Error: "Failed to generate package" when generating CEM agent packages

Article ID: 159252

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

When you generate a Cloud-enabled Management (CEM) agent package, you see the errors "Failed to generate package" and "Object reference not set to an instance of an object".

Module: w3wp.exe

Source: Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.OnGeneratePackage

Description: Failed to generate agent package

Altiris.NS.Exceptions.AeXException (Altiris.NS.StandardItems): Object reference not set to an instance of an object.

at Altiris.NS.StandardItems.AgentManagement.CEMPackageRegistrator.BuildSitePackage(String siteIdentifier, IEnumerable`1 gateways, IEnumerable`1 resourceTargets, IEnumerable`1 organizationalGroups, String additionalInstallParams, DateTime requestedPackageExpiry, AgentPackageParameters packageParams, DateTime& packageExpiry)

at Altiris.NS.UI.Admin.ClientManagement.IbcmAgentInstallationPackage.OnGeneratePackage(Object sender, EventArgs e)

Cause

The self-signed "Client Authentication" SSL certificate cached on the SMP server lost its reference to its corresponding private key. As a result, the certificate identified by the thumbprint referenced in the package builder UI was unusable for secure communications.

The certificate’s thumbprint is saved to the registry string:

HKLM\Software\Altiris\express\Notification Server\CA\Agent\Thumbprint

Steps to validate the certificate:

  1. While logged in as App Identity (the account that starts the services in Service Manager), open the computer's certificates by running certmgr.msc.
  2. Make sure to select the "Computer" level and not "User" or "Service".
  3. Use the "Find Certificates" option and paste the thumbprint value from the registry entry listed above and search for it in the "Sha1 Hash" field.
  4. It should be self-signed (the "issued to" and "issued by" fields should be the same).
    Example: SMP PURGATORY.tunnelback.myssl.com Agent CA.
  5. The "issued to" and "issued by" fields should contain the FQDN for the NS server in the name.
  6. The expiration date should be far in the future.
  7. "Intended purpose" should include client and server authentication.
  8. Friendly name should be "CN=SMP <NSFQDN> Agent CA" where <NSFQDN> is the FQDN of the NS server.
  9. The certificate should be stored in "Trusted Root Certification Authorities".
  10. When opening the certificate, it should note that it has a private key associated with it.
  11. Right-click the certificate and export it, making sure to export the private key.
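
The validation steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of the product's tooling. It assumes it is run elevated on the SMP server, that the thumbprint is held in a string value named Thumbprint under the CA\Agent key, and that the key is RSA; the parameter names and the backup path are hypothetical.

```powershell
# Added example: scripted version of the certificate validation steps.
param(
    [string]$NsFqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,  # assumed NS FQDN
    [string]$PfxPath = ''   # hypothetical backup path; leave empty to skip the export (step 11)
)
# Assumption: the thumbprint is the string value "Thumbprint" under this key.
$regKey = 'HKLM:\Software\Altiris\express\Notification Server\CA\Agent'
$thumb  = ((Get-ItemProperty -Path $regKey -Name Thumbprint).Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Computer-level "Trusted Root Certification Authorities" store (steps 2, 3 and 9).
$cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $thumb in LocalMachine\Root" }

# HasPrivateKey only reports that the store records a key link; opening the key
# tests that the link still resolves (assumes an RSA key).
$keyOpens = $false
if ($cert.HasPrivateKey) {
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $keyOpens = ($null -ne $rsa)
    } catch {
        Write-Warning "Private key could not be opened: $($_.Exception.Message)"
    }
}

# "Intended purpose" corresponds to the Enhanced Key Usage OIDs.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })

[pscustomobject]@{
    Subject         = $cert.Subject
    SelfSigned      = ($cert.Subject -eq $cert.Issuer)               # step 4
    NameHasNsFqdn   = ($cert.Subject -like "*$NsFqdn*")              # step 5
    NotAfter        = $cert.NotAfter                                 # step 6
    DaysLeft        = [int]($cert.NotAfter - (Get-Date)).TotalDays
    ClientAuthEku   = ($ekus -contains '1.3.6.1.5.5.7.3.2')          # step 7
    ServerAuthEku   = ($ekus -contains '1.3.6.1.5.5.7.3.1')
    FriendlyName    = $cert.FriendlyName                             # step 8
    HasPrivateKey   = $cert.HasPrivateKey                            # step 10
    PrivateKeyOpens = $keyOpens
}

if ($PfxPath -and $keyOpens) {   # step 11: back up the certificate with its private key
    $pw = Read-Host -AsSecureString -Prompt 'PFX password'
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pw | Out-Null
}
```

A result with HasPrivateKey true but PrivateKeyOpens false matches the cause described above.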

Resolution

In cases where the corresponding private key is broken, the solution is to remove the broken key and load a previously exported backup (.PFX file) of the original certificate.

If a backup of the certificate does not exist then a new one will need to be generated. This will require that the new certificate be deployed to all existing clients and gateway machines.

Steps to generate a new certificate and deploy it to existing clients:

  1. Work through TECH225156. This is very important: if it has not been completed, performing the next step will cause other problems.
  2. Delete the current Agent CA certificate file.
    1. Bring up the certificate manager by running certmgr.msc.
    2. Expand "Trusted Root Certification Authorities" and select the certificates folder.
    3. Locate the certificate called "<Server Name> Agent CA".
    4. Export the certificate to preserve a backup of the current certificate.
    5. Import the certificate and make sure not to check the 'delete the private key if the export is successful' box in the export wizard.
    6. Delete the Certificate called "<Server Name> Agent CA".
  3. Run aexconfig against the CoreSolution.config file.
    1. Open a command prompt while logged in as the Application Identity.
    2. Change location to <Install Dir>:\Program Files\Altiris\Notification Server\Bin.
    3. Run aexconfig /configure "<Install Dir>:\Program Files\Altiris\Notification Server\Config\CoreSolution.config".
  4. Verify the new certificate and export it.
    1. Open the Certificate Manager again by running certmgr.msc and verify that the "<Server Name> Agent CA" certificate is listed and contains a private key.
    2. Right-click and export the certificate with the private key as a .pfx file.
  5. Open the Symantec Management console and browse to Settings > Agents/Plug-ins > Targeted Agent settings.
    1. Click the "Advanced" tab.
    2. Check the option "Specify an alternate URL for the Symantec Management Agent to use to access the NS".
    3. Do not change the "Server Name" or "Server Web" fields.
    4. Check the option "Install SSL certificate on the Symantec Management Agent".
    5. Click the import button and locate the .pfx file exported in step 4.
    6. Enter the password and click OK.
    7. Save Changes.
    8. Repeat sub-steps 1 - 7 on each policy that is active.
  6. Create a new CEM Agent Installation Package.
    1. Open the Symantec Management console and browse to Settings > Notification Server > Cloud-enabled Management > Setup and select "Cloud-enabled Management Setup".
    2. Select the "Symantec Management Agent Configuration" tab.
    3. Click the "Generate and Download Symantec Management Agent installation package" link.
    4. Follow the wizard, making sure to change the expiry date for the package to something more than the default of 1 week.
    5. Use this to install all new CEM agents and send it out to computers that will not be on the network.
  7. On gateway servers:
    1. Open the Symantec Management Platform Internet Gateway Manager.
    2. Select the "Servers" tab.
    3. Click "Remove" on the Notification Server.
    4. Add the Notification Server again to populate the new "<Server Name> Agent CA" certificate.