CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Nobody has so far managed to post any replies to this question, because it's a difficult one. Anyway... I am having some major problems with my Server Management. As per server migration from an old server to a new server I have followed all the procedures from Check Point SecureKnowledge, copying all $CPDIR and $FWDIR files accordingly. The problem arises with our SVN not working with certificates, with an error message of "Unable to contact Certificate Authority on Management Station. Please make sure the CA daemon is running". Any ideas or help would be greatly appreciated. Thanks
Hi, I should say that I am fairly new to Check Point myself and am swimming in the deep end, as it were, at the moment. But I will try and learn something as well, as I am about to move our management server to a new box as well (perhaps I have been set up for failure). I found this on the Check Point site which may help: https://secureknowledge.us.checkpoin...t.do?id=sk9962 If you can't get to it, it is essentially talking about resetting the SIC connections: run the command "fwm sic_reset" and then recreate the ICA. Note that in NG FP1 the command should be "fw sic_reset". Please let me know if this is helpful and so on, as I am stabbing in the dark a little. Cheers
Hi, I have not got access to these PDFs... I need to have an account with Check Point. Could you please email these PDFs to me at ali_17@hotmail.com. Cheers
Hi, It is not actually a PDF but a page display like what you find on TechNet. There is an option on the page to email the solution, so I have done that, but I suspect you may still need to log in to the Check Point site. So here is what it says:

Symptoms

- While trying to install a policy, an error message is received. Error: "add_ca_cert_hash: failed to get internal_ca object"
- While trying to edit the Management Server properties, an error message is received. Error: "Unable to contact Certificate Authority on the Management Station. Please make sure the Certificate Authority daemon is running."
- While trying to recreate the ICA, an error message is received. Error: "The generation of the Internal CA certificate failed. This node will not be able to perform certain VPN-1 operations that require this certificate."
- Error when clicking on "Set Default IKE Properties" on the Management Server object's properties. Error: "Default IKE was not completed successfully. The reason could be that a creation of a certificate was needed and was not successful."
- When clicking Get Topology under the Topology tab of the Management Server properties, an error is received. Error: "Trust has not been established. To complete this operation click Communities in the General tab". However, "Communities" is grayed out.

Cause

This problem is caused by an incomplete uninstall of previous FireWall-1 versions which left some info-files on the machine. That caused "cpconfig" not to create a new ICA.

Solution

Run the command "fwm sic_reset" and then recreate the ICA. Note that in NG FP1 the command should be "fw sic_reset". For more information, refer to the following solution.

The solution referred to above is this:

Symptoms

Error when trying to initialize the Certificate Authority. Error: "Failed to initialize the Certificate Authority because the system was unable to create a certificate for the Certificate Authority. Error number: -2. Try to initialize the Certificate Authority later again"

Solution

The fw sic_reset operation will reset Secure Internal Communication (SIC) on the Management Server. The internal Certificate Authority will be destroyed and Check Point components will not be able to communicate. The command syntax is: fw sic_reset. At the prompt, press 'y' to confirm the reset. This operation will stop all Check Point services (cpstop). To enable communication, perform the following operations:

1. Re-initialize the internal Certificate Authority (use cpconfig).
2. Restart Check Point services (cpstart).
3. Reset SIC on each Module that is managed by this Management Server.
4. Re-establish Trust with each Station that is managed by this Management Server.

NOTE: In NG FP2, the syntax should be 'fwm sic_reset'. To read more about how to resolve Internal CA problems in FireWall-1 NG FP2, please refer to the following solution.

If the above does not help, run: 'cpca_create -d -dn "O=test"' to manually create the CA. WARNING: THIS OPERATION WILL CAUSE YOUR FIREWALL-1 NG ENVIRONMENT TO FAIL. CONSIDER THE IMPLICATIONS VERY CAREFULLY BEFORE USING IT.

Hope that helps
Hello folks, I recently had the same issue, and had performed the advice from the posts above, as well as some other more adventurous attempts to remove any existing certificates suggested by the phoneboy bible. It did not, however, correct the problem; from what I could work out, the CA server itself was not operational. SIC was uninitialised between the enforcement module and Server, there was no DN, however we can burn rules to the gateway without problems (?). We ended up having to re-image the server from a tape backup to allow us to burn rules again after we ran the reset_SIC. The problem still exists and our next step is going to have to be re-installing SmartCenter Server from the CD to re-initialise the CA. The actual error we are getting is "Unable to contact CA on Management Server. Please make sure the CA daemon is running". Does anyone know what the name of the service is that runs this daemon? We have other customers running Check Point, have checked the services on these servers and can see nothing different.... I believe the problem is caused by the CA being tied to the hardware/MAC or something, however this is just a guess. Does anyone have any ideas, or maybe guidance if I am way off track? Anyway, any ideas or advice that could prevent me from re-installing would be helpful. Thanks :)
What would be good is to back up the Management Station without much user intervention, like an automated process for the management station. This means not using the export_tool. Any ideas, folks?
Hi, please advise me step by step: 1. Where would I find the export_tool? 2. Do I run the export tool on the management server? 3. Scripts: I have no ideas... please help me with examples of existing scripts if possible.
Well, I guess you knew about the export_tool since you brought it up. But basically you look on your Check Point CD under D:\windows and grab all the files in the root of this directory:

568 checkpoint_ca_cert.cer
65,631 cpwget.exe
456,192 cygwin1.dll
124,928 gtar.exe
18,335 gtar-Copying.txt
48,640 gzip.exe
18,321 gzip-Copying.txt
7,548 Inspect.C
401,462 MSVCP60.DLL
278,581 MSVCRT.DLL
479,361 pre_upgrade_verifier.exe
1,770 TRANS.TBL
41,088 updates_download_helper.exe
90,231 upgrade_export.exe
856,183 upgrade_import.exe
872,567 verify_package.exe

These are all the files you need, and as you can see there is a command line exe called upgrade_export.exe. How you use it: http://www.checkpoint.com/techsuppor...and_Import.pdf If you want to back up your file config etc., including the users and rule base, then yes, run it on the management server. Anything that you do on a command line can be scripted, in basic terms. There are plenty of forums on scripting and batch files. Once you're comfortable doing the above manually, then try and script it.
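The post above leaves "script it" as an exercise; the following PowerShell script is an added example of what that looks like, written for this page and not taken from the thread or from Check Point. It runs the CD's upgrade_export.exe unattended (the kind of hands-off management-station backup asked for earlier in the thread), checks the exit code and that an archive was actually produced, records a SHA-256 next to the archive so a later restore can tell a truncated or altered copy from a good one, and keeps only the newest few runs. Assumptions, labelled as such: the tools directory and backup root are placeholder paths, and upgrade_export is invoked with a single argument, the output file name, producing <name>.tgz; check the usage text of your own version before scheduling this.

```powershell
<#
  Added example, not from this thread or from Check Point.
  Unattended backup of a SmartCenter management station with upgrade_export.exe.
  Assumptions: $ToolsDir holds the files copied from the CD's D:\windows root;
  upgrade_export takes one argument (the output file name) and writes <name>.tgz;
  the script runs from a scheduled task as a local administrator on the management server.
#>
param(
    [string]$ToolsDir   = 'C:\CheckPoint\upgrade_tools',  # assumed path: where the CD files were copied
    [string]$BackupRoot = 'D:\Backups\SmartCenter',        # assumed path: where archives are written
    [int]   $Keep       = 7                                # number of archives to retain
)

$ErrorActionPreference = 'Stop'

$exe = Join-Path $ToolsDir 'upgrade_export.exe'
if (-not (Test-Path $exe)) { throw "upgrade_export.exe not found under $ToolsDir" }
New-Item -ItemType Directory -Force -Path $BackupRoot | Out-Null

# One file stem per run: host name plus timestamp, so runs never overwrite each other.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$base    = Join-Path $BackupRoot ("mgmt-{0}-{1}" -f $env:COMPUTERNAME, $stamp)
$archive = "$base.tgz"
$logFile = "$base.log"

# Run the export and keep its console output as a per-run log for later review.
& $exe $base | Out-File -FilePath $logFile -Encoding ascii
if ($LASTEXITCODE -ne 0) {
    throw "upgrade_export exited with code $LASTEXITCODE; see $logFile"
}

# A zero exit code is not proof of a usable archive: confirm the file exists and is non-empty.
if (-not (Test-Path $archive) -or (Get-Item $archive).Length -eq 0) {
    throw "upgrade_export reported success but $archive is missing or empty"
}

# Store a SHA-256 beside the archive so a restore can verify the copy it received
# (Get-FileHash requires PowerShell 4 or later).
$hash = Get-FileHash -Path $archive -Algorithm SHA256
"$($hash.Hash)  $(Split-Path $archive -Leaf)" | Out-File -FilePath "$base.sha256" -Encoding ascii

# Rotation: keep the newest $Keep archives and their .log/.sha256 companions, remove older runs.
Get-ChildItem -Path $BackupRoot -Filter 'mgmt-*.tgz' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip $Keep |
    ForEach-Object {
        $stem = Join-Path $BackupRoot $_.BaseName   # BaseName drops the .tgz extension
        Remove-Item -Path "$stem.tgz", "$stem.log", "$stem.sha256" -ErrorAction SilentlyContinue
    }

Write-Output "Backup written: $archive"
```

The archive contains the management configuration, users and rule base, so treat the backup folder with the same access restrictions as the management server itself and copy each run to a second system; a backup that only lives on the box it protects does not help when that box has to be re-imaged, which is exactly the situation described earlier in this thread.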
Hi again, can anyone give me any ideas as to why making a Ghost image and installing this on a new server would cause these problems? The only difference would be the MAC address... Our next step is to do the export, cpclean, then re-install SmartCenter Server and import the data back again to have a fresh copy of the CA. Hopefully this fixes the problem, however I would like to know what the cause of this problem is and any workaround, if anyone can help... :) Cheers.