Reconfigure Security Engine settings

On the command line of the Security Engine, you can use the Security Engine Configuration Wizard to change settings that were defined during the installation of the Security Engine.

The Security Engine Configuration Wizard also allows you to re-establish a trust relationship between the Security Engine and the Management Server if the trust is lost.

Note: On Security Engines that are fully configured, you can change each setting individually without changing the other settings. All steps are optional.

Steps

  1. Start the Security Engine Configuration Wizard using one of the following commands:
    • sg-reconfigure --no-shutdown — The Security Engine Configuration Wizard starts without shutting down the Security Engine. You cannot change network interface settings in this mode.
    • sg-reconfigure — The Security Engine shuts down and the Security Engine Configuration Wizard starts. All options are available if you have a local connection. If you have a remote SSH connection, you cannot change network interface settings.
  2. Change the general settings.
    • Change the keyboard layout for command-line use.
    • Change the time zone for command-line use.
    • Change the host name of the engine.
    • Enable or disable SSH access to the engine command line.
      Note: Unless you have a specific reason to enable SSH access to the engine command line, we recommend leaving it disabled.
  3. Change the password for the root user account.
    1. Highlight Change, then press Enter.
    2. Enter and confirm the new password for the root user account.
    3. Highlight OK, then press Enter.
  4. Change the bootloader password.
    The bootloader password prevents unauthorized editing of parameters in the second-level grub menu on the Security Engine.
    1. Highlight Change, then press Enter.
    2. Enter and confirm the new bootloader password.
    3. Highlight OK, then press Enter.
  5. Change the network card settings and the mapping of network cards to Interface IDs.
  6. Change the settings on the Prepare for Management Contact screen.
    Note: The Management Server contact details are not used by the Security Engine after a policy has been installed from the Management Server. They are shown for your reference only.
    • To re-establish the trust relationship between the Security Engine and the Management Server, select Contact Management Server, then enter a new one-time password.
      Select this option when you want to replace a missing or expired certificate, or if the trust relationship with the Management Server is lost for any other reason, such as changing the Management Server’s IP address.
      CAUTION:
      If there is a Engine or Layer 2 Engine between a remote Security Engine and the Management Server, you must allow the connection in the Engine or Layer 2 Engine Access rules. If there is a NAT device between a remote Security Engine and the Management Server, you must also configure NAT rules for the connection in the Engine Policy. Otherwise, the Security Engine cannot contact the Management Server.
    • To reset the Security Engine to the post-installation state, select Switch to Initial Configuration.
      CAUTION:
      Selecting this option removes all configuration and policy information that has been transferred to the Security Engine. The post-installation state uses a policy that allows communication only between the Security Engine and the Management Server. You must install a policy on the Security Engine before it can be operational again.