LiveUpdate fails on Endpoint Protection Linux clients

Article ID: 186842

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) Linux clients fail to update content through LiveUpdate.

Cause

This problem can happen when the SEP client is configured to download content from an internal LiveUpdate server, such as LiveUpdate Administrator (LUA) over an HTTPS connection. 

The LiveUpdate Cross-Platform (LUX) engine used by the SEP Linux client verifies the validity of server certificates when it connects to HTTPS servers. By default LUA uses a self-signed certificate for HTTPS communications. Unless the LUA server is configured to use a certificate signed by a public certificate authority (CA) contained in the certificate store used by LUX, the connection will fail.

Resolution

1. Ensure any internal LiveUpdate servers are configured with a public CA signed certificate for HTTPS communications.

2. In test environments, add the LiveUpdate server's self-signed certificate, or the internal CA certificate to the SEP client's certificate store at /etc/symantec/sep/sepfl.pem.

Additional Information

Appending the certificate can be done in many ways. Here is an example of one method that may work for you, though we recommend managing the procedure in accordance with your organization's policies and procedures.
 
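First, move a copy of the LUA certificate to the Linux machine.
Then, from the /etc/symantec/sep/ directory:
cp sepfl.pem sepfl.pem.old
cat sepfl.pem.old luacrt.crt > sepfl.pem
 
Where luacrt.crt is the path and file name of the LUA certificate. The concatenation reads from the backup copy (sepfl.pem.old) because redirecting output to sepfl.pem while also reading from it would truncate the store before it is read, leaving only the LUA certificate in it.
 
Example:
cat sepfl.pem.old /tmp/luacrt.crt > sepfl.pem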
 
 
You can confirm that the LUA certificate is added to the sepfl.pem file by using the diff command.
 
diff --normal sepfl.pem sepfl.pem.old
 
 
The difference should be the content of the LUA certificate.
 
 
Once this is done, restart the smcd daemon or reboot the machine, then confirm that definitions begin to update from the LUA over HTTPS.
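
The backup, append and verify steps above can be combined so that the live certificate store is only replaced after the new file has been checked. The following is an added example, not vendor code: the function names append_cert, count_certs and demo are hypothetical, and the demo runs on constructed placeholder PEM blocks in a temporary directory rather than on /etc/symantec/sep/sepfl.pem.

```shell
#!/bin/sh
# Added example, not vendor code. append_cert, count_certs and demo are
# hypothetical helper names; the demo uses constructed placeholder PEM blocks.

count_certs() {   # number of PEM certificate blocks in file $1
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

append_cert() {   # usage: append_cert <bundle.pem> <cert.crt>
    bundle=$1; cert=$2
    [ -r "$bundle" ] && [ -r "$cert" ] || { echo "unreadable input" >&2; return 1; }
    # Reject files with no PEM block (wrong file, or DER-encoded certificate).
    added=$(count_certs "$cert")
    [ "$added" -ge 1 ] || { echo "no PEM certificate in $cert" >&2; return 1; }
    before=$(count_certs "$bundle")
    cp -p "$bundle" "$bundle.old" || return 1        # backup, as in the article
    tmp="$bundle.new.$$"
    cp -p "$bundle" "$tmp" || return 1               # keeps the file mode
    # A bundle without a trailing newline would fuse END/BEGIN onto one line.
    [ -z "$(tail -c 1 "$tmp")" ] || echo >> "$tmp"
    cat "$cert" >> "$tmp" || { rm -f "$tmp"; return 1; }
    # Verify before going live: original bytes intact, block count adds up.
    size=$(($(wc -c < "$bundle.old")))
    head -c "$size" "$tmp" | cmp -s - "$bundle.old" &&
        [ "$(count_certs "$tmp")" -eq $((before + added)) ] ||
        { rm -f "$tmp"; echo "verification failed, bundle unchanged" >&2; return 1; }
    mv "$tmp" "$bundle"                              # atomic replace, same directory
}

demo() {          # constructed data only; prints the block count after the append
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQQ==' \
        '-----END CERTIFICATE-----' > "$d/bundle.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQg==' \
        '-----END CERTIFICATE-----' > "$d/lua.crt"
    append_cert "$d/bundle.pem" "$d/lua.crt" && count_certs "$d/bundle.pem"
    rm -rf "$d"
}
```

Before appending a real certificate, compare its subject and fingerprint (for example with openssl x509 -noout -subject -fingerprint -sha256 -in /tmp/luacrt.crt) against the values shown on the LUA server, since anything added to this store becomes trusted for LiveUpdate HTTPS connections.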