Hello, I have 3 questions about the FMC CLI, OCSP and multiple certs

Eric R. Jones
Level 4

We checked the box to enable OCSP and lost connectivity to the FMC GUI front end. Tried to run the commands found online, but it says to get into "expert" mode, and that's apparently not a real thing. I thought I was in that mode when we first deployed FMC, but it doesn't seem to do anything now.

So questions.

1. How can one disable or uncheck the mode to have OCSP enabled when you don't have access to the GUI and are relying on CLI access?

2. Does expert mode really exist and work when you don't have a Cisco engineer helping with root access via the root kit?

3. My token card has a root CA 6 signed certificate, but our FMC has root CA 3. How does one import multiple certs onto the FMC so that those with new tokens carrying the latest CA cert and those with older ones have access at the same time?

Accepted Solution

ok now I feel stupid. We fixed the issue, and the fix was in a file I had to modify in order to use CAC/Token logins.

root@yvafmc1:/etc/httpd# more ssl_certificates.conf
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/server.key
SSLCACertificateFile /etc/ssl/ca-cert.pem
SSLCACertificatePath /etc/ssl
<Location />
# (my file that FMC reads to allow token card access)
SSLVerifyClient require
</Location>
SSLOCSPEnable off

We changed it to off and rebooted and now we have access.

My next question is why can't FMC have multiple CAs like ISE?

 

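The two things the accepted solution touches, SSLCACertificateFile and SSLOCSPEnable, are worth checking from the shell before the next reboot. The script below is an added example, not the poster's or Cisco's code: it builds a trust bundle holding two root CAs (standing in for "root CA 3" and "root CA 6"), shows that a token cert from either CA verifies against the bundle but not against a single root, and pulls the OCSP responder URL out of a client cert's AIA extension, which is the responder mod_ssl will contact once SSLOCSPEnable is on. It assumes the openssl CLI is available; all keys, CA names and the OCSP URL are constructed test material, not DoD PKI values.

```shell
#!/bin/sh
# Added example, not from the thread: build a CA bundle that trusts two
# token-issuing root CAs at once and verify client certs against it, the way
# Apache mod_ssl evaluates SSLCACertificateFile for SSLVerifyClient.
# All key material is constructed test data; CA names and the OCSP URL are
# placeholders, not DoD PKI values.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed test root standing in for one generation of token CA.
mkca() {   # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Client (token) cert issued by a given CA, carrying an OCSP responder URL in
# its AIA extension; that URL is what mod_ssl queries when SSLOCSPEnable is on.
mkclient() {   # $1 = file prefix, $2 = CA prefix, $3 = CN
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$3" 2>/dev/null
  printf 'authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid\n' > ext.cnf
  openssl x509 -req -days 1 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -extfile ext.cnf -out "$1.crt" 2>/dev/null
}

# Exit status 0 when cert $2 chains to a root in trust file $1.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Number of PEM certificates a bundle file carries.
count_cas() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# OCSP responder URL from the cert's AIA extension (empty if none).
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

mkca ca3 "Test Root CA 3"
mkca ca6 "Test Root CA 6"
mkclient token3 ca3 "user.old.token"
mkclient token6 ca6 "user.new.token"

# The multi-CA answer: SSLCACertificateFile may hold several PEM roots,
# so the old and new token CAs are simply concatenated into one bundle.
cat ca3.crt ca6.crt > ca-bundle.pem

for cert in token3.crt token6.crt; do
  for trust in ca3.crt ca-bundle.pem; do
    if chains_to "$trust" "$cert"; then r=accepted; else r=REJECTED; fi
    echo "$cert against $trust ($(count_cas "$trust") CA): $r"
  done
done

# Before turning SSLOCSPEnable on, confirm this responder answers from the
# FMC itself: when mod_ssl cannot get a valid OCSP response it rejects the
# client cert, so an unreachable responder locks every token user out.
echo "Probe from the FMC shell before enabling OCSP:"
echo "  openssl ocsp -issuer ca6.crt -cert token6.crt -url $(ocsp_uri token6.crt)"
```

On the real appliance the probe would use the DoD issuing CA and a real token cert, and the bundle would be the file named by SSLCACertificateFile; note that trusting a second root only answers the authentication half, FMC's own user mapping still has to authorize the subject presented.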

9 Replies

  1. Not sure on the OCSP question
  2. Yes
  3. What do you mean ca 6 and ca 3?

CA = Certificate of Authority digital certificate. In this case it's a DOD root certificate. It has a unique value associated with it, and you can tell if it's newer or older than a previously issued one. There's a serial number associated with this that is an alphanumeric string of 6 characters. There's a version associated with it also. It's used to provide digital security/authentication for accessing devices.

As for the "expert" mode all we have access to when enabling it is the root level of the Linux OS. I have googled around and found various commands to be used while in expert mode; however, none of these commands do anything other than return an error.

admin@yvafmc1:~$ expert
-bash: ./expert: Permission denied
admin@yvafmc1:~$ sudo su
Password:
root@yvafmc1:/Volume/home/admin# expert
sh: expert: command not found
root@yvafmc1:/Volume/home/admin#

According to Google you login to the FMC CLI using SSH, we use SecureCRT and we also use vSphere, as this is a virtual build, and select the console/remote console function to login. The outcome is the same either way.

How does one enable expert mode on the FMC and do you need to have something enabled during setup to access this later?

ej 

I got curious and hadn't tried it before, but I logged into one of our FTDs. I see the ">" symbol and enter expert mode. This put me in expert mode, which is the same view I have in our FMC when we first ssh in. This tells me that we log into our FMC in expert mode from the beginning. I tried finding a way to exit out of this mode but to no avail. Now I'm looking at videos to see how to exit this mode and see if some commands can help.

Well, figured that out: "clish" puts me back in normal mode. Still working on how, if possible, to roll back that system change on the FMC. Will probably have to escalate that TAC ticket.

I think the fastest way back is if you have a backup of the FMC to restore the latest backup.  I know how to configure the FTD from CLI but I am not sure how or if this can be done on the FMC.

--
Please remember to select a correct answer and rate helpful posts

We do have backups of the FMC; however, I haven't found the method to run a restore from the CLI yet. I was more focused on a rollback mentioned by the TAC eng. I also downloaded the latest FMCv version in case we need to build a new VM and then restore from backup that way.

 

If this is a VM then building a new FMCv and restoring the backup is the fastest way to resolve the issue.  Other than that you will need TAC to look into it.


Tks, I'm on with TAC now. Hopefully I learn some new tricks to manage the FMC. I can always do the rebuild and restore option.

 

