Basic troubleshooting steps for SSL implementation on SMP Server

Article ID: 181391


Products

IT Management Suite

Issue/Introduction

What are common issues that can occur when implementing SMP Server and IIS requiring SSL?

Environment

ITMS 8.x

Resolution

Note: Troubleshooting IIS and SSL issues should be done using information from Microsoft and its best practices.

The following are common issues that can exist when implementing SSL with SMP Server and links to articles that address each issue.

  1. The name on the certificate needs to match the name of the SMP Server. Certificates can be set up to use a wildcard such as *.Example.com; in this case any server that is part of Example.com would work correctly.

    To check this, open a console using the HTTPS address and then double-click on the lock icon. The value after "Issued to" is the common name of the certificate. This needs to be exactly the same as the name of the SMP Server and the Web site that the agents are set up to communicate with. See the screenshot below.

    It is possible to use a DNS alias but it is not recommended.

    Note: Having the certificate set up to use the FQDN of the server and the clients set to use the server's FQDN often helps.
  2. The certificate needs to be trusted. If it is a private certificate (one created on a local Certificate Authority), it needs to be installed to the Trusted Root Certificates. If it is a public certificate, it should already be trusted and should not need to be installed to the Trusted Root Certificates. Public certificates have many benefits over private ones and should be considered if possible.

    Note: Opening a browser and installing the certificate does not install it to the Trusted Root Certificates; it installs it as a user certificate for Internet Explorer. This does not work for the Altiris Agent communication.
  3. The current date needs to be within the time frame specified in the certificate. The dates can be seen by looking at the General tab of the certificate. See screenshot below.
     
  4. Having communication going through port 80 for some clients and 443 for others does not work. The following is one example of problems caused by this.  

    If SSL is enabled, the code bases are created as HTTPS code bases. If SSL is not enabled, the code bases are created as HTTP code bases. This means the clients would need to have both ports open, the certificate installed on all machines, and be communicating with the same server name. If these three requirements exist and are met, then SSL communication could be used.
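
The name check in step 1 and the date check in step 3 can be scripted. The Python code below is an added example, not part of the original article or of any Symantec tooling; it works on certificate fields in the shape returned by Python's ssl.SSLSocket.getpeercert(), with a constructed sample certificate and placeholder host names. It goes slightly beyond the "Issued to" check by also reading subjectAltName DNS entries, which TLS clients prefer over the common name, and by treating a wildcard as covering a single name label only.

```python
import ssl
from datetime import datetime, timezone

def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; a leading '*' label stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h

def diagnose(cert, server_name, now=None):
    """Return a list of problems for step 1 (name) and step 3 (dates)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, server_name) for n in names):
        problems.append(f"name mismatch: {server_name} not in {names}")
    start = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    end = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < start:
        problems.append(f"not yet valid until {start:%Y-%m-%d}")
    elif now > end:
        problems.append(f"expired on {end:%Y-%m-%d}")
    return problems

# Constructed sample certificate (not from a real server).
SAMPLE = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    when = datetime(2024, 6, 1, tzinfo=timezone.utc)
    # Placeholder names: FQDN, short name, and a name two labels below the wildcard.
    for host in ("smp01.example.com", "smp01", "smp01.corp.example.com"):
        print(host, diagnose(SAMPLE, host, when) or "OK")
```

The short name and the two-level name both fail against the wildcard, which is why agents should address the server by the same FQDN the certificate carries. Trust (step 2) is not covered here because it depends on the machine's Trusted Root Certificates store.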

             

Additional Information

"Configuring the Symantec Management Platform to use HTTPS (SSL) instead of HTTP." (KB 237409)

Configuring Notification Server to Use HTTPS After ITMS Installation Is Completed

Viewing an SSL Certificate