
Manually imported Trusted Keys may cause Encryption Management Server upgrade to fail


Article ID: 240302


Products

Gateway Email Encryption, Encryption Management Server

Issue/Introduction

When upgrading to Encryption Management Server release 10.5 or above using the New Installation method described in article 211876, and restoring the backup with the pgpbackup command, the following error message is generated after the data has been restored, when services are restarted:

*** Error in 'pgpsysconf': double free or corruption

The same error is generated when trying to restart Apache with this command:

pgpsysconf --apache

Searching the Apache configuration file /etc/httpd/conf/httpd.conf for VirtualHost entries shows that there are none present:

# grep -c '</VirtualHost>' /etc/httpd/conf/httpd.conf
0

Cause

One or more TLS certificates that were manually imported from the Keys / Trusted Keys page in the management console are incompatible with release 10.5 and above.

Environment

Symantec Encryption Management Server 10.5 and above.

Resolution

Please do the following to resolve this issue:

1. If you took a VMware snapshot prior to installing the new release from ISO, revert to snapshot. Otherwise, install the previous release from ISO and restore from backup.

2. Run this query to list the Trusted Keys that were manually imported, ordered by the expiration date:

psql oviddb ovidr -xc "SELECT tk.uuid, display_name, cer.creation, expiration
FROM trusted_key tk
LEFT JOIN key ON key.keyid = tk.keyid
LEFT JOIN certificate cer ON cer.key_uuid = key.uuid
WHERE tk.origin = 1
ORDER BY expiration"

3. From the management console, navigate to Keys / Trusted Keys and search for each expired trusted key from the query results using the display_name value. Delete each expired trusted key.

4. Export each trusted key that has not expired before deleting it.

5. Upgrade again using the New Installation method.

6. If the upgrade succeeds, navigate to Keys / Trusted Keys and import each trusted key that had not expired.

Alternatively, open a support case.
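To split the step 2 query results into the keys handled in step 3 and those handled in step 4, the following added example (not vendor code) labels each row of the expanded psql output. The function names, the DELETE/EXPORT/REVIEW labels and the sample rows are constructed for illustration, and the timestamp format is an assumption noted in the comments.

```shell
# Added example, not vendor code. Labels each row of the step 2 query output.
# Assumptions: expiration prints as "YYYY-MM-DD HH:MM:SS" (first 19 characters
# compare as strings) and NOW is given in the same time zone as the server.
# Constructed sample of psql -x (expanded) output; every value is made up.
sample_query_output() {
cat <<'EOF'
-[ RECORD 1 ]+-------------------------------------
uuid         | 00000000-0000-0000-0000-000000000001
display_name | Constructed Old Root CA
creation     | 2009-03-01 00:00:00
expiration   | 2019-03-01 00:00:00
-[ RECORD 2 ]+-------------------------------------
uuid         | 00000000-0000-0000-0000-000000000003
display_name | Constructed Partner CA | EU
creation     | 2022-05-10 12:00:00
expiration   | 2032-05-10 12:00:00
-[ RECORD 3 ]+-------------------------------------
uuid         | 00000000-0000-0000-0000-000000000002
display_name | Constructed Orphan Key
creation     |
expiration   |
EOF
}

# Usage: psql ... -xc "<step 2 query>" | classify_trusted_keys "NOW"
classify_trusted_keys() {
    awk -v now="$1" '
        function emit(   e, verdict) {
            if (!have) return
            e = substr(expiry, 1, 19)
            if (e == "")                verdict = "REVIEW"  # no expiration value in the row
            else if ((e "") < (now "")) verdict = "DELETE"  # expired: delete in step 3
            else                        verdict = "EXPORT"  # not expired: export first, step 4
            printf "%s\t%s\t%s\n", verdict, name, e
            have = 0; name = ""; expiry = ""
        }
        /^-\[ RECORD/ { emit(); have = 1; next }
        {
            i = index($0, "|"); if (i == 0) next        # split on the first pipe only
            col = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", col); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (col == "display_name") name = val
            if (col == "expiration")   expiry = val
        }
        END { emit() }
    '
}
sample_query_output | classify_trusted_keys "2024-06-01 00:00:00"
```

The script only labels rows; deletion, export and import are still done from Keys / Trusted Keys in the management console as described in the steps above.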

Additional Information

EPG-26391