:

          [Expert@HostName]# rm /opt/spwm/servcert/servcert.p12
          [Expert@HostName]# rm /opt/spwm/servcert/servcert_ca.p12

        2. Restart the WebUI service:

          [Expert@HostName]# /etc/init.d/CPwebis restart
This solution is about products that are no longer supported, and it will not be updated.
Applies To:
  • 01266243, 01266266, 01266268, 01266270
