Regenerating the User Database

When your encryption keys are corrupt and need to be regenerated, you might experience problems with the GUI crashing when you edit encryption keys. The GUI won't let you regenerate the encryption keys, of course.
Answer

The actual encryption keys are stored in $FWDIR/conf/fwauth.NDB (at least in FireWall-1 4.1 and earlier), which also happens to be the user database file. The only way I have been able to get out of this logjam so far is to basically delete and re-create fwauth.NDB. This is definitely not as easy as it sounds, especially if you have users in your user database. You also have to regenerate the encryption keys.
Here are the necessary steps to resolve this:

1. Make a list of the user groups you have created for your users. You will need it when you export and import the user database later on.

2. Quit any GUIs that are running. Run the following command, which exports your users to $FWDIR/conf/users.export:

   # fw dbexport -f users.export

3. Make backup copies of your user database and rulebase files:

   # cd $FWDIR/conf
   # cp fwauth.NDB fwauth.NDB.bak
   # cp rulebases.fws rulebases.fws.bak
   # mkdir bak
   # cp *.W bak

4. Remove your user database file:

   # rm fwauth.NDB

5. Go back into the GUI and recreate all the user groups. Quit the GUI when you are done.

6. Check which rulebase files (*.W, rulebases.fws) have been modified since you made the backups, and restore those files from the backups. Most likely, rulebases.fws will have been modified:

   # cp rulebases.fws.bak rulebases.fws

7. Re-import your user database as follows:

   # fw dbimport -r -v -f users.export

   If any errors pop up, you will need to manually massage users.export in a text editor. Keep massaging users.export and retrying the import until it succeeds.

8. Regenerate your FWZ CA and DH keys. This is necessary if you are using FWZ encryption. If your firewall object is called tinderbox, the commands would look like:

   # fw keygen -manage
   # fw keygen tinderbox

   If you manage other firewalls, you should regenerate their DH keys as well. For instance, if you manage fireplace and thewall, you would type:

   # fw keygen fireplace
   # fw keygen thewall

9. Regenerate your SKIP CA and DH keys. This is necessary if you are using SKIP encryption. If your firewall object is called tinderbox, the commands would look like:

   # fw keygen -s skip -manage
   # fw keygen -s skip tinderbox

   If you manage other firewalls, you should regenerate their DH keys as well. For instance, if you manage fireplace and thewall, you would type:

   # fw keygen -s skip fireplace
   # fw keygen -s skip thewall

10. Reload the GUI and install your security policy and user database on any firewalls you manage.
If you have VPN partners that you work with, they will have to refetch your CA and DH keys. SecuRemote users may have to delete and re-add the site.
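Steps 3 and 6 above are the ones where it is easy to lose a rulebase by restoring the wrong file or forgetting one. The following helper functions, an added example rather than anything from the original FAQ or from Check Point, perform the step 3 backup and then report and restore exactly the files that have changed since that backup. They assume the FireWall-1 4.1 layout the FAQ describes (rulebases.fws, *.W and fwauth.NDB in one conf directory) and rulebase file names without whitespace; point them at a scratch copy of $FWDIR/conf first if you want to see what they do.

```shell
#!/bin/sh
# Added example (not from the FAQ): backup and selective-restore helpers for
# the FireWall-1 4.1 conf directory. Only files under the given directory are
# touched. Assumes rulebase file names contain no whitespace.

# backup_conf DIR: step 3 of the FAQ. Copies the user database and the
# rulebase files to their backup locations inside DIR.
backup_conf() {
    dir=$1
    cp "$dir/fwauth.NDB" "$dir/fwauth.NDB.bak" || return 1
    cp "$dir/rulebases.fws" "$dir/rulebases.fws.bak" || return 1
    mkdir -p "$dir/bak" || return 1
    for w in "$dir"/*.W; do
        [ -f "$w" ] && cp "$w" "$dir/bak/"
    done
    return 0
}

# list_modified DIR: step 6 of the FAQ. Prints, one per line, every rulebase
# file that differs from (or is missing relative to) its step 3 backup.
# Prints nothing when everything still matches. Always returns 0.
list_modified() {
    dir=$1
    if ! cmp -s "$dir/rulebases.fws" "$dir/rulebases.fws.bak"; then
        echo rulebases.fws
    fi
    for b in "$dir"/bak/*.W; do
        [ -f "$b" ] || continue
        name=${b##*/}
        if ! cmp -s "$dir/$name" "$b"; then
            echo "$name"
        fi
    done
    return 0
}

# restore_modified DIR: puts back every file list_modified reports, taking
# rulebases.fws from rulebases.fws.bak and each *.W from bak/.
restore_modified() {
    dir=$1
    for name in $(list_modified "$dir"); do
        case $name in
            rulebases.fws) cp "$dir/rulebases.fws.bak" "$dir/rulebases.fws" ;;
            *)             cp "$dir/bak/$name" "$dir/$name" ;;
        esac
    done
}

# Typical use: backup_conf "$FWDIR/conf" before step 4, then after the GUI
# session in step 5: list_modified "$FWDIR/conf"; restore_modified "$FWDIR/conf"
```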
--
RobertGraham - 13 Feb 2004
FAQForm: FAQs.Class: EncryptionFAQs, TroubleshootingFAQs; FAQs.OS: ; FAQs.Version: