Update the ABRCA Root CA Certificate for the Integrated Secure Gateway (Revised: March 5, 2021)

Article ID: 207145

Products: ISG Proxy

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates used by Symantec products. This ABRCA root CA certificate for Integrated Secure Gateway (ISG) will expire on Dec 18 17:40:48 2021 GMT. When the root CA certificate expires, some features that use the appliance certificate for authentication will fail.  Additionally, when the root CA certificate expires, the intermediate CA for applications also expires.

IMPORTANT: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient. Content Analysis requires a software upgrade to do proper certificate validation during subscription downloads.

The continued operation of your ISG applications requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update by August 31, 2021.

Resolution

 

For ProxySG and Content Analysis Applications Running on ISG

If you are using ProxySG and/or Content Analysis applications on an ISG appliance, you previously loaded one or more license files into the license inventory.

Check each of these license files to ensure they were created after Dec 11, 2020.

Note: For ISG 2.1.1.1 and earlier, to determine the date the license files were created, look for the ActivationDate in the licensing components rather than Date Generated.

To check the license files creation dates, from the ISG CLI, use the command:

(config-licensing)# view id <license-id_or_serial_number>

If the Date Generated is "2020-12-11" or later, the license files are up to date.

If the Date Generated is earlier than "2020-12-11", then install a new license file, restart all the applications that are using this updated license file, and validate the license file.

Install a New License File

This section is only necessary if the Date Generated (or, on ISG 2.1.1.1 and earlier, the ActivationDate) of the license file is earlier than 2020-12-11.

To install a newer license file:

  1. In the ISG CLI, enter the following command and provide your myBroadcom password when prompted:

(config)# licensing load id <license-id_or_serial_number> username <myBroadcom-username>

Value for 'password': <myBroadcom_password>

  2. Restart the application by using the following commands:

(config)# application stop <application_name>

(config)# application start <application_name>

Validate the License File for ProxySG Applications

After the application has started, confirm the application is using the new license file:

In the ProxySG CLI, validate the license file date:

# show licenses

In the output, look for the Creation date and confirm that it is more recent than 2020-12-11.

In the ProxySG CLI, view the appliance-key certificate details:

# show ssl keyring appliance-key

In the output, check the CN= value from the Certificate issuer. The certificate should contain the string "Virtual Appliance Birth Certificate Intermediate CA".

Update the Trust Package for ProxySG Applications

The ProxySG trust package includes a list of trusted root CA certificates. Because ProxySG applications automatically download the latest trust package every seven days by default, your applications should have the latest trust package unless they were restricted from accessing appliance.bluecoat.com or the trust package auto-update settings were changed from their defaults.

 

Enable Automatic Trust Package Updates for ProxySG Applications

To enable or confirm automatic trust package updates, in the ProxySG CLI, use the following command:

#(config) security trust-package auto-update enable
ok

Command output indicates if the setting is already enabled. 

Verify the Trust Package

To verify if you have an appropriate trust package installed, in the ProxySG CLI, use the following command:

#show security trust-package 

In the command output, look for the date beside Creation time. If the date is "October 13, 2020" or later, no further steps are required for this appliance. 
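
The checks in this article (license Date Generated or ActivationDate, appliance-key issuer CN, trust package Creation time) and the root CA expiry date from the introduction can be audited together from captured CLI output. The following Python script is an added example written for this article, not Broadcom tooling or appliance code: the "label: value" layout of the CLI output, the constructed sample outputs and the function names are assumptions; the dates and the issuer CN string are the ones the article gives.

```python
"""Audit captured ISG / ProxySG CLI output against the thresholds in this article."""
import re
from datetime import date, datetime, timezone

# Thresholds and strings taken from the article.
LICENSE_MIN_DATE = date(2020, 12, 11)                    # license Date Generated must be on/after
TRUST_PKG_MIN_DATE = date(2020, 10, 13)                  # trust package Creation time must be on/after
ROOT_CA_EXPIRY_GMT = datetime(2021, 12, 18, 17, 40, 48)  # ABRCA root CA expiry (GMT)
REQUIRED_ISSUER_CN = "Virtual Appliance Birth Certificate Intermediate CA"
LAST_ISG_WITHOUT_DATE_GENERATED = (2, 1, 1, 1)  # ISG 2.1.1.1 and earlier show ActivationDate instead

_ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
_LONG_DATE = re.compile(r"[A-Z][a-z]+ \d{1,2},? \d{4}")


def parse_date(value):
    """Parse a date such as '2020-12-11' or 'October 13, 2020 09:00:00 GMT'."""
    m = _ISO_DATE.search(value)
    if m:
        return datetime.strptime(m.group(0), "%Y-%m-%d").date()
    m = _LONG_DATE.search(value)
    if m:
        text = m.group(0).replace(",", "")
        for fmt in ("%B %d %Y", "%b %d %Y"):
            try:
                return datetime.strptime(text, fmt).date()
            except ValueError:
                continue
    raise ValueError(f"no recognisable date in {value!r}")


def field(output, name):
    """Value after 'name:' in CLI output, or None. The 'label: value' layout is an assumption."""
    pattern = r"\b" + re.escape(name) + r"\s*[:=]?\s*(.+)$"
    m = re.search(pattern, output, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def license_generated_date(view_output, isg_version):
    """Generation date of the license; ISG 2.1.1.1 and earlier report ActivationDate instead."""
    legacy = version_tuple(isg_version) <= LAST_ISG_WITHOUT_DATE_GENERATED
    key = "ActivationDate" if legacy else "Date Generated"
    value = field(view_output, key)
    if value is None:
        raise ValueError(f"{key} not found in 'view id' output")
    return parse_date(value)


def license_needs_reinstall(view_output, isg_version):
    return license_generated_date(view_output, isg_version) < LICENSE_MIN_DATE


def trust_package_is_current(show_output):
    value = field(show_output, "Creation time")
    return value is not None and parse_date(value) >= TRUST_PKG_MIN_DATE


def issuer_cn(keyring_output):
    """CN= of the 'Certificate issuer' line of 'show ssl keyring appliance-key' (single-line DN assumed)."""
    value = field(keyring_output, "Certificate issuer")
    if value is None:
        return None
    m = re.search(r"CN\s*=\s*([^,/\n]+)", value)
    return m.group(1).strip() if m else None


def appliance_cert_on_new_chain(keyring_output):
    cn = issuer_cn(keyring_output)
    return cn is not None and REQUIRED_ISSUER_CN in cn


def days_until_root_ca_expiry(now_gmt=None):
    """Days left before the ABRCA root expires; now_gmt may be None, a datetime or an ISO string."""
    if isinstance(now_gmt, str):
        now_gmt = datetime.fromisoformat(now_gmt)
    now_gmt = now_gmt or datetime.now(timezone.utc).replace(tzinfo=None)
    return (ROOT_CA_EXPIRY_GMT - now_gmt).days


def audit(isg_version, license_view, trust_show, keyring_show, now_gmt=None):
    """Run every check and list the actions from the article that are still outstanding."""
    actions = []
    if license_needs_reinstall(license_view, isg_version):
        actions.append("load a new license file, restart the application, re-check show licenses")
    if not trust_package_is_current(trust_show):
        actions.append("load trust-package (set security trust-package download-path first if closed)")
    if not appliance_cert_on_new_chain(keyring_show):
        actions.append("appliance-key not issued by the new intermediate CA; request a new appliance certificate")
    return {"days_until_root_ca_expiry": days_until_root_ca_expiry(now_gmt), "actions": actions}


# Constructed sample output with an assumed layout; not real appliance output.
SAMPLE_LICENSE_VIEW = "License ID: 11112222\nDate Generated: 2020-06-02\nComponents: ProxySG, Content Analysis\n"
SAMPLE_LICENSE_VIEW_LEGACY = "License ID: 11112222\nComponents:\n  ProxySG   ActivationDate: 2021-01-15\n"
SAMPLE_TRUST_SHOW = "Trust package auto-update: enabled\nCreation time: October 13, 2020 09:00:00 GMT\n"
SAMPLE_KEYRING_SHOW = (
    "Keyring ID: appliance-key\n"
    "Certificate subject: C=US, O=Symantec Corporation, CN=0123456789\n"
    "Certificate issuer: C=US, O=Symantec Corporation, CN=" + REQUIRED_ISSUER_CN + "\n"
)

if __name__ == "__main__":
    print(audit("2.2.0.1", SAMPLE_LICENSE_VIEW, SAMPLE_TRUST_SHOW, SAMPLE_KEYRING_SHOW, "2021-08-31T00:00:00"))
```

Paste the real output of `view id`, `show security trust-package` and `show ssl keyring appliance-key` into the sample strings (or read them from files) and adjust `field` if your release prints the labels differently; the decision logic, including the ActivationDate fallback for ISG 2.1.1.1 and earlier, stays the same.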

Download the Trust Package Manually

This section is only necessary if verifying the trust package did not show a Creation time of October 13, 2020 or later.

To manually download the trust package, in the ProxySG CLI, use the following command:

#load trust-package
   Downloading from "http://appliance.bluecoat.com/sgos/trust_package.bctp"
   The trust package has been successfully downloaded.
   trust package successfully installed

After downloading the trust package, follow the instructions in Verify the Trust Package to ensure that the latest trust package is installed.

Update the Trust Package for ProxySG Applications in a Closed Environment

If the appliance is in a closed environment, you must download the trust package yourself and host it on a file server that the appliance can reach. Then, on the ProxySG application, set that server location as the trust-package download path and load the package:

  1. Download the trust package from http://appliance.bluecoat.com/sgos/trust_package.bctp.

  2. Save the trust package to a location on the local network that the appliance can access via HTTP.

  3. In the ProxySG CLI, specify the download URL and load the trust package:

#(config) security trust-package download-path <local_URL>
  ok
#(config) exit
# load trust-package
  Downloading from "http://your_domain/sgos/trust_package.bctp"
    The trust package has been successfully downloaded.
    trust package successfully installed

After loading, confirm the Creation time as described in Verify the Trust Package.

Upgrade Content Analysis

Upgrade to a supported Content Analysis release.

Release: Content Analysis 3.1.2.1
Anticipated release date: March 2021

Monitor this KB article for any updates to this release schedule. When the release is available, you can download the software package from the Broadcom download portal.

To upgrade your Content Analysis applications:

  1. Download the Content Analysis image to a location that the ISG can access.
  2. In the ISG CLI, stop the Content Analysis application:
    (config)# applications stop <application_name>
  3. Load the image onto the ISG:
    (config)# images load <image_location_URL>
  4. Retrieve the ID of the new image:
    (config)# images view
    Note the image ID.
  5. Upgrade the application:
    (config)# applications edit <application_name> image-id <new_image_id>
  6. Start the application:
    (config)# applications start <application_name>

After upgrading, verify that an appropriate trust package is installed. Use the following command in the Content Analysis CLI:

CAS# ssl trust-package view 

Trust package download completed. No update required

Consequences of an Expired Certificate

For the ISG, if the appliance certificate expires, the following issues will occur:

  • Inability to send diagnostic reports

  • Inability to send heartbeat reports

For ProxySG applications running on ISG, if the appliance certificate expires, the following issues will occur:

  • Subscription updates will fail

Other issues, yet to be identified, might also occur for both the ISG and its applications.