encutilcmd server command returns timeout error
search cancel

encutilcmd server command returns timeout error

book

Article ID: 245748

calendar_today

Updated On: 10-09-2023

Products

CA Client Automation - IT Client Manager CA Client Automation

Issue/Introduction

Command 
encutilcmd server
 
returns error
A timeout occured.
 
 
In TRC_CF_ENCUTILCMD_.log there are these lines :
encUtilCmd|CcnfAgentApi|CCcnfAgentApi.cpp|001804|DETAIL | GetParameterValueInt(itrm/common/enc/general, revocationpolicy, ..., NULL) successfully completed. Parameter value: 1
...
encUtilCmd|encauthent |win32sspi.cpp|002303|INFO   | EncCheckForRevocation. Remote Peer Certificate subject name = <x509cert://[TLS-SCHANNEL]/CN=name1,DC=broadcom,DC=com> serial number <11AABBE27026A241ED9A54544388E9F9A7>
encUtilCmd|encauthent |win32sspi.cpp|002312|NOTIFY | EncCheckForRevocation. Successfully created the non default chain engine
encUtilCmd|encauthent |win32sspi.cpp|002337|NOTIFY | EncCheckForRevocation. Certificate chain has been created successfully
encUtilCmd|encauthent |win32sspi.cpp|002363|NOTIFY | EncCheckForRevocation. Certificate Trust status 64, Last error 0
encUtilCmd|encAuditAPI|encAuditAPI  |000000|WARNING| CENCAuditAPI::log: ID IDS_REMOTE_PEER_CERT: not in config
encUtilCmd|encAuditAPI|encAuditAPI  |000000|ERROR  | ENC-TLS: Remote Peer Certificate  
Subject: 'x509cert://[TLS-SCHANNEL]/CN=name1,DC=broadcom,DC=com' 
Serial number: '11AABBE27026A241ED9A54544388E9F9A7'  
Revocation Status: 'FAILED'
encUtilCmd|                |                    |000000|DETAIL | CENCAuditAPI::log: returned: 4010
encUtilCmd|                |                    |000000|DETAIL | EncAuditLog: returned: 4010
encUtilCmd|communicatorLib |communicatorLib     |000000|DETAIL | Timed out negotitating TLS encryption
encUtilCmd|communicatorLib |communicatorLib     |000000|ERROR  | CF1SocketCommunicator::DoConnect: Negotiation of encryption failed: error: 3007: ENC_TIMEOUT: A timeout occured

Environment

Client Automation - All Versions

Cause

This error could occur if parameter "Enable certificate revocation check" is set to True

DSM/Common Components/ENC Gateway/General/Enable certificate revocation check = True

Resolution

1- Unseal the configuration policy and update it like this :
DSM/Common Components/ENC Gateway/General/Enable certificate revocation check = False
 
2- Seal the policy and wait it is applied on the machines
 
3- Check if problem is resolved.
 
If machine has problem to receive the configuration policy we could force it with this command :
 
ccnfcmda -cmd SetParameterValue -ps itrm/common/enc/general -pn revocationmode -v 0 -manager
Powered by Wolken Software