topic Re: How to pair gateway with SMS? in General Topics

How to pair gateway with SMS?

tomasFuk — Mon, 30 Jun 2025 14:15:51 GMT

I am writing automation scirpts where i collect some info from gateway via ssh (interfaces, routing etc...) and some info from sms via API (fw rules, nat rules etc).

I didnt find a way yet how to 100% correctly pair gateway where i connect via ssh with "show-gateways-and-servers" api endpoint from sms.

Ideal would be to compare SIC certificates, but from SMS i was just able to get some shortened ones:

cp-2> cpca_client lscert -kind SIC
Operation succeeded. rc=0.
30 certs found.

Subject = CN=cp_mgmt,O=cp-2..5qabcd
Status = Valid Kind = SIC Serial = 3843 DP = 0
Not_Before: Mon Jun 24 11:34:04 2024 Not_After: Sun Jun 24 11:34:04 2029

Subject = CN=cp-vss,O=cp-2..5qabcd
Status = Revoked Kind = SIC Serial = 9159 DP = 0
Not_Before: Tue Jun 24 11:34:41 2025 Not_After: Mon Jun 24 11:34:41 2030

but i havent found any command which would show me full certificate.

On GW itself i wasnt able to found any cli command to show SIC certificates.

Is there some way how to show SIC cert on both sides? Or some other way how to pair gw with SMS?

FYI, pairing via gateway name or ip adress is a no go as i already encountered situations where they were duplicated and/or didnt match

Thank you!

Re: How to pair gateway with SMS?

Tal_Paz-Fridman — Mon, 30 Jun 2025 16:34:43 GMT

In the Security Gateway check the $FWDIR/conf/masters file: This file should contain the correct name or IP address of the Security Management Server or Domain Management Server.

Re: How to pair gateway with SMS?

PhoneBoy — Mon, 30 Jun 2025 16:48:32 GMT

I believe even on gateways, the actual cert used for SIC is in $CPDIR/conf.

Re: How to pair gateway with SMS?

Bob_Zimmerman — Mon, 30 Jun 2025 19:41:18 GMT

Yes, it's $CPDIR/conf/sic_cert.p12. On my management:

[Expert@DallasSC]# cpca_client lscert -kind SIC -stat Valid Operation succeeded. rc=0. 6 certs found. Subject = CN=DallasticVS1,O=DallasSC.mylab.test.popnik Status = Valid Kind = SIC Serial = 12159 DP = 0 Not_Before: Sat Jun 7 18:35:33 2025 Not_After: Sat Jun 8 18:35:33 2030 Subject = CN=DallasticXL,O=DallasSC.mylab.test.popnik Status = Valid Kind = SIC Serial = 89094 DP = 0 Not_Before: Sat Jun 7 18:17:01 2025 Not_After: Sat Jun 8 18:17:01 2030 ...

And on one of my VSNext members:

[Expert@DallasticXL-s01-01:0]# cpopenssl pkcs12 -passin "pass:vpn123" -nomacver -nokeys -in $CPDIR/CTX/CTX00001/conf/sic_cert.p12 | cpopenssl x509 -text | egrep "(Subject|Serial Number):" Serial Number: 12159 (0x2f7f) Subject: O = DallasSC.mylab.test.popnik, CN = DallasticVS1 [Expert@DallasticXL-s01-01:0]# cpopenssl pkcs12 -passin "pass:vpn123" -nomacver -nokeys -in $CPDIR/conf/sic_cert.p12 | cpopenssl x509 -text | egrep "(Subject|Serial Number):" Serial Number: 89094 (0x15c06) Subject: O = DallasSC.mylab.test.popnik, CN = DallasticXL

You can see the subjects match exactly (though you have to interpret the DN), as do the serial numbers.

Re: How to pair gateway with SMS?

the_rock — Mon, 30 Jun 2025 19:51:29 GMT

Yes, its definitely sic_cert.p12 in $CPDIR/conf dir

Andy

Re: How to pair gateway with SMS?

tomasFuk — Tue, 01 Jul 2025 06:24:55 GMT

thanks, exactly what i need!