
REST API connections no longer authenticate after upgrading the endpoint protection manager to 14.3.5427.3000


Article ID: 231144


Updated On:

Products

Endpoint Protection

Issue/Introduction

After upgrading a Symantec Endpoint Protection Manager (SEPM) to 14.3 RU3 build 5427, REST API requests fail. The error below may be present in semapisrv_log.YYYY-MM-DD.log.

021-12-17 21:40:52,251 [https-openssl-apr-0.0.0.0-8446-exec-10] ERROR c.s.s.s.c.e.h.GlobalControllerExceptionHandler - EXCEPTION: No subject alternative DNS name matching <name> found. 
javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching <name> found.
 at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
 at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
 at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)

 

Additional scenario: SEPM and EDR integration fails with the error message "Incorrect username, password, or domain provided for SEPM".

The error below may be present in semapisrv_log.YYYY-MM-DD.log:

2022-02-16 16:56:45,583 [https-openssl-apr-0.0.0.0-8446-exec-2] ERROR c.s.s.s.c.e.h.GlobalControllerExceptionHandler - EXCEPTION: Account is locked or invalid username, password, or domain. 
com.symantec.sepm.core.exception.InvalidArgumentException: Account is locked or invalid username, password, or domain.

Cause

This occurs when the certificate does not include a subject alternative name (SAN) entry for the host name. Starting with 14.3.5427.3000, the host used for the connection must match one of the subject names in the certificate.
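A way to check, before upgrading, which of the names your REST clients put in their URLs are covered by the certificate's SAN entries (an added example, not Symantec's code). It assumes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, uses constructed sample names, and applies simplified RFC 6125-style matching on SAN entries only; the page does not say whether SEPM falls back to the common name, so the example does not.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# every name and address here is a placeholder, not taken from a real SEPM.
SAMPLE_CERT = {
    "subject": ((("commonName", "sepm01"),),),
    "subjectAltName": (
        ("DNS", "sepm01.corp.example"),
        ("DNS", "*.mgmt.example"),
        ("IP Address", "10.0.0.5"),
    ),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may replace the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_covers(cert, host):
    """Return (ok, reason) for the host name a REST client uses in its URL."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # IP literals are compared with IP SAN entries only
        ips = [v for t, v in sans if t == "IP Address"]
        ok = any(ipaddress.ip_address(v) == ip for v in ips)
        return ok, "matches IP SAN" if ok else f"no IP SAN for {host} (have {ips})"
    names = [v for t, v in sans if t == "DNS"]
    for name in names:
        if _dns_match(name, host):
            return True, f"matches DNS SAN {name}"
    return False, f"no DNS SAN matching {host} (have {names})"


def audit(cert, hosts):
    """Map each client-side name to its (ok, reason) result."""
    return {h: san_covers(cert, h) for h in hosts}


if __name__ == "__main__":
    for host, (ok, why) in audit(SAMPLE_CERT, ["sepm01.corp.example", "sepm01", "localhost"]).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host}: {why}")
```

In the sample, the short name `sepm01` fails even though it is the certificate's common name, because no SAN entry carries it.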

Environment

SEPM version 14.3.5427.3000

Resolution

Endpoint Protection Manager 14.3 (RU4) version 14.3.7388.4000 added the option to disable this verification. To download the latest version, see the KB article "Download Symantec Enterprise Security software".

To disable certificate validation on RU4, perform the following:

  1. Stop the SEPM services
  2. Open <SEPM directory>\tomcat\etc\conf.properties in Notepad as an Administrator
  3. Add the following at the bottom on a new line: scm.webui.oauth.cert.validation.enabled=false
  4. Save and close the conf.properties
  5. Start the SEPM services

If your certificate does not match the hostname, it is recommended that you update the certificate:

Generate a new SEPM server certificate using the Manage Server Certificate Wizard. See the following link for more information.

Updating the server certificate on the management server without breaking communications with the client

Additional Information

ESCRT-8880
