Troubleshooting Symantec VIP integration with Epic Hyperdrive

Article ID: 271584

Updated On:

Products

VIP Service

Issue/Introduction

Common issues with the Symantec VIP integration for Epic Hyperdrive.

Resolution

  • VIP Integration Guides for Epic can be found here.
  • Enable viewing of file name extensions and hidden items to confirm the actual .P12 and .PEM file extensions (for example, that cert.p12 isn't actually cert.p12.p12, or that cert.pem isn't actually cert.pem.cer).
  • Use alphanumeric characters in the cert name (for example, my.domain.com.p12 → mydomainp12.p12).
  • The SAML issuer URL is a unique identifier for that Epic server instance (your Epic engineer can assist in determining this value). Each server value needs to be unique (example: https://epicserver1.example.com, https://epicserver2.example.com).
  • Plain text passwords for the .P12 cert and RADIUS shared secret cannot contain the following characters prior to using the camouflage.exe tool: " $ =
  • It is normal for the camouflaged password to contain non-alphanumeric characters, such as $ or =
  • Only the public key is required when extracting the .PEM file from the .p12.
    • OpenSSL command to extract the public certificate from the .p12:
      openssl pkcs12 -in certificate.p12 -out certificate-pub.pem -clcerts -nokeys

      Use any text editor to open certificate-pub.pem and remove the "Bag Attributes" information (example: remove all lines above -----BEGIN CERTIFICATE-----).

    • Optional: DigiCert Cert Utility can be used to extract the PEM without the private key.

  • The VIP Plugin for Epic will continue to function if the .PEM SAML signing cert expires. Renewing or replacing it is not required regardless of the following error in the log:
      8/26/2025 12:53:33 PM : Radius authentication process started for user : BROADCOM
      8/26/2025 12:53:33 PM : ValidateUserPush: Client.OperationResult.Challenge and _state:xxxxxxxxx3539
      8/26/2025 12:53:33 PM : Radius authentication process started for user : BROADCOM
      8/26/2025 12:53:39 PM : Authenticate: Client.OperationResult.Accept and REPORT_VALIDATION_RESULT.VR_NONE
      8/26/2025 12:53:39 PM : Radius authentication process ended for user : BROADCOM
      8/26/2025 12:53:39 PM : User BROADCOM authentication successful
      8/26/2025 12:53:39 PM : SAML Signing Certificate has expired
      8/26/2025 12:53:40 PM : saml assertion is signed successfully
  • The VIP Certificate on the VIP Enterprise Gateway must be replaced before it expires (more information here).
  • If .P12 path errors are encountered in the Hyperdrive cloud logs, copy the .P12 file to the same installation folder as the VIP Plugin, then change the path value in the registry to point to the new path. Restart the Epic service.
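
For the PEM extraction step above, the following added example (not part of the original article and not vendor code) strips the "Bag Attributes" text from the exported file and confirms that no private key ended up in it. The function names, the expectation of exactly one certificate block, and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Function names and sample data are constructed.

# Write a constructed stand-in for what
#   openssl pkcs12 -in certificate.p12 -out certificate-pub.pem -clcerts -nokeys
# emits: "Bag Attributes" text, then the certificate block.
# The base64 body is a placeholder, not a real certificate.
write_sample_pem() {
  cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
    friendlyName: constructed-sample
subject=CN = epicserver1.example.com
issuer=CN = Constructed Sample CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
}

# Print only the certificate block(s): drops Bag Attributes, subject=/issuer=
# lines, and CR characters left behind by Windows editors.
strip_bag_attributes() {
  tr -d '\r' < "$1" | awk '
    /^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
    inside                          { print }
    /^-----END CERTIFICATE-----$/   { inside = 0 }'
}

# Succeed only if the file carries no private key block, holds exactly one
# certificate (assumption: a single signing cert), and starts at the BEGIN line.
check_public_pem() {
  if grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"; then
    echo "FAIL: $1 contains a private key; re-export with -nokeys" >&2; return 1
  fi
  pem_count=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true)
  if [ "$pem_count" -ne 1 ]; then
    echo "FAIL: $1 has $pem_count certificate blocks, expected 1" >&2; return 1
  fi
  if [ "$(head -n 1 "$1")" != "-----BEGIN CERTIFICATE-----" ]; then
    echo "FAIL: $1 has text above the BEGIN CERTIFICATE line" >&2; return 1
  fi
  echo "OK: $1"
}

# Demo on the constructed sample: the raw export is rejected, the cleaned copy passes.
raw=$(mktemp) && clean=$(mktemp)
write_sample_pem "$raw"
strip_bag_attributes "$raw" > "$clean"
check_public_pem "$raw" || echo "raw export needs cleaning"
check_public_pem "$clean"
rm -f "$raw" "$clean"
```

To check a real export, run `strip_bag_attributes certificate-pub.pem > cleaned.pem` followed by `check_public_pem cleaned.pem`.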