Cisco CS-MARS-20-K9 - Security MARS 20 User Manual page 490

Understanding Certificate and Fingerprint Validation and Management
Three options exist for specifying how MARS should respond during attempts to establish a secure
connection. The three options are as follows:
Automatically always accept. This option, which is compatible with previous releases, allows a
MARS Appliance to connect to reporting devices regardless of how frequently the certificate or
fingerprint changes because MARS automatically accepts and stores the replacement certificate or
fingerprint for all devices. However, this option does not provide an opportunity to inspect and
authorize the changes to the certificates or fingerprints. When a conflict is detected or when a new
certificate or fingerprint is accepted, the event is logged to the internal log. The internal log entry
includes the name of the process that detected the conflict and the IP address of the reporting device.
The logs can be retrieved by queries and reports. See Monitoring Certificate Status and Changes, page 24-10 for more information on studying these events.
Accept first time and prompt on change (default). This option accepts and stores a new certificate
or fingerprint the first time MARS Appliance connects to a device. For subsequent connection
attempts, the appliance checks the presented certificate or fingerprint against the stored value. If a
conflict is detected, the session is refused unless the new certificate or fingerprint is manually
accepted by the administrator. This option enables initial topology discovery to proceed without
administrator intervention. Internal system logs of the initial acceptance, conflict detection, and
acceptance of new change are created. The internal logs include the name of the process that
detected the conflict, the IP address of the reporting device, and the username of the account used
to accept the change.
If, when a change is detected by a web interface process, the session times out before administrative
intervention, the communication fails but no internal system log is generated to record the failure to
accept the changed certificate or fingerprint. Also, if a back-end process initiates the request, such
as auto discovery, then the session attempt always fails and no attempt to obtain administrative
acceptance is initiated. In such cases, any data the MARS Appliance would normally ascertain from
the device during such a session is not collected. This delay of data retrieval does not apply to
syslogs forwarded to the MARS Appliance by the reporting device, and data retrieval resumes once the new
certificate is accepted. The recommended method for manually triggering change detection is to
use the Test Connectivity or Discover button on the reporting device.
Always prompt on new and changed. This option requires an administrator to manually accept
the certificate or fingerprint before MARS can establish the desired communications each time the
certificate or fingerprint changes. During changes, the internal log includes the username of the
account used to accept the change. If the communication times out before administrative
intervention, the communication fails and an internal system log records the failure to accept the
changed certificate or fingerprint.
The implication of each option varies based on which MARS service is attempting the connection, not
in the enforcement of the option, but in the ability of the service to prompt for immediate administrative
intervention. In other words, if the service is a GUI-based service, you will be prompted to accept the
changed certificate or fingerprint. If the service is a backend service, the communications with the target
device will fail and the event will be logged.
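As an added illustration, not Cisco's code or the appliance's implementation, the following Python models the three response options above and the difference between a GUI-based service that can prompt and a back-end process that cannot; the in-memory store, the log tuple layout, the process names and the fingerprint values are all hypothetical.

```python
from enum import Enum

class Policy(Enum):
    ALWAYS_ACCEPT = "Automatically always accept"
    ACCEPT_FIRST = "Accept first time and prompt on change"
    ALWAYS_PROMPT = "Always prompt on new and changed"

class FingerprintStore:
    """Stored fingerprint per reporting device plus an internal-log list (hypothetical model)."""
    def __init__(self, policy):
        self.policy = policy
        self.known = {}   # device IP -> last accepted certificate/fingerprint
        self.log = []     # (process, device_ip, username, event), like the internal log entries

    def validate(self, process, device_ip, presented, interactive, approve=None):
        """Return (allowed, reason). interactive=False models a back-end process that cannot
        prompt; approve() returns the accepting admin's username, or None on timeout."""
        stored = self.known.get(device_ip)
        if stored == presented:
            return True, "match"
        event = "new" if stored is None else "conflict"
        auto = self.policy is Policy.ALWAYS_ACCEPT or (
            self.policy is Policy.ACCEPT_FIRST and stored is None)
        if auto:
            self.known[device_ip] = presented
            self.log.append((process, device_ip, None, f"{event} accepted automatically"))
            return True, f"{event} accepted automatically"
        if not interactive:
            # Back-end processes cannot prompt: the attempt fails and no acceptance is sought.
            self.log.append((process, device_ip, None, f"{event} detected, session refused"))
            return False, f"{event} refused (back-end, no prompt)"
        user = approve() if approve else None
        if user is None:
            # Timed out before acceptance: the page says this is logged only under Always prompt.
            if self.policy is Policy.ALWAYS_PROMPT:
                self.log.append((process, device_ip, None, f"{event} not accepted before timeout"))
            return False, f"{event} refused (timeout)"
        self.known[device_ip] = presented
        self.log.append((process, device_ip, user, f"{event} accepted"))
        return True, f"{event} accepted by {user}"

FP_OLD, FP_NEW = "SHA1:11:22:33:44", "SHA1:aa:bb:cc:dd"  # constructed sample values, not real

def demo(policy, admin=lambda: "admin"):
    """First contact via Discover, a rekey seen by back-end auto discovery, then Test Connectivity."""
    store = FingerprintStore(policy)
    r1 = store.validate("discovery", "10.0.0.5", FP_OLD, interactive=True, approve=admin)[0]
    r2 = store.validate("auto_discovery", "10.0.0.5", FP_NEW, interactive=False)[0]
    r3 = store.validate("test_connectivity", "10.0.0.5", FP_NEW, interactive=True, approve=admin)[0]
    return r1, r2, r3, len(store.log)
```

Running `demo` under each policy shows the rekey always failing for the back-end process and succeeding only once an administrator accepts it through the GUI path.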
The following services and operations are affected by the global certificate/fingerprint response setting:
Upgrade (SSL). When MARS uses the HTTPS option to download the upgrade package from the
remote server specified on the Admin > System Maintenance > Upgrade page.
Discovery operation (SSH).
Test Connectivity operation (SSL).
Cisco IDS, IPS, and IOS IPS router event processing (RDEP or SDEE over SSH).
CSM Policy Query Integration (SSL).
Qualys Report Discovery (SSL).
User Guide for Cisco Security MARS Local Controller
Chapter 24 System Maintenance
24-8
78-17020-01
