topic If you are confident, you can in Web Security

WSA config load

cmazur — Mon, 13 Jun 2016 14:02:21 GMT

I am trying to load a configuration on my WSA appliance and I am receiving this error:

Error - Configuration File was not loaded. Parse Error on element "wga_config" line number 1090 column 15: Error in certificate validation: Signing key has expired.

I have loaded configs and the past and had No problems, can someone tell me what this msg means?

thanks

It looks a duplicated thread

Tao Yang — Tue, 14 Jun 2016 00:29:32 GMT

It looks a duplicated thread of

https://supportforums.cisco.com/discussion/13044706/wsa-config-load

Hi,

sunilferrao — Sun, 26 Jun 2016 04:39:03 GMT

Hi,

not able to open the link , i am having the same issue , what was done to resolve

any help highly appreciated

Cheers

The error advised that the

Handy Putra — Sun, 26 Jun 2016 06:33:25 GMT

The error advised that the signing certificate in the appliance has been expired.

You can check the expiry date of the certificate from your HTTPS proxy page (GUI -> Security Services -> HTTPS proxy)

Hello Handy

sunilferrao — Sun, 26 Jun 2016 07:41:30 GMT

Hello Handy

Thanks for your response

basically i am trying to restore the config from c160 to c170 box and stuck in WSA_config

What needs to done to bypass this error , the mentioned option is disabled ( https-proxy) in c160 config

cheers

Snl

Can you confirm the appliance

Handy Putra — Sun, 26 Jun 2016 07:46:59 GMT

Can you confirm the appliance is WSA or ESA since C160/C170 is Email security appliance not WSA.

Are you able to share the configuration file for me have a look.

Alternatively open TAC case for them to investigate which cert that showing as expired from the config file.

Hello Handy

sunilferrao — Sun, 26 Jun 2016 08:27:00 GMT

Hello Handy

its S160 wsa and we trying to migrate the xml config to S170 new rma box

sorry for the confusion

Thank you

snl

I think you are referring to

Handy Putra — Sun, 26 Jun 2016 08:32:35 GMT

I think you are referring to S160 model for WSA since anything that has C in front of it is dedicated for Email Security Appliance (ESA) not WSA.

would suggest open a TAC case for the engineer to check which cert in the config file that showing as expired

You can also search the cert from the config file:

- Open the config file using XML editor

- Search for any cert keywords such as: generated_cert or secure_auth_cert or uploaded_cert

- copy the cert and use SSLshopper to help you decode the cert to see if its still valid:

https://www.sslshopper.com/certificate-decoder.html

- If its showing expired, you can replaced it or delete it if the certs are generated cert or uploaded cert or you can use the cert that you have from the replacement unit and paste it to the same section of the configuration file that you need to loads.

However still recommend to contact TAC for further assistance

Hello Handy

sunilferrao — Sun, 26 Jun 2016 08:47:40 GMT

Hello Handy

thanks for your kind support , indeed cert expired

Certificate Information:

Common Name: IronPort Appliance Demo Certificate

Organization: IronPort Systems, Inc.

Locality: San Bruno

State: California

Country: US

Valid From: May 1, 2006

Valid To: May 1, 2016

Issuer: IronPort Appliance Demo Certificate, IronPort Systems, Inc.

Serial Number: 1 (0x1)

i may need to raise tac now

Regards

If you are confident, you can

Handy Putra — Sun, 26 Jun 2016 08:51:59 GMT

If you are confident, you can perform below:

- save the configuration file from the S170

- Go to the same section for that certificate from the S170 configuration file and check if the cert is valid.

- If its valid you can copy them (you will need to copy from the cert_name, the cert it self and the key)

- Then paste them(in the exact section in the config file) to the existing configuration file that you want to upload

If not you can always open TAC case to get assistance

Strangely new s170 box also

sunilferrao — Sun, 26 Jun 2016 09:05:34 GMT

Strangely new s170 box also have same certificate which is expired 😞

That is strange.

Handy Putra — Sun, 26 Jun 2016 09:08:58 GMT

That is strange.

You will need TAC case for them to use their internal WSA appliances that are still valid and edited your configuration file.

TAC has been raised , its a

sunilferrao — Sun, 26 Jun 2016 12:24:20 GMT

TAC has been raised , its a bug CSCuh31504

I got the same problem and

FM2011 — Tue, 05 Jul 2016 09:32:13 GMT

I got the same problem and opened a TAC case.

The engineer told me to delete everything between those tags:
<prox_config_secure_auth_cert_name></prox_config_secure_auth_cert_name><prox_config_secure_auth_cert></prox_config_secure_auth_cert>
<prox_config_secure_auth_key></prox_config_secure_auth_key>

Loading the config into the appliance worked just fine.

You are not authorized to

Artem Grigoryev — Mon, 01 Aug 2016 15:49:27 GMT

You are not authorized to access this page. Trying to open

https://supportforums.cisco.com/discussion/13044706/wsa-config-load