How do I get an appliance certificate for Director 510?



Solution

Overview

How do I get an appliance certificate for Director?

How do I get a birth certificate for Director?

I cannot access the Director Management Console (DMC) because there is no response from the web server on port 8082/8085 anymore. What troubleshooting steps could I take to correct this?

Resolution

All Blue Coat appliances manufactured after July 2006 have an appliance certificate, although there have been some issues reported with appliance certificates. You can use the instructions discussed in this article to verify whether or not your Director appliance has an appliance certificate and, if not, to obtain one.

NOTE: In some cases, renewing the appliance certificate can fix issues with accessing the Director Management Console. 

Director must have an appliance certificate to:

  • Register ProxySG appliances with Director
  • Enable you to log in to the Director Management Console available with SGME 5.4.2 and later

The PDF document attached to this article provides details about getting an appliance certificate for Director. The essential tasks follow:

NOTE: You will need to be connected, via SSH, to the Director Command Line Interface (CLI). In the CLI, enter the following commands:

director > enable
director # config t

Determine if your appliance has a certificate

  1. In the CLI, enter the following command:
    • director (config) # show ssl appliance-certificate
  2. If the CLI displays the certificate, Director has an appliance certificate and you do not have to perform further steps.

    If the CLI displays the following error message, you require an appliance certificate:

    appliance-certificate does not exist. Please request/import one first

Retrieve an appliance certificate

  1. Determine whether or not Director can connect to the Internet. In the CLI, you can use the ping or traceroute command to reach known IP addresses or DNS names. If your appliance has an IP address but cannot resolve names, you may only need to add a DNS server; if so, enter config mode and run the ip name-server <ip address> command. Otherwise, ask your network administrator why the appliance cannot access the Internet, or proceed to the next step.
  2. Perform one of the following sets of tasks, depending on these results:
    • If Director can access the Internet, use the following command to get an appliance certificate:

      director (config) #  ssl request-appliance-certificate

      The following messages confirm the appliance certificate imported successfully:

      Requesting certificate
      Verifying certificate

      Certificate verified successfully
    • If Director cannot access the Internet, perform all of the following tasks in the specified order.  For more details, see the PDF document attached to this article.
      1. Create a Certificate Signing Request (CSR):

        director (config) #  show ssl appliance-certificate-request
      2. Copy the CSR into a text editor.
      3. Open a browser and go to the Blue Coat CA Server Web site at https://abrca.bluecoat.com/sign-manual/index.html.
      4. Paste the CSR and signature into the form.
      5. Import the certificate into Director:

        director (config) #  ssl input appliance-certificate
        Enter your certificate now.
        Press Ctrl-D when finished, or Ctrl-C to abort.
      6. Display Director's appliance certificate:

        director (config) #  show ssl appliance-certificate

Troubleshoot the birth certificate

To check the status of the HTTPD daemon, follow these steps.

  1. Open an SSH session to the Director box and enter enable mode:
    • director > enable
    • Password:
    • director #
  2. Enter config mode:
    • director # config t
    • director (config) #
  3. Enter shell mode:
    • director # shell
  4. Check to see if httpd is running by using the Linux command:
    • sh-3.2# ps -aef | grep httpd
  5. If it is not running, check its error log in /var/log. Use the Linux commands cd and cat as follows:
    • sh-3.2# cd /var/log
    • sh-3.2# cat http_ssl_error_log

The following example output indicates that the birth certificate is faulty:

[Fri Mar 25 17:46:32 2011] [error] Init: Pass phrase incorrect
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
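The following shell script is an added example, not part of this Blue Coat article, that scans a copy of http_ssl_error_log for the two indicators shown in the output above (the pass-phrase failure and the asn1 decode errors on the private key) and prints a one-word status. The sample log lines are constructed from the example output above; the faulty/suspect/ok classification is the example's own heuristic and not a Blue Coat rule.

```shell
#!/bin/sh
# Added example, not from the Blue Coat article: classify a Director
# http_ssl_error_log for the faulty-birth-certificate signature.

# Constructed sample logs, modelled on the article's example output.
FAULTY_LOG='[Fri Mar 25 17:46:32 2011] [error] Init: Pass phrase incorrect
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[Fri Mar 25 17:46:32 2011] [error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib'

HEALTHY_LOG='[Fri Mar 25 17:50:01 2011] [notice] httpd started without SSL errors (constructed line)'

# count_matches PATTERN: number of stdin lines containing PATTERN.
# grep -c exits 1 when the count is 0; "|| true" keeps that from aborting
# a caller that runs under "set -e".
count_matches() {
    grep -c -- "$1" || true
}

# birth_cert_status: reads the log on stdin and prints
#   faulty  - pass-phrase failure AND asn1 decode errors on the key
#             (the combination shown in the article's example output)
#   suspect - only one of the two indicators is present; inspect by hand
#   ok      - neither indicator is present
birth_cert_status() {
    log=$(cat)
    pp=$(printf '%s\n' "$log" | count_matches 'Init: Pass phrase incorrect')
    asn=$(printf '%s\n' "$log" | count_matches 'asn1 encoding routines')
    if [ "$pp" -gt 0 ] && [ "$asn" -gt 0 ]; then
        echo faulty
    elif [ "$pp" -gt 0 ] || [ "$asn" -gt 0 ]; then
        echo suspect
    else
        echo ok
    fi
}

# Usage on the appliance, in shell mode (log path from the article):
#   birth_cert_status < /var/log/http_ssl_error_log
printf '%s\n' "$FAULTY_LOG" | birth_cert_status    # prints: faulty
printf '%s\n' "$HEALTHY_LOG" | birth_cert_status   # prints: ok
```

A result of faulty is the condition that the removal and re-request steps in this section address; suspect means the log shows only part of the pattern and should be read by hand before deleting anything.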

If the birth certificate is faulty, use the following commands to resolve the issue:

  1. In shell mode, remove the file /etc/httpd/conf/ssl.csr/birth.csr. Use the Linux command rm as follows:
    • sh-3.2# rm /etc/httpd/conf/ssl.csr/birth.csr
  2. Exit shell mode by typing exit.
  3. Enter config mode.
  4. Execute the command:
    • director (config) # show ssl appliance-certificate-request
    • This will display the Birth Certificate Signing Request (birth.csr). If it displays your certificate, the appliance's eeprom is valid, and you can request another birth certificate.
    • If the output is empty or corrupt, you must request a new appliance from Blue Coat. See https://www.bluecoat.com/support/support-policies/rma-info for information.
  5. Follow the next steps if you see output on the screen.
  6. If your Director appliance has access to the internet, execute the following command:
    • director (config) #  ssl request-appliance-certificate
    • For more details on this command, or if your Director appliance does not have internet access, see the steps in the previous section Retrieve an appliance certificate.
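The check below is an added example, not part of this article, for step 4: before deciding that the output of show ssl appliance-certificate-request is empty or corrupt, paste the copied text into a file on a workstation and run it through this function. It assumes the CSR is printed as a PEM block (BEGIN/END CERTIFICATE REQUEST lines around base64 text), which is the usual form for a request pasted into a web form; the sample CSRs are constructed strings with base64-shaped bodies, not real requests.

```shell
#!/bin/sh
# Added example, not from the Blue Coat article: sanity-check CSR text copied
# from "show ssl appliance-certificate-request" before treating it as empty or
# corrupt. Assumes the CSR is a PEM block (assumption, see lead-in).

# Constructed samples: the bodies are shaped like base64 but are not real,
# decodable requests.
GOOD_CSR='-----BEGIN CERTIFICATE REQUEST-----
MIIBVTCBvwIBADAWMRQwEgYDVQQDDAtEaXJlY3RvciA1MTAwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAMExampleOnlyNotARealRequestBodyAAAAAAAAAAAA
AQABMA0GCSqGSIb3DQEBBQUAA4GBAA==
-----END CERTIFICATE REQUEST-----'

TRUNCATED_CSR='-----BEGIN CERTIFICATE REQUEST-----
MIIBVTCBvwIBADAWMRQwEgYDVQQDDAtEaXJlY3RvciA1MTAwgZ8wDQYJKoZIhvcN'

GARBLED_CSR='-----BEGIN CERTIFICATE REQUEST-----
MIIBVTCBvwIBADAWMRQwEgYDVQQDDAtEaXJl?3RvciA1MTAwgZ8wDQYJKoZIhvcN
-----END CERTIFICATE REQUEST-----'

# csr_looks_valid: reads CSR text on stdin; returns 0 if it has the PEM
# BEGIN/END lines and a non-empty body made only of base64 characters,
# 1 otherwise. Blank lines and trailing whitespace (including CR from a
# Windows paste) are stripped first so a sloppy copy does not fail the check.
csr_looks_valid() {
    text=$(printf '%s\n' "$(cat)" | sed 's/[[:space:]]*$//' | sed '/^$/d')
    [ -n "$text" ] || return 1
    first=$(printf '%s\n' "$text" | sed -n '1p')
    last=$(printf '%s\n' "$text" | sed -n '$p')
    [ "$first" = '-----BEGIN CERTIFICATE REQUEST-----' ] || return 1
    [ "$last" = '-----END CERTIFICATE REQUEST-----' ] || return 1
    body=$(printf '%s\n' "$text" | sed '1d;$d')
    [ -n "$body" ] || return 1
    # any body line with a non-base64 character means the copy is garbled
    if printf '%s\n' "$body" | grep -q -v '^[A-Za-z0-9+/=]\{1,\}$'; then
        return 1
    fi
    return 0
}

# Usage: csr_looks_valid < birth.csr
printf '%s\n' "$GOOD_CSR" | csr_looks_valid && echo "CSR framing looks valid"
printf '%s\n' "$TRUNCATED_CSR" | csr_looks_valid || echo "CSR incomplete: copy it again"
```

This only checks framing and character set; where OpenSSL is available on the workstation, openssl req -in birth.csr -noout -verify additionally parses the request and checks its self-signature, which is the stronger test before concluding the eeprom data is unusable.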

Additional notes

  • Blue Coat ships its own certificate with each Director appliance. You cannot generate your own SSL certificates for use on the Director appliance. 
  • For details on another problem where the SSL certificate does not verify, see 0000085035.
  • For details on other files that may be helpful in solving Director issues, see 000011526.
  • For details on other CLI commands you can use to troubleshoot Director, see KB4178.
InQuira Doc Id      KB3288

First Published      10/01/2014
Last Modified      01/09/2015
Last Published      01/09/2015
Product      Director
Software      SGME 5
Article Number      000011223