
Cluster CA

So this wasn't documented in my admin guide nor mentioned here, so I thought I'd share.  I was always wondering what restricted access to a cluster, as there wasn't any password or secret key.  Turns out in the configuration->appliances, there is a Cluster CA that you can change.  After talking to support, you can change this cert.  Running from an appliance or a Linux machine (I think I ran this off a Linux machine), the following command was good to go.  You'll have to give it a passphrase as well as fill out some cert stuff like OU, etc.

   openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 -keyout newclustercakey.pem -out newclustercacert.pem

You'll get an output of two files which you should keep a close eye on.  Then import these files by clicking on the change CA and importing the associated info plus the passphrase.  It should be pushed out to all the members automatically. If a new machine is now going to be added to the Cluster, it first must have this CA imported. I usually configure a new appliance in standalone mode, thus I import the cert at that point.  I see it as just another layer of security in my setup.  This shouldn't affect your SSL inspection setup, etc., as it is just for central management.  If any of this is incorrect, support please chime in, but hope it helps someone!  Use this advice at your own risk, but just saying this worked just fine for me, after doing it on a test system and consulting with support.


9 Replies
asabban
Level 17

Re: Cluster CA

Hello,

Thanks for sharing the information. I have contacted our documentation team to find out/make sure this is/will be part of the documentation.

Best,

Andre

0 Kudos
asabban
Level 17

Re: Cluster CA

Hello,

FYI we will put this information into the official documentation with one of the next releases. Thanks again for sharing.

Best,

Andre

0 Kudos
belvincent
Level 9

Re: Cluster CA

Hi asabban,

Sorry for digging deep into the dust for this post, but I would like to know where to find more information in the documentation about this. I have a problem with an upgraded node and I think this is the root cause of my issue.

Thanks,

Vincent Bel

0 Kudos

Re: Cluster CA

Hello,

This is still NOT documented in 7.6.2.

If you do not change the Cluster CA certificate, anyone can set up a new Web Gateway and join your Web Gateway.

This will result in a complete overwrite of all defined rules, right?

Bye

  Rainer Tammer

0 Kudos
McAfee Employee

Re: Cluster CA

Hi Rainer,

If you have an existing cluster, and a new node tries to add your existing cluster nodes to its own cluster, this would fail.

Only a single node can be added to a cluster, and this must be done from the existing cluster. If a "malicious" new node somehow got added to the cluster, you would see it in the console. Additionally this new node would inherit the admin login settings. So the existing admin would have the password, not the other admin.

If you had a single MWG1 (w/ default cluster CA), and a person set up a second MWG2 (w/ default cluster CA), and MWG2 added MWG1, then yes, MWG1 would receive whatever policy MWG2 had.

Let me know if this helps.

Best Regards,

Jon

0 Kudos

Re: Cluster CA

Hello,

I have just opened a support call regarding this issue.

I have a slightly longer config/command to generate the certificate. I would like this procedure confirmed by McAfee/Intel.

---clusterca.conf----

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
default_md     = sha256

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = XX
localityName = Locality Name (eg, city)
localityName_default = Town
organizationName = Organization Name
organizationName_default = Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
emailAddress = E-Mail Address
emailAddress_default = email@mail.something
commonName = Common Name
commonName_default = New McAfee Web Gateway Cluster CA
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
# basicConstraints = CA:false
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# subjectAltName = @alt_names

####################################################################
# Extensions to use when signing a CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
subjectAltName=email:move

---clusterca.conf----

openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 -keyout clustercakey.pem -out clustercacert.pem -config clusterca.conf

openssl rsa -in clustercakey.pem -out plain-key.pem

Import the cert/key on the single system.

Import the cert/key on the central management cluster node (will this be distributed to all nodes?).

Bye

  Rainer

0 Kudos
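The openssl procedure from the first post and from Rainer's reply above, as an added, self-checking script (this is not code from the thread or from McAfee): it generates a replacement cluster CA non-interactively from an inline config, confirms the result really is a self-signed CA certificate before anyone imports it, and prints the SHA-256 fingerprint so the same CA can be confirmed on every node after it has been pushed out. It assumes openssl is on PATH; the subject fields, file names and passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build and sanity-check a cluster CA.
# Assumes openssl on PATH; subject, file names and passphrase are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_KEY="$WORK/clustercakey.pem"
CA_CERT="$WORK/clustercacert.pem"

# Write the openssl config; with -x509 only the v3_ca section is applied.
write_config() {
    cat > "$WORK/clusterca.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
default_md = sha256
prompt = no
[req_distinguished_name]
C = DE
O = Example Company
OU = IT
CN = New Web Gateway Cluster CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Generate a 10-year self-signed CA; the private key is encrypted with $1.
gen_ca() {
    write_config
    openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 \
        -passout "pass:$1" -keyout "$CA_KEY" -out "$CA_CERT" \
        -config "$WORK/clusterca.conf" 2>/dev/null
}

# Return 0 only if the cert carries CA:TRUE and verifies against itself.
check_ca() {
    openssl x509 -in "$CA_CERT" -noout -text | grep -q 'CA:TRUE' &&
    openssl verify -CAfile "$CA_CERT" "$CA_CERT" >/dev/null 2>&1
}

# SHA-256 fingerprint to compare on each node once the CA has been distributed.
fingerprint() {
    openssl x509 -in "$CA_CERT" -noout -fingerprint -sha256 | cut -d= -f2
}

gen_ca "changeme-passphrase"
check_ca && echo "cluster CA ok, fingerprint: $(fingerprint)"
```

Keep the encrypted key and the passphrase together with the same care as the appliance admin credentials, since whoever holds them can issue cluster membership.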
McAfee Employee

Re: Cluster CA

Hi Rainer!

That's overkill! Just do it in the GUI under Policy > Settings > SSL Client content with CA, create a new setting for it, and click the "Generate" button and fill in the details (basically the same thing you just did).

This will pop out a CA crt and the corresponding key.

From now on you will need to import this certificate into any new MWG you have (this is what some customers struggle to understand). Yes, if you import it into the cluster, then it will be distributed.


Best Regards,

Jon

Re: Cluster CA

Hello,

I can check this method.

Bye

  Rainer

0 Kudos

Re: Cluster CA

Hello,

The description from

0 Kudos