Print Download PDF Send Feedback

Previous

Next

The ICA Management Tool

The ICA Management Tool lets you:

Note - The ICA Management Tool supports TLS.

Check Point ICA is fully compliant with X.509 standards for both certificates and CRLs. See the related X.509 and PKI documentation, and RFC 2459 for more information.

For more information, see:

Using the ICA Management Tool

Use the ICA management tool for user certificate operations only, such as certificate creation. Do not use the ICA management tool to change SIC certificates or VPN certificates. Change SIC and VPN certificates in SmartConsole.

To use the ICA management tool, you must first enable it on the Security Management Server.

Enabling and Connecting to the ICA Management Tool

The ICA Management Tool is disabled by default.

To enable the ICA Management tool

Run this command on the Security Management Server:

cpca_client [-d] set_mgmt_tool on|off [-p <ca_port>] [-a|-u "administrator|user DN" ... ]

The command options are:

Option

Description

on

Starts the ICA Management Tool (by opening port 18265)

off

Stops the ICA Management Tool (by closing port 18265)

-p

Changes the port used to connect to the CA (if the default port is not being used)

-a "administrator DN" ...

Sets the DNs of the administrators that will be allowed to use the ICA Management Tool

-u "user DN" ...

Sets the DNs of users allowed to use the ICA Management Tool. An option intended for administrators with limited privileges.

Note - If cpca_client is run without -a or -u parameters, the list of the allowed users and administrators remains unchanged.

To Connect to the ICA Management Tool

  1. Add the administrator's certificate to the browser's certificate repository.
  2. Open the ICA Management tool from the browser using this address:

    https://<Management_Host_Name>:18265

    Authenticate when requested.

The ICA Management Tool GUI

Item

Description

1

Menu Pane

Shows a list of operations

2

Operations Pane

Manage certificates. The window divides into Search attributes configuration and Bulk operation configuration.

Create Certificates.

Configure the CA. Contains configuration parameters You can also view the CA's time, name, and the version and build number of the Security Management Server.

Manage CRLs. Download, publish, and recreate CRLs.

3

Search Results Pane. The results of the applied operation show in this pane. This window consists of a table with a list of certificates and certificate attributes.

Connect to the ICA Management tool using a browser and HTTPS connection.

Important: Before connecting, make sure to add an administrator certificate to the browser's store.

User Certificate Management

Internally managed User Certificates can be initialized, revoked or have their registrations removed using the ICA Management Tool. User Certificates of users managed on an LDAP server can only be managed using the ICA Management Tool.

This table shows User Certificate attributes that can be configured using the ICA Management Tool

Attributes

Default

Configurable

Comments

validity

2 years

yes

 

key size

2048 bits

yes

Can be set to 4096 bits

DN of User certificates managed by the internal database

CN=user name, OU=users

no

This DN is appended to the DN of the ICA

DN of User certificates managed on an LDAP server

 

yes

Depends on LDAP branch

KeyUsage

5

yes

Digital signature and Key encipherment

ExtendedKeyUsage

0 (no KeyUsage)

yes

 

Modifying the Key Size for User Certificates

If the user completes the registration from the Remote Access machine, the key size can be configured in the Advanced Configuration page in SmartConsole.

To configure the key size:

  1. From the Menu, select Global Properties.
  2. Go to Advanced, and in the Advanced Configuration section, click configure.

    The Advanced Configuration window opens.

  3. Go to the Certificates and PKI properties page.
  4. Set the new key size for this property: user_certs_key_size.
  5. Click OK.

You can also change the key size using the GuiDBedit Tool (see sk13009). Change the key size as it is listed in users_certs_key_size Global Property. The new value is downloaded when you update the site.

Performing Multiple Simultaneous Operations

The ICA Management Tool can do multiple operations at the same time. For example:

These operations can be done simultaneously:

ICA Administrators with Reduced Privileges

The ICA Management Tool supports administrators with limited privileges. These administrators cannot execute multiple concurrent operations, and their privileges include only these:

Management of SIC Certificates

SIC certificates are managed using SmartConsole.

Management of Gateway VPN Certificates

VPN certificates are managed in the VPN page of the corresponding network object. These certificates are issued automatically when the IPSec VPN blade is defined for the Check Point gateway or host. This definition is specified in the General Properties window of the corresponding network object.

If a VPN certificate is revoked, a new one is issued automatically.

Management of User Certificates in SmartConsole

The user certificates of users that are managed on the internal database are managed in SmartConsole.

For more information, see User Certificates in the R80.10 Remote Access VPN Administration Guide.

Notifying Users about Certificate Initialization

The ICA Management Tool can be configured to send a notification to users about certificate initialization. To send mail notifications

  1. In the Menu pane, click Configure the CA.
  2. In the Management Tool Mail Attributes area, configure:
    • The mail server
    • The mail "From" address
    • An optional 'To' address, which can be used if the users' address is not known

      The administrator can use this address to get the certificates on the user's behalf and forward them later.

  3. Click Apply.

Retrieving the ICA Certificate

For trust purposes, some gateways and remote clients, such as peer gateways that are not managed by the Security Management Server or clients using Clientless VPN, must retrieve the ICA certificate.

To retrieve the ICA Certificate:

  1. Open a browser and enter the applicable URL.

    Use this format:

    http://<Management Server IP address>:18264

    The Certificate Services window opens.

  2. Use the links to download the CA certificate to your computer or (in Windows) install the CA certification path.

Searching for a Certificate

There are two search options:

To do a certificate search:

In the Manage Certificates page, enter the search parameters, and click Search.

Basic Search Parameters

Advanced Search Attributes

In addition to the parameters of the basic search, specify these parameters:

The Search Results

The results of a search show in the Search Results pane. This pane consists of a table with a list of searched certificate attributes such as:

Note - The status bar shows search statistics after each search.

Viewing and Saving Certificate Details

You can view or save the certificate details that show in the search results.

To view and save certificate details:

Click on the DN link in the Search Results pane.

Removing and Revoking Certificates and Sending Email Notifications

  1. In the Menu pane, click Manage Certificates.
  2. Search for certificates with set attributes.

    The results show in the Search Results pane.

  3. Select the certificates, as needed, and click one of these options:
    • Revoke Selected - revokes the selected certificates and removes pending certificates from the CA's database
    • Remove Selected - removes the selected certificates from the CA's database and from the CRL

      Note - You can only remove expired or pending certificates.

    • Mail to Selected - sends mail for all selected pending certificates

      The mail includes the authorization codes. Messages to users that do not have an email defined are sent to a default address. For more, see Notifying Users about Certificate Initialization.

Submitting a Certificate Request to the CA

There are three ways to submit certificate requests to the CA:

To initiate a certificate:

  1. In the Menu pane, select Create Certificates > Initiate.
  2. Enter a User Name or Full DN, or click Advanced and fill in the form:
    • Certificate Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two years from the date of creation)
    • Registration Key Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two weeks from the date of creation)
  3. Click Go.

    A registration key is created and show in the Results pane.

    If necessary, click Send mail to user to email the registration key. The number of characters in the email is limited to 1900.

  4. The certificate becomes usable after entering the correct registration key.

To generate a certificate:

  1. In the Menu pane, select Create Certificates > Generate.
  2. Enter a User Name or Full DN, or click Advanced and fill in the form:
    • Certificate Expiration Date - Select a date or enter the date in the format dd-mm-yyyy [hh:mm:ss] (the default value is two years from the date of creation)
    • Registration Key Expiration Date - Select a date or enter the date in the format dd-mm-yyyy [hh:mm:ss] (the default value is two weeks from the date of creation)
  3. Enter a password.
  4. Click Go.
  5. Save the P12 file, and supply it to the user.

To create a PKCS#10 certificate:

  1. In the Menu pane, select Create Certificates > PKCS#10.
  2. Paste into the space the encrypted base-64 buffer text provided.

    You can also click on Browse for a file to insert (IE only) to import the request file.

  3. Click Create and save the created certificate.
  4. Supply the certificate to the requester.

Initializing Multiple Certificates Simultaneously

You can initialize a batch of certificates at the same time.

To initialize several certificates simultaneously:

  1. Create a file with the list of DNs to initialize.

    Note - There are two ways to create this file - through an LDAP query or a non-LDAP query.

  2. In the Menu pain, go to Create Certificates > Advanced.
  3. Browse to the file you created.
    • To send registration keys to the users, select Send registration keys via email
    • To receive a file that lists the initialized DNs with their registration keys, select Save results to file

      This file can later be used in a script.

  4. Click Initiate from file.

Files created through LDAP Queries

The file initiated by the LDAP search has this format:

Here is an example of an LDAP Search output:

not_after
86400
otp_validity
3600
uid=user_1,ou=People,o=intranet,dc=company,dc=com
mail=user_1@company.com
<blank_line>

uid=…

For more information, see User Directory.

Files created through a Simple Non-LDAP Query

It is possible to create a simple (non-LDAP) query by configuring the DN + email in a file using this format:

<email address> space <DN>
… blank line as a separator …
<email address> space <DN>

CRL Management

By default, the CRL is valid for one week. This value can be configured. New CRLs are issued:

It is possible to recreate a specified CRL using the ICA Management Tool. The utility acts as a recovery mechanism in the event that the CRL is deleted or corrupted. An administrator can download a DER encoded version of the CRL using the ICA Management Tool.

CRL Modes

The ICA can issue multiple CRLs. Multiple CRLs prevent one CRL from becoming larger than 10K. If the CRL exceeds 10K, IKE negotiations can fail when trying to open VPN tunnels.

Multiple CRLs are created by attributing each certificate issued to a specified CRL. If revoked, the serial number of the certificate shows in the specified CRL.

The CRL Distribution Point (CRLDP) extension of the certificate contains the URL of the specified CRL. This ensures that the correct CRL is retrieved when the certificate is validated.

CRL Operations

You can download, update, or recreate CRLs through the ICA management tool.

To do operations with CRLs:

  1. In the Menu pane, select Manage CRLs.
  2. From the drop-down box, select one or more CRLs.
  3. Select an action:
    • Click Download to download the CRL.
    • Click Publish to renew the CRL after changes have been made to the CRL database.

      This operation is done at an interval set by the CRL Duration attribute.

    • Click Recreate to recreate the CRL.

CA Cleanup

To clean up the CA, you must remove the expired certificates. Before you do that, make sure that the time set on the Security Management Server is correct.

To remove the expired certificates:

In the Menu pane, select Manage CRLs > Clean the CA's Database and CRLs from expired certificates.

Configuring the CA

To configure the CA:

  1. In the Menu pane, select Configure the CA.
  2. Edit the CA data values as necessary.
  3. In the Operations pane, select an operation:
    • Apply - Save and enter the CA configuration settings.

      If the values are valid, the configured settings become immediately effective. All non-valid strings are changed to the default values.

    • Cancel - Reset all values to the values in the last saved configuration.
    • Restore Default - Revert the CA to its default configuration settings.

      Entering the string Default in one of the attributes will also reset it to the default after you click Configure. Values that are valid will be changed as requested, and others will change to default values.

CA Data Types and Attributes

The CA data types are:

These are the CA attributes, in alphabetical order:

Attribute

Comment

Values

Default

Authorization Code Length

The number of characters of the authorization codes.

min-6

max-12

6

CRL Duration

The period of time for which the CRL is valid.

min-5 minutes

max-1 year

1 week

Enable Renewal

For User certificates. This is a Boolean value setting which stipulates whether to enable renewal or not.

true or false

true

Grace Period Before Revocation

The amount of time the old certificate will remain in Renewed (superseded) state.

min-0

max-5 years

1 week

Grace Period Check Period

The amount of time between sequential checks of the Renewed (superseded) list in order to revoke those whose duration has passed.

min-10 minutes

max-1 week

1 day

IKE Certificate Validity Period

The amount of time an IKE certificate will be valid.

min-10 minutes

max-20 years

5 years

IKE Certificate Extended Key Usage

Certificate purposes for describing the type of the extended key usage for IKE certificates. Refer to RFC 2459.

 

means no KeyUsage

IKE Certificate Key usage

Certificate purposes for describing the certificate operations. Refer to RFC 2459.

 

Digital signature and Key encipherment

Management Tool DN prefix

Determines the DN prefix of a DN that will be created when entering a user name.

possible values

CN=

UID=

CN=

Management Tool DN suffix

Determines the DN suffix of a DN that will be created when entering a user name.

 

ou=users

Management Tool Hide Mail Button

For security reasons the mail sending button after displaying a single certificate can be hidden.

true or false

false

Management Tool Mail Server

The SMTP server that will be used in order to send registration code mails. It has no default and must be configured in order for the mail sending option to work.

 

-

Management Tool Registration Key Validity Period

The amount of time a registration code is valid when initiated using the Management Tool.

min-10 minutes

max-2 months

2 weeks

Management Tool User Certificate Validity Period

The amount of time that a user certificate is valid when initiated using the Management Tool.

min-one week

max-20 years

2 years

Management Tool Mail From Address

When sending mails this is the email address that will appear in the from field. A report of the mail delivery status will be sent to this address.

 

-

Management Tool Mail Subject

The email subject field.

 

-

Management Tool Mail Text Format

The text that appears in the body of the message. 3 variables can be used in addition to the text: $REG_KEY (user's registration key);

$EXPIRE (expiration time); $USER (user's DN).

 

Registration Key: $REG_KEY

Expiration: $EXPIRE

Management Tool Mail To address

When the send mail option is used, the emails to users that have no email address defined will be sent to this address.

 

-

Max Certificates Per Distribution Point

The maximum capacity of a CRL in the new CRL mode.

min-3

max-400

400

New CRL Mode

A Boolean value describing the CRL mode.

0 for old CRL mode

1 for new mode

true

Number of certificates per search page

The number of certificates that will be displayed in each page of the search window.

min-1

max-approx 700

approx 700

Number of Digits for Serial Number

The number of digits of certificate serial numbers.

min-5

max-10

5

Revoke renewed certificates

This flag determines whether to revoke an old certificate after it has been renewed. The reason for not revoking this is to prevent the CRL from growing each time a certificate is renewed.

If the certificate is not revoked the user may have two valid certificates.

true or false

true

SIC Key Size

The key size in bits of keys used in SIC.

possible values:

1024

2048

4096

2048

SIC Certificate Key usage

Certificate purposes for describing the certificate operations. Refer to RFC 2459.

 

Digital signature and Key encipherment

SIC Certificate Validity Period

The amount of time a SIC certificate will be valid.

min-10 minutes

max-20 years

5 years

User Certificate Extended Key Usage

Certificate purposes for describing the type of the extended key usage for User certificates. Refer to RFC 2459.

 

means no KeyUsage

User Certificate Key Size

The key size in bits of the user's certificates.

Possible values:

1024

2048

4096

2048

User Certificate Key usage

Certificate purposes for describing the certificate operations. Refer to RFC 2459

 

Digital signature and Key encipherment

 

Certificate Longevity and Statuses

Certificates issued by the ICA have a defined validity period. When period ends, the certificate expires.

SIC certificates, VPN certificates for Security Gateways and User certificates can be created in one step in SmartConsole. User certificates can also be created in two steps using SmartConsole or the ICA Management Tool. The two steps are:

The advantages are:

Enhanced security

Pre-issuance automatic and administrator-initiated certificate removal

If a user does not complete the registration procedure in a given period (two weeks by default), the registration code is automatically removed. An administrator can remove the registration key before the user completes the registration procedure. After that, the administrator can revoke the user certificate.

Explicit or Automatic Renewal of User certificates ensuring continuous User connectivity

A user certificate of type PKCS12 can be renewed explicitly by the user. A PKCS12 certificate can also be set to renew automatically when it is about to expire. This renewal operation ensures that the user can continuously connect to the organization's network. The administrator can choose when to set the automatic revoke old user certificates.

One more advantage is:

Automatic renewal of SIC certificates ensuring continuous SIC connectivity

SIC certificates are renewed automatically after 75% of the validity time of the certificate has passed. If, for example, the SIC certificate is valid for five years. After 3.75 years, a new certificate is created and downloaded automatically to the SIC entity. This automatic renewal ensures that the SIC connectivity of the gateway is continuous. The administrator can revoke the old certificate automatically or after a set period of time. By default, the old certificate is revoked one week after certificate renewal.