
The Central Management Currently uses the default CA (How to replace the default Web Gateway cluster CA)
Technical Articles ID:   KB89292
Last Modified:  10/12/2018


Environment

McAfee Web Gateway (MWG) 7.6.2.11 and later
McAfee Web Gateway (MWG) 7.7.1.4 and later
McAfee Web Gateway (MWG) 8.0 and later

 

Problem

Your MWG appliance is configured to use the default cluster CA, and when you view the MWG Dashboard, you see the error:
 
The Central Management Currently uses the default CA

Cause

MWG versions from 7.6.2.11, 7.7.1.4, and 8.0 onwards check for default private keys in use on the appliance.

If such a key is in use, the Web Gateway displays this error, and the default key must be replaced. The message is a security warning: every installation that keeps the default is using the same CA, so the system could be attacked.

Solution

To replace the default certificate for SSL-secured communication between cluster nodes with a certificate of your own, generate a certificate and import it to the cluster.

Create a cluster certificate
  1. On the user interface of an appliance that is a node of the cluster, select Policy | Settings.
  2. In the settings tree, navigate to SSL Client Context with CA.
  3. Create settings for the certificate:
    1. On the settings toolbar, click Add.
    2. In the Name field, type a suitable settings name, for example, Own Cluster Certificate.
      Optional: In the Comment field, type a plain-text comment on the settings.
       
    3. Click OK.
    4. The new settings appear on the settings tree.
       
  4. Select the new settings.
    You see the settings parameters with default values displayed in the configuration pane under Define SSL Client Context (Certificate Authority).
     
  5. Generate a certificate of your own.
    1. Click Generate.
    2. Enter appropriate values in the various fields of the window, then click OK.
      A certificate with your values is generated. You see the window close and the manager display the certificate values under Define SSL Client Context (Certificate Authority).
       
    3. A private key for the certificate is also generated and ready for exporting.
       
  6. Export the certificate to make it available for distribution within the cluster.
    1. Click Export.
      You see the local file manager open.
       
    2. Browse to where you want to export the certificate. In the File Name field, type a name for the certificate file, with a .cer or .crt ending as needed, then click Save.
       
    3. The certificate is exported to the selected location.
       
  7. Export the private key for the certificate.
    1. Click Export Key.
      You see the Save Private Key window open.
       
    2. Click Browse.
      You see your local file manager open. Browse to where you want to export the private key.
       
    3. In the File Name field, type the file name that you used for the certificate, then click Save.
      The .pem file extension is supplied by the export process.
       
    4. You see the path to the private key listed in the Exported private key location field of the Save Private Key window.
    5. Optional: For enhanced security, type a password for the key in the Password field.
    6. Click OK. The private key is exported to the selected location.
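
Before importing, the exported pair can be checked offline on the workstation. The script below is an added example, not part of the original article or of the product's tooling; it assumes OpenSSL is installed, and the file names and the KEY_PASS variable are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check an exported cluster CA pair before importing it.
# Assumptions: OpenSSL is installed on the workstation; the key password, if one
# was set at export, is supplied in the KEY_PASS environment variable (a name
# chosen for this example).

# Emit the certificate as PEM whether the export is PEM or DER encoded.
cert_pem() {
    openssl x509 -in "$1" -inform PEM -outform PEM 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null
}

# Returns 0 if the pair is usable, otherwise a distinct non-zero code.
check_cluster_ca() {
    cert=$1
    key=$2

    pem=$(cert_pem "$cert") ||
        { echo "FAIL: cannot parse certificate $cert"; return 2; }

    # The certificate must be marked as a CA (basicConstraints CA:TRUE).
    printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: certificate is not a CA certificate"; return 3; }

    # The certificate must not already be expired.
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 4; }

    # Derive the public key from the private key. An empty KEY_PASS is passed
    # for unprotected keys so OpenSSL never stops to prompt.
    key_pub=$(KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$key" \
        -passin env:KEY_PASS -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key (wrong or missing password?)"; return 5; }

    # The private key must belong to the certificate being imported.
    cert_pub=$(printf '%s\n' "$pem" | openssl x509 -noout -pubkey)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match the certificate"; return 6; }

    echo "OK: $cert and $key form a matching CA pair"
}

# Run directly as: sh check_cluster_ca.sh own-cluster-ca.crt own-cluster-ca.pem
if [ "$#" -eq 2 ]; then
    check_cluster_ca "$1" "$2"
fi
```

Each failure returns its own exit code, so the check can gate a scripted hand-off of the files to the administrator who performs the import.
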
Distribute a certificate in the cluster
  1. Select Configuration | Appliances.
  2. On the appliance tree, select Appliances, then click Cluster CA on the configuration pane.
     
  3. Click Change CA.
    You see the Import Certificate Authority for Cluster window open.
     
  4. Import your own cluster certificate:
    1. Next to Certificate, click Browse.
      You see the local file manager open.
       
    2. Browse to the file with your own certificate and click Open.
      The path to the certificate file is listed in the Certificate field of the Import Certificate Authority for Cluster window.
       
    3. Next to Private Key, click Browse. Browse to the file with the private key and click Open.
    4. If you created a password for the key, type it in the Password field.
    5. Click Import.
    6. You see the window close and the certificate imported to the node that you are presently working on.
      The cluster distribution process transfers the certificate to all other nodes.
NOTE: The distribution needs to happen manually for every cluster member. You must also import the cluster CA and a private key to any node that you want to add to an existing cluster of MWG appliances.
