Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Durin
Contributor

Find out if fingerprint has changed on LDAPS server

Hi,

 

I am looking for a way to find out if the fingerprint on an LDAPS server has changed (an LDAP account unit).

Currently when the fingerprint is changed authentication stops working since the management server notices that the fingerprint has changed and one have to manually fetch and install the gateways so it reflects the new changes.

So i am looking for a way to detect this, for example where can i find the current fingerprint so i can compare ?

Management server is running R80.30

Thanks in advance

 

0 Kudos
11 Replies
Dor_Marcovitch
Advisor

you can try to connect to the DC and check if it has a "new" certificate issued to it

cpopenssl s_client -connect <IP>:636

if you have some other monitoring systems, then you can raise an event on the DC by monitoring the event log to see if a new certificate was enrolled

i am also looking for a solution for next re-authentication, not sure why CP uses the server's fingerprint and not just relaying on the PKI infrastructure

0 Kudos
JozkoMrkvicka
Mentor
Mentor

The certificate on the LDAP has to be changed by someone - it is not done automatically. Someone responsible for LDAP should (or have to ?) inform all consumers (firewall team) that the certificate is going to be changed.

Kind regards,
Jozko Mrkvicka
Durin
Contributor

Yes that is if routines is working as it should. But in a larger enterprise it can be a challenge.

Dor_Marcovitch
Advisor

If the ca is an enterprise ca and the dc has permissions this procedure happanes automaticly with auto enrollment. 

I still dont understand why they are using certificate pinning and not just trusting a root ca as pki is designed to.work.

(1)
Daniel_Westlund
Collaborator
Collaborator

I'm not sure that this doesn't happen automatically. I had a customer who had an ISP scheduled outage last night. When it came back up, they had intermittent issues which we ended up solving by refreshing the DCs fingerprints in the LDAP Account Unit in SmartConsole. I've had this issue come up several times with different customers in the past year, and never had it happen before. In every case, it doesn't seem like anyone updated this manually. I'm trying to find out why it changes, if there's a way to monitor it, and if there's a way to make it not break all authentication on the firewall when it does change?

0 Kudos
JozkoMrkvicka
Mentor
Mentor

You can also leave the fingerprint for all DCs blank. With that, the Check Point will not check the fingerprints, instead will accept everything. It is not the best security solution, but some organizations can accept that risk.

Kind regards,
Jozko Mrkvicka
JozkoMrkvicka
Mentor
Mentor

With R82 version, following feature should be available:

  • The LDAP Account Unit object now uses the LDAP server name and CA certificate for LDAP trust. The trust is automatically renewed if an administrator renews or replaces the LDAP server certificate. As a result, Check Point servers keep their connectivity to the LDAP server.
Kind regards,
Jozko Mrkvicka
Roman_Niewiado1
Contributor

You can also let the fingerprint field empty. Then it doesn´t matter, if the fingerprint changes.

Dor_Marcovitch
Advisor

and if i remove the fingerprint, does the FW perform validity checks on the certificate ? 

if the CA is an internal CA.. where do i put it's certificate to be trusted?

0 Kudos
XBensemhoun
Employee
Employee

The way to do so is:

cpopenssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | cpopenssl x509 -fingerprint -md5 -noout -in /dev/stdin

(found here and just adapted to cpopenssl) 

Information Security enthusiast, CISSP, CCSP
0 Kudos
David_C1
Advisor

You can also use the "test_ad_connectivity" command (at least in R80.40, I assume it is available in R80.30). Details are in the Identity Awareness Administration Guide in the Command Line Reference section. You can specify the fingerprint in the test. I used this to verify which DCs in our environment had different fingerprints than what I had configured in SmartConsole.

Dave

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events