Update the ABRCA_root Trust Package in a Closed Environment, for ProxySG, while hosting the Trust Package file on Symantec Management Center

Article ID: 226728

Products

ProxySG Software - SGOS, ISG Proxy, Management Center, Management Center - VA

Issue/Introduction

On ProxySG, the SG# load trust-package command fails and returns the error shown in the snippet below.

Cause

Note: In the Trust Package URL, "https" and port "8082" have been changed to "http" and "8080" respectively. These changes are the key points of this implementation. They are required because the ProxySG appliance uses HTTP on port 8080 to communicate with MC when it downloads the Trust Package. For this purpose only, HTTP must be enabled on the MC appliance from the CLI. See the snippet below for guidance. After the Trust Package is installed, make sure to disable HTTP on the MC.

Resolution

To update the trust package in a closed environment, for ProxySG, see the summarized steps below.

  1. Download the trust package from http://appliance.bluecoat.com/sgos/trust_package.bctp.
    If clicking the previous link does not initiate the download, right-click the link and select Save As to download the file.
  2. Save the trust package to a location in the local network that the appliance can access via HTTP.
  3. Specify the download URL and load the trust package:
       #(config) security trust-package download-path <local_URL>
         ok
       #(config) exit
       # load trust-package

Ref. Doc.: https://knowledge.broadcom.com/external/article/207152/update-the-abrca-root-ca-certificate-on.html

When the Management Center appliance hosts the file, first add the trust package file on MC. See the snippet below.

The next step will be to "Copy the URL". See the snippet below, for guidance.

As noted under Cause, the copied URL is modified before use: "https" and port "8082" become "http" and "8080", and HTTP is enabled on the MC from the CLI only for this download.

By default, HTTP is disabled on MC. See the snippet below.

Next, enable HTTP on MC.

Next, add the copied Trust Package URL on the ProxySG appliance. See the snippet below for guidance.

Now, it's time to load the Trust Package. See the snippet below, for guidance.

This was successful. This time, the ProxySG appliance reaches and downloads the Trust Package hosted on the Management Center. However, when it tries to install the package, the appliance finds that a more recent version is already installed. This is fine.

In this last step, we will run the command to verify the Trust Package. See the snippet below.
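Because the ProxySG fetches the package from MC over plain HTTP, the staged copy can be compared with the file originally downloaded before running load trust-package. The helpers below are an added example, not part of the original article or of any Symantec tooling; the function names, host name and file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Host and file names are constructed.

# Turn the URL copied from MC (https, port 8082) into the form the article
# uses on ProxySG (http, port 8080). Any other URL shape is rejected.
mc_http_url() {
    case "$1" in
        https://*:8082/*) ;;
        *) echo "expected https://<host>:8082/<path>: $1" >&2; return 1 ;;
    esac
    rest=${1#https://}
    host=${rest%%:8082/*}      # text before the first ":8082/"
    path=${rest#*:8082/}       # text after the first ":8082/"
    case "$host" in
        ''|*/*) echo "port 8082 is not in the host part: $1" >&2; return 1 ;;
    esac
    printf 'http://%s:8080/%s\n' "$host" "$path"
}

# Hex SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Succeeds only when both files exist, are non-empty and hash the same.
same_package() {
    if [ ! -s "$1" ] || [ ! -s "$2" ]; then
        echo "missing or empty file" >&2
        return 2
    fi
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Typical use on the admin workstation (placeholders in angle brackets):
#   url=$(mc_http_url 'https://<mc-host>:8082/<path copied from MC>')
#   curl -fsS -o served.bctp "$url"
#   same_package trust_package.bctp served.bctp && echo "staged copy matches"
```

A mismatch or an empty download means the copy served by MC is not the file that was downloaded in step 1 and should not be loaded.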