Unable to connect via CEM mode after migrating to a new SMP Server when same server hostname/fqdn was kept
Article ID: 275066

Products

IT Management Suite

Issue/Introduction

The customer migrated to a new SMP Server, keeping the same server name and IP address.

After the migration was complete, the client machines communicated with the SMP Server without problems while on the internal network or on VPN. However, when the agent tried to connect in CEM mode, the following errors were logged and no CEM connection was established:

Operation 'CEM: Connect' failed. 
Protocol: HTTPS 
Original host: <SMPserver>.<yourdomain>.net:443
Real host: <externalgatewayname>.<yourdomain>.com:443
Path: / 
Connection id: 429.4576 
Communication profile id: {xxxxxxxx-7A71-4222-98D8-6F97D5B9B96B} 
Throttling: 0 0 0 
Error type: Connection error 
Error code: A socket operation was attempted to an unreachable host (10065) 
Error note: Unable to connect via secure gateway 
Gateway HTTPS connection info: 
   Server certificate: 
      Serial number: xx xx xx xx 54 56 d7 3b 34 46 5b d2 ac 58 bc f6 74 c5 51 
      Thumbprint: xx xx xx xx 19 78 dc 81 e1 5c ba 2a 72 c4 31 7b 6d 09 08 8d 
   Cryptographic protocol: TLS 1.2 
   Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
   Cipher algorithm: AES 
   Cipher key length: 256 
   Hash algorithm:  
   Hash length: 0 
   Key exchange algorithm: ECDH 
   Key length: 255
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 12:01:15 AM, Tick Count: 64754234 (17:59:14.2340000), Size: 1.09 KB
Process: AeXNSAgent.exe (4576), Thread ID: 21372, Module: AeXNetComms.dll
Priority: 1, Source: NetworkOperation

 

The certificate chain was issued by an authority that is not trusted
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 12:01:20 AM, Tick Count: 64758281 (17:59:18.2810000), Size: 302 B
Process: AeXNSAgent.exe (4576), Thread ID: 18972, Module: InventoryRuleAgent.dll
Priority: 1, Source: HttpClient

 

getNewRulesFromWeb() error - The certificate chain was issued by an authority that is not trusted
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 12:01:20 AM, Tick Count: 64758296 (17:59:18.2960000), Size: 339 B
Process: AeXNSAgent.exe (4576), Thread ID: 18972, Module: InventoryRuleAgent.dll
Priority: 1, Source: InventoryRuleCache

 

Looking at the agent logs with verbose logging turned on, we could see that the gateway itself was reachable (the 'CEM: Connect' operation to the gateway succeeds; it is the subsequent certificate validation that fails):

Operation 'CEM: Connect' completed successfully. 
Protocol: HTTPS 
Original host: <SMPserver>.<yourdomain>.net:443
Real host: <externalgatewayname>.<yourdomain>.com:443
Path: / 
Connection id: 430.4576 
Communication profile id: {xxxxxxxx-7A71-4222-98D8-6F97D5B9B96B} 
Throttling: 0 0 0 
Gateway HTTPS connection info: 
   Server certificate: 
      Serial number: xx xx xx xx 43 54 56 d7 3b 34 46 5b d2 ac 58 bc f6 74 c5 51 
      Thumbprint: xx xx xx xx 19 78 dc 81 e1 5c ba 2a 72 c4 31 7b 6d 09 08 8d 
   Cryptographic protocol: TLS 1.2 
   Cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
   Cipher algorithm: AES 
   Cipher key length: 256 
   Hash algorithm:  
   Hash length: 0 
   Key exchange algorithm: ECDH 
   Key length: 255
-----------------------------------------------------------------------------------------------------
Date: 10/17/2023 12:01:19 AM, Tick Count: 64758046 (17:59:18.0460000), Size: 972 B
Process: AeXNSAgent.exe (4576), Thread ID: 18972, Module: AeXNetComms.dll
Priority: 8, Source: NetworkOperation

Environment

ITMS 8.x

Cause

The Server CA and Agent CA certificates from the original SMP Server were not migrated properly to the new SMP Server.

 

Resolution

In this particular instance, for the Symantec Management Agent and the Internet Gateway to be able to validate the certificates in use, the new SMP Server must use the same root certificates as the original one (for ITMS, these are the Server CA and Agent CA certificates).

The following needs to be done to ensure that the proper Server CA and Agent CA certificates are in place on the new SMP Server so that communication works:

  1. On the original SMP Server, make a backup of your Notification Server configuration.

    Option 1:
    To back up Notification Server configuration in the Symantec Installation Manager:
    1.    In the Symantec Installation Manager, on the Installed Products page, click Repair installed products.
    2.    On the Repair Product page, click Back up or restore Notification Server configuration, and then click Next.
    3.    On the Backup or Restore Notification Server Configuration page, do the following:
    o    Select Back up NS configuration.
    o    Browse and select the location where you want the backup file to be stored. Broadcom recommends storing the backups on a different server.
    o    Provide a password for the backup file. You need this password to decrypt the backup file during the restore process.
    o    Under Select data to back up or restore, select the items that you want to back up (backing up all options is preferable, but for this scenario you need at least the NS CA configuration option selected), and then click Next.
    4.    On the Review Backup Details page, review the data that you want to back up, and then click Back Up.

    To restore Notification Server configuration:
    1. Start the Symantec Installation Manager.
    2. On the Installed Products page, click Repair installed products.
    3. On the Repair Product page, click Back up or restore Notification Server configuration, and then click Next.
    4. On the Backup or Restore Notification Server Configuration page, do the following:
    a) Browse and select the backup file.
    b) Enter the password to decrypt the backup file, and then click OK.
    c) Under Data available for backup or recovery, select the items that you want to restore, and then click Next.
    d) On the Review Restore Details page, review the data that you want to restore (in this case you need at least the NS CA configuration option selected), and then click Restore.
    5.    After restoring, on the Certificate Management page in the SMP Console, verify that the Server CA and Agent CA certificates (displayed as Site Server root certificate and NS root certificate respectively) are the same ones that were used on your original SMP Server (compare the certificate thumbprints).

    Note:
    If the Server CA and Agent CA certificates are different, use the "Replace" option as described in:



    Option 2

    To back up Notification Server configuration in the Symantec Management Console:
    1.    In the Symantec Management Console, on the Settings menu, click All Settings.
    2.    In the left pane, under the Settings folder, expand Notification Server, and then click Notification Server Settings.
    3.    On the Notification Server Settings page, on the Critical Data Backup tab, configure the following settings:
    o    Repository Settings: This lets you configure the location of the backups and the schedule for deleting outdated backups.
    Note: The schedule for deleting outdated backups does not delete the backups that you create in the Symantec Installation Manager.
    o    Notification Server Configuration Backup: This lets you create a backup manually or configure a schedule for creating backups at regular intervals.
    A Notification Server configuration backup contains its Web configuration, root certificate, core settings, registry, KMS encryption keys, and site server root certificate.
    Note that you must turn on the backup schedule if you want it to run automatically. At the upper right of the backup section, click the colored circle, and then click On.
    o    Software Library Backup: You can back up Software Library content such as software packages and software file data.
    This option lets you back up Software Library content only if the Software Library is set up on the Notification Server. You cannot back up a Software Library that is set up on a remote server.
    4.    Click Save Changes.
    5.    Export the thumbprint for the Agent CA certificate, stored in the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Notification Server\CA\Agent. It is valuable to have a copy of the whole Altiris registry folder for reference, but you must never blindly restore the registry during recovery.
    6.    In the Certificates snap-in for the local computer account, browse to Trusted Root Certification Authorities\Certificates.
    7.    Open the details of the certificate that contains Agent CA as part of the Friendly Name field, and check that its Thumbprint matches the value in the registry key.
    8.    Once you have found the matching certificate, export it with its private key using the Certificate Export Wizard with the Export all extended properties option.
    It is very important to make sure that Delete the private key if the export is successful IS NOT checked.
    Protect the file with a password when prompted.

    For more information on this, please refer to:
    Performing the Backup
    Backing Up and Restoring Notification Server Configuration



    Option 3

    You can use the Export Cloud-enabled configuration for CEM agents option to add the necessary pieces for CEM functionality, as described in the
  2. After the proper Server CA and Agent CA certificates are in place, check the following:
    1. Check that the "Thumbprint" registry value exists under [HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Notification Server\CA\Agent].
    2. If it exists, check that it holds the correct thumbprint for the Agent CA certificate. If it has the wrong value, replace it with the correct one.
    3. If it doesn't exist, recreate the value and add the proper thumbprint reference for your Agent CA certificate, for example:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Notification Server\CA\Agent]
      "Thumbprint"="E4C91063xxxxxxxxxxxxxxxxxxxxxxxAC2"

    4. Do the same, if needed, for HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\eXpress\Notification Server\CA\Server.
  3. After the proper Server CA and Agent CA certificates are in place, go to your Internet Gateway(s) and remove and re-add your SMP Server and Site Server(s) under the Servers tab.
  4. After that, when the client machines connect internally or via VPN, they will receive a new configuration with all these references, and the next time they connect via CEM mode they should connect successfully.
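The registry-versus-certificate-store check from the steps above can be scripted so it is repeatable before and after the migration. The following is an added example, not part of this article or of the ITMS product; it assumes the Server CA's Friendly Name contains "Server CA" (the article only states the "Agent CA" naming for the Agent CA) and that it is run in an elevated PowerShell session on the new SMP Server.

```powershell
# Added example (not from the Broadcom article): compare the Thumbprint value stored under
# HKLM\SOFTWARE\Altiris\eXpress\Notification Server\CA\<Agent|Server> with the certificates
# actually installed in the local machine's Trusted Root Certification Authorities store.
# Assumption: the Server CA certificate's Friendly Name contains "Server CA" (the article
# documents only the "Agent CA" friendly name). Run elevated on the new SMP Server.
$CaKeyBase = 'HKLM:\SOFTWARE\Altiris\eXpress\Notification Server\CA'

function Test-ItmsCaThumbprint {
    param([Parameter(Mandatory)][ValidateSet('Agent', 'Server')][string]$Role)

    $keyPath  = Join-Path $CaKeyBase $Role
    $expected = $null
    if (Test-Path $keyPath) {
        $expected = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).Thumbprint
    }
    if ([string]::IsNullOrWhiteSpace($expected)) {
        # Step 2.3 of the article: the value is missing and must be recreated.
        return [pscustomobject]@{ Role = $Role; Status = 'RegistryValueMissing'; Expected = $null; Installed = @() }
    }
    # Both sides should be bare hex; strip any separators and compare case-insensitively.
    $expected = ($expected -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $rootCerts = Get-ChildItem -Path Cert:\LocalMachine\Root
    $byThumb   = $rootCerts | Where-Object { $_.Thumbprint -eq $expected }
    $byName    = $rootCerts | Where-Object { $_.FriendlyName -like "*$Role CA*" }

    $status = if ($byThumb) { 'OK' }                          # registry points at an installed root
              elseif ($byName) { 'ThumbprintMismatch' }       # a "<Role> CA" cert exists, but a different one
              else { 'CertificateNotInstalled' }              # no matching cert in Trusted Root at all

    [pscustomobject]@{
        Role      = $Role
        Status    = $status
        Expected  = $expected
        # HasPrivateKey matters: the article's export step requires the private key to travel with the cert.
        Installed = @($byName | ForEach-Object {
            '{0} ({1}, private key: {2})' -f $_.Thumbprint, $_.FriendlyName, $_.HasPrivateKey })
    }
}

'Agent', 'Server' | ForEach-Object { Test-ItmsCaThumbprint -Role $_ } | Format-List
```

A result other than OK for either role corresponds to the "certificate chain was issued by an authority that is not trusted" symptom above and should be fixed (restore the original CA or correct the registry value) before re-adding the servers on the Internet Gateway.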