Update the ABRCA Root CA Certificate on PacketShaper Appliances (Revised: May 18, 2021)

Article ID: 207670

Products

  • PacketShaper
  • PacketShaper S-Series

Issue/Introduction

The Appliance Birth Registration Certificate Authority (ABRCA) root CA certificate is the ultimate root of trust for all appliance certificates that Symantec products use. Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older ABRCA root CA certificate expires, ensure that the new ABRCA root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT.

When the root CA certificate expires, some features that use the ABRCA root CA certificate for authentication will fail. See the end of this article for additional details.

Warning: The continued operation of your PacketShaper appliances requires that you upgrade PacketShaper and complete the following steps in a timely manner. To ensure the uninterrupted operation of your appliances, request a new appliance certificate and perform a software update by August 31, 2021.

Resolution

Required Step – Upgrade the PacketShaper OS: 

To update the ABRCA root CA certificate, you must upgrade PacketShaper to one of the following supported releases before the date listed in the previous section:  

  • PacketShaper 11.10.2.5

  • PacketShaper 11.10.3.4

The new ABRCA root CA certificate is included in these releases. Upgrading to one of these releases automatically updates the ABRCA root CA certificate; no manual action is required. These releases also include a feature that automatically renews the appliance certificate (which is distinct from the ABRCA root CA certificate) if it is within 60 days of expiring.

For information on upgrading the PacketShaper appliance, see page 325 in PacketGuide 11.9:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/packetshaper/11-9/generated-pdfs/PS-11.9.pdf

Or page 355 in PacketGuide 11.10:

https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/packetshaper/11-10/generated-pdfs/PS-11-10-2018.pdf

Additional Steps

You must update the appliance certificate in addition to the ABRCA root CA certificate. The system can automatically download the appliance certificate or you can manually force the update of the appliance certificate using the commands described in the next sections.

Access the PacketShaper CLI

Access the PacketShaper CLI using one of the following methods:

  • Use an SSH client
  • Click the Quick Commands button at the bottom of the Info pages in the PacketShaper user interface
  • Use a DB-9 connector to access the serial console


Appliance Certificate Update Requirements

Ensure that the PacketShaper appliance can access the following domain:

  • abrca.bluecoat.com  

Ping the domain from PacketShaper to see if it is accessible:

PacketShaper# ping abrca.bluecoat.com
PING abrca.bluecoat.com (192.19.237.69) 56(84) bytes of data.
64 bytes from abrca.broadcom.com (192.19.237.69): icmp_seq=1 ttl=248 time=81.3 ms
64 bytes from abrca.broadcom.com (192.19.237.69): icmp_seq=2 ttl=248 time=81.2 ms
64 bytes from abrca.broadcom.com (192.19.237.69): icmp_seq=3 ttl=248 time=81.1 ms
64 bytes from abrca.broadcom.com (192.19.237.69): icmp_seq=4 ttl=248 time=81.2 ms
64 bytes from abrca.broadcom.com (192.19.237.69): icmp_seq=5 ttl=248 time=81.2 ms

--- abrca.bluecoat.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4084ms
rtt min/avg/max/mdev = 81.175/81.250/81.355/0.062 ms

Manually Renew the Appliance Certificate

To manually update the appliance certificate, enter the following commands:

PacketShaper# sys set showdebugCommands 1

PacketShaper# acquire-cert

PacketShaper# sys set showdebugCommands 0

Example:

PacketShaper# acquire-cert
Successfully acquired PacketShaper birth certificate.

Update the Hardware Appliance Certificate in a Closed Environment

If the appliance is in a closed environment, you must do the following to update the appliance certificate:

  • Add a firewall exception for abrca.bluecoat.com.


Verify that You Have Successfully Upgraded Your Appliance Certificate

Enter the following command to show the appliance certificate expiration date:

PacketShaper# ver ver

Example:

PacketShaper# ver ver
  Version:                   PacketShaper 11.10.2.5 build 261254 (DEBUG)
  Product:                   PacketShaper S400
  Part Number:               xxxxxxxxxx-12345 REV BN
  Serial Number:             xxxxxxxxxx
  Memory:                    15.9GB RAM, 4GB System Disk total, 3.1GB System Disk available

  mgmt MAC Address:          00:d0:83:09:64:a3
  Slot2_in MAC Address:      00:d0:83:09:64:a5
  Slot2_out MAC Address:     00:d0:83:09:64:a6
  Slot3_in MAC Address:      00:e0:ed:31:82:3c
  Slot3_out MAC Address:     00:e0:ed:31:82:3d

  ABRCA root certificate expires Dec 31 00:04:16 2037 GMT
  Appliance birth certificate expires May 14 18:32:59 2026 GMT

  Installed Keys:
                  Visibility:   Activation 2020-08-12, Expiration Never
                     Control:   Activation 2020-08-12, Expiration Never
                         FDR:   Activation 2020-08-12, Expiration Never
              Packet Capture:   Activation 2020-08-12, Expiration Never

                   MaxLinkSize:  2000000000
           MaxStaticPartitions:       10000
          MaxDynamicPartitions:       20000
                    MaxClasses:       10000
                   MaxPolicies:       10000
              MaxMatchingRules:       25000
      MaxMatchingRulesPerClass:        1000
                      MaxHosts:      550000
            MaxURLCacheEntries:     2000000
         MaxConcurrentTCPFlows:     1000000
      MaxConcurrentNonTCPFlows:      500000
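When you have more than a handful of appliances, reading the two "expires" lines by eye does not scale. The following Python script is an added example, not part of this article and not a PacketShaper tool: it takes saved `ver ver` output (the sample string below is constructed from the example above), extracts the release and the two certificate expiry dates, and flags an appliance that is still on a release without the new root CA, has an expired certificate, or has an appliance birth certificate inside the 60-day auto-renew window so the operator can confirm the renewal actually happened. The release list and the 60-day window come from this article; the `assess` function and its reference-date parameter are this example's own design.

```python
"""Verify PacketShaper certificate state from saved `ver ver` output (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample: the relevant lines from the example `ver ver` output in this article.
SAMPLE_VER_VER = """\
  Version:                   PacketShaper 11.10.2.5 build 261254 (DEBUG)
  Product:                   PacketShaper S400

  ABRCA root certificate expires Dec 31 00:04:16 2037 GMT
  Appliance birth certificate expires May 14 18:32:59 2026 GMT
"""

# Releases that ship the new ABRCA root CA certificate, as listed in this article.
SUPPORTED_RELEASES = {"11.10.2.5", "11.10.3.4"}

# Those releases auto-renew the appliance certificate inside 60 days of expiry; flag
# appliances still inside that window so an operator can confirm the renewal happened.
RENEW_WINDOW_DAYS = 60

# Matches "<ABRCA root|Appliance birth> certificate expires Mon DD HH:MM:SS YYYY GMT"
_EXPIRY_RE = re.compile(
    r"^\s*(?P<name>ABRCA root|Appliance birth) certificate expires\s+"
    r"(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+GMT",
    re.MULTILINE,
)
_VERSION_RE = re.compile(r"^\s*Version:\s+PacketShaper\s+(?P<ver>\d+(?:\.\d+)+)", re.MULTILINE)


def parse_version(text):
    """Return the PacketShaper release string, or None if the Version line is missing."""
    m = _VERSION_RE.search(text)
    return m.group("ver") if m else None


def parse_expiry(text):
    """Return {certificate name: UTC datetime} for each expiry line found."""
    found = {}
    for m in _EXPIRY_RE.finditer(text):
        # strptime treats whitespace in the format as one-or-more, so "Dec  1" also parses
        when = datetime.strptime(m.group("date"), "%b %d %H:%M:%S %Y")
        found[m.group("name")] = when.replace(tzinfo=timezone.utc)
    return found


def assess(text, today):
    """Evaluate one appliance's `ver ver` output as of `today` ("YYYY-MM-DD", UTC midnight).

    Returns a dict with the parsed release, days remaining per certificate, a list of
    human-readable problems, and ok=True only when nothing needs attention.
    """
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    result = {"version": parse_version(text), "problems": []}
    if result["version"] not in SUPPORTED_RELEASES:
        result["problems"].append(
            f"release {result['version']} does not include the new ABRCA root CA certificate"
        )
    expiry = parse_expiry(text)
    for name in ("ABRCA root", "Appliance birth"):
        if name not in expiry:
            result["problems"].append(f"{name} certificate expiry line not found")
            continue
        days = (expiry[name] - now).days
        result[name] = days
        if days < 0:
            result["problems"].append(f"{name} certificate expired {-days} day(s) ago")
        elif name == "Appliance birth" and days <= RENEW_WINDOW_DAYS:
            result["problems"].append(f"{name} certificate expires in {days} day(s); confirm renewal")
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    # Reference date is this article's revision date; feed real captures and today's date in practice.
    for key, value in sorted(assess(SAMPLE_VER_VER, "2021-05-18").items()):
        print(f"{key}: {value}")
```

Run it against the text captured from each appliance's `ver ver` session (for example, collected over SSH) and treat any `ok: False` result as an appliance that still needs the upgrade or the manual `acquire-cert` step described above.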


Consequences of an Expired ABRCA Root CA Certificate

If the ABRCA root CA certificate expires, you will not be able to update the appliance certificate. When the appliance certificate expires, certain appliance-to-back-end communications flows that use the appliance certificate for authentication might stop working correctly, including:

  • Inability to download your license from Broadcom.

  • WebPulse service failure.


Other issues, yet to be identified, might also occur.
