After upgrading Endpoint Protection Manager to 14.3 RU8 replication fails.

Article ID: 276087

Products

Endpoint Protection

Issue/Introduction

After upgrading Symantec Endpoint Protection Managers (SEPM) that use third-party certificates to 14.3 RU8, replication fails with the following error in scm-server-0.log:

2023-11-02 13:48:08.526 THREAD 23 SEVERE:
javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address ##.###.##.## found
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:298)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)

Environment

14.3 RU8 SEPM
Third-party public certificates that are valid only for the FQDN (the subject alternative names contain DNS entries but no IP address entry).

Cause

When you add a replication partner in the SEPM console, you specify the connection info for the remote site, but SEPM also generates connection info for the local site and sends it to the remote site for its own use. The local site's address is auto-generated as the local IP address, and the console offers no way to change it. That auto-generated IP address does not match the certificate: the certificate is issued only for the FQDN, and Java's hostname verifier matches an IP literal against IP-address subject alternative names only, never against DNS names. The remote site's connection back to the local site therefore fails the TLS handshake with the error above, and replication fails in one direction.
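As a check to run before step 3 of the Resolution below, here is an added example (not part of this article and not the attached EditPartnerAddress tool) in Python. It applies the same rule the Java verifier applied in the log above, so you can confirm that the address you intend to enter for a partner is covered by that SEPM's certificate and that its IP address is not. SAMPLE_SANS is a constructed SAN list in the shape ssl.getpeercert() returns; fetch_sans, the default port 8443 and all function names are assumptions of this example.

```python
"""Check whether a replication-partner address will pass TLS hostname
verification against the certificate a SEPM presents (added example, not
Symantec's tool). The matching rule mirrors Java's HostnameChecker: an IP
literal must equal an 'IP Address' SAN; a DNS name must match a 'DNS' SAN."""
import ipaddress
import socket
import ssl
import sys

# Constructed sample in the shape returned by ssl.getpeercert()['subjectAltName']
# for a public certificate issued only for the SEPM's FQDN (no 'IP Address' entry).
SAMPLE_SANS = (("DNS", "sepm.example.com"), ("DNS", "*.example.com"))


def is_ip_literal(address):
    """True if address is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, name):
    """Case-insensitive DNS match; a wildcard is allowed only as the entire
    leftmost label and covers exactly one label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        head, sep, rest = name.partition(".")
        return sep == "." and head != "" and rest == pattern[2:]
    return False


def address_matches_sans(address, sans):
    """Return (matched, reason). The reason for an IP mismatch is worded like
    the Java exception in scm-server-0.log so the two can be compared directly."""
    if is_ip_literal(address):
        wanted = ipaddress.ip_address(address)
        for kind, value in sans:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == wanted:
                    return True, f"IP Address SAN {value} matches {address}"
            except ValueError:
                continue  # malformed IP SAN; ignore it
        return False, f"No subject alternative names matching IP address {address} found"
    for kind, value in sans:
        if kind == "DNS" and dns_name_matches(value, address):
            return True, f"DNS SAN {value} matches {address}"
    return False, f"No subject alternative names matching hostname {address} found"


def fetch_sans(host, port=8443, timeout=5.0):
    """Fetch the SAN list from the certificate a live SEPM presents. Hostname
    checking is turned off so the certificate can be pulled by IP as well as by
    name, while chain validation against the system trust store stays on (which
    is what getpeercert() needs in order to return the parsed certificate).
    Port 8443 is an assumption (SEPM's default HTTPS port); adjust if changed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    # Usage: check_sepm_san.py <address to test> [<host to connect> [<port>]]
    # Without a host, the constructed SAMPLE_SANS are used so the demo runs offline.
    address = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    if len(sys.argv) > 2:
        port = int(sys.argv[3]) if len(sys.argv) > 3 else 8443
        sans = fetch_sans(sys.argv[2], port)
    else:
        sans = SAMPLE_SANS
    ok, why = address_matches_sans(address, sans)
    print(f"{'OK  ' if ok else 'FAIL'} {address}: {why}")
```

Run it once with the IP address a partner would auto-generate and once with the FQDN you plan to type in step 3: the first should report the same "No subject alternative names matching IP address" wording as the log, the second should match a DNS SAN. If neither matches, the name you planned to use is not in the certificate and the tool in the Resolution will not help until it is.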

Resolution

A tool has been created and attached to the KB to resolve the issue.

Instructions:

1. Ensure you have a database backup for both databases.
2. Log in to both SEPMs and delete the replication partner.
3. Log in to the Site A SEPM, go to Admin > Servers and add an existing replication partner. For the hostname of the remote partner, enter an address that is covered by the remote SEPM's certificate (a DNS name listed in its subject alternative names), not its IP address.
4. Stop the SEPM services on all Site B SEPMs.
5. Log in to the Site B SEPM server used for replication. Download EditPartnerAddress.zip.
6. Extract EditPartner.jar and EditPartnerAddress.bat to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.
7. Open a command prompt as Administrator and change directory to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools.
8. Run the following command:

EditPartnerAddress.bat <Site A SEPM IP address> <Site A SEPM hostname>

   For example:
   EditPartnerAddress.bat 192.0.2.1 sepm.example.com

   The tool can also replace a NetBIOS-style name with the FQDN:

   EditPartnerAddress.bat sepm sepm.example.com

9. After the tool completes, start the SEPM services on Site B and log in to the Site B SEPM used for replication.
10. Under Admin > Servers > Replication Partners > Site A, verify that the Replication Management Server List shows the hostname for Site A and not the IP address.
11. Run Replicate Now and verify that replication succeeds in both directions.


Additional Information

CRE-16130

Attachments

EditPartnerAddress.zip