How to move to a new RSA ACE server
When moving a Security Gateway that is already configured to use an RSA server for SecurID authentication over to a new RSA ACE server, log on to the Security Gateway and clear the contents of the /var/ace/ directory before installing the updated policy.
The reason this is necessary is that when the Check Point Management server pushes the new sdconf.rec and sdopts.rec files into /var/ace/, it does not remove the existing shared secret (the node secret, held in the securid file). The gateway therefore keeps using the "old" shared secret with the new RSA server instead of negotiating a new one. Because the two sides hold different secrets, authentication fails. The new RSA server must also be set up to accept a fresh node-secret exchange from this gateway's agent host record; otherwise the renegotiation cannot take place even after the files are cleared.
Original Files:
cp-fw[root]# ls -ll /var/ace/
total 10
-rw-rw---- 1 root wheel 1024 Nov 25 10:08 sdconf.rec
-rw-rw---- 1 root wheel   23 Nov 21  2011 sdopts.rec
-rw-rw---- 1 root wheel 2418 Nov 25 09:26 sdstatus.12
-r-------- 1 root wheel  512 Nov 21  2011 securid
Remove the files from the /var/ace/ directory. Take a copy of the directory first if you may need to roll back to the old RSA server. Note that the node secret file is named securid with no extension, so a pattern such as *.* would leave it behind; delete everything in the directory:
cp-fw[root]# cd /var/ace
cp-fw[root]# rm -f *
cp-fw[root]# ls -ll
total 0
Once all files have been removed from the /var/ace/ directory, push the updated policy to the Security Gateway.
After Policy Installation:
cp-fw[root]# ls -ll /var/ace/
total 4
-rw-rw---- 1 root wheel 1024 Dec 11 15:51 sdconf.rec
-rw-rw---- 1 root wheel    0 Dec 11 15:49 sdopts.rec
Initiate a VPN connection to the Security Gateway and try to authenticate a user. After you have successfully authenticated a user, check the /var/ace/ directory again to ensure all the.
After Successful Authentication:
cp-fw[root]# ls -ll /var/ace/
total 10
-rw-rw---- 1 root wheel 1024 Dec 11 15:51 sdconf.rec
-rw-rw---- 1 root wheel    0 Dec 11 15:49 sdopts.rec
-rw-rw---- 1 root wheel 2418 Dec 11 15:53 sdstatus.12
-r-------- 1 root wheel  512 Dec 11 15:53 securid
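The steps above, wrapped into a small set of shell functions as an added example (this is not code from the article or from Check Point). It backs the directory up before clearing it, clears it in a way that also removes the dot-less securid file, and classifies the directory contents so each stage of the move can be verified: "stale" means a node secret older than the current sdconf.rec, which is exactly the state the article warns about. ACE_DIR is an assumed variable that defaults to /var/ace and can be pointed at a scratch directory for a dry run; the timestamps used in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. ACE_DIR is an assumed
# variable; point it at a temporary directory to rehearse the procedure.
set -u

ACE_DIR="${ACE_DIR:-/var/ace}"

# Copy the agent files aside before deleting them so the old node secret can
# be restored if the cut-over to the new RSA server has to be rolled back.
# Prints the backup directory path.
backup_ace_dir() {
    dir="${1:-$ACE_DIR}"
    dest="${2:-${dir}.bak.$(date +%Y%m%d%H%M%S)}"
    mkdir -p "$dest" || return 1
    chmod 700 "$dest"            # the backup contains the node secret
    for f in "$dir"/*; do
        [ -f "$f" ] && cp -p "$f" "$dest"/   # -p keeps the 0400 mode on securid
    done
    printf '%s\n' "$dest"
}

# Delete every regular file in the directory. "rm *.*" is not enough: the
# node secret file is called "securid" and has no dot in its name.
clear_ace_dir() {
    dir="${1:-$ACE_DIR}"
    [ -d "$dir" ] || return 1
    find "$dir" -maxdepth 1 -type f -exec rm -f -- {} +
}

# Classify the directory so each step of the move can be checked:
#   empty     nothing left, ready for the policy push
#   leftover  files present but no sdconf.rec (clearing or push incomplete)
#   pushed    sdconf.rec delivered, no node secret negotiated yet
#   complete  node secret negotiated after the push (securid newer than sdconf.rec)
#   stale     node secret older than sdconf.rec: the old secret survived the push
ace_state() {
    dir="${1:-$ACE_DIR}"
    if [ ! -f "$dir/sdconf.rec" ]; then
        if [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
            echo empty
        else
            echo leftover
        fi
        return 0
    fi
    if [ ! -f "$dir/securid" ]; then
        echo pushed
    elif [ "$dir/securid" -ot "$dir/sdconf.rec" ]; then
        echo stale
    else
        echo complete
    fi
}

# Typical run on the gateway (uncomment to use for real):
#   backup_ace_dir            # keep a copy of the old files
#   clear_ace_dir             # expect: ace_state prints "empty"
#   ... install policy from the Management server ...
#   ace_state                 # expect: "pushed"
#   ... authenticate one SecurID user over the VPN ...
#   ace_state                 # expect: "complete"; "stale" means the old secret is still there
```

If ace_state reports "stale" after the policy push, the securid file was not removed before the push and the procedure has to be repeated from the clearing step.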