Cisco Systems CL-28826-01 Security Camera User Manual


9-4
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 9 Troubleshooting Device Communication and Deployment
Managing Device Communication Settings and Certificates
If you discover device inventory and policies directly from devices, or deploy configurations to devices
rather than to files, you must configure Security Manager to use the transport protocols that your devices
use. For some device types, only one transport protocol is supported, so you do not need to make a
choice. For other devices, such as Cisco IOS routers, you have options concerning the protocols you use.
Security Manager has default settings for transport protocols that are the most-used protocols for each
device type. To change these settings, select Tools > Security Manager Administration and select
Device Communication from the table of contents (see Device Communication Page, page 11-17).
For most users, the communication settings that require management are the certificates used for SSL
(HTTPS) connections and the public keys used for SSH connections. You might update the certificates
and keys on the device, which would leave Security Manager holding an outdated copy. The following
topics provide more information about managing certificates and keys, and how to troubleshoot
device communications:
- SSL certificates—On the Device Communication page, you can configure Security Manager to
  automatically replace certificates using the ones obtained from the device. If you decide to manually
  manage the SSL certificate store, see Manually Adding SSL Certificates for Devices that Use
  HTTPS Communications, page 9-4. The following topics provide more information about certificate
  errors:
  - Security Certificate Rejected When Discovering Device, page 9-6
  - Invalid Certificate Error During Device Discovery, page 9-6
  - Managing IPS Certificates, page 43-10

  Tip: Ensure that all PIX Firewalls and Adaptive Security Appliances that you intend to manage with Security
  Manager have a 3DES/AES license. See Understanding Device Communication Requirements,
  page 2-1.

- SSH Public Keys—By default, Security Manager replaces public keys with the new ones obtained
  during SSH connections. If you have problems with SSH communications, see Troubleshooting
  SSH Connection Problems, page 9-7.
- General Device Communication Troubleshooting—For other problems you might encounter, see
  Troubleshooting Device Communication Failures, page 9-7.

Manually Adding SSL Certificates for Devices that Use HTTPS Communications
Note: In addition to the techniques described in this topic, for IPS devices you can use the IPS Certificates
utility to manage the certificates in Security Manager’s certificate data store. For more information, see
Managing IPS Certificates, page 43-10.

When you use SSL (HTTPS) as the transport protocol for communicating with IPS, PIX, ASA, or FWSM
devices, or Cisco IOS routers, you can configure Security Manager to automatically retrieve the device
authentication certificate when adding the device (see Device Communication Page, page 11-17).