9 Replies Latest reply on Jul 22, 2016 8:55 AM by rainer.tammer

    Cluster CA

      So this wasn't documented in my admin guide nor mentioned here, so I thought I'd share.  I was always wondering what restricted access to a cluster, as there wasn't any password or secret key.  Turns out in the configuration->appliances, there is a Cluster CA that you can change.  After talking to support, you can change this cert.  Running from an appliance or a linux machine (I think I ran this off a linux machine), the following command was good to go.  You'll have to give it a passphrase as well as fill out some cert stuff like OU, etc.

       

         openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 -keyout newclustercakey.pem -out newclustercacert.pem

       

       

      You'll get an output of two files which you should keep a close eye on.  Then import these files by clicking on the change CA and importing the associated info plus the passphrase.  It should be pushed out to all the members automatically. If a new machine is now going to be added to the Cluster, it first must have this CA imported. I usually configure a new appliance in a standalone mode, thus I import the cert at that point.  I see it as just another layer of security in my setup.  This shouldn't affect your SSL inspection setup, etc, as it is just for central management.  If any of this is incorrect support please chime in, but hope it helps someone!  Use this advice at your own risk, but just saying this worked just fine for me, after doing it on a test system and consulting with support.  

      11-23-2011 8-55-25 AM.jpg

      11-23-2011 8-55-52 AM.jpg

        • 1. Re: Cluster CA
          asabban

          Hello,

           

          thanks for sharing the information. I have contacted our documentation team to find out/make sure this is/will be part of the documentation.

           

          Best,

          Andre

          • 2. Re: Cluster CA
            asabban

            Hello,

             

            FYI we will put this information into the official documentation with one of the next releases. Thanks again for sharing.

             

            Best,

            Andre

            • 3. Re: Cluster CA
              belvincent

              Hi asabban,

               

              Sorry for digging deep into the dust for this post, but I would like to know where to find more information in the documentation about this. I have a problem with an upgraded node and I think this is the root cause of my issue.

               

              Thanks,

               

               

              Vincent Bel

              • 4. Re: Cluster CA
                rainer.tammer

                Hello,

                This is still NOT documented in 7.6.2.

                 

                If you do not change the Cluster CA certificate everyone can setup a new Web gateway and join your Web Gateway.

                This will result in a complete overwrite of all defined rules, right?

                 

                Bye

                  Rainer Tammer

                • 5. Re: Cluster CA
                  Jon Scholten

                  Hi Rainer,

                   

                  If you have an existing cluster, and a new node tried to add your existing cluster nodes to it's own cluster, this would fail.

                   

                  Only a single node can be added to a cluster, and this must be done from the existing cluster. If a "malicious" new node somehow got added to the cluster, you would see it in the console. Additionally this new node would inherit the admin login settings. So the existing admin would have the password, not the other admin.

                   

                  If you had a single MWG1 (w/ default cluster ca), and a person setup a second MWG2 (w/ default cluster ca), and MWG2 added MWG1, then yes, MWG1 would receive whatever policy MWG2 had.

                   

                  Let me know if this helps.

                   

                  Best Regards,

                  Jon

                  • 6. Re: Cluster CA
                    rainer.tammer

                    Hello,

                    I have just opened a support call regarding this issue.

                     

                    I have a slightly longer config/command to generate the certificate. I like this procedure confirmed by McAfee/intel.

                     

                    ---clusterca.conf----

                    [req]

                    distinguished_name = req_distinguished_name

                    req_extensions = v3_req

                    default_md     = sha256

                     

                    [req_distinguished_name]

                    countryName = Country Name (2 letter code)

                    countryName_default = DE

                    stateOrProvinceName = State or Province Name (full name)

                    stateOrProvinceName_default = XX

                    localityName = Locality Name (eg, city)

                    localityName_default = Town

                    organizationName = Organization Name

                    organizationName_default = Company

                    organizationalUnitName = Organizational Unit Name (eg, section)

                    organizationalUnitName_default = IT

                    emailAddress = E-Mail Address

                    emailAddress_default = email@mail.something

                    commonName = Common Name

                    commonName_default = New McAfee Web Gateway Cluster CA

                    commonName_max = 64

                     

                    [ v3_req ]

                    # Extensions to add to a certificate request

                    # basicConstraints = CA:false

                    # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

                    # subjectAltName = @alt_names

                     

                    ####################################################################

                    # Extensions to use when signing a CA

                    [ v3_ca ]

                    subjectKeyIdentifier = hash

                    authorityKeyIdentifier = keyid:always,issuer:always

                    basicConstraints = CA:true

                    subjectAltName=email:move

                     

                    ---clusterca.conf----

                     

                     

                    openssl req -new -x509 -days 3650 -extensions v3_ca -newkey rsa:2048 -keyout clustercakey.pem -out clustercacert.pem -config clusterca.conf

                    openssl rsa -in clustercakey.pem -out plain-key.pem

                     

                    Import the cert/key on the single system.

                    Import the cert/key on the central management cluster node (will this be distributed to all nodes?).

                     

                    Bye

                      Rainer

                    • 7. Re: Cluster CA
                      Jon Scholten

                      Hi Rainer!

                       

                      That's overkill! Just do it in the GUI under Policy > Settings > SSL Client content with CA, create a new setting for it, and click the "Generate" button and fill in the details (basically the same thing you just did).

                       

                      This will pop out a CA crt and the corresponding key.

                       

                      From now on you will need to import this certificate into any new MWG you have (this is what some customers struggle to understand). Yes, if you import it into the cluster, then it will be distributed.

                       

                      2016-07-14_074122.png

                       

                      Best Regards,

                      Jon

                      1 of 1 people found this helpful
                      • 8. Re: Cluster CA
                        rainer.tammer

                        Hello,

                        I can check this method.

                         

                        Bye

                          Rainer

                        • 9. Re: Cluster CA
                          rainer.tammer

                          Hello,

                          The description from