
Symantec Management Agent Removes SSL Certs after Image Deploy


Article ID: 162108


Products

Deployment Solution

Issue/Introduction

The Symantec Management Agent removes SSL certs on client machines after an image deploy in CEM environments.

There is no associated error; however, in the verbose agent logs (agent.logs) you can see the following calls being made:

<event date='06/04/2015 17:28:19.6630000 -05:00' severity='4' hostName='compname' source='CertificateManager' module='AeXNetMon.dll' process='AeXNSAgent.exe' pid='3048' thread='3068' tickCount='132710' >
  <![CDATA[Removing certificate 'ccccCertThumbPrintcccccc' during settings change]]>
</event>
<event date='06/04/2015 17:28:19.6630000 -05:00' severity='4' hostName='compname' source='CertificateManager' module='AeXNetMon.dll' process='AeXNSAgent.exe' pid='3048' thread='3068' tickCount='132710' >
  <![CDATA[Certificate 'ccccCertThumbPrintcccccc' successfully removed]]>
</event>
<event date='06/04/2015 17:28:19.6630000 -05:00' severity='4' hostName='compname' source='CertificateManager' module='AeXNetMon.dll' process='AeXNSAgent.exe' pid='3048' thread='3068' tickCount='132710' >
  <![CDATA[Certificate 'ccccCertThumbPrintcccccc' was unregistsred]]>
</event>
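
A way to check collected agent logs for this behaviour is to pull out the CertificateManager removal events and pair each one with its confirmation. The script below is an added example, not part of the original article or of any Symantec tooling; the function name `find_cert_removals`, the sample log and the assumption that the input is a plain run of `<event>` elements are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the events quoted above; the thumbprint and
# host name are the article's placeholders, the last event is invented filler.
SAMPLE_LOG = """
<event date='06/04/2015 17:28:19.6630000 -05:00' severity='4' hostName='compname' source='CertificateManager' module='AeXNetMon.dll' process='AeXNSAgent.exe' >
  <![CDATA[Removing certificate 'ccccCertThumbPrintcccccc' during settings change]]>
</event>
<event date='06/04/2015 17:28:19.6630000 -05:00' severity='4' hostName='compname' source='CertificateManager' module='AeXNetMon.dll' process='AeXNSAgent.exe' >
  <![CDATA[Certificate 'ccccCertThumbPrintcccccc' successfully removed]]>
</event>
<event date='06/04/2015 17:28:20.0000000 -05:00' severity='4' hostName='compname' source='ExampleSource' module='example.dll' process='AeXNSAgent.exe' >
  <![CDATA[Constructed unrelated message about certificate 'zzzz']]>
</event>
"""

REMOVING = re.compile(r"Removing certificate '([^']+)' during settings change")
REMOVED = re.compile(r"Certificate '([^']+)' successfully removed")


def find_cert_removals(log_text):
    """Return one record per (host, thumbprint) the agent started removing."""
    # Assumption: input is a run of sibling <event> elements as in the excerpt,
    # so it is wrapped in a synthetic root to make it parseable XML.
    root = ET.fromstring("<log>" + log_text + "</log>")
    found = {}
    for ev in root.iter("event"):
        if ev.get("source") != "CertificateManager":
            continue  # only the agent's certificate manager is of interest
        msg = (ev.text or "").strip()
        host = ev.get("hostName")
        start = REMOVING.search(msg)
        if start:
            found.setdefault((host, start.group(1)), {
                "host": host, "thumbprint": start.group(1),
                "first_seen": ev.get("date"), "confirmed": False})
        done = REMOVED.search(msg)
        if done and (host, done.group(1)) in found:
            found[(host, done.group(1))]["confirmed"] = True
    return list(found.values())


if __name__ == "__main__":
    for hit in find_cert_removals(SAMPLE_LOG):
        print(hit)
```

A record with `confirmed` set to `True` on a freshly imaged machine matches the sequence described in this article.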
 

Cause

This issue occurs when an image is captured in an SSL environment that also has CEM enabled. CEM policies, as well as registry settings, have been applied to the particular client that the image was captured from. When the image is deployed to a new machine, that new machine is not included in those CEM policies because they are targeted through the console. The Symantec Management Agent detects that these policies are not enabled and therefore deletes the SSL certs associated with CEM for security reasons.

Environment:
Deployment Solution 7.5 GA - 7.5 SP1 HF5

Deployment Solution 7.6 GA - 7.6 HF7

Deployment Solution 8.0 GA - 8.0 HF5

 

Resolution

To resolve this issue, the following registry key must be edited: HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Communications\Block Gateway Settings. Edit it either before the image is captured or after the image has been applied to a client machine, but before the client fully boots to production and tries to communicate. If the Symantec Management Agent starts, the associated certificates will be immediately deleted. The Block Gateway Settings entry must be set to 1. This is the default value if the CEM Installation Package is used. If it is set to 1 prior to the machine being booted to production, the certificates will not be deleted.