ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
LiveUpdate fails on Endpoint Protection Linux clients
Article ID: 186842
Updated On:
Products
Endpoint Protection
Issue/Introduction
Symantec Endpoint Protection (SEP) Linux clients fail to update content through LiveUpdate.
Cause
This problem can happen when the SEP client is configured to download content from an internal LiveUpdate server, such as LiveUpdate Administrator (LUA) over an HTTPS connection.
The LiveUpdate Cross-Platform (LUX) engine used by the SEP Linux client verifies the validity of server certificates when it connects to HTTPS servers. By default LUA uses a self-signed certificate for HTTPS communications. Unless the LUA server is configured to use a certificate signed by a public certificate authority (CA) contained in the certificate store used by LUX, the connection will fail.
The LiveUpdate Cross-Platform (LUX) engine used by the SEP Linux client verifies the validity of server certificates when it connects to HTTPS servers. By default LUA uses a self-signed certificate for HTTPS communications. Unless the LUA server is configured to use a certificate signed by a public certificate authority (CA) contained in the certificate store used by LUX, the connection will fail.
Resolution
1. Ensure any internal LiveUpdate servers are configured with a public CA signed certificate for HTTPS communications.
2. In test environments, add the LiveUpdate server's self-signed certificate, or the internal CA certificate to the SEP client's certificate store at /etc/symantec/sep/sepfl.pem.
Additional Information
Appending the certificate can be done in many ways. Here is an example of one method that may work for you though we recommend managing the procedure in accordance with your organization's policies and procedures.
First move a copy of the LUA certificate to the Linux machine.
from the /etc/symantec/sep/ directory:
cp sepfl.pem sepfl.pem.old
cat sepfl.pem luacrt.crt > sepfl.pem
First move a copy of the LUA certificate to the Linux machine.
from the /etc/symantec/sep/ directory:
cp sepfl.pem sepfl.pem.old
cat sepfl.pem luacrt.crt > sepfl.pem
Where luacrt.crt is the directory and name of the LUA certificate.
example:
cat sepfl.pem /tmp/luacrt.crt > sepfl.pem
You can confirm that the LUA certificate is added to the sepfl.pem file by using the diff command.
diff --normal sepfl.pem sepfl.pem.old
The difference should be the content of the LUA certificate.
Once this is done you can restart the smcd daemon or reboot the machine and confirm if definitions begin to update from the LUA using HTTPS.
cat sepfl.pem /tmp/luacrt.crt > sepfl.pem
You can confirm that the LUA certificate is added to the sepfl.pem file by using the diff command.
diff --normal sepfl.pem sepfl.pem.old
The difference should be the content of the LUA certificate.
Once this is done you can restart the smcd daemon or reboot the machine and confirm if definitions begin to update from the LUA using HTTPS.
Feedback
Yes
No
Powered by
