I see errors relating to the Distinguished Name when I push a policy (resetting the ICA using fwm sic_reset)

Security policy installs fail with errors indicating an invalid DN (Distinguished Name). The Internal Certificate Authority is broken and must be completely reinitialized. To do that, on the Management Module:

1. Close all GUI Clients
2. Issue cpstop
3. Make a complete backup of the $FWDIR/conf/objects_5_0.C file (keep it until the whole procedure has completed)
4. Open the $FWDIR/conf/objects_5_0.C file with a text editor
5. Search for the ":servers" property among the properties listed for each firewall module network object. The section will look like the following:
-----------------------------------------------------------
:servers (servers
: (internal_ca
:AdminInfo (
:LastModified (
:Time ("Thu Nov 25 13:15:53 2004")
:By ("VPN-1 & Firewall-1 SmartCenter Server")
:From (win2kvm)
)
:chkpf_uid ("{AE1E0829-4484-4663-B94C-B4122FD2C85F}")
:ClassName (internal_ca_server)
:Deleteable (false)
:table (servers)
)
:ca_type (internal)
:cacertificate ()
:cacertsignkey (384e8afbd8e6390592f39b7a)
:color (black)
:comments ()
:crl_cache_timeout (86400)
:crl_cache_type (Timeout)
:crl_http (true)
:crl_ldap (false)
:dn ("O=win2kvm..sqi9qa")
:internal_CA_check_CRL (true)
:permissions_strings ()
:permissions_type (None)
:type (ca)
)
)
:resources_types (resources_types
-----------------------------------------------------------
Delete everything inside the parentheses of ":servers (servers ... )", that is, the whole ": (internal_ca ... )" entry, so that only the open and close parentheses remain. Do this for every firewall module network object. After the edit, the same section should look like the following:
-----------------------------------------------------------
:servers (servers)
-----------------------------------------------------------
Note: Unless this certificate information is completely removed for all firewall module network objects, fwm sic_reset will fail to complete with the following warning messages:
-----------------------------------------------------------
*** Checking IKE Certificates ***
There are IKE Certificates that were generated by the internal Certificate Authority.
Please remove them (using the Policy Editor) so that the internal Certificate Authority can be destroyed.
SIC Reset operation could not be completed
-----------------------------------------------------------
6. Save the $FWDIR/conf/objects_5_0.C file
7. Issue cpstart
8. Make sure that the Fully Qualified Domain Name (FQDN) of the machine can be obtained. For example, if the host name of the management module is saturn, the FQDN should be something like saturn.detroit.com. In Windows 2000, the Primary DNS suffix can be set as follows:
-----------------------------------------------------------
- Select Start > Settings > Control Panel
- Double click on the System applet
- In the System Properties dialog box, select the Network Identification tab
- In the Network Identification tab, click on the Properties button
- In the Identification Changes dialog box, click on More
- In the DNS Suffix and NetBIOS Computer Name dialog box, enter the DNS domain name (i.e. detroit.com) in the "Primary DNS suffix of this computer" field
- Click on OK in the DNS Suffix and NetBIOS Computer Name dialog box
- Click on OK in the Identification Changes dialog box
- Click on OK in the System Properties dialog box
- Reboot the machine
-----------------------------------------------------------
9. Issue fwm sic_reset. The following interaction takes place during the fwm sic_reset operation:
-----------------------------------------------------------
C:\>fwm sic_reset
***************** Warning: ****************
This operation will reset the Secure Internal Communication (SIC).
The internal Certificate Authority will be destroyed and Check Point Components will not be able to communicate.
You will have to perform the following operations to enable communication:
1. Re-initialize the internal Certificate Authority (use cpconfig).
2. Restart Check Point Services (cpstart, cpridstart).
3. Reset SIC on each Station that is managed by this Management Server.
4. Re-establish Trust with each Station that is managed by this Management Server.
*******************************************
This operation will stop all Check Point Services (cpstop)
Are you sure you want to reset? (y/n) [n] ? y
*** Checking IKE Certificates ***
*** Stopping services ***
The Check Point FireWall-1 service is stopping.
The Check Point FireWall-1 service was stopped successfully.
The Check Point SVN Foundation service is stopping...
The Check Point SVN Foundation service was stopped successfully.
The Check Point Remote Installation Daemon service was stopped successfully.
*** Destroying internal Certificate Authority ***
*** Updating objects database ***
SIC Reset operation completed successfully
C:\>
-----------------------------------------------------------
10. Issue cpstart
11. Select Start > Programs > Check Point Management Clients > Check Point Configuration NG
12. In the Check Point Configuration Tool, select the Certificate Authority tab
13. In the Certificate Authority tab, click on the Initialize and Start Certificate Authority button
14. The following message will be displayed:
-----------------------------------------------------------
Your Certificate Authority was initialized successfully.
-----------------------------------------------------------
Click on OK
15. In the Management FQDN section, verify that the Management FQDN contains the Fully Qualified Domain Name of the management module (i.e. saturn.detroit.com)
16. Click on the Send to CA button
17. The following message will be displayed:
-----------------------------------------------------------
If the FQDN is incorrect, the Internal CA cannot function properly, and CRL retrieval will be impossible. Please re-check the FQDN. Click OK only if you are sure the FQDN is correct
-----------------------------------------------------------
Click on OK
18. The following message will be displayed:
-----------------------------------------------------------
The Management FQDN was sent successfully to the CA
-----------------------------------------------------------
Click on OK
19. Click on OK in the Check Point Configuration Tool dialog box
20. Issue cpstop
21. Issue cpstart
Note: After completing the procedure above, the IKE certificates for the individual firewall modules must be regenerated, since the information about all IKE certificates for the firewall modules has been manually removed and the Internal Certificate Authority has been completely regenerated and reinitialized. The IKE certificate for a firewall module can be generated by opening the VPN tab of the firewall module network object and clicking the "Set default IKE properties" button. The IKE certificate for the firewall module network object will also be generated when the network object is saved.
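The manual edit in steps 3 to 5 is easy to get wrong on a management server with many firewall module objects. The following is an added example, not code from the original page or from Check Point: a small Python script that walks the parenthesised objects_5_0.C syntax shown above, empties every ":servers (servers ... )" block to ":servers (servers)" in one pass, and records the :dn of each internal_ca entry it removed so you can confirm that the broken CA entry is gone. Quoted strings are honoured while matching parentheses, so a ")" inside a :comments value does not truncate the edit. The embedded sample file is constructed for this example (the gateway name saturn, the comment text and the use of spaces instead of the tabs found in real files are assumptions); running the script directly cleans that sample, and clean_objects_file() applies the same edit to a real file after copying it to objects_5_0.C.bak (a backup name chosen here, not one the page prescribes). Run it only after cpstop, as step 2 requires.

```python
import re
import shutil
from pathlib import Path

# Constructed excerpt in objects_5_0.C syntax (not a real customer file): one
# gateway object, "saturn", whose :servers property carries an internal_ca entry
# like the one shown earlier on this page.
SAMPLE_OBJECTS_C = """(
    :network_objects (network_objects
        : (saturn
            :type (gateway)
            :servers (servers
                : (internal_ca
                    :ClassName (internal_ca_server)
                    :comments ("note with a ) inside")
                    :dn ("O=win2kvm..sqi9qa")
                    :type (ca)
                )
            )
            :resources_types (resources_types)
        )
    )
)
"""

SERVERS_START = re.compile(r':servers\s*\(\s*servers\b')
DN_RE = re.compile(r':dn\s*\("([^"]*)"\)')


def matching_paren(text, open_idx):
    """Return the index of the ')' that closes text[open_idx] == '('.
    Characters inside double quotes are skipped, so parentheses in a
    quoted value (e.g. a :comments string) do not affect the depth count."""
    depth = 0
    in_quote = False
    for i in range(open_idx, len(text)):
        c = text[i]
        if in_quote:
            in_quote = c != '"'
        elif c == '"':
            in_quote = True
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses in objects file")


def strip_servers_blocks(text):
    """Empty every ':servers (servers ... )' block to ':servers (servers)'.
    Returns (new_text, blocks_emptied, ca_dns); ca_dns lists the :dn value of
    each internal_ca entry that was removed. Blocks that are already empty are
    left alone, so the function is idempotent."""
    out = []
    pos = 0
    emptied = 0
    ca_dns = []
    for m in SERVERS_START.finditer(text):
        if m.start() < pos:
            continue  # match lay inside a block handled in an earlier iteration
        open_idx = text.index('(', m.start())
        close_idx = matching_paren(text, open_idx)
        inner = text[open_idx + 1:close_idx]
        body = inner.strip()[len('servers'):].strip()
        out.append(text[pos:open_idx + 1] + 'servers)')
        pos = close_idx + 1
        if body:
            emptied += 1
            ca_dns.extend(DN_RE.findall(body))
    out.append(text[pos:])
    return ''.join(out), emptied, ca_dns


def clean_objects_file(path):
    """Back up the objects file (step 3), rewrite it with the :servers blocks
    emptied (steps 4-5) and return (backup_path, blocks_emptied, ca_dns)."""
    path = Path(path)
    backup = path.with_name(path.name + '.bak')  # backup name is this example's choice
    shutil.copy2(path, backup)
    new_text, emptied, ca_dns = strip_servers_blocks(path.read_text())
    path.write_text(new_text)
    return backup, emptied, ca_dns


if __name__ == '__main__':
    cleaned, emptied, dns = strip_servers_blocks(SAMPLE_OBJECTS_C)
    print(f"emptied {emptied} :servers block(s); removed internal_ca DN(s): {dns}")
    print(cleaned)
```

Check the printed DN list against the ":dn" value you saw in the file before cpstart; if a module still shows an internal_ca entry afterwards, fwm sic_reset will stop at the "Checking IKE Certificates" warning quoted above.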
Added 13TH FEB 2003