IDSMC 2.0 TLS trusted host

shannong
Level 4

I just upgraded to IDSMC 2.0 today. When I try to do signature updates to a 4.1 sensor, the job fails with the error below. I already added the VMS server as a trusted TLS host on the sensor. Rebooted.

Any ideas? Do I need to add the sensors cert to the VMS server somehow?

Status Messages

Sensor bbimainsae01: Signature Update Process

TLS Trusted Host Certificate difference found, updating sensor certificate for the MC.

The trusted certificates on the sensor 172.16.1.153 have been updated.

An error occurred while running the update script on the sensor named bbimainsae01. Detail = An error occurred at the sensor during the update, sensor message = The host is not trusted. Add the host to the system's trusted TLS certificates.

4 Replies

brhamon
Level 1

We've seen a few of these cases, but have not been able to gather enough information to understand where the breakage is occurring.

The first thing to do is to log into the IDS unit as an administrative user (i.e., "cisco"). Make sure the time on the sensor is accurate. Then take a look at the list of trusted certificates. Next, remove the certificate for the VMS server and re-trust it manually. Finally, attempt the upgrade command manually from the IDS CLI.

Here are the commands to enter into the IDS CLI to perform these actions. The example uses "10.1.2.3" for the IP address of the VMS host, and "IDS-sig-4.1-4-S128.rpm.pkg" as the name of the package you want to apply to the sensor:

sensor# show clock
*03:27:22 UTC Wed Dec 01 2004
sensor# configure terminal
sensor(config)# service trustedCertificates
sensor(config-TrustedCertificates)# show settings
trustedCertificates (min: 0, max: 500, current: 0)
-----------------------------------------------
-----------------------------------------------
sensor(config-TrustedCertificates)# exit
sensor(config)# tls trusted-host ip-address 10.1.2.3 port 443
Certificate MD5 fingerprint is 0A:CB:6F:B5:F8:F8:85:05:5B:5D:7D:0B:73:E1:14:A6
Certificate SHA1 fingerprint is CF:9D:85:60:CA:31:99:26:64:26:39:23:AE:66:E8:3C:BC:68:12:02
Would you like to add this to the trusted certificate table for this host?[yes]:
Certificate ID: 10.1.2.3 succesfully added to the TLS trusted host table.
sensor(config)# upgrade https://10.1.2.3/ids-config/vms/sensorupdate/IDS-sig-4.1-4-S128.rpm.pkg
Warning: Executing this command will apply a signature update to the application partition.
Continue with upgrade? : yes

If the tls trusted-host command does not succeed, we will need to obtain a packet capture to diagnose why. I've provided instructions for doing this elsewhere in this forum. (Search for recent articles by me.)

If you can get the tls trusted-host command to succeed, but the upgrade command fails, then we need to see what might be wrong with the certificate on the VMS server.

If both commands succeed manually, you can re-import the sensor in VMS so it will detect it is running the new version. We will then need to wait until the next signature update to see what happens when you use VMS to upgrade the sensor.

I have this exact problem. I went through the steps you suggested here and failed at the update command with the error

"The host is not trusted. Add the host to the system's trusted TLS certificates."

Can you explain how to check the certificates on the server or how to regenerate the server certificate?

Thanks,

pob

I found that my problem was caused by using the CiscoWorks certificate for Common Services instead of its own. You can do this, but you'll need to add the certificate to the sensor while using the Common Services and then switch back. Note that you need to restart the services when switching certs.
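brhamon's manual re-trust procedure and shannong's finding about switching between the CiscoWorks and Common Services certificates come down to the same check: the sensor hashes the DER certificate the VMS host serves on port 443 and compares it with the fingerprint stored in its trusted-host table, so a server that starts serving a different certificate (or a host with no entry at all) produces "The host is not trusted". The script below is an added illustration of that comparison, not Cisco code or anything from this thread. The certificate bytes are constructed placeholders (not real certificates), the trusted-host table is a plain dictionary standing in for the sensor's `trustedCertificates` list, and `fetch_server_cert_der` is only there to show how you would pull the live certificate from a real VMS host to compare against what the sensor printed; the IP 10.1.2.3 is the one used in brhamon's example.

```python
import hashlib
import ssl
from typing import Dict

# Constructed stand-ins for DER-encoded certificates (NOT real certificates).
# The fingerprints below are hashes of these bytes, exactly as a sensor hashes
# the real DER blob it receives from the VMS host on port 443.
CONSTRUCTED_VMS_CERT_DER = b"constructed-vms-own-certificate-der-bytes"
CONSTRUCTED_COMMON_SERVICES_CERT_DER = b"constructed-common-services-certificate-der-bytes"


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case fingerprint, the format the IDS CLI prints.

    The CLI shows both MD5 and SHA1; compare on SHA1, since MD5 is
    collision-prone and two different certificates can share an MD5 value.
    """
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate a host currently serves (live network call).

    Shown for real use against a VMS host; the offline demo below uses the
    constructed bytes instead. Compare fingerprint(result) with what
    'tls trusted-host ip-address <host> port 443' printed on the sensor.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_trust(trusted: Dict[str, str], host: str, served_der: bytes) -> str:
    """Compare what the host serves against the sensor's trusted-host table.

    Returns one of:
      "trusted"              - entry exists and its SHA1 fingerprint matches
      "untrusted-host"       - no entry for this host at all
      "fingerprint-mismatch" - entry exists but the served certificate differs
                               (e.g. the server switched to another cert)
    """
    served = fingerprint(served_der, "sha1")
    if host not in trusted:
        return "untrusted-host"
    if trusted[host] != served:
        return "fingerprint-mismatch"
    return "trusted"


def retrust(trusted: Dict[str, str], host: str, served_der: bytes) -> Dict[str, str]:
    """Model of removing the stale entry and re-running 'tls trusted-host'.

    Returns a new table with the host pinned to the certificate it serves now.
    """
    updated = dict(trusted)
    updated[host] = fingerprint(served_der, "sha1")
    return updated


if __name__ == "__main__":
    vms_host = "10.1.2.3"  # address from brhamon's example
    table: Dict[str, str] = {}  # sensor with an empty trustedCertificates list

    # 1. No entry yet: the upgrade would fail with "The host is not trusted".
    print(check_trust(table, vms_host, CONSTRUCTED_VMS_CERT_DER))

    # 2. After 'tls trusted-host ip-address 10.1.2.3 port 443' the host matches.
    table = retrust(table, vms_host, CONSTRUCTED_VMS_CERT_DER)
    print(table[vms_host])
    print(check_trust(table, vms_host, CONSTRUCTED_VMS_CERT_DER))

    # 3. The server is switched to the Common Services certificate without
    #    re-trusting: same host, different fingerprint, trust check fails again.
    print(check_trust(table, vms_host, CONSTRUCTED_COMMON_SERVICES_CERT_DER))
```

Running the demo walks through the three states the thread describes: no entry, a matching entry after re-trusting, and a mismatch after the server's certificate changes. In practice, if the SHA1 the sensor prints during `tls trusted-host` differs from the fingerprint of the certificate `fetch_server_cert_der` returns for the same address and port, something other than the VMS service (a different listener, or a changed certificate since the last trust) is answering on 443, which is where to look before re-running the upgrade.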

Hi Shannong,

Could you please let me know the procedures to do this

Thanks,

Saif