A ProxySG's archived configuration contains these passwords, all of which have been encrypted with the configuration-passwords-key. Upon restoring an archive, the ProxySG attempts to decrypt these passwords using its current configuration-passwords-key. Since this is not the original key, this process will fail (see ftp-client example below).
There are several remedies to this problem. The passwords can be manually reset one by one via the Management Console. Also, it is possible to edit the configuration file and replace these encrypted passwords with their "clear text" versions which will then be encrypted with the new configuration-passwords-key as the archived configuration is imported. However, these steps can be avoided by simply backing up the original key and restoring it to the new (or newly restored) ProxySG before restoring the configuration file. This will allow all previously configured passwords to remain valid after the restore is complete without any further manual intervention.
This is especially helpful when reinitializing a single disk system or whenever any system is restored to factory defaults, as this will always result in the creation of a new configuration-passwords-key, thereby rendering the previously configured passwords invalid.
Below are instructions on how to back up and restore the "configuration-passwords-key".
I. Backing up the original key:
Here is the output from the serial console, or SSH console running from the command line interface:
Go into the command line interface, either through SSH, serial console, or telnet.
Enter enable mode (enable) and go to the configuration terminal (config t).
A listing of keyrings is displayed
view keypair des3 configuration-passwords-key
Encryption password (Write down this password... It will be used later to restore the key)
Copy and paste the private key to a text file
Here is the console output while performing these steps on a ProxySG:
ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line. End with CTRL-Z.
ProxySG#(config)ssl
ProxySG#(config ssl)view keyring
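Every stored password depends on the one block pasted in the backup steps above, so it is worth checking the saved text file before the original system is reinitialized. The following is an added example, not part of the original article or any vendor tooling; it assumes the des3 export uses the traditional OpenSSL PEM layout (Proc-Type and DEK-Info headers, DES-EDE3-CBC), and check_key_backup and sample_backup are hypothetical names.

```python
import base64
import binascii
import re

# Assumption: the pasted key uses the traditional OpenSSL PEM layout.
PEM_RE = re.compile(
    r"-----BEGIN RSA PRIVATE KEY-----\r?\n(.*?)\r?\n-----END RSA PRIVATE KEY-----",
    re.S)

def check_key_backup(text):
    """Return a list of problems in a saved key backup (empty list = looks sound)."""
    m = PEM_RE.search(text)  # tolerates console prompts pasted around the key
    if not m:
        return ["BEGIN/END RSA PRIVATE KEY markers missing or incomplete"]
    headers, body = {}, []
    for ln in (l.strip() for l in m.group(1).splitlines()):
        if not body and ":" in ln:  # header lines precede the base64 body
            name, value = ln.split(":", 1)
            headers[name.strip()] = value.strip()
        elif ln:
            body.append(ln)
    problems = []
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    des3 = headers.get("DEK-Info", "").startswith("DES-EDE3-CBC,")
    if not encrypted:
        problems.append("key is not password-encrypted")
    elif not des3:
        problems.append("DEK-Info does not name DES-EDE3-CBC")
    try:
        raw = base64.b64decode("".join(body), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["base64 body is damaged"]
    # 3DES-CBC ciphertext is always a whole number of 8-byte blocks.
    if encrypted and des3 and (not raw or len(raw) % 8):
        problems.append("ciphertext length is not a multiple of 8; paste truncated")
    return problems

def sample_backup(encrypted=True, nbytes=64):
    """Constructed sample; the body is filler bytes, not a real key."""
    hdr = ("Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
           if encrypted else "")
    body = base64.b64encode(bytes(range(nbytes))).decode()
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + hdr + body
            + "\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check_key_backup(sample_backup()))
    print(check_key_backup(sample_backup(nbytes=61)))
```

A clean result only shows the file is structurally intact and password-protected; it does not confirm that the written-down encryption password is correct.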
II. Restoring the original key to the new (or newly restored) ProxySG:
Launch the Management Console
Go to the Configuration tab > SSL > Keyrings
configuration-passwords-key (NOTE: For SGOS 4.x, the name of this keyring contains a dash "-". If this key exists and is deleted, SGOS 4.x cannot recreate the name because of the dash "-" symbol in the name.)
Delete the existing key. Then save your changes by clicking the "Apply" button.
Create a new configuration-passwords-key using the exported key.
Keyring Name: configuration-passwords-key NOTE: In the 4.x code branch, it is not possible to create a new keyring that contains a dash "-" in keyring name.
Select "Show keypair"
Leave the default as "1024"-bit keyring
Click "Import Keyring"
Paste the configuration-passwords-key that was saved during the backup process. This is the data between the BEGIN and END RSA PRIVATE KEY.
Enter the password used to encrypt the key in step 5a of the backup procedure.
The configuration-passwords-key is now successfully imported.
Imported Document ID: 000012716