Update the ABRCA Root CA Certificate on Edge SWG (ProxySG Appliances)

search cancel

Update the ABRCA Root CA Certificate on Edge SWG (ProxySG Appliances)

book

Article ID: 207152

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older root CA certificate expires, ensure that the new root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.

Important: The continued operation of your Edge SWG (ProxySG) appliances requires that:

The system trust package is up to date.
The appliance certificate has not expired.
For virtual appliances, a new license file is installed.

Consequences of an Expired Appliance Certificate

If the appliance certificate expires, the following issues might occur:

ADN peer-to-peer communications on hardware platforms and MACH5 virtual appliances fail.
Downloads of almost all subscription service databases fail.
SGOS integration with SSLV offload functionality will fail.

Other issues, yet to be identified, might also occur. To prevent these issues from occurring, perform the applicable steps described below as soon as possible.

Recovery: What to Do If You Fail to Update Before the Certificate Expires

If you fail to update your Edge SWG (ProxySG) appliances before the root CA expires in December 2021, the appliances might experience failures as described above. To renew the certificate, follow the steps described in the Resolution section below.

Resolution

To ensure the uninterrupted operation of your Edge SWG(ProxySG) appliances, perform the following updates immediately; if this is not possible, make it a priority to complete the updates by the specified dates below.

Appliance or application	Required updates	Update by	Instructions
Hardware platforms	Update the ABRCA root CA certificate. Upgrading SGOS first is recommended.	December 18, 2021	Upgrade to a recommended release. See Recommended Upgrade. Ensure the latest trust package is installed. See Verify the Trust Package below. Note: Retrieving a new appliance certificate is not required for updating the ABRCA root CA certificate; however, if you have to update the appliance certificate in the future, refer to KB article 168179. To update the appliance certificate in a closed environment, refer to KB article 222712.
Virtual appliances	Update the ABRCA root CA certificate and the appliance certificate. Upgrading SGOS first is recommended.	November 15, 2021	Upgrade to a recommended release. See Recommended Upgrade. Ensure the latest trust package is installed. See Verify the Trust Package below. Ensure the latest license file is installed. See Update the ProxySG Virtual Appliance License File below.

Appliance or application

Required updates

Update by

Instructions

Hardware platforms

Update the ABRCA root CA certificate.

Upgrading SGOS first is recommended.

December 18, 2021

Upgrade to a recommended release. See Recommended Upgrade.
Ensure the latest trust package is installed. See Verify the Trust Package below.

Note: Retrieving a new appliance certificate is not required for updating the ABRCA root CA certificate; however, if you have to update the appliance certificate in the future, refer to KB article 168179. To update the appliance certificate in a closed environment, refer to KB article 222712.

Virtual appliances

Update the ABRCA root CA certificate and the appliance certificate.

Upgrading SGOS first is recommended.

November 15, 2021

Upgrade to a recommended release. See Recommended Upgrade.
Ensure the latest trust package is installed. See Verify the Trust Package below.
Ensure the latest license file is installed. See Update the ProxySG Virtual Appliance License File below.

Note: To update Edge SWG(ProxySG) applications on Integrated Secure Gateway (ISG), refer to Integrated Secure Gateway Birth Registration Certificate Authority (ABRCA) Root CA Certificate Update for instructions.

1. Recommended Upgrade

An upgrade is not required to update the ABRCA root CA on the Edge SWG (ProxySG) appliance, but for best security, upgrade to one of the following releases:

SGOS 6.7.5.12 and later
SGOS 7.2.7.2 and later
SGOS 7.3.3.3 and later

These releases include a critical security vulnerability fix; see SYMSA18331 for more information.

2. Verify the Trust Package

To verify if you have an appropriate trust package installed, use the following Edge SWG (ProxySG) command line interface (CLI) command:

#show ssl summary ca-certificate ABRCA_root

Certificate ID:           ABRCA_root

Certificate Issuer:       Blue Coat Systems, Inc.

Valid from:               Sep 11 00:04:16 2020 GMT

Valid to:                 Dec 31 00:04:16 2037 GMT

Thumbprint:               B7:C6:E2:0F:35:64:1E:E5:D3:FC:CA:3F:A8:B5:79:12

In the command output, look for the date beside 'Valid from'. The date should be Sep 11 2020 or later.

Note: Updating SGOS to one of recommended versions listed above should also automatically update the trust package to a supported version. If the #show ssl summary ca-certificate ABRCA_root command shows that the trust package is not updated after upgrading SGOS on the appliance, update the trust package manually; see the following instructions.

Download the Trust Package Manually

This step is only necessary if the #show ssl summary ca-certificate ABRCA_root command does not show a 'Valid from' date of Sept 11 or later. Download the trust package by performing one of the following procedures, depending on your deployment:

If the appliance can access appliance.bluecoat.com, see Download the Trust Package from Symantec Servers. If the appliance is in a closed environment, see Update the Trust Package in a Closed Environment.

Download the Trust Package from Symantec Servers

To download the trust package manually, use the following Edge SWG (ProxySG) CLI command:

  #load trust-package
    Downloading from "http://appliance.bluecoat.com/sgos/trust_package.bctp"
    The trust package has been successfully downloaded.
    trust package successfully installed

After downloading the trust package, follow the instructions in Verify the Trust Package to ensure that the latest trust package is installed.

Update the Trust Package in a Closed Environment

In a closed environment, you must manually download the trust package and host it on a file server that the appliance can access. Then, on the Edge SWG (ProxySG) appliance, specify this file server location in the #load trust-package command:

Download the trust package from http://appliance.bluecoat.com/sgos/trust_package.bctp.
If clicking the previous link does not initiate the download, right-click the link and select Save As to download the file.
Save the trust package to a location in the local network that the appliance can access via HTTP.
Specify the download URL and load the trust package:

# (config) security trust-package download-path <local_URL>
  ok
#(config) exit
# load trust-package
  Downloading from "http://your_domain/sgos/trust_package.bctp"
    The trust package has been successfully downloaded.
    trust package successfully installed

3. Update the Edge SWG (ProxySG) Virtual Appliance License File

Virtual appliances require a license file created after December 11, 2020. Because Edge SWG (ProxySG) virtual appliances automatically update the license every 30 days that the appliance is running, your appliances should have the latest license file unless they were restricted from accessing download.bluecoat.com or the license auto-update settings were changed from their defaults.

Ensure Access to download.bluecoat.com

Ensure that the appliance can access download.bluecoat.com, as described in Required Ports, Protocols, and Services for Symantec Enterprise Security Products.

Enable Automatic License Updates

Note: This functionality is not yet available in the Admin Console.

To enable or confirm automatic license updates:

In the Management Console, select the Maintenance > Licensing > Install tab.
If Use Auto-Update is not selected, select it.
Select Apply.

Verify the Virtual Appliance License File

To verify if you have an appropriate license file installed, follow the appropriate steps for the Management Console or the Edge SWG (ProxySG) Admin Console (SGOS 6.7.4 and later).

In the Management Console:

Select Maintenance > Licensing > View.
In the General Licensing Information area, look for the License creation date. If the date is later than "2020-12-11", no further steps are required for this appliance.

Alternatively, use the CLI to check the license file:

#show licenses
The SG appliance is operating with a subscription license.

Subscription expiration date:  2020-12-03
Creation date:                 2021-03-03
Appliance serial number:        
Concurrent users:              unlimited
Maximum CPU count:             16
License validation enforced:   yes
License validation server:     connected
License validation state:      ok

In the command output, look for the "Creation date" line. If the date is later than "2020-12-11", no further steps are required for this appliance.

In the Admin Console:

Select Administration > Licensing > Licensed Components and Subscriptions.
In the View area, look for the License Creation date. If the date is later than "2020-12-11", no further steps are required for this appliance.

Alternatively, use the CLI to check the appliance-key certificate:

#show ssl keyring appliance-key

Keyring ID:               appliance-key
Private key showability:  no-show
Signing request:          absent
Certificate:              present
Certificate subject:      /C=US/ST=California/O=Blue Coat Systems, Inc./OU=Blue Coat SGVA Series/CN=1001598011
Certificate issuer:       /C=US/ST=California/L=San Jose/O=Broadcom Inc./OU=ABRCA/CN=Virtual Appliance Birth Certificate Intermediate CA
Certificate valid from:   Feb 24 08:33:40 2021 GMT
Certificate valid to:     Feb 25 16:33:40 2026 GMT
Certificate thumbprint:   89:D2:C9:19:58:05:B5:2B:A2:CC:5C:49:FE:DC:DD:F5

In the command output, look for the "Certificate issuer" line. If the "CN=" value is "Virtual Appliance Birth Certificate Intermediate CA", no further steps are required for this appliance.

Download the Virtual Appliance License File

This step is only necessary if the previous verification step indicated that you need to update to a new license file.

In the Management Console:

Select Maintenance > Licensing > Install.
Select Retrieve. The console displays the Request License Key dialog.
Enter the following information:
1. Enter your myBroadcom account login information.
2. Select Request License. The console displays the Confirm License Install dialog.
3. Select OK to begin license retrieval (the dialog closes).
(Optional) Select Show results to verify a successful retrieval. If any errors occur, verify that the appliance can connect to download.bluecoat.com.
Select Close to close the Request License Key dialog.

Alternatively, use the CLI to download the license file:

#licensing request-key
  User ID: <myBroadcom_ID>
  Password: <myBroadcom_password>
  Downloading license-key file (block 0)
  License install successful

In the Admin Console:

Select Administration > Licensing > Licensed Components and Subscriptions.
In the Install section, select Retrieve.
In the Retrieve License Key dialog, enter your myBroadcom account login information and select Request license.
(Optional) Select Show results to verify a successful retrieval. If any errors occur, verify that the appliance can connect to download.bluecoat.com.

Feedback

thumb_up Yes

thumb_down No