
Messaging Gateway 10.6.5 and earlier cannot download rules or software updates


Article ID: 189124


Updated On:

Products

Messaging Gateway, Messaging Gateway for Service Providers

Issue/Introduction

The server certificates for the rule update servers used by Messaging Gateway and Messaging Gateway for Service Providers will be renewed on May 1, 2020. Following the server certificate change, neither SMG 10.6.5 and earlier nor SMG-SP will be able to access rule updates or SMG software updates from the aztec.brightmail.com or swupdate.brightmail.com servers.

You will see an error, "Connection error 60: SSL certificate problem: unable to get local issuer certificate" when trying to install a license file or download definitions.

Cause

The new server certificates are signed with a certificate authority certificate which is not trusted by SMG 10.6.5 or earlier or by SMG-SP.

Legacy versions of the Brightmail products do not have access to the Certificate Authority certificates (i.e. "Digicert" CA) that are being used to sign the certificates that are being deployed on the migrated servers. This will result in connection failures when the SMG attempts to establish sessions with the Broadcom servers.

Environment

Release: SMG 10.6.5 or earlier, SMG-SP systems which have not updated their trusted CA bundle

Resolution

SMG

After the certificate change there is no resolution for SMG versions 10.6.5 or earlier. Customers attempting to update following the server certificate change will need to do a clean install of a supported SMG release (10.7.x) and re-enter any custom rules or groups which have been created.

Due to schema changes, there is no supported mechanism by which a backup of 10.6.5 or earlier can be imported into an SMG 10.7 installation. Some configuration entities such as Certificates, Trusted Certificate Authorities, Application / API certificates and Good / Bad Senders lists can be exported from earlier releases and imported into SMG 10.7.

SMG-SP

Messaging Gateway for Service Providers may be updated to use the new trusted certificate authority bundle (trusted.cert.gz) attached to this knowledge base as follows:

  1. Download the attached trusted.cert.gz file from this knowledge base.
  2. For each scanner:
    1. Upload the file to the /opt/symantec/smg-sp/Scanner/etc directory. If you have installed to a different location, the trusted.cert.gz file will need to be uploaded to the Scanner/etc directory for your SMG-SP installation.
    2. Log into the SMG-SP host and move to the Scanner/etc directory for your installation.
    3. Back up the existing trusted.cert file:
      cp trusted.cert trusted.cert-original
    4. Decompress the new trusted.cert file:
      gzip -k -d trusted.cert.gz
      You may see a warning that the trusted.cert file exists. This warning may be ignored.
    5. Restart the SMG-SP services:
      service mailwall restart
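
The backup and decompress steps above (3 and 4) can be wrapped in a shell function that tests the archive and checks the decompressed bundle before it replaces the live trusted.cert. This is an added example, not part of the original article and not a Broadcom-supplied tool. The function names `count_pem_certs` and `install_trusted_bundle` are hypothetical; the check looks at PEM markers only, and the file is written through a temporary copy rather than decompressed in place.

```bash
#!/usr/bin/env bash
# Added example: hypothetical helper functions, not a Broadcom-supplied tool.
# Usage: install_trusted_bundle ./trusted.cert.gz /opt/symantec/smg-sp/Scanner/etc

# Print the number of PEM certificate blocks in a file (0 if none).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

install_trusted_bundle() {
    local archive="$1" etc_dir="$2" tmp begins ends
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
    [ -d "$etc_dir" ] || { echo "missing directory: $etc_dir" >&2; return 1; }

    # Reject a truncated or corrupted download before touching the live file.
    gzip -t "$archive" 2>/dev/null || { echo "gzip integrity test failed" >&2; return 2; }

    # Decompress beside the target, not over it, so a bad bundle never goes live.
    tmp="$(mktemp "$etc_dir/trusted.cert.new.XXXXXX")" || return 1
    gzip -dc "$archive" > "$tmp" || { rm -f "$tmp"; return 2; }

    # A usable bundle has at least one certificate and balanced BEGIN/END markers.
    begins="$(count_pem_certs "$tmp")"
    ends="$(grep -c -e '-----END CERTIFICATE-----' "$tmp" || true)"
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "bundle looks malformed (BEGIN=$begins END=$ends)" >&2
        rm -f "$tmp"; return 3
    fi

    # Step 3: back up the current file, without clobbering an earlier backup.
    if [ -f "$etc_dir/trusted.cert" ] && [ ! -e "$etc_dir/trusted.cert-original" ]; then
        cp -p "$etc_dir/trusted.cert" "$etc_dir/trusted.cert-original" \
            || { rm -f "$tmp"; return 1; }
    fi

    # Copying over the existing file keeps its owner and mode for the scanner.
    cp "$tmp" "$etc_dir/trusted.cert" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo "installed; restart with: service mailwall restart" >&2
    echo "$begins"   # certificate count on stdout for logging
}
```

A non-zero return leaves the existing trusted.cert untouched, so the service restart in step 5 should only follow a successful run.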

Attachments

1587402960605__trusted.cert.gz