This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Garrett_DirSec
Advisor
‎2022-03-23 10:47 AM

ICA issues with multiple "cn=cp_mgmt" certs and how this affect R81+ platform

Hello -- I have encountered various instances of the "certificate revoked" issue for a SmartConsole connecting to a newly upgraded R81 SmartCenter.    The issue happened to be ICA having issued multiple "cn=cp_mgmt" certs -- all valid -- for same smartcenter host.

I was surprised to encounter a customer environment with SmartCenter running default ISO R81, had TEN valid "cn=cp_mgmt" certs, upgraded from R77xx, and was NOT exhibiting the "certificate revoked" SmartCopnsole connect issue, 

We upgraded environment (including distributed gateways) to R81.10 with Jumbo GA take 30.    ICA and "cn=cp_mgmt" underlying issue not resolved.    Since this is known issue (SK169553  ), I figured that Checkpoint would adddress via hotfix and/or manager rev upgrade.

While we investigated another annoying problem with R81.10 breaking connectivity for LDAP account unit (and thus ADQuery), I checked on multiple "cn=cp_mgmt" certs and surprised to see multiple (in this case:  ten valid certs,  there should be only ONE).

Since the R81.10 (and subsequent R81 jumbos) not fixing this issue behind the scenes, what are the ramifications and potential issues customer would experience (other than "certificate revoked" in SmartConsole)?

What are the potential issues Checkpoint community will experience with potentially large number of customers have this issue and many unaware?

 

 

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2022-03-28 05:15 PM

There are two issues I see here:

  • The fact we generated more than one valid management cert
  • The fact there are "certificate revoked" and similar messages when there is more than one valid management cert

The first issue could have already been fixed in the JHF.
The second, which is probably caused by the first issue, might be difficult to clean up in an automated fashion without other side effects, which is probably why it's not in a JHF.

That's just my take, of course.

0 Kudos
Juan_
Collaborator
‎2022-03-29 05:36 AM

I've seen this issue many times in R80.20+.

With different symptoms but always quite easy to discover:

  • Customer sees a new fingerprint
  • Customer sees certificate revoked and can't login
  • Customer can log in but SIC is lost to gw
  • Customer can log in, GWs look "connected" but then you can't push policy
  • Errors opening gateway objects

All in all, its always been easy to fix recreating the the sic cert as per the sk you are sharing.

But am not sure what causes the issue or why it happens.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events