Check Point - A look at SecurID Files
To enable SecurID authentication you first need to generate an 'sdconf.rec' file for the Check Point gateway on your ACE SERVER.
Copy this file to the '/var/ace' directory of your Check Point Firewall (create the directory if it does not exist).
Once your ACE SERVER and your ACE AGENT (the Check Point Firewall) start communicating, an 'sdstatus.12' file is generated.
When the communication is deemed successful a 'securid' file is generated. It is worth noting that 'securid' is the default name given to the node secret file.
!! If no securid file is generated, check that the "Reset Node Secret" option was enabled on the ACE SERVER at the point the sdconf.rec file was generated. !!
Once the sdstatus.12 and securid files exist, encrypted communication between the ACE AGENT and SERVER can be established.
Below is a summary of these files :
| File        | Description                                                                                                   |
| sdconf.rec  | Generated by the ACE SERVER and copied to the /var/ace directory                                              |
| sdopts.rec  | Optional; allows you to force the ACE AGENT to use a specific IP address (CLIENT_IP) when generating its hash  |
| sdstatus.12 | Automatically created at the point of communication between the ACE AGENT and SERVER                          |
| securid     | Automatically created at the point of successful communication between the ACE AGENT and SERVER (the node secret) |
Packet Capture Example (tcpdump output; the ACE AGENT talks to the ACE SERVER on UDP port 5500) :
14:44:49.619735 [FIREWALL].1117 > [ACE SERVER].5500: udp 124 - FIREWALL queries ACE SERVER
14:44:50.387343 [ACE SERVER].5500 > [FIREWALL].1117: udp 124 - ACE SERVER responds
14:44:57.954218 [FIREWALL].1117 > [ACE SERVER].5500: udp 124 - FIREWALL confirms response
14:45:00.733002 [ACE SERVER].5500 > [FIREWALL].1117: udp 124 - ACE SERVER responds
You may see authentication failures after the initial authentication, accompanied by the error message :
[LOG_ERR] ACEAGENT: The message entry does not exist for message ID: 100x
This is caused by the hash of the Check Point's IP address that is embedded in the authentication request being different from the hash of the Check Point's IP address that the ACE SERVER generates. This typically happens in multihomed or NAT configurations, where the address the request leaves on is not the address the ACE SERVER expects for the agent.
To resolve this :
- create the sdopts.rec file in the /var/ace directory
- using vi, edit the sdopts.rec file and insert the line: CLIENT_IP=[IP address of the ACE AGENT (Check Point Firewall)]
- restart FW-1 using cpstop && cpstart
Note : it has been reported that this also corrects SecurID issues on SecurePlatform.
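The procedure above as a POSIX shell script, added here as an editor's example (it is not from the original page or from Check Point). The agent directory is a parameter so the checks can be tried against a scratch directory before touching /var/ace. The function names valid_ipv4, write_sdopts, client_ip, check_ace_dir and apply_fix are the example's own, and the warning about a group- or world-readable node secret is the editor's recommendation rather than something the page states; cpstop && cpstart is the restart the page prescribes.

```shell
#!/bin/sh
# Added example: prepare a Check Point gateway's /var/ace directory for SecurID.
# Function names and the permission check are this example's own choices;
# 'cpstop && cpstart' is the restart the page prescribes.

# Return 0 if $1 is a dotted-quad IPv4 address with four octets of 0-255.
# Runs in a subshell so the IFS change and 'set --' do not leak out.
valid_ipv4() (
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, or empty octet
    esac
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Write sdopts.rec in directory $1 so the ACE AGENT embeds $2 as its address
# in every request, whatever interface the packet actually leaves on.
write_sdopts() {
    dir=$1
    ip=$2
    valid_ipv4 "$ip" || { echo "write_sdopts: '$ip' is not an IPv4 address" >&2; return 1; }
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    printf 'CLIENT_IP=%s\n' "$ip" > "$dir/sdopts.rec"
}

# Print the CLIENT_IP currently configured in $1/sdopts.rec (empty if none).
client_ip() {
    sed -n 's/^CLIENT_IP=//p' "$1/sdopts.rec" 2>/dev/null | head -n 1
}

# List which of the four agent files exist in $1 and warn if the node secret
# (securid) is readable by group or others. Returns 1 when sdconf.rec, the one
# file that must be copied in by hand, is missing.
check_ace_dir() {
    dir=$1
    rc=0
    for f in sdconf.rec sdopts.rec sdstatus.12 securid; do
        if [ -f "$dir/$f" ]; then echo "present: $f"; else echo "missing: $f"; fi
    done
    if [ ! -f "$dir/sdconf.rec" ]; then
        echo "sdconf.rec must be generated on the ACE SERVER and copied here"
        rc=1
    fi
    if [ -f "$dir/securid" ]; then
        mode=$(ls -l "$dir/securid" | cut -c1-10)   # e.g. -rw-r--r--
        case "$mode" in
            ????r*|???????r*) echo "warning: node secret is group/world readable ($mode)" ;;
        esac
    fi
    return $rc
}

# The page's fix end to end: write sdopts.rec, verify the directory, restart
# FW-1. Only meaningful on the gateway itself, where cpstop/cpstart exist.
apply_fix() {
    write_sdopts "$1" "$2" && check_ace_dir "$1" && cpstop && cpstart
}
```

Source the script on the gateway and run `apply_fix /var/ace <agent IP>`; run `check_ace_dir /var/ace` on its own to see which of the four files are present before and after the first authentication exchange.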