TLS Encryption Errors (TLSAcceptSecurityContext failed 80070649) or "The encryption component failed" error messages.

Article ID: 3974

Products

CA Automation Suite for Data Centers - Configuration Automation
CA Client Automation - Asset Management
CA Client Automation - IT Client Manager
CA Client Automation
CA Client Automation - Remote Control
CA Client Automation - Asset Intelligence
CA Client Automation - Desktop Migration Manager
CA Client Automation - Patch Manager

Issue/Introduction

When running a software delivery job check or a "caf ping", errors are reported:

[Figure 1: image not included]

[Figure 2: image not included]

In TRC_USD_SDAGENT*.log, the following TLS encryption error appears:

[Figure 3: image not included]

The error is: TLSAcceptSecurityContext failed 80070649.

Another symptom is simply that a "caf ping" fails:

[Figure 4: image not included]

The error is: "The encryption component failed."

Cause

There are three common root causes:

1- The system time on one or both connecting endpoints is wrong.

2- The certificates in use are incompatible, e.g. your environment uses custom ITCM certificates, and one of the endpoints is using the out-of-the-box ITCM certificates rather than the custom ones.

3- The CAPKI versions on the two endpoints are incompatible. This typically happens when more than one CA product is installed on one of the endpoints and one of them has installed a conflicting or incompatible version of CAPKI.

Environment

Client Automation (ITCM) -- any version.

Resolution

The solution will vary depending on the cause of the problem:

1- Ensure the system clock on the endpoint, including time zone, is set correctly and not off by more than 10 minutes.

2- Run a "cacertutil list" on both endpoints, and check for organization differences in the output, for example:

CN=DSM Root,O=Computer Associates,C=US
CN=DSM Root,O=Forward Inc,C=US

In this example, one endpoint is using the out-of-the-box ITCM certificates, and the other is using custom certificates generated for "Forward Inc".

3- Upgrade CAPKI to the latest version.

The version of CAPKI can be checked in the registry:
HKLM\SOFTWARE\Wow6432Node\ComputerAssociates\Shared\CAPKI\Dependencies

[Figure 5: image not included]

If an older version is found, you can locate the latest version from your ITCM install media:
<install media root>\WindowsProductFiles_x86\CAPKI\setup.exe

Run: setup install caller=CADSM

This will upgrade the CAPKI installation on the endpoint.
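
For step 2, comparing the two listings by eye becomes error-prone when several certificates are listed. The script below is an added example, not part of the original article or of ITCM: it takes "cacertutil list" output saved from each endpoint and reports the organization (O=) values that appear on only one side. The sample output is constructed from the two subject lines shown in step 2, and the function names are hypothetical.

```python
import re

# A distinguished name such as "CN=DSM Root,O=Forward Inc,C=US". Only the DN
# itself is matched; the layout of the rest of the tool output is not assumed.
DN_RE = re.compile(r"CN=[^\r\n]*")

def split_rdns(dn):
    """Split a DN on unescaped commas into (ATTRIBUTE, value) pairs."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" in part:
            attr, value = part.split("=", 1)
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def organizations(cacertutil_output):
    """Return the set of O= values found in saved 'cacertutil list' output."""
    orgs = set()
    for match in DN_RE.finditer(cacertutil_output):
        for attr, value in split_rdns(match.group(0)):
            if attr == "O":
                orgs.add(value)
    return orgs

def compare_endpoints(output_a, output_b):
    """Report organizations present on one endpoint but not the other."""
    orgs_a, orgs_b = organizations(output_a), organizations(output_b)
    return {
        "only_a": sorted(orgs_a - orgs_b),
        "only_b": sorted(orgs_b - orgs_a),
        "mismatch": orgs_a != orgs_b,
    }

# Constructed sample input, built from the two subject lines in step 2.
ENDPOINT_A = "CN=DSM Root,O=Computer Associates,C=US\n"
ENDPOINT_B = "CN=DSM Root,O=Forward Inc,C=US\n"

if __name__ == "__main__":
    result = compare_endpoints(ENDPOINT_A, ENDPOINT_B)
    if result["mismatch"]:
        print("Certificate organizations differ between endpoints:")
        print("  only on endpoint A:", result["only_a"])
        print("  only on endpoint B:", result["only_b"])
    else:
        print("Both endpoints list the same certificate organizations.")
```

A reported mismatch points to cause 2: one endpoint still holds the out-of-the-box certificates while the other uses the custom set.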
