The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.
Important: The continued operation of your Edge SWG (ProxySG) appliances requires that:
If the appliance certificate expires, the following issues might occur:
Other issues, yet to be identified, might also occur. To prevent these issues from occurring, perform the applicable steps described below as soon as possible.
If you fail to update your Edge SWG (ProxySG) appliances before the root CA expires in December 2021, the appliances might experience failures as described above. To renew the certificate, follow the steps described in the Resolution section below.
To ensure the uninterrupted operation of your Edge SWG (ProxySG) appliances, perform the following updates immediately; if this is not possible, make it a priority to complete the updates by the dates specified below.
Appliance or application | Required updates | Update by | Instructions |
Hardware platforms | Update the ABRCA root CA certificate. Upgrading SGOS first is recommended. | December 18, 2021 | Note: Retrieving a new appliance certificate is not required for updating the ABRCA root CA certificate; however, if you have to update the appliance certificate in the future, refer to KB article 168179. To update the appliance certificate in a closed environment, refer to KB article 222712. |
Virtual appliances | Update the ABRCA root CA certificate and the appliance certificate. Upgrading SGOS first is recommended. | November 15, 2021 | |
Note: To update Edge SWG (ProxySG) applications on Integrated Secure Gateway (ISG), refer to Integrated Secure Gateway Birth Registration Certificate Authority (ABRCA) Root CA Certificate Update for instructions.
An upgrade is not required to update the ABRCA root CA on the Edge SWG (ProxySG) appliance, but for best security, upgrade to one of the following releases:
These releases include a critical security vulnerability fix; see SYMSA18331 for more information.
To verify if you have an appropriate trust package installed, use the following Edge SWG (ProxySG) command line interface (CLI) command:
#show ssl summary ca-certificate ABRCA_root
Certificate ID: ABRCA_root
Certificate Issuer: Blue Coat Systems, Inc.
Valid from: Sep 11 00:04:16 2020 GMT
Valid to: Dec 31 00:04:16 2037 GMT
Thumbprint: B7:C6:E2:0F:35:64:1E:E5:D3:FC:CA:3F:A8:B5:79:12
In the command output, look for the date beside 'Valid from'. The date should be Sep 11 2020 or later.
Note: Updating SGOS to one of the recommended versions listed above should also automatically update the trust package to a supported version. If the #show ssl summary ca-certificate ABRCA_root command shows that the trust package is not updated after upgrading SGOS on the appliance, update the trust package manually; see the following instructions.
This step is only necessary if the #show ssl summary ca-certificate ABRCA_root command does not show a 'Valid from' date of Sep 11 2020 or later. Download the trust package by performing one of the following procedures, depending on your deployment:
If the appliance can access appliance.bluecoat.com, see Download the Trust Package from Symantec Servers. If the appliance is in a closed environment, see Update the Trust Package in a Closed Environment.
To download the trust package manually, use the following Edge SWG (ProxySG) CLI command:
#load trust-package
Downloading from "http://appliance.bluecoat.com/sgos/trust_package.bctp"
The trust package has been successfully downloaded.
trust package successfully installed
After downloading the trust package, follow the instructions in Verify the Trust Package to ensure that the latest trust package is installed.
In a closed environment, you must manually download the trust package and host it on a file server that the appliance can access. Then, on the Edge SWG (ProxySG) appliance, specify this file server location in the #load trust-package command:
#(config) security trust-package download-path <local_URL>
ok
#(config) exit
#load trust-package
Downloading from "http://your_domain/sgos/trust_package.bctp"
The trust package has been successfully downloaded.
trust package successfully installed
Virtual appliances require a license file created after December 11, 2020. Because Edge SWG (ProxySG) virtual appliances automatically update the license every 30 days that the appliance is running, your appliances should have the latest license file unless they were restricted from accessing download.bluecoat.com or the license auto-update settings were changed from their defaults.
Ensure that the appliance can access download.bluecoat.com, as described in Required Ports, Protocols, and Services for Symantec Enterprise Security Products.
Note: This functionality is not yet available in the Admin Console.
To enable or confirm automatic license updates:
In the Management Console, select the Maintenance > Licensing > Install tab.
If Use Auto-Update is not selected, select it.
Select Apply.
To verify if you have an appropriate license file installed, follow the appropriate steps for the Management Console or the Edge SWG (ProxySG) Admin Console (SGOS 6.7.4 and later).
In the Management Console:
Select Maintenance > Licensing > View.
In the General Licensing Information area, look for the License creation date. If the date is later than "2020-12-11", no further steps are required for this appliance.
Alternatively, use the CLI to check the license file:
#show licenses
The SG appliance is operating with a subscription license.
Subscription expiration date: 2020-12-03
Creation date: 2021-03-03
Appliance serial number:
Concurrent users: unlimited
Maximum CPU count: 16
License validation enforced: yes
License validation server: connected
License validation state: ok
In the command output, look for the "Creation date" line. If the date is later than "2020-12-11", no further steps are required for this appliance.
In the Admin Console:
Select Administration > Licensing > Licensed Components and Subscriptions.
In the View area, look for the License Creation date. If the date is later than "2020-12-11", no further steps are required for this appliance.
Alternatively, use the CLI to check the appliance-key certificate:
#show ssl keyring appliance-key
Keyring ID: appliance-key
Private key showability: no-show
Signing request: absent
Certificate: present
Certificate subject: /C=US/ST=California/O=Blue Coat Systems, Inc./OU=Blue Coat SGVA Series/CN=1001598011
Certificate issuer: /C=US/ST=California/L=San Jose/O=Broadcom Inc./OU=ABRCA/CN=Virtual Appliance Birth Certificate Intermediate CA
Certificate valid from: Feb 24 08:33:40 2021 GMT
Certificate valid to: Feb 25 16:33:40 2026 GMT
Certificate thumbprint: 89:D2:C9:19:58:05:B5:2B:A2:CC:5C:49:FE:DC:DD:F5
In the command output, look for the "Certificate issuer" line. If the "CN=" value is "Virtual Appliance Birth Certificate Intermediate CA", no further steps are required for this appliance.
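The three CLI checks described above (the ABRCA_root 'Valid from' date, the license 'Creation date', and the appliance-key issuer CN) can be applied to output captured from many appliances at once. The following Python is an added example, not Symantec or Broadcom code; the function names and the OLD sample values are assumptions constructed for illustration, and it follows the article in treating either license check as sufficient.

```python
import re
from datetime import date, datetime

# Thresholds stated in the article.
ROOT_MIN_VALID_FROM = date(2020, 9, 11)   # 'Valid from' must be Sep 11 2020 or later
LICENSE_CUTOFF = date(2020, 12, 11)       # 'Creation date' must be later than this
NEW_ISSUER_CN = "Virtual Appliance Birth Certificate Intermediate CA"

def cli_field(output, label):
    """Return the value after 'label:' at the start of a line, or None if absent/empty."""
    m = re.search(rf"^[ \t]*{re.escape(label)}:[ \t]*(.*?)[ \t]*$", output, re.MULTILINE)
    return m.group(1) if m and m.group(1) else None

def root_ca_current(output):
    """Evaluate captured 'show ssl summary ca-certificate ABRCA_root' output."""
    raw = cli_field(output, "Valid from")
    if raw is None:
        return False  # missing certificate or truncated capture counts as not updated
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y GMT").date() >= ROOT_MIN_VALID_FROM

def license_current(output):
    """Evaluate captured 'show licenses' output."""
    raw = cli_field(output, "Creation date")
    return raw is not None and date.fromisoformat(raw) > LICENSE_CUTOFF

def appliance_cert_reissued(output):
    """Evaluate captured 'show ssl keyring appliance-key' output."""
    issuer = cli_field(output, "Certificate issuer") or ""
    # The issuer is a slash-separated DN; require an exact match on its CN component.
    return [p[3:] for p in issuer.split("/") if p.startswith("CN=")] == [NEW_ISSUER_CN]

def commands_needed(root_out, license_out=None, keyring_out=None):
    """Return the article's CLI commands still to run; license args are for virtual appliances."""
    cmds = []
    if not root_ca_current(root_out):
        cmds.append("load trust-package")
    checks = [f(o) for f, o in ((license_current, license_out),
                                (appliance_cert_reissued, keyring_out)) if o is not None]
    if checks and not any(checks):   # the article treats either check as sufficient
        cmds.append("licensing request-key")
    return cmds

# Inputs: NEW values follow the article's sample output; OLD values are constructed.
ROOT_NEW = "Certificate ID: ABRCA_root\nValid from: Sep 11 00:04:16 2020 GMT\n"
ROOT_OLD = "Certificate ID: ABRCA_root\nValid from: Dec  1 00:00:00 2011 GMT\n"
LIC_NEW = "Creation date: 2021-03-03\nAppliance serial number:\n"
LIC_OLD = "Creation date: 2020-06-01\nAppliance serial number:\n"
KEY_NEW = ("Certificate issuer: /C=US/ST=California/L=San Jose/O=Broadcom Inc."
           "/OU=ABRCA/CN=Virtual Appliance Birth Certificate Intermediate CA\n")
```

For hardware platforms, pass only the ABRCA_root output; for virtual appliances, also pass the captured 'show licenses' and/or 'show ssl keyring appliance-key' output.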
This step is only necessary if the previous verification step indicated that you need to update to a new license file.
In the Management Console:
Select Maintenance > Licensing > Install.
Select Retrieve. The console displays the Request License Key dialog.
Enter the following information:
Enter your myBroadcom account login information.
Select Request License. The console displays the Confirm License Install dialog.
Select OK to begin license retrieval (the dialog closes).
(Optional) Select Show results to verify a successful retrieval. If any errors occur, verify that the appliance can connect to download.bluecoat.com.
Select Close to close the Request License Key dialog.
Alternatively, use the CLI to download the license file:
#licensing request-key
User ID: <myBroadcom_ID>
Password: <myBroadcom_password>
Downloading license-key file (block 0)
License install successful
In the Admin Console:
Select Administration > Licensing > Licensed Components and Subscriptions.
In the Install section, select Retrieve.
In the Retrieve License Key dialog, enter your myBroadcom account login information and select Request license.
(Optional) Select Show results to verify a successful retrieval. If any errors occur, verify that the appliance can connect to download.bluecoat.com.