Hi, I used the new "Identity Tags" feature instead. cfr https://community.checkpoint.com/thread/8800-how-to-use-identity-awareness-tags-in-r8020m1 

Yes, it is pretty messy to get working.

I basically generated a self signed client certificate from the ISE web interface (Adminstration -> PXgrid Services -> Certificates).

Converted that p12 file to .jks with "keytool" (you need the Java SDK installed for that)

$ keytool -importkeystore -srckeystore win2016-1.lab.p12 -destkeystore client.jks -srcstoretype PKCS12
Importing keystore win2016-1.lab.p12 to client.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias win2016-1.lab_ successfully imported.

Also exported the pxgrid ISE certificate, converted that to DER with openssl

$ openssl x509 -outform der -in OUCertificateServicesSystemC.pem -out iselab.der

And then converted that to a .jks with Java Keytool:

$ keytool -import -alias ise.lab -keystore server.jks -file iselab.der
Enter keystore password:
Re-enter new password:
Owner: CN=ise.lab, OU=Certificate Services System Certificate
Issuer: CN=Certificate Services Endpoint Sub CA - ise
Serial number: 53b3e07890554133b93b0e9d3fb77d93
Valid from: Thu Nov 22 08:45:29 CET 2018 until: Thu Nov 23 08:45:24 CET 2028
Certificate fingerprints:
SHA1: 92:87:FA:0E:E5:62:1B:46:3A:15:00:13:3E:F1:7D:78:4D:78:F4:ED
SHA256: F2:F4:80:2F:DD:4B:6F:24:03:66:32:5A:6A:87:48:C1:DF:0B:CC:A1:ED:E3:80:94:AD:AA:BD:0B:40:7D:1B:41
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 7B AE 66 EA 2F 60 6F 61 FA 12 64 4E BF 74 52 FD ..f./`oa..dN.tR.
0010: 32 AD BE 88 2...
]
[CN=Certificate Services Node CA - ise]
SerialNumber: [ 1d51f5ee bb2445aa 9328ac72 6a7858a1]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
serverAuth
clientAuth
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 20 86 63 F5 C1 02 3F 1D 8D 45 41 74 15 A6 C4 48 .c...?..EAt...H
0010: 63 F5 31 41 c.1A
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore

I then used these certificates in the Identity Collector setup. You also have to "approve" the pxgrid client in ISE (also under "Pxgrid services" the first time it connects.

I had some issues to make it connect, but that was caused by the fact that I had not added the ISE to a query pool in Identity Collector. It will not connect if it is not part of a query pool...

Good luck,

Tom.

Thanks, now it's clear with certs, i was not aware that from pxgrid ISE certificate provided and was trying to use same cert for client/server.

Well the pxgrid api doc speaks of generating the client cert on the client, that probably will work as well but you definitely need a different cert for client and server...

Hi!

Is there a way to push the collector to connect to ise?

You need to create query pool for that..

I did, and also tied the query pool to the gateway. The collector and gateway are connected, but ISE does not show any attempts from the identity collector to connect, there are no pending requests... Now I did issue a client cert without CSR, I do not know if that matters...

Did you ever get your issue resolved?

I think we are in the same situation, I've created the client and server certificates (jks) and created the identity source and added it to a Query Pool, but no luck.

Wireshark shows that there is no trafik to or from our ISE.

Edit: Nevermind, hadn't installed JRE...

They will not support with generating certs on ISE for sure  as documentation state, "follow Cisco pxGrid documentation"

What i meant was help by TAC to get SXP-learned IP-SGT mappings into the CP IA blade, the certs for communication were configured successfully already - did you not read the original question ?

Well, I doubt Cisco TAC will want to help with the way a checkpoint product (identity collector) consumes SXP IP-SGT mappings. Also, this is a test lab setup for which I have no support contract... I was just hoping some of the checkpoint developers would be able to confirm if it is supported or not 😉

I have never talked of Cisco TAC here in community.checkpoint.com, but of CP TAC and can not understand why you do assume something else - but if you do not have any support contract and no CP customer in the back that needs this configured you are very well off and can just forget about this as an academic issue...

My mistake, when you say "TAC" I immediately think of Cisco TAC 😉

As i do nothing with Cisco, for me it is always CP TAC 😉

Does Identity Collector support IP-SGT mapping? 

The recommendation is to use GloudGuard Controller to import SGT-IP though REST API

Thanks for your reply, do we have any document or guide for this?

Thanks a lot for your big help, it is work😀