search cancel

Update the ABRCA Root CA Certificate for the Integrated Secure Gateway (Revised: November 3, 2021)

book

Article ID: 207145

calendar_today

Updated On:

Products

ISG Proxy

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates used by Symantec products. This ABRCA root CA certificate for Integrated Secure Gateway (ISG) will expire on Dec 18 17:40:48 2021 GMT. When the root CA certificate expires, some features that use the appliance certificate for authentication will fail.  Additionally, when the root CA certificate expires, the intermediate CA for applications also expires.

IMPORTANT: The information in this article has changed. After additional testing, it was discovered that manually updating the trust package and appliance certificate was not sufficient. Content Analysis requires a software upgrade to do proper certificate validation during subscription downloads.

The continued operation of your ISG applications requires that you complete the following actions in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update in a timely manner.

Resolution

For ProxySG Applications Running on ISG

This section provides information on supported versions of SGOS, and steps for updating and verifying trust packages and license files for ProxySG applications.

Upgrade the ProxySG Applications

Upgrade your ProxySG applications to a supported SGOS release.

Supported SGOS Versions Release Date
6.7.5.12 and later 6.7.x releases June 2021
7.2.7.2 and later 7.2.x releases June 2021
7.3.3.3 and later 7.3.x releases June 2021

Monitor this KB article for any updates to this release schedule. When the release is available, you can download the software package from the Broadcom download portal.

To upgrade your ProxySG applications, see the steps in the “Update an Application Software Version” section of this article.

Update the Trust Package for ProxySG Applications

The ProxySG trust package includes a list of trusted root CA certificates. Because ProxySG applications automatically download the latest trust package every seven days by default, your applications should have the latest trust package unless they were restricted from accessing appliance.bluecoat.com or the trust package auto-update settings were changed from their defaults.

Verify the ProxySG Trust Package

To verify if you have an appropriate trust package installed, in the ProxySG CLI, use the following command:

#show ssl summary ca-certificate ABRCA_root
Certificate ID:           ABRCA_root

Certificate Issuer:       Blue Coat Systems, Inc.

Valid from:               Sep 11 00:04:16 2020 GMT

Valid to:                 Dec 31 00:04:16 2037 GMT

Thumbprint:               B7:C6:E2:0F:35:64:1E:E5:D3:FC:CA:3F:A8:B5:79:12 

In the command output, look for the date beside 'Valid to'. The date should be December 31, 2037 or later. If the #show ssl summary ca-certificate ABRCA_root command shows an older 'Valid from' date, update the trust package manually; see the following instructions.

Download the ProxySG Trust Package Manually

This section is only necessary if you verified the trust package was not dated December 31, 2037 or later.

To manually download the trust package, in the ProxySG CLI, use the following command:

#load trust-package
   Downloading from "http://appliance.bluecoat.com/sgos/trust_package.bctp"
   The trust package has been successfully downloaded.
   trust package successfully installed

After downloading the trust package, follow the instructions in the "Verify the ProxySG Trust Package" section of this article to ensure that the latest trust package is installed.

Update the Trust Package for ProxySG Applications in a Closed Environment

If the appliance is in a closed environment, you must manually download the trust package and host it on a file server that the appliance can access. Then, on the ProxySG application, specify this file server location in the load trust-package command: 

  1. Download the trust package from  http://appliance.bluecoat.com/sgos/trust_package.bctp.

  2. Save the trust package to a location in the local network that the appliance can access via HTTP.

  3. In the ProxySG CLI, specify the download URL and load the trust package:

# (config) security trust-package download-path <local_URL>
  ok
#(config) exit
# load trust-package
  Downloading from "http://your_domain/sgos/trust_package.bctp"
    The trust package has been successfully downloaded.
  trust package successfully installed

Enable Automatic Trust Package Updates for ProxySG Applications

To enable or confirm automatic trust package updates, in the ProxySG CLI, use the following command:

#(config)security trust-package auto-update enable
ok

Command output indicates if the setting is already enabled. 

Verify ProxySG License Files are Up to Date

If you are using ProxySG applications on an ISG appliance, you would have previously loaded one or more license files into the license inventory.

To ensure the license files are valid and up to date, see the  “Validate and Update an Application License File” section of this article.

Validate the License File for ProxySG Applications

After the application has started, confirm the application is using the new license file:

In the ProxySG CLI, validate the license file date:

# show licenses

In the output, look for the Creation date and confirm that it is more recent than 2020-12-11.

In the ProxySG CLI, view the appliance-key certificate details:

# show ssl keyring appliance-key

In the output, check the CN= value from the Certificate issuer. The certificate should contain the string "Virtual Appliance Birth Certificate Intermediate CA".

For Content Analysis Applications Running on ISG

This section provides information on supported versions of Content Analysis, and steps for verifying trust packages and license files for Content Analysis applications.

Upgrade Content Analysis

Upgrade to a supported Content Analysis release.

IMPORTANT: Plan to update your Content Analysis appliances as soon as possible to allow time for testing and troubleshooting. If you fail to update your Content Analysis applications in a timely manner, they might experience failures. In this case, upgrade to a supported Content Analysis release by November 2021 and update the appliance certificate as described in the following section.

Release Release Date
Content Analysis 3.1.2.4 July 2021

Monitor this KB article for any updates to this release schedule. When the release is available, you can download the software package from the Broadcom download portal.

To upgrade your Content Analysis applications, see the steps in the “Update an Application Software Version” section of this article.

Verify the Trust Package for Content Analysis Applications

After upgrading, verify that an appropriate trust package is installed. Use the following command in the Content Analysis CLI:

CAS# show ssl ca-certificate ABRCA_root 

In the command output, look for the date beside 'valid-until'. The date should be December 31, 2037 or later.

Verify Content Analysis License Files are Up to Date

If you are using Content Analysis applications on an ISG appliance, you would have previously loaded one or more license files into the license inventory.

To ensure the license files are valid and up to date, see the  “Validate and Update an Application License File” section of this article.

Validate the License File for Content Analysis Applications

After the application has started, confirm the application is using the new license file:

In the Content Analysis CLI, view the bluecoat-appliance certificate details:

# show ssl keyring bluecoat-appliance

In the output, check the CN= value from the Certificate issuer. The certificate should contain the string "Virtual Appliance Birth Certificate Intermediate CA".

ISG-Specific Instructions

This section provides general instructions for using the ISG CLI to update software and verify license files for applications running on the ISG appliance.

Update an Application Software Version

To upgrade the software version of an application that is hosted on the ISG appliance:

  1. Download the application image to a location that the ISG can access.
  2. In the ISG CLI, stop the application:
    (config)# applications stop <application_name>
  3. Load the image onto the ISG:
    (config)# images load <image_location_URL>
  4. Retrieve the ID of the new image:
    (config)# images view
    Note the image ID.
  5. Upgrade the application:
    (config)# applications edit <application_name> image-id <new_image_id>
  6. Start the application:
    (config)# applications start <application_name>

Validate and Update an Application License File

Check each license file to ensure they were created after Dec 11, 2020.

Note: For ISG 2.1.1.1 and earlier, to determine the date the license files were created, look for the ActivationDate in the licensing components rather than Date Generated.

To check the license files creation dates, from the ISG CLI, use the command:

(config-licensing)# view id <license-id_or_serial_number>

If the Date Generated is "2020-12-11" or later, the license files are up to date.

If the Date Generated is earlier than "2020-12-11", then install a new license file, restart all the applications that are using this updated license file, and validate the license file.

Update an Application License File

This section is only necessary if the generated date for the license file date is earlier than 2020-12-11

To install a newer license file:

  1. In the ISG CLI, enter the following command and provide information when prompted:
    (config)# licensing load id <license-id_or_serial_number> username <myBroadcom-username> 
    Value for ‘password’: <myBroadcom_password>
  2. Restart the application by using the following commands:
    (config)# application stop <application_name>

    (config)# application start <application_name>

Update an Application License File in a Closed Environment 

This section is only necessary if the generated date for the license file date is earlier than 2020-12-11.

In a closed environment, you must manually download the license file and host it on a file server that the appliance can access, or install it inline. 

To update the appliance certificate in a closed environment:

  1. Generate the license key from the Broadcom Support Portal following the instructions for Symantec products in KB145804. Specify a passphrase before generating the license key to ensure that the license includes appliance certificate information.
  2. Download the license key and put it on a file server the appliance can access.
  3. Install the license via the CLI using one of the following methods:
    • Install the license from a file server:
      (config)# licensing load url <url> passphrase <passphrase>
      where <url> is the location of the file and <passphrase> is the passphrase you specified on the Support Portal.

    • Install the license inline by copying the contents of the license file and pasting the contents with the following command:
      (config)# licensing inline license-key passphrase <passphrase>
      where <passphrase> is the passphrase you specified on the Support Portal.

Consequences of an Expired Certificate

For the ISG, if the appliance certificate expires, the following issues will occur:

  • Inability to send diagnostic reports

  • Inability to send heartbeat reports

For ProxySG applications running on ISG, if the appliance certificate expires, the following issues will occur:

  • Subscription updates will fail

Other issues, yet to be identified, might also occur for both the ISG and its applications.

What to Do If You Fail to Update Before the Certificate Expires

If the ABRCA root certificate expires before it is updated, you can recover the ISG appliance by upgrading to ISG 2.3.2.1.

For recovery steps for ProxySG applications, perform the steps in the "For ProxySG Applications Running on ISG" section of this article.

For recovery steps for Content Analysis applications, see the "Upgrade Content Analysis" section of this article.