Update the ABRCA Root CA Certificate for the Content Analysis Appliance (Revised: November 3, 2021)

Article ID: 207138

Products

Content Analysis Software

Issue/Introduction

Note: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient. Content Analysis requires a software upgrade to do proper certificate validation during subscription downloads.

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. The new certificate will have an expiration date of December 31, 2037. 

The continued operation of your Content Analysis appliances requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update as soon as possible to allow for adequate testing and troubleshooting before the certificate expires.

IMPORTANT: Plan to update your Content Analysis appliances as soon as possible to allow time for testing and troubleshooting. If you fail to update the appliances in a timely manner, they might experience failures as described in "Consequences of an Expired Appliance Certificate" below. In this case, upgrade to a supported Content Analysis release by November 2021 and update the appliance certificate as described in the following Resolution.

Note: To update Content Analysis applications on Integrated Secure Gateway (ISG), refer to Integrated Secure Gateway Birth Registration Certificate Authority (ABRCA) Root CA Certificate Update for instructions.

Monitor this KB article for any updates. 

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, certain appliance-to-back-end communications flows that use the appliance certificate for authentication might stop working correctly, including:

  • Appliance certificate update
  • Licensing automatic update
  • Subscription updates
  • Diagnostics and Heartbeat uploads

Other issues, yet to be identified, might also occur. To prevent these issues from occurring, perform the applicable steps described below as soon as possible.


Recovery: What to Do If You Fail to Update Before the Certificate Expires

If you fail to update your Content Analysis appliances before the root CA expires in December 2021, the appliances might experience failures as described above. To renew the certificate, follow the steps described in the Resolution section below.

Resolution

To upgrade the ABRCA root certificate on the Content Analysis appliance:

  1. Upgrade Content Analysis to a supported release.
  2. Update the hardware or virtual appliance certificate.
  3. Verify the trust package.
  4. (Virtual appliances only) Verify the license.

Upgrade Content Analysis

Upgrade to a supported Content Analysis release; see the following table.

IMPORTANT: All Content Analysis appliances must be updated to a supported version. Any previous versions will not be supported after November 2021.

Supported Release: Content Analysis 2.4.2.1 and later on S200 hardware appliances
Release Date: June 11, 2021

Note: Content Analysis 2.4.2.0 was previously released with the updated ABRCA root CA certificate. Version 2.4.2.0 is no longer available and is superseded by version 2.4.2.1. If you are currently running Content Analysis 2.4.2.0 or any earlier release, please upgrade to version 2.4.2.1.

Supported Release: Content Analysis 3.1.2.4 and later on hardware appliances and virtual appliances
Release Date: July 1, 2021

Note: Content Analysis 3.1.2.2 was previously released with the updated ABRCA root CA certificate. For a better experience, please upgrade to version 3.1.2.4 instead.


Note: If you are currently running Content Analysis 3.0 with an expired license, you must perform additional steps before upgrading to version 3.1. See Upgrade Steps for Content Analysis 3.0.

For upgrade instructions, refer to KB169313. You can download the software package from the Broadcom download portal.


Update the Appliance Certificate 

Refer to the appropriate instructions to update the appliance certificate:


Update the Hardware Appliance Certificate

Note: Ensure that the appliance can access abrca.bluecoat.com for appliance certificate downloads.

To update the appliance certificate on a hardware appliance, log into the Content Analysis CLI and enter the following command:

    CAS# request-appliance-certificate
    ok

If the appliance is in a closed environment, see Update the Appliance Certificate in a Closed Environment.

Update the Virtual Appliance Certificate

Note: Ensure that the appliance can access abrca.bluecoat.com for appliance certificate downloads.

To update the appliance certificate on a virtual appliance (VA), log into the Content Analysis CLI and enter the following command:

    CAS(config)# licensing load username <username> password <password>
    ok

where <username> and <password> are your Broadcom licensing portal credentials.

If the appliance is in a closed environment, see Update the Appliance Certificate in a Closed Environment.

Update the Appliance Certificate in a Closed Environment

In a closed environment, you must manually download the license file and either host it on a file server that the appliance can access or install it inline.

To update the appliance certificate in a closed environment:

  1. Generate the license key from the Broadcom Support Portal following the instructions for Symantec products in KB145804. Specify a passphrase before generating the license key to ensure that the license includes appliance certificate information.
  2. Download the license key and put it on a file server the appliance can access.
  3. Install the license via the CLI using one of the following methods:

     Install from file server:

         CAS(config)# licensing load url <url> passphrase <passphrase>

     where <url> is the location of the file and <passphrase> is the passphrase you specified on the Support Portal.

     Install inline:

     Open the license file and copy its contents. Paste the contents using the following command.

         CAS(config)# licensing inline license-key passphrase <passphrase>

     where <passphrase> is the passphrase you specified on the Support Portal.


Verify the Trust Package

After upgrading, verify that an appropriate trust package is installed. Use the following command in the Content Analysis CLI:

    CAS# show ssl ca-certificate ABRCA_root

In the command output, look for the date beside 'valid-until'. The date should be December 31, 2037 or later.


Verify the License (Virtual Appliances Only)

If you are running a Content Analysis virtual appliance, confirm the application is using the new license file after the application has started.

To do this, in the Content Analysis CLI, view the bluecoat-appliance certificate details:

    # show ssl keyring bluecoat-appliance

In the output, check the CN= value of the certificate issuer; it should contain the string "Virtual Appliance Birth Certificate Intermediate CA".
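The three checks this article asks for, the supported-release minimums in the table above, the 'valid-until' date on ABRCA_root, and the issuer CN on the bluecoat-appliance keyring, are easy to misread by eye across many appliances. The following Python script is an added example and not Symantec or Broadcom code: it takes text captured from the CLI commands shown in this article and reports which appliances still need work. The "Key: value" layout of the captured output, the sample captures, the platform names and the appliance names are constructed assumptions, because the article does not document the exact output format; adapt parse_kv_output() to what your appliances actually print.

```python
"""Fleet-side checks for the verification points in this KB article.
Added example, not Symantec/Broadcom code. The 'Key: value' layout assumed for
captured CLI output is a guess; adapt parse_kv_output() to your appliances."""
import re
from datetime import date, datetime

# Thresholds stated in the article.
NEW_ROOT_VALID_UNTIL = date(2037, 12, 31)
VA_ISSUER_MARKER = "Virtual Appliance Birth Certificate Intermediate CA"

# Minimum supported releases from the article's table, keyed by an assumed platform label.
MIN_SUPPORTED = {
    "s200": (2, 4, 2, 1),      # Content Analysis 2.4.2.1 and later on S200 hardware
    "hardware": (3, 1, 2, 4),  # Content Analysis 3.1.2.4 and later on other hardware
    "va": (3, 1, 2, 4),        # Content Analysis 3.1.2.4 and later on virtual appliances
}
DATE_FORMATS = ("%Y-%m-%d", "%b %d %H:%M:%S %Y", "%b %d %Y", "%B %d, %Y")

def parse_version(text):
    """'3.1.2.4' -> (3, 1, 2, 4); missing trailing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0, 0])[:4])

def is_supported_release(version, platform):
    """True when the running release meets the table's minimum for that platform."""
    return parse_version(version) >= MIN_SUPPORTED[platform.lower()]

def parse_kv_output(text):
    """Turn 'Key: value' CLI lines into a dict with normalised keys (assumed layout)."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower().replace(" ", "-")] = value.strip()
    return fields

def find_field(fields, suffix):
    """Return the first value whose key ends with suffix (e.g. 'issuer'), or ''."""
    return next((v for k, v in fields.items() if k.endswith(suffix)), "")

def parse_date(text):
    """Parse the common date spellings; a trailing GMT/UTC marker is ignored."""
    cleaned = re.sub(r"\s*(GMT|UTC)\s*$", "", text.strip())
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(cleaned, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")

def check_trust_package(ca_output):
    """'show ssl ca-certificate ABRCA_root': valid-until must be 2037-12-31 or later."""
    raw = find_field(parse_kv_output(ca_output), "valid-until")
    if not raw:
        return False, "no valid-until field in ABRCA_root output"
    expiry = parse_date(raw)
    if expiry < NEW_ROOT_VALID_UNTIL:
        return False, f"old ABRCA root still installed (valid-until {expiry})"
    return True, f"new ABRCA root present (valid-until {expiry})"

def check_va_license(keyring_output):
    """'show ssl keyring bluecoat-appliance': issuer CN must name the VA intermediate CA."""
    issuer = find_field(parse_kv_output(keyring_output), "issuer")
    if VA_ISSUER_MARKER in issuer:
        return True, "bluecoat-appliance certificate issued by the new VA intermediate CA"
    return False, f"unexpected bluecoat-appliance issuer: {issuer or '<missing>'}"

def audit_appliance(name, platform, version, ca_output, keyring_output=""):
    """Run the article's checks for one appliance; an empty list means nothing to do."""
    findings = []
    if not is_supported_release(version, platform):
        findings.append(f"{name}: release {version} is below the supported minimum for {platform}")
    ok, detail = check_trust_package(ca_output)
    if not ok:
        findings.append(f"{name}: {detail}")
    if platform.lower() == "va":  # the license check applies to virtual appliances only
        ok, detail = check_va_license(keyring_output)
        if not ok:
            findings.append(f"{name}: {detail}")
    return findings

# Constructed sample captures (not real appliance output) so the script runs offline.
SAMPLE_CA_OLD = "Name: ABRCA_root\nValid-until: Dec 31 23:59:59 2021 GMT\n"
SAMPLE_CA_NEW = "Name: ABRCA_root\nValid-until: Dec 31 23:59:59 2037 GMT\n"
SAMPLE_KEYRING_NEW = ("Keyring: bluecoat-appliance\n"
                      "Certificate issuer: CN=Virtual Appliance Birth Certificate Intermediate CA, O=example\n")

if __name__ == "__main__":  # cas-lab-01 is a placeholder appliance name
    for finding in audit_appliance("cas-lab-02", "s200", "2.3.1.1", SAMPLE_CA_OLD):
        print(finding)
```

Run it once per appliance with the platform label, the running release, and the captured output of the two show commands; a non-empty findings list means the appliance is still on the old trust package, an unsupported release, or (for a VA) a license that does not carry the new appliance certificate.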

 

Upgrade Steps for Content Analysis 3.0 With an Expired License

If you are currently running Content Analysis 3.0 with an expired license, additional steps are required before upgrading to version 3.1. (If your license has not expired, or if you already upgraded from version 3.0 successfully, these steps are not required.)

To upgrade version 3.0 with an expired license, perform an appropriate workaround before updating the appliance certificate:

Workaround 1 - Downgrade to Content Analysis 2.x First

Perform these steps if a Content Analysis 2.x release is available in the list of currently installed systems for your appliance. This procedure requires a factory reset.

  1. Issue the following command line interface (CLI) command:
    CAS# restore-defaults factory-defaults
  2. Proceed with the reset process. When the system reinitializes, you can select a Content Analysis 2.x release as the default system to boot.
  3. Upgrade to a supported 3.1 release. Refer to the Content Analysis Release Notes for the supported upgrade path; one or more interim upgrades might be needed.


Workaround 2 - (Virtual Appliances Only) Recreate the Virtual Appliance Running Content Analysis 3.1

Before proceeding, make note of the VA serial number.

  1. Delete your current VA.
  2. Create a new VA using the same serial number and running version 3.1.2.4 or later.
    Refer to the Content Analysis Release Notes for the supported upgrade path; one or more interim upgrades might be needed.
  3. Retrieve a new license. See https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-1/va_intro/CAS_initial_config/license.html.

Workaround 3 - Purchase and Install a New License

Note: You require a valid appliance certificate to perform these steps.
Note: After December 2021, this procedure will not work for virtual appliances. 

  1. Contact your Symantec accounts team or point-of-contact to purchase a new license.
  2. Install the license. In the Management Console, select System > Licensing and click Download license from Symantec.
    If the appliance is in a closed environment, follow the instructions in Update the Appliance Certificate in a Closed Environment.
  3. Upgrade to a supported 3.1 release. Refer to the Content Analysis Release Notes for the supported upgrade path; one or more interim upgrades might be needed.