Unexpected Server Error - SEPM Server Certificate has Expired



Article ID: 245441


Products

Endpoint Protection

Issue/Introduction

Administrators attempting to log in to the Symantec Endpoint Protection Manager (SEPM) receive an "Unexpected Server Error".

SCM-Server-x.log shows the following errors:

java.sql.SQLException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "NotAfter: Mon Jan 01 00:00:00 EDT 2000". ClientConnectionId:xxxxxxxxxxxxxxxxxxxxxxx)

Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "NotAfter: Mon Jan 01 00:00:00 EDT 2000". ClientConnectionId:xxxxxxxxxxxxxxxxxxxxxxxx

Environment

14.3 RU1 and later

Cause

The SQL Server certificate has expired, causing SSL/TLS handshake errors when the SEPM communicates with the database via SSL.

Resolution

The following steps can be taken to correct the issue with a self-signed certificate.

  1. Open the SQL Server Configuration Manager
  2. Go to SQL Server Network Configuration -> right-click "Protocols for <databasename>" and choose Properties
    1. The default database name is SQLEXPRESSSYMC
    2. On a SQL Server installation, the default database name is SEM5
  3. Set Force Encryption to No and click OK
  4. Restart the SQL Server service
  5. Edit the root.xml in <SEPM directory>\tomcat\conf\Catalina\localhost\ and change:
    encrypt=true
    to 
    encrypt=false
  6. Save and close the file
  7. Restart the Symantec Endpoint Protection Manager service
    Note: It may be necessary to stop the Symantec Endpoint Protection Manager API Service and the Symantec Endpoint Protection Manager Webserver services in order to successfully log in. The Webserver service should be started after successful login to allow clients to get the policy updates in the following steps.
  8. Follow the steps to update the server certificate without breaking communication.
    1. The SEPM will show an error on login and the top 3 tabs but should allow you to log in and complete this process.
  9. After that process is completed, run the Management Server Configuration Wizard to Reconfigure the Server. Do NOT use a recovery file! This will update the SQL certificate to the new one the SEPM is using and reenable Force Encryption.
  10. Log in to the SEPM and confirm it is now working.


Note:
Sometimes modifying root.xml does not disable TLS between the SEPM and the database. In that case, use the SetSQLServerTLSEncryption.bat script under *:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\
The usage instructions for this tool can be found in *:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\SetSQLServerTLSEncryption.html
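The following PowerShell script is an added diagnostic example and is not part of this article or of the SEPM product. It reads the Force Encryption flag and the certificate thumbprint that SQL Server Configuration Manager stores for an instance (under the instance's SuperSocketNetLib registry key), checks the certificate's NotAfter date in the local machine store, and reports the encrypt= setting in root.xml. Run it before step 1 to confirm that an expired certificate is really the cause, and again after step 9 to confirm that Force Encryption and encrypt=true have been restored, since the resolution temporarily disables encryption between the SEPM and the database. The instance name SQLEXPRESSSYMC and the root.xml path are assumptions taken from the defaults above; adjust them for your installation.

```powershell
# Added example, not from the article. Checks the SQL Server certificate bound to an
# instance and the encrypt= setting in SEPM's root.xml. Requires local admin on the
# SQL Server host. Instance name and root.xml path are assumed defaults.
param(
    [string]$Instance = 'SQLEXPRESSSYMC',
    [string]$RootXml  = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\Catalina\localhost\root.xml'
)

$base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

# Map the instance name (e.g. SQLEXPRESSSYMC) to its registry id (e.g. MSSQL15.SQLEXPRESSSYMC)
$instanceId = (Get-ItemProperty "$base\Instance Names\SQL" -ErrorAction Stop).$Instance
if (-not $instanceId) { throw "SQL Server instance '$Instance' was not found in the registry." }

# ForceEncryption (0/1) and Certificate (thumbprint) are what Configuration Manager writes
$netlib = Get-ItemProperty "$base\$instanceId\MSSQLServer\SuperSocketNetLib" -ErrorAction Stop
$force  = [int]$netlib.ForceEncryption
$thumb  = [string]$netlib.Certificate

Write-Host "Instance $Instance ($instanceId): ForceEncryption=$force"

if ([string]::IsNullOrWhiteSpace($thumb)) {
    Write-Host 'No certificate thumbprint is configured; SQL Server is using an auto-generated self-signed certificate that is not in the store.'
} else {
    # Registry stores the thumbprint in lower case; -eq is case-insensitive in PowerShell
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        Write-Warning "Certificate with thumbprint $thumb was not found in LocalMachine\My."
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "SQL Server certificate EXPIRED on $($cert.NotAfter) (Subject: $($cert.Subject)). This matches the 'NotAfter' error in SCM-Server-x.log."
    } else {
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Write-Host "SQL Server certificate is valid until $($cert.NotAfter) ($daysLeft days left; Subject: $($cert.Subject))"
    }
}

# root.xml carries the JDBC connection string; encrypt=true means the SEPM expects TLS
if (Test-Path $RootXml) {
    $content = Get-Content -Path $RootXml -Raw
    if ($content -match 'encrypt=(true|false)') {
        Write-Host "root.xml encrypt=$($Matches[1])"
        if ($Matches[1] -eq 'false' -and $force -eq 1) {
            Write-Warning 'root.xml has encrypt=false while SQL Server forces encryption; the SEPM connection is still TLS-protected but the settings are inconsistent.'
        }
        if ($Matches[1] -eq 'false' -and $force -eq 0) {
            Write-Warning 'Encryption between the SEPM and the database is currently DISABLED. Complete steps 8-9 to restore it.'
        }
    } else {
        Write-Host 'root.xml: no encrypt= setting found in the connection string.'
    }
} else {
    Write-Warning "root.xml not found at $RootXml"
}
```

Run it from an elevated PowerShell prompt on the SEPM/SQL host, for example `.\Check-SepmSqlCert.ps1 -Instance SQLEXPRESSSYMC`. A healthy post-resolution state is ForceEncryption=1, a certificate with a NotAfter date in the future, and encrypt=true in root.xml.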