
ITMS 8.0 - Unable to add SMP Server to CEM Gateway after offbox migration and SMP Agent CA certificate move.


Article ID: 163325


Products

IT Management Suite

Issue/Introduction

After an off-box migration from ITMS 7.6 to ITMS 8.0, during which the SMP Agent CA certificate was moved to the new SMP Server, the SMP Server cannot be added to a CEM (Cloud-enabled Management) Gateway. The gateway's certificate request is rejected and the following errors are logged.

ON SMP (Altiris log, source Altiris.NS.AgentManagement.NegotiateCertificateRequest.Process, module Altiris.NS.dll, line 266, severity Errors):

Unable to get the client certificate associated with the specified request
(Request: <resource typeGuid="2C3CB3BB-FEE9-48DF-804F-90856198B600"
name="<Gateway Name>" policyKey="...JErZ7RwlwjME+XwISUSE1eobBQy1mpRLh0JVr2EkSG24YA3...">
    <key name="name.domain" value="<Gateway Name>"/>
    <key name="fqdn" value="<Gateway Name>"/>
    <regRequest fqdn="<Gateway Name>" publicKey="...JErZ7RwlwjME+XwISUSE1eobBQy1m..." certificateType="nsagent"/>
</resource>)

Key not valid for use in specified state.
   [System.Security.Cryptography.CryptographicException @ mscorlib]
   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._ExportCertificatesToBlob(SafeCertStoreHandle safeCertStoreHandle, X509ContentType contentType, IntPtr password)
   at System.Security.Cryptography.X509Certificates.X509Certificate.ExportHelper(X509ContentType contentType, Object password)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.LoadMasterCertificate(X509Certificate2 masterCertificate, IntPtr& hIssuerProviderContext, IntPtr& pAuthorityKeyID, UInt32& issuerKeyType)
   at Altiris.NS.Security.Cryptography.CryptoHelper.NSCertificateManager.GenerateCertificate()
   at Altiris.NS.Security.Cryptography.CertificateManager.IssueCertificate(Guid id, Guid resourceID, Guid parentID, X500DistinguishedName subject, String scope, CertificateUsageFlags certificateUsage, AsymmetricAlgorithm publicKey, String caName, DateTime expiryTime, Boolean storePrivateKey, X509Certificate2 signingCert, String sAlternateNames)
   at Altiris.NS.Security.Cryptography.AgentCertificateManager.IssueClientCertificate(Guid certID, Guid ResourceID, Guid parentID, String sScope, X500DistinguishedName subject, AsymmetricAlgorithm publicKey)
   at Altiris.NS.AgentManagement.AgentCertificateDistributer.DistributePermanentCertificateByTemporary(CertificateRequestData requestData)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.GetClientCertificate(CertificateRequestData& requestData)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.GenerateLegacyResponse(String requestXml, CertificateRequestData requestData, Guid certId, Boolean bAdminCall)
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.Process(String requestXml, Guid certId, Boolean bEncryptResponse, Boolean bAdminCall, Byte[]& encryptedData, ICertificateDistributor certDistributor)

Exception logged from:
   at Altiris.NS.AgentManagement.NegotiateCertificateRequest.Process(String, System.Guid, Boolean, Boolean, Byte[]&, Altiris.NS.AgentManagement.ICertificateDistributor)
   at Altiris.Web.NS.Agent.GetClientCertificateHandler.HandleRequest(System.Web.HttpContext, Altiris.Web.NS.Agent.ClientCertificateRequestData, Int32)
   at Altiris.NS.WebHandlers.AltirisHttpHandlerBase<T>.ProcessRequest(System.Web.HttpContext, T, Int32)
   at Altiris.NS.WebHandlers.AltirisHttpHandlerBase<T>.ProcessRequest(System.Web.HttpContext)
   at System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(System.Web.HttpApplication+IExecutionStep, Boolean&)
   at System.Web.HttpApplication+PipelineStepManager.ResumeSteps(Exception)
   at System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, AsyncCallback)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)


ON GATEWAY (source StatusReporting.RequestSignedCert, module InternetGtwMngr.dll):

Failed getting certificateResponse from server:
<error number="8000FFFF"><![CDATA[Unable to get the client certificate associated with the specified request
(Exception: Invalid SMP master certificate, private key can't be found. SMP authority system is corrupted and can't be auto-recovered.)]]></error>

Cause

The SMP Agent CA certificate on the new SMP Server was imported without its private key, or with the private key marked as non-exportable. The SMP must load this CA (master) certificate, private key included, to sign the CEM Gateway's certificate request; the stack trace shows it doing so through X509Certificate.Export, which fails with "Key not valid for use in specified state" (NTE_BAD_KEY_STATE) when the private key is present but not exportable, and the gateway then sees "Invalid SMP master certificate, private key can't be found."

Resolution

When moving the SMP Agent CA certificate from the old SMP Server to the new SMP Server, export it together with its private key (PFX format, "Yes, export the private key" in the certificate export wizard), and during the import on the new server mark the private key as exportable ("Mark this key as exportable" in the import wizard).
The private key of the SMP Agent CA must be both present and exportable on the new SMP Server, because the SMP needs it to sign the CEM Gateway certificate. Re-import the certificate with these settings, then retry adding the SMP Server to the gateway.
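The move and the follow-up check can be scripted instead of using the certificate wizards. The script below is an added example, not part of this article and not Symantec/Broadcom tooling. It assumes the SMP Agent CA certificate is kept in the LocalMachine\My store on both servers, that the placeholder subject in $CaSubject is adjusted to the actual CA subject in your environment, and that it runs in an elevated PowerShell session on each server. The verification function deliberately performs the same PFX export that the SMP's LoadMasterCertificate step performs, so it reproduces the "Key not valid for use in specified state" failure before the gateway is involved.

```powershell
# Added example (not from the KB article): move the SMP Agent CA certificate
# between SMP servers with its private key, then verify on the new server that
# the key is present and exportable.
# Assumptions (not stated in the article, adjust to your environment):
#   - the CA certificate is in the LocalMachine\My store on both servers
#   - $CaSubject matches the subject of the SMP Agent CA certificate
#   - the session is elevated; the PKI module (Export-/Import-PfxCertificate) is present
param(
    [string]$CaSubject = 'CN=Symantec Agent CA',     # placeholder subject
    [string]$PfxPath   = 'C:\Temp\SMP-Agent-CA.pfx'
)
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 1, run on the OLD SMP Server: export certificate AND private key to a PFX.
function Export-SmpAgentCa {
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $CaSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for '$CaSubject'" }
    # Export-PfxCertificate itself throws "Key not valid for use in specified state"
    # if the key on the old server was imported as non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
    return $cert.Thumbprint
}

# Step 2, run on the NEW SMP Server: import the PFX with the private key marked exportable.
# Omitting -Exportable here is exactly what produces the error in this article.
function Import-SmpAgentCa {
    $imported = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable
    return $imported.Thumbprint
}

# Step 3, run on the NEW SMP Server: confirm the key is usable the way the SMP uses it.
# Returns 'missing', 'not-exportable', or 'exportable'.
function Test-SmpAgentCaKey {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { return 'missing' }
    try {
        # Same call the SMP makes in NSCertificateManager.LoadMasterCertificate:
        # X509Certificate.Export(Pfx). A non-exportable key throws CryptographicException.
        [void]$cert.Export([System.Security.Cryptography.X509ContentType]::Pfx, 'probe-only')
        return 'exportable'
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "Private key for $Thumbprint is not exportable: $($_.Exception.Message)"
        return 'not-exportable'
    }
}

# Usage (dot-source the script, then call the step for the server you are on):
#   . .\Move-SmpAgentCa.ps1 -CaSubject 'CN=<your SMP Agent CA subject>'
#   old server:  $thumb = Export-SmpAgentCa
#   new server:  $thumb = Import-SmpAgentCa; Test-SmpAgentCaKey -Thumbprint $thumb
```

If Test-SmpAgentCaKey returns 'not-exportable' on the new server, the certificate was imported without the exportable flag; delete that copy from the store and re-run Import-SmpAgentCa, since the flag cannot be changed on an already-imported key. Only when it returns 'exportable' is it worth retrying the CEM Gateway registration.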