Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted

Upgrading Checkpoint management to R80.X from R77.30

Hi All

 

I have a 17 years old Checkpoint standalone management server, was originally 4.1 and was upgrade through the years to R77.30.

I would like to upgrade the management server to R80.X

 

I was able to export and import the configuration on a new R80.10 server, but the CPM service was not started.

I was found it is related to the ICA.

I understand I would need to upgrade the ICA certificate to a new version. (SHA-256)

I have many VPNs the relays on this ICA. In addition, I have many users in the internal database, that are using user certificates for remote access authentication, issued by the ICA.

What would be the best way to update the ICA certificate without causing problems to the VPNs and the user authentication?

Best regards,

Michael

 

0 Kudos
8 Replies
Highlighted

Have you seen this sk? I think it explains how to accomplish what it is you need to do.

R80 CCSA / CCSE
0 Kudos
Highlighted

Hi

Thanks for the article.

What about the ICA itself which is

Not Valid Before: Wed Jun 19 11:53:44 2002 Local Time
Not Valid After: Tue Jun 14 11:53:44 2022 Local Time
Serial No.: 1
Public Key: RSA (1024 bits)
Signature: RSA with SHA1

 

Will it block me from upgrading to R80.X?

0 Kudos
Highlighted

To be frank I would skip R80.10 altogether, I have a MDS which was migrated many times as well and I moved a number of domains manually from that server to another MDS running R80.10. I had loads of problems with validation errors and other stuff that did not work properly.
When we upgraded that R80.10 MDS to R80.30 we again ran into a lot of issues with validations on the same domains. Both times TAC and R&D were needed to resolve the problems.
Recently I migrated the R77.30 to R80.30 and had no problems of the sort at all.
Regards, Maarten
0 Kudos
Highlighted
Employee++
Employee++

You can start by downloading the R80.30 Migrate Tools and running the Pre-Upgrade Verifier

 

https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/m...

0 Kudos
Highlighted

Tal,

I run the pre-upgrade tool of R80.30.

It did not stated any problems with the ICA, certificates, or SHA-1.

This is the behavior I had once I tried to migrate to R80.10, but once the migrate import had finished the CPM service was not started.

Regards,

Michael

0 Kudos
Highlighted
Employee++
Employee++

Hi Micheal

Thanks for updating me. I will check why this is not part of the Pre-Upgrade Verifier checks (and look into adding it to newer versions of the Migrate Tools.)

Thanks

Tal

0 Kudos
Highlighted

Tal,

While you are at that, could you also ask why the user.def file is not reported in the Pre-Upgrade Verifier?
Regards, Maarten
0 Kudos
Highlighted

Hi

I got a fix and below procedure from the support

  1. install provided hotfix
  2. cpca_client set_sign_hash sha256
  3. cpca_client re_sign_ca
  4. sicRenew -d
  5. mv $CPDIR/conf/new_sic_cert.p12 $CPDIR/conf/sic_cert.p12
  6. cpstop; cpstart (make sure the server is up again)
  7. mcc lca (copy the presented ca name)
  8. mcc replace ~/new_ica.cer
  9. cpstop; cpstart

I completed steps 1 to 6 and was able to start the management services including the CPM.

Do someone knows what steps 7 to 9 are doing?

Best regards,

Michael

0 Kudos