As described in this article, Symantec has created a new ABRCA root CA certificate to replace the one expiring in December 2021. Before the older ABRCA root CA certificate expires, ensure that the new ABRCA root CA certificate is installed on your appliances. The new certificate will have an expiration date of Dec 31 00:04:16 2037 GMT. Because of this, the ABRCA root CA certificate and optionally the Intermediate CA certificates need to be updated on the DLP Appliance detectors used in a DLP environment. If this CA certificate expires, certain appliance-to-back-end and appliance-to-appliance communications flows that use the birth certificate for authentication will fail. For example, the Enforce Server will fail to connect to the appliance, which will result in the inability to update policies or receive incidents.

The process of updating the ABRCA root CA certificate (required to be performed for both Hardware and Software Appliance detectors) described in the KB article works on a requirement that the Appliance will need outbound connectivity to port 80/TCP to download the new trust package. However, some customers may have the Appliances deployed in environments which will be closed off to external networks and thus, will not be able to allow the Appliance to send outbound HTTP traffic. 

The below instructions can be performed to attempt a local update of the ABRCA root CA certificate on the Appliance. 

When it comes to Appliance detectors, there is no option to easily upload any file to an Appliance. Due to its closed-box architecture, you do not have a possibility to do an SFTP/SCP session into an Appliance and upload a file. There's also no direct access to an Appliance's local disk and folders. 

Because of this, the options to update the ABRCA root CA certificate/trust package are limited to the below two:

1) Use the default location from which the Trust Package can be downloaded, that package contains the updated ABRCA root CA certificate. The location is: http://appliance.bluecoat.com/sgos/trust_package.bctp. This is the method which is described in the KB article and requires outbound HTTP traffic to be allowed from the Appliance. 

2) Manually download the .bctp file from the above default location and upload it on a local HTTP webserver (i.e. an IIS server). Then, change the URL which the Appliance should use to download the package to the local webserver URL, and download the trust package from there.

The Appliance commands to perform that second procedure would be:

a) Enter the enable mode, and then the config mode on the Appliance by running the below commands

enable

Enter the enable password when prompted.

configure

b) Run the below command to change the URL from the default to a custom one

ssl trust-package url <custom URL of the .btcp package goes here>

The default URL set on the Appliance, as stated above, is http://appliance.bluecoat.com/sgos/trust_package.bctp. 

c) Then, run the command for an actual download of the package - same as in method 1, only here, an internal URL is used instead of the external one:

ssl trust-package download-now

d) After the download command is ran, you should run the below command (possibly multiple times) to verify the status of the trust package download job:

ssl trust-package view

e) Finally, once the job is shown to be completed by the output of the previous command, run this to display the details of the ABRCA root CA certificate:

ssl view ca-certificate ABRCA_root

If the above command shows the ABRCA root CA certificate with expiration date updated to Dec 31st 2037, the update has been completed successfully.