
Sysprep removes SSL certificates (certs) from images in an environment using Cloud Enabled Management (CEM)


Article ID: 161147


Updated On:

Products

Deployment Solution

Issue/Introduction

Sysprep removes SSL certs from images in an environment using Cloud Enabled Management (CEM). CEM requires clients to present SSL certs to communicate with the Notification Server (NS), but when Sysprep is run on an image it strips those certs. In particular, when self-signed certs are used the client must hold the Agent CA and Root certs. Newly deployed images are therefore unable to communicate with the NS.
 

The error that would be seen in the client side agent logs would look similar to:

Client task agent.dll    CT Agent is not initialized yet, load of policy will be postponed
Client task agent.dll    CT Agent is not initialized yet, load of policy will be postponed
AeXNSAgent.exe      Next policy request from server Unspecified will be at 2014-04-03 13:18:48
AeXNSAgent.exe      Agent is not registered on the server, schedule the policy update for later
Client task agent.dll    CT Agent is not initialized yet, load of policy will be postponed
Client task agent.dll    CT Agent is not initialized yet, load of policy will be postponed
Client task agent.dll    CT Agent is not initialized yet, load of policy will be postponed

The practical effect is that the Symantec Management Agent (SMA) and its plug-ins cannot communicate with the SMP at all: the agent never registers, so no policies or tasks reach the machine.

Cause

Sysprep strips the SSL certs that CEM requires from the image, which leaves the client's Symantec Management Agent in an uninitialized state.

Resolution

To resolve this issue, copy the SSL certs that CEM requires to the client during automation, before the Reboot To Production task. This is done with Copy File tasks that stage the certs on the client plus batch files that install them. Note that the exact cert file names and the number of required certs differ depending on the type of SSL certs used in an environment; the steps below use the three self-signed certs (SMP.cer, CAS.cer, NS.cer) plus the agent's .pfx (a cert with its private key) as an illustration.

1.) Create a Copy File task to copy the certmgr.exe program to the C:\temp folder on the client. (certmgr.exe is the command-line certificate manager that ships with the Windows SDK, not the certmgr.msc MMC snap-in.)

a.) First move certmgr.exe to a location that is accessible from the client machine, such as the NScap folder on the NS.

b.) In the console navigate to Manage > System Jobs and Tasks > Deployment and Migration. Right-click Deployment and Migration and select New > Task. When creating the task, set the source to "Access from UNC location" and set the Location to the UNC path of certmgr.exe.

c.) Set the destination to C:\temp.

2.) Create Copy File tasks to copy over the certs the SMA needs in order to communicate.

a.) First move the certs to a location that is accessible from the client machine, such as the NScap folder on the NS.

b.) In the console navigate to Manage > System Jobs and Tasks > Deployment and Migration. Right-click Deployment and Migration and select New > Task. When creating the task, set the source to "Access from UNC location" and set the Location to the UNC path of one of the required certs. The order in which the certs are copied does not matter.

c.) Set the destination to C:\temp on the client machine. Repeat steps b and c for every cert that has to be copied (the .cer files and the .pfx).

3.) Create the following batch files to install the SSL certs and place them in the same path as the certs in the NScap folder:

a.) CertificateInstall.bat (the name of the batch file, not a line inside it). Note that three of the ECHO lines name specific cert files (SMP.cer, CAS.cer, NS.cer); adjust them to the cert names used in your environment, and keep the file name in the first "del" line identical to the name of this batch file, otherwise the copy in the Startup folder is never removed and the installer re-runs at every logon.

REM Build a temporary batch file that installs the three .cer files into LocalMachine\Root and then cleans up
ECHO c:\temp\certmgr.exe -add c:\temp\SMP.cer -s -r localmachine root >  c:\temp\tempInst.bat
ECHO c:\temp\certmgr.exe -add c:\temp\CAS.cer -s -r localmachine root >> c:\temp\tempInst.bat
ECHO c:\temp\certmgr.exe -add c:\temp\NS.cer -s -r localmachine root >> c:\temp\tempInst.bat

REM Remove this batch file from the Startup folder (name must match the file copied there in step 4) and the staged files
ECHO del /f /q "c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CertificateInstall.bat" >> c:\temp\tempInst.bat
ECHO del /f /q c:\temp\SMP.cer >> c:\temp\tempInst.bat
ECHO del /f /q c:\temp\CAS.cer >> c:\temp\tempInst.bat
ECHO del /f /q c:\temp\NS.cer >> c:\temp\tempInst.bat
ECHO del /f /q c:\temp\certmgr.exe >> c:\temp\tempInst.bat

ECHO exit >> c:\temp\tempInst.bat

REM Run the temporary batch file minimized
start "" /MIN c:\temp\tempInst.bat
  

b.) pfxinstall.bat (again, the file name, not a line inside it). The whole batch file is the single line below. certutil imports the .pfx (cert plus private key) into the LocalMachine\My store; on success the same line deletes the .pfx and this batch file, because the file contains the PFX password in cleartext and the Startup folder is readable by every user of the machine. Replace <password> and <filename> with the values for your environment.

certutil -f -p <password> -importpfx "C:\temp\<filename>.pfx" && del /f /q "C:\temp\<filename>.pfx" "%~f0"

4.) Create a Copy File task to copy the batch files to the common Windows Startup directory, so that after the Reboot To Production task they run and install the required certs before the agent first communicates. Note that the common Startup folder runs its contents at interactive logon, in the logging-on user's context; writing to the LocalMachine certificate stores requires local administrator rights, so the first logon after deployment must be an account that has them. The agent service will pick the certs up on its next policy request once they are in place.

a.) First move the batch files into a location that is accessible from the client machine such as the NScap folder on the NS.  
    

b.) In the console navigate to Manage > System Jobs and Tasks > Deployment and Migration. Right click the Deployment and Migration and select New > Task.  When creating the task, set the source as "Access from UNC location" and set the Location to the path for 1 of the batch files. Repeat this process for the other batch file.
 

c.) Set the destination to "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup".

5.) Run the Copy File tasks, either combined into a single job or individually, after deploying an image to a machine. This fixes the issue of the SMA being unable to communicate after deployment, because the SSL certs required for CEM communication are installed before the agent makes its first request to the NS.
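The steps above can be collapsed into one script that installs the three .cer files and the .pfx, verifies that each certificate is actually present in its store before anything is deleted, and then removes the staged files, the private key material and itself. The script below is an added example written for this article, not the article's own batch files and not Symantec code. It uses the .NET X509Store API instead of certmgr.exe and certutil, so it does not need the Windows SDK and runs on PowerShell 2.0 and later. The .cer names are the ones the article uses; the .pfx name (agent.pfx), the password placeholder, the log path and the wrapper name CertificateInstall.bat are assumptions to be replaced per environment.

```powershell
# Added example (not from the KB article): PowerShell replacement for
# CertificateInstall.bat + pfxinstall.bat. Run elevated, e.g. from a one-line
# wrapper in the common Startup folder:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\temp\Install-CemCerts.ps1
$ErrorActionPreference = 'Stop'
$Staging    = 'C:\temp'
$RootCerts  = @('SMP.cer', 'CAS.cer', 'NS.cer')   # article's self-signed certs -> LocalMachine\Root
$PfxFile    = 'agent.pfx'                          # assumed name; the article writes <filename>.pfx
$PfxPass    = '<password>'                         # placeholder; cleartext secret, hence the self-delete below
$Log        = Join-Path $Staging 'CertInstall.log' # assumed log location
$StartupBat = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup\CertificateInstall.bat'

# LocalMachine stores are admin-only; fail early instead of half-installing.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Must run elevated: writing to LocalMachine certificate stores requires administrator rights'
}

function Add-ToStore {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$StoreName
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        # Idempotent: skip when the same thumbprint is already in the store (re-run after a failed boot)
        $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }
        if (-not $present) { $store.Add($Cert) }
    } finally { $store.Close() }
}

function Test-InStore {
    param([string]$Thumbprint, [string]$StoreName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadOnly')
    try { return [bool]($store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }) }
    finally { $store.Close() }
}

$installed = @()

# 1. Trust anchors: same store the article's certmgr.exe lines target (LocalMachine\Root)
foreach ($name in $RootCerts) {
    $path = Join-Path $Staging $name
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($path)
    Add-ToStore -Cert $cert -StoreName 'Root'
    $installed += @{ File = $path; Store = 'Root'; Thumbprint = $cert.Thumbprint }
}

# 2. Agent cert + private key. MachineKeySet keeps the key in the machine container so the
#    agent service (not the logging-on user) can use it; PersistKeySet keeps it after import.
$pfxPath = Join-Path $Staging $PfxFile
$flags   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet'
$pfx     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $PfxPass, $flags)
Add-ToStore -Cert $pfx -StoreName 'My'
$installed += @{ File = $pfxPath; Store = 'My'; Thumbprint = $pfx.Thumbprint }

# 3. Verify before cleaning up: if any cert is missing, leave the staged files for a retry.
foreach ($item in $installed) {
    if (-not (Test-InStore $item.Thumbprint $item.Store)) {
        throw "Verification failed: $($item.File) not present in LocalMachine\$($item.Store)"
    }
    "$(Get-Date -Format s) installed $($item.File) -> LocalMachine\$($item.Store) $($item.Thumbprint)" | Out-File -Append $Log
}

# 4. Clean up so the .pfx, the password in this script and the installers do not linger on disk.
foreach ($item in $installed) { Remove-Item -Force $item.File }
Remove-Item -Force (Join-Path $Staging 'certmgr.exe') -ErrorAction SilentlyContinue
Remove-Item -Force $StartupBat -ErrorAction SilentlyContinue
Remove-Item -Force $MyInvocation.MyCommand.Path
```

The verification step is the part the batch files lack: the article's tempInst.bat deletes the .cer files whether or not certmgr.exe succeeded, so a failed import leaves nothing to retry from. Keeping the cleanup behind the store check means a machine that failed (for example because the first logon was not an administrator) still has its staged files on the next logon. The PFX password is still in cleartext in the script while it sits in C:\temp, which is why the script removes itself as its last action.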


Applies To

DS 7.5 SP1 up through HF2
CEM 7.5