Solved: issue logging into sensor (screenshot)

lukeprimm · ‎05-04-2012

I just recently took over here and was trying to gain access to the two sensors we have in the environment. I was able to log into one, but when I tried to login to the second sensor, it gave me a strange error (see screenshot). Im using the Cisco IME to access the sensors. Any ideas? Thanks

Todd Pula · ‎05-04-2012

It looks like the self-signed certificate on the 10.11.19.41 sensor has expired. If you try to SSH to the device with puTTY, you can issue the "show version" command to confirm. At the bottom of the output, you will see a section titled "Host Certificate Valid from:". To regenerate a new key, you can execute the "tls generate-key" command from the CLI. Once completed, go back to IME and open the 10.11.19.41 device settings and then click OK. This will force IME to poll the device for the update certificate. Below is a snippet from one of my lab sensors.

MainApp S-2011_NOV_21_16_13_7_1_2_48 (Release) 2011-11-21T16:15:59-0600 Running

AnalysisEngine S-2011_NOV_21_16_13_7_1_2_48 (Release) 2011-11-21T16:15:59-0600 Running

CollaborationApp S-2011_NOV_21_16_13_7_1_2_48 (Release) 2011-11-21T16:15:59-0600 Running

CLI S-2011_NOV_21_16_13_7_1_2_48 (Release) 2011-11-21T16:15:59-0600

Upgrade History:

* IPS-sig-S625-req-E4 00:25:24 UTC Wed Feb 15 2012

IPS-sig-S625-req-E4.pkg 00:29:25 UTC Wed Feb 15 2012

Recovery Partition Version 1.1 - 7.1(3)E4

Host Certificate Valid from: 16-Mar-2011 to 16-Mar-2013

R057-4270-2# tls ?

generate-key Regenerate server's self-signed X.509 certificate.

R057-4270-2# tls generate-key

View solution in original post

Todd Pula · ‎05-04-2012

It looks like the self-signed certificate on the 10.11.19.41 sensor has expired. If you try to SSH to the device with puTTY, you can issue the "show version" command to confirm. At the bottom of the output, you will see a section titled "Host Certificate Valid from:". To regenerate a new key, you can execute the "tls generate-key" command from the CLI. Once completed, go back to IME and open the 10.11.19.41 device settings and then click OK. This will force IME to poll the device for the update certificate. Below is a snippet from one of my lab sensors.

MainApp S-2011_NOV_21_16_13_7_1_2_48 (Release) 2011-11-21T16:15:59-0600 Running

AnalysisEngine S-2011_NOV_21_16_13_7_1_2_48 (Release) 2011-11-21T16:15:59-0600 Running

CollaborationApp S-2011_NOV_21_16_13_7_1_2_48 (Release) 2011-11-21T16:15:59-0600 Running

CLI S-2011_NOV_21_16_13_7_1_2_48 (Release) 2011-11-21T16:15:59-0600

Upgrade History:

* IPS-sig-S625-req-E4 00:25:24 UTC Wed Feb 15 2012

IPS-sig-S625-req-E4.pkg 00:29:25 UTC Wed Feb 15 2012

Recovery Partition Version 1.1 - 7.1(3)E4

Host Certificate Valid from: 16-Mar-2011 to 16-Mar-2013

R057-4270-2# tls ?

generate-key Regenerate server's self-signed X.509 certificate.

R057-4270-2# tls generate-key

lukeprimm · ‎05-07-2012

Thanks, since this is a production box, I need to know if this command could have any adverse affects on the system? I dont see why it would, but I cant really take any chances without doing my research, thanks

lp

Todd Pula · ‎05-08-2012

If this single instance of IME is the only log collector in your environment, it should be safe to regenerate the certificate on the production sensor. If you had a number of log collectors (ie. IME, MARS, CSM, etc.), you would want to coordinate the effort in order to prevent a DoS of the web server on the sensor due to certificate authentication failures.

lukeprimm · ‎05-08-2012

Fortunately it looks like the guys that installed the sensors (are all gone now) didn't set anything up other than the management IP addresses. I don't think they are doing anything at the moment.