Failed to Connect to Server error when logging into management console
search cancel

Failed to Connect to Server error when logging into management console


Article ID: 164295


Updated On:


Endpoint Protection


You are no longer able to log into the management console after updating the Symantec Endpoint Protection Manager (SEPM) certificate.

scm-server0/1.log shows:

2016-09-20 15:31:23.367 THREAD 120 SEVERE: in: com.sygate.scm.server.task.SecurityAlertNotifyTask java.lang.RuntimeException: Could not generate DH keypair
Caused by: Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)...



This problem happens after importing a SEPM certificate with a keypair larger than 2048 bits. The SEPM Java/Web console both attempt to connect to the SEPM Apache server over HTTPS, and fail to do so because the Apache server is using Diffie-Hellman keys that are equivalent in key length to the SEPM certificate. The Java 8.0 implementation used by the SEPM Tomcat server isn't able to use DH keys larger than 2048-bit.


This issue is resolved in Symantec Endpoint Protection (SEP) 14 RU1 For more information on upgrading, please see Upgrade or migrate to Endpoint Protection 14.

As a workaround, configure the SEPM Apache server to use a custom Diffie-Hellman parameters file that contains only 2048-bit DH keys.

  1. Open a command-prompt as Administrator
  2. Change directories to the SEPM Apache binaries folder (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin by default)
  3. Generate a dhparams file using the following command-line:

    openssl dhparam -out dhparam.pem 2048
  4. Open the dhparam.pem file, generated in the previous step, in a text editor and copy the entire contents.
  5. Open the the SEPM Apache server certificate (server.crt) in a text editor (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl and paste the contents from the dhparam.pem file to the end of the file and save the changes.
    • Note: Ensure no extra line breaks or whitespace are added.
  6. Restart the Symantec Endpoint Protection Manager, Symantec Endpoint Protection Manager Webserver and Symantec Endpoint Protection Manager API services.

This workaround process will need to be repeated for each SEP Manager.