How to recover Symantec Critical System Protection (SCSP 5.2.x only) Manager/Agent Communication Without a Backup Database (SCSPDB), Using the Backup Files: "server.xml", "server-cert.ssl", "agent-cert.ssl"


Article ID: 180268


Updated On:


Critical System Protection





Note: The following steps can only be successful if the following files were able to be recovered from the failed SCSP Management Server:
·                     Win2k3 and earlier: C:\progra~1\Symantec\Critic~1\Server\tomcat\conf\server.xml
          Win2k8: C\program files (x86)\Symantec\Critic~1\Server\tomcat\conf\server.xml

·                     Win2k3 and earlier: C:\progra~1\Symantec\Critic~1\Server\server-cert.ssl
Win2k8: C\program files (x86)\Symantec\Critic~1\Server\server-cert.ssl

·                     Win2k3 and earlier: C:\progra~1\Symantec\Critic~1\server\agent-cert.ssl
Win2k8: C\program files (x86)\Symantec\Critic~1\server\agent-cert.ssl
Recovery steps:
  1. Configure the new server's IP address and hostname to correspond with that of the failed SCSP manager host
  2. Install SQL SERVER with a named instance of "SCSP"
  3. Install SCSP Manager for the first time by clicking on "server.exe".  Do a full production install so that the “scspdb” database is created.
  4. Install the Management Console and verify you can log into the console.
Username: symadmin
Password: <blank>

  1. Uninstall CSP Manager and reboot (DO NOT uninstall the Management Console).

    ATTENTION:   DO NOT REMOVE “SCSPDB” DATABASE or any of the SCSP security logins located on the database server. Leave the database alone at this point because we want this infrastructure to remain.
  2. Copy the “server.xml” and “server-cert.ssl” from the failed Management Server to the root of C:\ on the new Management Server.
Begin re-installation of the SCSP Manager, making sure to select, “TOMCAT only:

     1.  Insert and/or open the installation CD, then double-click "server.exe".

     2.   In the Welcome panel, click “Next".

     3.   In the License Agreement panel, select "I accept the terms in the license
           agreement”, then click Next".

     4.   In the Installation panel, click "Production Installation", click "Install Tomcat
           component ONLY

     5.  In the Installation panel, specify the file paths to the old cert and config file you copied to C:\ in step 6 (above):  "C:\server.xml" and "C:\server-cert.ssl".  Click "Next".

     6.  In the “Destination Folder panel”, change the folder, if necessary, then click "Next".

     7.  In the "Service User Configuration" panel, select one of the following authentication methods:
          • Click "Use Local System Account", and then click "Next" (Recommended). 
          • Click "Use an alternate Account", type a user name in the Username and the Password, then click "Next". 

     8.  In the “Ready to Install the Program” panel, click "Install".
     9. After the install finishes, stop the manager service, then browse to:
            Win2k3 and earlier: C:\progra~1\Symantec\Critic~1\Server\tomcat\conf\server.xml
            Win2k8: C\program files (x86)\Symantec\Critic~1\Server\tomcat\conf\server.xml
    10. Open “server.xml” in notepad and copy the hash from the line that begins with “Password=”. The following line must be “username=”scsp_ops”.
    11. Open SQL Server Management Studio and log into the SCSP database instance.
    12. Expand the “Security” module, then expand “Logins”.
    13. Right-Click “scsp_ops”, select “Properties” and paste the password hash copied in step 10 from the old server.xml into the “Password” and “Confirm password” boxes, then click “Ok”.
             14. Start the SCSP Manager service and confirm you can log into the console.
    15. Copy the old agent cert from the failed SCSP Management Server to the following location on the new management server, so that the agents can communicate with the new manager:
Win2k3 and earlier: C:\progra~1\Symantec\Critic~1\server\agent-cert.ssl
Win2k8: C\program files (x86)\Symantec\Critic~1\server\agent-cert.ssl 
    16. You should begin to see agents show up in the "Assets" tab in management console. You can speed up the process by restarting the IPS service on one of the agents to force it to
          check in sooner.