Legacy agents using SHA1 can not connect to a recent Data Center Security Manager using SHA256

Article ID: 171432

Products

Data Center Security Server

Issue/Introduction

The issue is the difference between SHA1 and SHA256 certificate signatures (SHA256 was introduced in Data Center Security (DCS) 6.7 MP2).

When installing a clean 6.7 MP2 manager, the agent certificate is signed with SHA256. Many legacy agents (for example on Windows 2000) cannot validate this certificate.

When upgrading from DCS 6.x to 6.7 MP2 or later, the existing SHA1 certificate format is kept.

Agent registration fails with CURLE_SSL_CONNECT_ERROR (libcurl error 35), and SISIPSService.log contains:

"ssl connect error -- retry
unsuccessful registration -- communications error 35 "

Cause

Old operating systems such as Windows 2000 or Windows NT do not support SHA256 certificate signatures, so their agents cannot validate the manager's SHA256 certificate.

Environment

6.7MP2

Resolution

If you need to use a SHA1 certificate for agent communication, you must regenerate the server and agent certificates with the keytool utility shipped with the manager's JRE.

Creating the SHA1 certificates manually

  1. From the command line, access the keytool utility that is present at the following location:

<DCS server Install Directory>\server\jre\bin

  2. Create a temporary folder, for example: C:\TempDCS\
  3. Copy the server-cert.ssl to this temporary location C:\TempDCS\
  4. Using the command line, enter the following:

keytool.exe -delete -keystore C:\TempDCS\server-cert.ssl -alias sss -storepass [40 character alphanumeric string found in the server.xml file] -storetype PKCS12

  5. Using the command line, enter the following:

keytool.exe -genkey -keystore "C:\TempDCS\server-cert.ssl" -alias sss -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -storetype PKCS12 -storepass [40 character alphanumeric string found in the server.xml file] -keypass [40 character alphanumeric string found in the server.xml file] -dname "CN=SCSP_Management_Server, OU=[SCSP server hostname]"

  6. Using the command line, enter the following:

keytool.exe -export -alias sss -rfc -keystore "C:\TempDCS\server-cert.ssl" -file "C:\TempDCS\agent-cert.ssl" -storepass [40 character alphanumeric string found in the server.xml file] -storetype PKCS12

  7. Use the agent-cert.ssl created in Step 6 for agent-server communication.

Example of the 3 commands to use (the 40-character store password and the OU hostname are the values you must replace with your own):

keytool.exe -delete -keystore C:\TempDCS\server-cert.ssl -alias sss -storepass 9wuKhDnRfarhsOiBUqYZaaYn6lPq3gQQLPIpsCjU -storetype PKCS12

keytool.exe -genkey -keystore "C:\TempDCS\server-cert.ssl" -alias sss -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -storetype PKCS12 -storepass 9wuKhDnRfarhsOiBUqYZaaYn6lPq3gQQLPIpsCjU -keypass 9wuKhDnRfarhsOiBUqYZaaYn6lPq3gQQLPIpsCjU -dname "CN=SCSP_Management_Server, OU=mymanager.symantec.com"

keytool.exe -export -alias sss -rfc -keystore "C:\TempDCS\server-cert.ssl" -file "C:\TempDCS\agent-cert.ssl" -storepass 9wuKhDnRfarhsOiBUqYZaaYn6lPq3gQQLPIpsCjU -storetype PKCS12

These commands create a new SHA1-signed agent certificate that legacy Windows agents can validate.
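The following script is an added example and is not Symantec/Broadcom code. It builds the same three keytool commands the procedure above lists, reads the 40-character store password out of server.xml, and then runs keytool -list -v on the regenerated keystore to confirm which signature algorithm it actually carries, which is the check to run before and after the procedure when an agent reports communications error 35. Assumptions not taken from the article: the install directory and server.xml paths (placeholders), the heuristic that the password is an attribute value of exactly 40 alphanumeric characters in server.xml, and the "Signature algorithm name:" line format of keytool's verbose listing.

```python
"""Companion script for the manual SHA1 certificate procedure (added example).

Not Symantec/Broadcom code. Mirrors the article's keytool steps 4 to 6 and
verifies the signature algorithm of the resulting server-cert.ssl keystore.
"""
import re
import subprocess

# Placeholders (assumption): substitute the real <DCS server Install Directory>
# and the server.xml path for your installation.
KEYTOOL = r"C:\DCS_INSTALL_DIR_PLACEHOLDER\server\jre\bin\keytool.exe"
SERVER_XML = r"C:\DCS_INSTALL_DIR_PLACEHOLDER\server.xml"
WORKDIR = r"C:\TempDCS"              # temporary folder from the article
HOSTNAME = "mymanager.symantec.com"  # OU value from the article's example
LEGACY_SIGALG = "SHA1withRSA"

# Heuristic (assumption): the password is quoted as an attribute value of
# exactly 40 alphanumeric characters somewhere in server.xml.
PASSWORD_RE = re.compile(r'="([A-Za-z0-9]{40})"')
# Assumed format of the relevant line in `keytool -list -v` output.
SIGALG_RE = re.compile(r"Signature algorithm name:\s*(\S+)")


def find_store_password(server_xml_text: str) -> str:
    """Return the 40-character keystore password found in server.xml text."""
    match = PASSWORD_RE.search(server_xml_text)
    if match is None:
        raise ValueError("no 40-character alphanumeric attribute value found in server.xml")
    return match.group(1)


def _win_join(folder: str, name: str) -> str:
    """Join a Windows folder and file name without depending on the host OS."""
    return folder.rstrip("\\") + "\\" + name


def build_commands(keytool: str, workdir: str, storepass: str, hostname: str,
                   sigalg: str = LEGACY_SIGALG) -> list:
    """Return the delete, genkey and export argv lists (article steps 4 to 6)."""
    keystore = _win_join(workdir, "server-cert.ssl")
    agent_cert = _win_join(workdir, "agent-cert.ssl")
    store = ["-keystore", keystore, "-storepass", storepass, "-storetype", "PKCS12"]
    delete = [keytool, "-delete", "-alias", "sss", *store]
    genkey = [keytool, "-genkey", "-alias", "sss", "-keyalg", "RSA", "-sigalg", sigalg,
              "-keysize", "2048", "-keypass", storepass,
              "-dname", f"CN=SCSP_Management_Server, OU={hostname}", *store]
    export = [keytool, "-export", "-alias", "sss", "-rfc", "-file", agent_cert, *store]
    return [delete, genkey, export]


def list_command(keytool: str, workdir: str, storepass: str) -> list:
    """argv for `keytool -list -v`, used to inspect the regenerated keystore."""
    return [keytool, "-list", "-v", "-keystore", _win_join(workdir, "server-cert.ssl"),
            "-storepass", storepass, "-storetype", "PKCS12"]


def signature_algorithms(keytool_list_output: str) -> list:
    """Extract every 'Signature algorithm name:' value from the verbose listing."""
    return SIGALG_RE.findall(keytool_list_output)


def legacy_compatible(keytool_list_output: str) -> bool:
    """True only if every certificate in the listing is signed with SHA1withRSA."""
    algs = signature_algorithms(keytool_list_output)
    return bool(algs) and all(alg == LEGACY_SIGALG for alg in algs)


# Constructed sample of `keytool -list -v` output for a clean 6.7 MP2 install,
# i.e. the SHA256 certificate that legacy agents cannot validate.
SAMPLE_LIST_OUTPUT = """\
Alias name: sss
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=SCSP_Management_Server, OU=mymanager.symantec.com
Issuer: CN=SCSP_Management_Server, OU=mymanager.symantec.com
Signature algorithm name: SHA256withRSA
"""


def main() -> None:
    with open(SERVER_XML, encoding="utf-8") as fh:
        storepass = find_store_password(fh.read())
    # Steps 4 to 6 of the article, run against the copy placed in WORKDIR (step 3).
    for argv in build_commands(KEYTOOL, WORKDIR, storepass, HOSTNAME):
        subprocess.run(argv, check=True)
    listing = subprocess.run(list_command(KEYTOOL, WORKDIR, storepass),
                             capture_output=True, text=True, check=True).stdout
    print("signature algorithms:", signature_algorithms(listing))
    print("legacy agents can validate this certificate:", legacy_compatible(listing))


if __name__ == "__main__":
    main()
```

Run legacy_compatible against the verbose listing of the original server-cert.ssl to confirm the diagnosis (a SHA256withRSA result explains the error-35 registrations), then again after the regeneration; only a keystore whose every entry reports SHA1withRSA will be accepted by the Windows 2000 or NT agents described above.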

You must replace the existing certificates with the ones you have created in the above procedure.

To replace the existing certificates:

  1. Stop the Data Center Security: Server Advanced management server service.
  2. Go to <DCS server Install Directory>\server and replace the following certificates with the newly created certificates:
     server-cert.ssl
     agent-cert.ssl
  3. Start the Data Center Security: Server Advanced management server service.
  4. If you are using Data Center Security: Server, restart the SVA virtual machines on your VMware platforms.
  5. On the Data Center Security: Server Advanced agent, do the following:
     • Copy the newly created agent-cert.ssl to the agent computer.
     • On the command prompt, run the following command:
       sisipsconfig -c agent-cert.ssl
       This command forces the agent to use the new agent-cert.ssl certificate.
  6. To test the connection from the command prompt:
     sisipsconfig -t

Refer to this KB article for additional information: https://support.symantec.com/us/en/article.doc10574.html