A prompt from Java to trust the Server Certificate occurs when logging into the Symantec Endpoint Protection Manager console

Article ID: 163124

Products

Endpoint Protection

Issue/Introduction

Each time a user or administrator attempts to log in to the Symantec Endpoint Protection Manager console, a pop-up box from Java appears, asking the user to "Accept", "Accept Always" or "Reject" the certificate.  Even if the certificate has previously been accepted, this message will appear with each login attempt to the console.

Warning - Security

Server Certificate is not present in your trusted store.

Do you want to trust the certificate?

<Certificate Details>

[Accept], [Accept Always], [Reject], [Help], [More Details...]

The scm-ui log, located in the user temp directory, reveals:

Apr 5, 2016 11:17:49 AM  STDERR: java.io.FileNotFoundException: D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks (Access is denied)
Apr 5, 2016 11:17:49 AM  STDERR:  at java.io.FileInputStream.open(Native Method)
Apr 5, 2016 11:17:49 AM  STDERR:  at java.io.FileInputStream.<init>(FileInputStream.java:146)
Apr 5, 2016 11:17:49 AM  STDERR:  at java.io.FileInputStream.<init>(FileInputStream.java:101)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.util.ServerCertUtil.getCertificate(ServerCertUtil.java:178)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.util.DefaultCertHelper.getDefaultServerCertificate(CertificateHelper.java:61)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.util.ConsoleSSLSocketFactory.loadCertificate(ConsoleSSLSocketFactory.java:180)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.util.GUIManager.setupCommunicator(GUIManager.java:4592)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.util.GUIManager.login(GUIManager.java:2345)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.util.DataobjectManager.login(DataobjectManager.java:2737)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.handler.Manager.doLogin(Manager.java:106)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.handler.Manager.doLogin(Manager.java:98)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.ui.LoginPanel.login(LoginPanel.java:948)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.console.ui.LoginPanel$7$1.construct(LoginPanel.java:719)
Apr 5, 2016 11:17:49 AM  STDERR:  at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:159)
Apr 5, 2016 11:17:49 AM  STDERR:  at java.lang.Thread.run(Thread.java:745)
Apr 5, 2016 11:18:37 AM  STDERR: com.sygate.scm.console.util.ConsoleException: Your server certificate is not validated. If you trust the server, you must accept the certificate. Log in again and if the error persists, contact your administrator. [0x12910000]
Apr 5, 2016 11:18:37 AM  STDERR:  at com.sygate.scm.console.util.GUIManager.constructConsoleException(GUIManager.java:2623)
Apr 5, 2016 11:18:37 AM  STDERR:  at com.sygate.scm.console.util.GUIManager.login(GUIManager.java:2612)
Apr 5, 2016 11:18:37 AM  STDERR:  at com.sygate.scm.console.util.DataobjectManager.login(DataobjectManager.java:2737)
Apr 5, 2016 11:18:37 AM  STDERR:  at com.sygate.scm.console.handler.Manager.doLogin(Manager.java:106)
Apr 5, 2016 11:18:37 AM  STDERR:  at com.sygate.scm.console.handler.Manager.doLogin(Manager.java:98)
Apr 5, 2016 11:18:37 AM  STDERR:  at com.sygate.scm.console.ui.LoginPanel.login(LoginPanel.java:948)
Apr 5, 2016 11:18:37 AM  STDERR:  at com.sygate.scm.console.ui.LoginPanel$7$1.construct(LoginPanel.java:719)
Apr 5, 2016 11:18:37 AM  STDERR:  at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:159)
Apr 5, 2016 11:18:37 AM  STDERR:  at java.lang.Thread.run(Thread.java:745)
Apr 5, 2016 11:18:38 AM  STDERR: com.sygate.scm.console.util.ConsoleException: Your server certificate is not validated. If you trust the server, you must accept the certificate. Log in again and if the error persists, contact your administrator. [0x12910000]
Apr 5, 2016 11:18:38 AM  STDERR:  at com.sygate.scm.console.util.GUIManager.constructConsoleException(GUIManager.java:2623)
Apr 5, 2016 11:18:38 AM  STDERR:  at com.sygate.scm.console.util.GUIManager.login(GUIManager.java:2612)
Apr 5, 2016 11:18:38 AM  STDERR:  at com.sygate.scm.console.util.DataobjectManager.login(DataobjectManager.java:2737)
Apr 5, 2016 11:18:38 AM  STDERR:  at com.sygate.scm.console.handler.Manager.doLogin(Manager.java:106)
Apr 5, 2016 11:18:38 AM  STDERR:  at com.sygate.scm.console.handler.Manager.doLogin(Manager.java:98)
Apr 5, 2016 11:18:38 AM  STDERR:  at com.sygate.scm.console.ui.LoginPanel.login(LoginPanel.java:948)
Apr 5, 2016 11:18:38 AM  STDERR:  at com.sygate.scm.console.ui.LoginPanel$7$1.construct(LoginPanel.java:719)
Apr 5, 2016 11:18:38 AM  STDERR:  at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:159)
Apr 5, 2016 11:18:38 AM  STDERR:  at java.lang.Thread.run(Thread.java:745)

Cause

Certain events, such as a hostname mismatch with the certificate Common Name (CN), will cause the certificate in the Java keystore, located by default in \tomcat\etc, to not be trusted.  The prompt should allow the user to add the certificate into the Java keystore; however, file access issues can prevent this from occurring.  Review the scm-ui log located in the user temporary directory in Windows (%temp%) to investigate further.

Resolution

This issue has multiple potential solutions depending on the root cause.  As discussed above, it may be necessary to review one or more Symantec Endpoint Protection Manager logs, starting with the scm-ui logging.

1: Create a new shortcut or use an existing shortcut for Symantec Endpoint Manager.  Under the "Shortcut" tab in the properties of the shortcut, click the "Advanced" button and check "Run as Administrator".

2: Recreate the self-signed certificate for Endpoint Protection Manager.  This step may be necessary if the Common Name (CN) of the current self-signed certificate does not match the hostname of the machine.  This issue can occur when the SEPM has been moved from one physical server to another with the same IP but the hostname is referenced by FQDN instead of NETBIOS name during certificate validation.  See Related Articles for further information.
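
A triage of the scm-ui log along the lines described above, as an added example that is not Symantec's code: it scans for the two signatures seen in the excerpt (keystore access denied, server certificate not validated) and points to the resolution step that fits. The function name, the abridged sample lines and the mapping to steps 1 and 2 are assumptions made for illustration.

```python
import re

# Constructed sample, abridged from the scm-ui log excerpt shown in this article.
SAMPLE_LOG = r"""Apr 5, 2016 11:17:49 AM  STDERR: java.io.FileNotFoundException: D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks (Access is denied)
Apr 5, 2016 11:17:49 AM  STDERR:  at java.io.FileInputStream.open(Native Method)
Apr 5, 2016 11:18:37 AM  STDERR: com.sygate.scm.console.util.ConsoleException: Your server certificate is not validated. If you trust the server, you must accept the certificate. Log in again and if the error persists, contact your administrator. [0x12910000]
Apr 5, 2016 11:18:38 AM  STDERR: com.sygate.scm.console.util.ConsoleException: Your server certificate is not validated. If you trust the server, you must accept the certificate. Log in again and if the error persists, contact your administrator. [0x12910000]
"""

# The keystore could not be opened, so an accepted certificate cannot be read back or saved.
DENIED = re.compile(
    r"STDERR: java\.io\.FileNotFoundException: (?P<path>.+keystore\.jks) \(Access is denied\)")
# The console rejected the server certificate; capture the bracketed error code.
NOT_VALIDATED = re.compile(
    r"STDERR: .*ConsoleException: Your server certificate is not validated\..*"
    r"\[(?P<code>0x[0-9A-Fa-f]+)\]")

def triage_scm_ui_log(text):
    """Classify scm-ui log lines into the two causes this article describes."""
    denied_paths, codes = [], []
    for line in text.splitlines():
        m = DENIED.search(line)
        if m:
            denied_paths.append(m.group("path"))
            continue
        m = NOT_VALIDATED.search(line)
        if m:
            codes.append(m.group("code"))
    if denied_paths:
        # File access problem on the keystore: fits step 1 (run the console elevated).
        action = "resolution 1: file access to keystore.jks is denied"
    elif codes:
        # Validation fails with no file error: candidate for step 2 (CN vs hostname).
        action = "resolution 2: check certificate CN against the hostname"
    else:
        action = "no known signature found"
    return {"denied_paths": sorted(set(denied_paths)),
            "not_validated_count": len(codes),
            "error_codes": sorted(set(codes)),
            "action": action}

if __name__ == "__main__":
    for key, value in triage_scm_ui_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on a real log, pass the contents of the scm-ui log from %temp% to triage_scm_ui_log instead of SAMPLE_LOG.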