Preparing the Authentication Certificate Configuration Files

Important:

You must prepare the Check Point firewall server before preparing the authentication certificate configuration files.

For more information, see Preparing the Check Point Firewall Server.

  1. Open a command prompt on the Control Manager server.
  2. Prepare the secure internal communication (SIC) certificate from the Check Point firewall server.
    1. Execute the following command (all four options take a single hyphen): opsec_pull_cert -h <host> -n <object> -p <password> -o <path>

      Where:

      • -h <host>: Indicates the IP address of the Check Point firewall server

      • -n <object>: Indicates the name of the OPSEC application that you created in the Check Point SmartDashboard console

        For more information, see Preparing the Check Point Firewall Server.

      • -p <password>: Indicates the one-time password for the specified OPSEC application

      • -o <path>: Indicates the full path to the output opsec.p12 certificate file

      The opsec_pull_cert command returns the full entity sic name in the following format, where CN= is the OPSEC application name you passed with -n and O= identifies the internal certificate authority of the Check Point management server:

      CN=*,O=*

    2. Copy the full entity sic name returned by the opsec_pull_cert command.
    3. Move the opsec.p12 file to the <Control Manager installation directory>\SOTools directory. This file is the private credential that identifies Control Manager to the firewall: restrict read access to the account that runs Control Manager, because anyone who can read it can issue SAM requests as this OPSEC application.
  3. Go to the <Control Manager installation directory>\SOTools directory and locate the sam.conf file.
  4. Open the sam.conf file in a text editor and use the table below to modify the necessary keys.

    Key: sam_server auth_type
    Description: Indicates the authentication method. Use sslca, the certificate-based SIC method that uses the opsec.p12 file pulled in step 2.
    Example: sam_server auth_type sslca

    Key: sam_server ip
    Description: Indicates the IP address of the Check Point firewall server
    Example: sam_server ip 192.168.127.130

    Key: sam_server auth_port
    Description: Indicates the OPSEC SAM authentication port on the Check Point firewall server
    Example: sam_server auth_port 18181

    Important:

    You must provide the same sam_server auth_port number configured in the fwopsec.conf file on the Check Point firewall server.

    Key: sam_server opsec_entity_sic_name
    Description: Indicates the SIC name of the Check Point firewall server, that is, the server entity the client authenticates during the SIC handshake (the example value is truncated)
    Example: sam_server opsec_entity_sic_name "cn=cp_mgmt,o=gw-1e9412..7ny9dn"

    Key: opsec_sic_name
    Description: Indicates the SIC name returned by the opsec_pull_cert command, that is, the client identity contained in the opsec.p12 certificate
    Example: opsec_sic_name "CN=CMtest,O=gw-1e9412..7ny9dn"

    Important:

    You must provide the exact full entity sic name returned by the opsec_pull_cert command, enclosed in double quotes. If the name does not match the certificate in opsec.p12, the SIC handshake fails and no suspicious objects reach the firewall.

    Key: opsec_sslca_file
    Description: Indicates the file name of the authentication certificate file (the opsec.p12 file moved to the SOTools directory in step 2)
    Example: opsec_sslca_file opsec.p12

    Key: opsec_sic_policy_file
    Description: Indicates the file name of the SIC policy file
    Example: opsec_sic_policy_file sic_policy.ini

  5. Go to the <Control Manager installation directory>\SOTools directory and locate the Customized.config file.
  6. Open the Customized.config file in a text editor and use the table below to modify the necessary keys.

    Key: Sender
    Location: <SOMigrationTool>
    Change the value to "CKP_SAM_Client.exe"
    Example: <add key="Sender" value="CKP_SAM_Client.exe" />

    Key: Arguments
    Location: <SOMigrationTool>
    Change the value to "-t <timeout> -g <fw-ip> -c <conf_path> -A notify any <IP_address>"

    Where:

    • -t <timeout>: Indicates the amount of time (in seconds) that the Check Point firewall server waits before expiring a suspicious object; after this period the SAM rule for the object is removed

    • -g <fw-ip>: Indicates the IPv4 address of the Check Point firewall server; use the same address as sam_server ip in the sam.conf file

    • -c <conf_path>: Indicates the path of the sam.conf file, relative to the SOTools directory

    • -A notify any <IP_address>: Indicates the SAM action and its match criteria. notify only logs connections that match the criteria; any <IP_address> matches the address as either source or destination. If the firewall should block the traffic rather than log it, use one of the Check Point inhibit actions (for example inhibit_drop) instead of notify.

    Example: <add key="Arguments" value="-t 600 -g 192.168.127.130 -c sam.conf -A notify any 10.10.10.10" />

    Note:

    For more information about the actions and criteria accepted by sam_client_action, refer to the Check Point firewall server documentation.

    Key: outputFolderName
    Location: <OutputSettings>
    Change the value to "Check_Point"
    Example: <add key="outputFolderName" value="Check_Point" />

    Key: outputFile
    Location: <OutputSettings>
    Change the value to "SuspiciousObjectList.xml"
    Example: <add key="outputFile" value="SuspiciousObjectList.xml" />

    Key: description="IP"
    Location: <suspiciousObjectTypeList>
    Set isEnable="true" (SAM rules act on IP addresses, so the IP object type must be enabled)
    Example: <add value="0" description="IP" isEnable="true" />

    Key: description="SourceType"
    Location: <suspiciousObjectSourceType>
    Change the value to "0"
    Example: <add value="0" description="SourceType" isEnable="true" />

    Key: name="Entity"
    Location: <suspiciousObjectColumns>
    Set isEnable="true"
    Example: <add id="3" name="Entity" isEnable="true" />
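The following Python script is an added example written for this page; it is not part of Control Manager, CKP_SAM_Client.exe or the Check Point tools. It checks a sam.conf and Customized.config pair for the consistency rules stated in steps 4 and 6 before the integration is switched on: auth_type is sslca, auth_port equals the port from fwopsec.conf, both SIC names have the CN=...,O=... form, the certificate and policy files exist in SOTools, Sender is CKP_SAM_Client.exe, and the Arguments template uses the same firewall address as sam.conf. It also warns when the SAM action is notify, since that action logs rather than blocks. The sample file contents are constructed from the page's examples; the XML layout of Customized.config (only the section names come from the page) and the SOTOOLS_FILES listing are assumptions.

```python
import ipaddress
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample inputs built from the page's examples.
SAM_CONF = """\
sam_server auth_type sslca
sam_server ip 192.168.127.130
sam_server auth_port 18181
sam_server opsec_entity_sic_name "cn=cp_mgmt,o=gw-1e9412..7ny9dn"
opsec_sic_name "CN=CMtest,O=gw-1e9412..7ny9dn"
opsec_sslca_file opsec.p12
opsec_sic_policy_file sic_policy.ini
"""

# Assumed layout: sections named as on the page, each holding <add key value /> elements.
CUSTOMIZED_CONFIG = """\
<configuration>
  <SOMigrationTool>
    <add key="Sender" value="CKP_SAM_Client.exe" />
    <add key="Arguments" value="-t 600 -g 192.168.127.130 -c sam.conf -A notify any 10.10.10.10" />
  </SOMigrationTool>
  <OutputSettings>
    <add key="outputFolderName" value="Check_Point" />
    <add key="outputFile" value="SuspiciousObjectList.xml" />
  </OutputSettings>
</configuration>
"""

# Assumed listing of the SOTools directory (stands in for os.listdir on a real install).
SOTOOLS_FILES = ("sam.conf", "opsec.p12", "sic_policy.ini", "CKP_SAM_Client.exe")

SIC_NAME_RE = re.compile(r"^CN=[^,]+,O=[^,]+$", re.IGNORECASE)


def parse_sam_conf(text):
    """sam.conf lines are whitespace separated: every token but the last forms the key."""
    conf = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # strips the quotes around SIC names
        if len(tokens) >= 2:
            conf[" ".join(tokens[:-1])] = tokens[-1]
    return conf


def parse_customized_config(text):
    """Map (section, key) -> value for every <add key=... value=...> element."""
    values = {}
    for section in ET.fromstring(text):
        for add in section.findall("add"):
            if "key" in add.attrib:
                values[(section.tag, add.attrib["key"])] = add.attrib.get("value", "")
    return values


def parse_arguments(template):
    """Split the Arguments template into options; -A takes the rest of the line."""
    tokens = template.split()
    opts, i = {}, 0
    while i < len(tokens):
        if tokens[i] == "-A":
            opts["-A"] = tokens[i + 1:]  # action followed by its match criteria
            break
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def check(sam_text, customized_text, fwopsec_auth_port=18181, sotools_files=SOTOOLS_FILES):
    """Return (errors, warnings) for a sam.conf / Customized.config pair."""
    errors, warnings = [], []
    sam = parse_sam_conf(sam_text)
    cfg = parse_customized_config(customized_text)

    if sam.get("sam_server auth_type") != "sslca":
        errors.append("sam_server auth_type must be sslca (certificate-based SIC)")
    if sam.get("sam_server auth_port") != str(fwopsec_auth_port):
        errors.append("sam_server auth_port does not match the port in fwopsec.conf")
    try:
        fw_ip = ipaddress.ip_address(sam.get("sam_server ip", ""))
        if fw_ip.version != 4:
            errors.append("sam_server ip must be an IPv4 address")
    except ValueError:
        errors.append("sam_server ip is not a valid IP address")
        fw_ip = None
    for key in ("sam_server opsec_entity_sic_name", "opsec_sic_name"):
        if not SIC_NAME_RE.match(sam.get(key, "")):
            errors.append(f"{key} is not of the form CN=...,O=...")
    for key in ("opsec_sslca_file", "opsec_sic_policy_file"):
        if sam.get(key) not in sotools_files:
            errors.append(f"{key} names a file that is not in the SOTools directory")

    if cfg.get(("SOMigrationTool", "Sender")) != "CKP_SAM_Client.exe":
        errors.append("Sender must be CKP_SAM_Client.exe")
    args = parse_arguments(cfg.get(("SOMigrationTool", "Arguments"), ""))
    if not args.get("-t", "").isdigit() or int(args["-t"]) <= 0:
        errors.append("-t must be a positive number of seconds")
    if fw_ip is not None and args.get("-g") != str(fw_ip):
        errors.append("-g must equal sam_server ip")
    if args.get("-c") != "sam.conf":
        errors.append("-c must point at sam.conf")
    action = args.get("-A", [None])[0]
    if action is None:
        errors.append("-A <action> <criteria> is missing")
    elif action == "notify":
        warnings.append("-A notify only logs matching traffic; an inhibit action is needed to block it")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check(SAM_CONF, CUSTOMIZED_CONFIG)
    print("errors:", errs)
    print("warnings:", warns)
```

On a real server, read the two files from the SOTools directory and pass os.listdir of that directory as sotools_files; the port argument should come from the sam_server auth_port line in fwopsec.conf on the firewall.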