Certificate error when deleting Symantec Services from vCenter

Article ID: 162625

Products

Data Center Security Server

Issue/Introduction

To re-deploy Symantec Threat Protection, you must delete the Symantec Services from vCenter. However, when you try to delete the services, you receive a certificate error.

 

Error during REST callback: DELETE to the registered ServiceManager at https://<IP of DCS:SA Server>/sis-ui/vcnsCallbackvmware/2.0/si/serviceprofile/serviceprofile-## caused by : I/O error.
java.security.cert.CertificateException <Thumbprint from previous certificate> not equal <Thumbprint from new certificate>; nested exception is javax.net.ssl.SSLHandshakeException:...

 

Cause

The Symantec Services in vCenter are from the previous deployment and still carry the thumbprint of the previous deployment's certificate.

 

Resolution

Connecting to NSX via REST Client

  1. Go to https://www.base64encode.org and use the site to encode the NSX Administrator account's username and password in the format username:password.
    Example using Default NSX Administrator account:   admin:pass@123
  2. Open the Rest Client you are using.
  3. Change the URL to https://<NSXIP>/api/2.0/si/servicemanagers
  4. The steps for adding headers differ depending on your REST Client, but the header you want to use is:
    Authorization: Basic <Encoded Username and Password from Step 2>
    Example: Authorization: Basic YWRtaW46cGFzc0AxMjM=
  5. With GET selected click Send
    Status should display 200 OK.

 

Finding the Symantec Service Manager object

  1. With the REST Client connected scroll down until you find:
    <name>Symantec Service Manager</name>
    <description>Symantec DCSS Service Manager</description>
  2. Make note of the object ID it falls under.
  3. Modify the URL https://<NSXIP>/api/2.0/si/servicemanagers to be https://<NSXIP>/api/2.0/si/servicemanager/<objectid from step 1>
  4. Click Send

 

Modifying the Thumbprint

  1. Copy the data returned.
  2. Paste the data you copied into the second section.
  3. Change the Call Type to PUT
  4. Set Content type to Application/xml
    1. If using RESTEasy in Firefox, at the top click Header and choose Custom Header.
    2. For Name, type Content-Type
    3. For Value, type Application/xml
    4. Click OK.
  5. Reproduce the error in vCenter.
  6. Copy the correct Thumbprint from the error.
    The correct thumbprint is the one after the words “not equal”
  7. In the REST Client, delete the old thumbprint between the <thumbprint></thumbprint> tags.
  8. Paste the correct Thumbprint between the tags.
  9. Click Send

 

Adding Callback account Password

  1. In the DCS:SA Management Console, go to Admin > Users.
  2. Select the callback account and change the password to a known password.
  3. After adding the correct thumbprint, look for <login>callback</login>
  4. After the login tags, add <password>Type the CallBack account's Password</password>
  5. Click Send

 

Now you can remove the remaining Symantec Service Definitions and Profiles.
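
The hand edits from the steps above, as an added example that is not part of the original article or of Symantec's tooling: the Authorization value is encoded locally so the NSX administrator credentials never leave the workstation, the new thumbprint is read from the error text after "not equal", and the PUT body is built from the GET response. The function names, the serviceManager root element and the shortened thumbprints are assumptions made for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

def basic_auth_header(username, password):
    """Build the Authorization value locally, with no third-party encoder."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def new_thumbprint_from_error(error_text):
    """Return the thumbprint that follows 'not equal' in the vCenter error."""
    # Assumption: thumbprints are colon-separated hex pairs.
    match = re.search(r"not equal\s+((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})", error_text)
    if match is None:
        raise ValueError("no thumbprint found after 'not equal'")
    return match.group(1)

def build_put_body(manager_xml, thumbprint, callback_password):
    """Set <thumbprint> and put <password> after <login>callback</login>."""
    root = ET.fromstring(manager_xml)
    node = root.find(".//thumbprint")
    if node is None:
        raise ValueError("no <thumbprint> element in the GET response")
    node.text = thumbprint
    for parent in root.iter():
        for index, child in enumerate(list(parent)):
            if child.tag == "login" and (child.text or "").strip() == "callback":
                password = parent.find("password")
                if password is None:
                    password = ET.Element("password")
                    password.tail = child.tail
                    parent.insert(index + 1, password)
                password.text = callback_password  # & and < are escaped on output
                return ET.tostring(root, encoding="unicode")
    raise ValueError("no <login>callback</login> element in the GET response")

# Constructed sample data, not real output: shortened placeholder thumbprints
# and a body holding only the elements the article names. The root element
# name is an assumption.
SAMPLE_ERROR = ("java.security.cert.CertificateException 11:22:33:44 "
                "not equal AA:BB:CC:DD; nested exception is ...")
SAMPLE_XML = ("<serviceManager><name>Symantec Service Manager</name>"
              "<thumbprint>11:22:33:44</thumbprint>"
              "<login>callback</login></serviceManager>")

if __name__ == "__main__":
    print(basic_auth_header("admin", "pass@123"))  # the article's example pair
    fixed = new_thumbprint_from_error(SAMPLE_ERROR)
    print(build_put_body(SAMPLE_XML, fixed, "EXAMPLE-PASSWORD"))
```

Building the body with an XML library also escapes characters such as & or < in the callback password, which a hand-pasted value would leave raw and break the PUT.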