So this wasn't documented in my admin guide nor mentioned here, so I thought I'd share. I was always wondering what restricted access to a cluster, as there wasn't any password or secret key. Turns out in the configuration->appliances, there is a Cluster CA that you can change. After talking to support, you can change this cert. Running from an appliance or a linux machine (I think I ran this off a linux machine), the following command was good to go. You'll have to give it a passphrase as well as fill out some cert stuff like OU, etc.
openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 -keyout newclustercakey.pem -out newclustercacert.pem
You'll get an output of two files which you should keep a close eye on. Then import these files by clicking on the change CA and importing the associated info plus the passphrase. It should be pushed out to all the members automatically. If a new machine is now going to be added to the Cluster, it first must have this CA imported. I usually configure a new appliance in a standalone mode, thus I import the cert at that point. I see it as just another layer of security in my setup. This shouldn't affect your SSL inspection setup, etc., as it is just for central management. If any of this is incorrect, support, please chime in, but hope it helps someone! Use this advice at your own risk, but just saying this worked just fine for me, after doing it on a test system and consulting with support.
Sorry for digging deep into the dust for this post, but I would like to know where to find more information in the documentation about this. I have a problem with an upgraded node and I think this is the root cause of my issue.
This is still NOT documented in 7.6.2.
If you do not change the Cluster CA certificate, everyone can set up a new Web Gateway and join your Web Gateway.
This will result in a complete overwrite of all defined rules, right?
If you have an existing cluster, and a new node tried to add your existing cluster nodes to its own cluster, this would fail.
Only a single node can be added to a cluster, and this must be done from the existing cluster. If a "malicious" new node somehow got added to the cluster, you would see it in the console. Additionally, this new node would inherit the admin login settings. So the existing admin would have the password, not the other admin.
If you had a single MWG1 (w/ default cluster ca), and a person setup a second MWG2 (w/ default cluster ca), and MWG2 added MWG1, then yes, MWG1 would receive whatever policy MWG2 had.
Let me know if this helps.
I have just opened a support call regarding this issue.
I have a slightly longer config/command to generate the certificate. I'd like this procedure confirmed by McAfee/Intel.
# clusterca.conf: passed to openssl req via -config (see the command below).
# openssl req requires the [ req ] and [ req_distinguished_name ] section
# headers; the DN section lists the prompts and defaults shown at generation time.
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
default_md = sha256

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = DE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = XX
localityName = Locality Name (eg, city)
localityName_default = Town
organizationName = Organization Name
organizationName_default = Company
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT
emailAddress = E-Mail Address
emailAddress_default = email@example.com
commonName = Common Name
commonName_default = New McAfee Web Gateway Cluster CA
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request (unused here: -x509 with -extensions v3_ca is a self-signed CA, not a CSR)
# basicConstraints = CA:false
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# subjectAltName = @alt_names

# Extensions to use when signing a CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 -keyout clustercakey.pem -out clustercacert.pem -config clusterca.conf
openssl rsa -in clustercakey.pem -out plain-key.pem
Import the cert/key on the single system.
Import the cert/key on the central management cluster node (will this be distributed to all nodes?).
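The two procedures in this thread (the one-line openssl command in the first post and the config-file variant just above) both produce a CA cert and an encrypted key, but neither shows how to check the result before it is pushed to every cluster member. The script below is an added example, not code from the thread or from McAfee: it generates the Cluster CA non-interactively with the same settings used above, then verifies that the certificate really carries CA:TRUE and is self-consistent, that the key on disk is passphrase-protected, and prints the SHA-256 fingerprint so you can confirm the same CA landed on each node. It assumes openssl(1) is on PATH; the file names, working directory and the passphrase default are this example's own choices, and the passphrase is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original thread): generate a custom Cluster CA
# with the settings used in the posts above, then verify it before importing
# it into Central Management. Assumes openssl(1) on PATH; paths and the
# default passphrase are constructed for this example.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_KEY="$WORKDIR/clustercakey.pem"
CA_CERT="$WORKDIR/clustercacert.pem"
CA_CONF="$WORKDIR/clusterca.conf"
CA_PASS="${CA_PASS:-example-passphrase}"   # placeholder; set CA_PASS to a real secret

# Non-interactive equivalent of the config in the post above (prompt = no,
# DN values filled in directly; keyUsage added so the CA is limited to signing).
write_config() {
  cat > "$CA_CONF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
default_md         = sha256
prompt             = no

[ req_distinguished_name ]
C  = DE
ST = XX
L  = Town
O  = Company
OU = IT
CN = New McAfee Web Gateway Cluster CA

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
EOF
}

# Same openssl invocation as the thread, with -passout so it needs no terminal.
generate_ca() {
  write_config
  openssl req -new -x509 -days 3650 -newkey rsa:2048 \
    -config "$CA_CONF" -extensions v3_ca \
    -keyout "$CA_KEY" -out "$CA_CERT" -passout "pass:$CA_PASS" 2>/dev/null
}

# Returns 0 only if the file is a currently valid CA certificate that verifies
# against itself (i.e. a self-signed CA and not, say, a server cert by mistake).
verify_ca_cert() {
  cert="$1"
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1
}

# Returns 0 only if the private key is stored passphrase-protected
# (the "openssl rsa -in ... -out plain-key.pem" step in the post removes this).
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# SHA-256 fingerprint of the CA: record it, then compare it on every node after
# Central Management has pushed the CA out.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

if [ "${1:-}" = "run" ]; then
  generate_ca
  verify_ca_cert "$CA_CERT" && key_is_encrypted "$CA_KEY" \
    && echo "Cluster CA OK, fingerprint: $(fingerprint "$CA_CERT")"
fi
```

Run it as `sh clusterca.sh run`; the key and cert are left in the temporary directory printed by mktemp (or in $WORKDIR if you set it). The fingerprint check is the part worth keeping: after the import, the same SHA-256 value under Configuration > Appliances on every member is the simplest evidence that the default CA is gone everywhere, and a node still showing a different fingerprint is one that would still accept a join from any appliance shipping the default CA.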
That's overkill! Just do it in the GUI under Policy > Settings > SSL Client content with CA, create a new setting for it, and click the "Generate" button and fill in the details (basically the same thing you just did).
This will pop out a CA crt and the corresponding key.
From now on you will need to import this certificate into any new MWG you have (this is what some customers struggle to understand). Yes, if you import it into the cluster, then it will be distributed.