Upgrade Wizard fails with Warning: Failed to create audit log event for this Server
search cancel

Upgrade Wizard fails with Warning: Failed to create audit log event for this Server

book

Article ID: 205321

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Upgrade Wizard fails with Warning: Failed to create audit log event for this Server when upgrading Symantec Endpoint Protection Manager (SEPM) to 14.3 RU1 and above.

A review of Upgrade-0.log or Stdout.log reveals the following error.

com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Failed to validate the server name in a certificate during Secure Sockets Layer (SSL) initialization.". ClientConnectionId:20c9829b-cad0-490b-afc6-c06e076f71c0

This is followed by a communication error in the Upgrade-0.log: 

2021-08-31 20:49:58.821 THREAD 30 SEVERE: auditUpgradeEvent failed to log upgrade
2021-08-31 20:49:58.821 THREAD 30 WARNING: java.sql.SQLException: SEM: Connect to database failed
 at com.sygate.scm.server.db.util.DatabaseUtilities.getDefaultDatabaseConnection(DatabaseUtilities.java:527)
 at com.sygate.scm.server.db.util.DatabaseUtilities.getDefaultDatabaseConnection(DatabaseUtilities.java:443)
 at com.sygate.scm.server.db.util.DatabaseUtilities.getDefaultDatabaseConnection(DatabaseUtilities.java:412)
 at com.sygate.scm.server.db.util.DatabaseUtilities.getDefaultDatabaseConnection(DatabaseUtilities.java:400)
 at com.sygate.scm.server.upgrade.Upgrade.auditUpgradeEvent(Upgrade.java:2624)
 at com.sygate.scm.server.upgrade.Upgrade.doUpgrade(Upgrade.java:1890)
 at com.sygate.scm.server.upgrade.ui.UpgradeTask.go(UpgradeTask.java:147)
 at com.sygate.scm.server.upgrade.ui.UpgradeProgressPanel$2.construct(UpgradeProgressPanel.java:248)
 at com.sygate.scm.util.SwingWorker$2.run(SwingWorker.java:151)
 at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or in an application resource file: java.naming.factory.initial
 at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:691)
 at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
 at java.naming/javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:342)
 at java.naming/javax.naming.InitialContext.lookup(InitialContext.java:409)
 at com.sygate.scm.server.db.util.DBConnectionProxy.getDataSource(DBConnectionProxy.java:235)
 at com.sygate.scm.server.db.util.DBConnectionProxy.getConnectionBasedOnDataSource(DBConnectionProxy.java:248)
 at com.sygate.scm.server.db.util.DBConnectionProxy.getConnectionFromDataSource(DBConnectionProxy.java:332)
 at com.sygate.scm.server.db.util.DatabaseUtilities.getDefaultDatabaseConnection(DatabaseUtilities.java:465)

Environment

SEPM 14.3 RU1 and above.

Cause

This error occurs when the "Subject Alternative Name" of the certificate differs from the name of the server, or the certificate does not contain the NetBIOS hostname. For example, you renamed your server, though did not generate a new certificate, or you installed a CA-signed certificate with only the FQDN in the Subject and SAN.  During the upgrade to 14.3 RU1 and beyond, the SEPM utilizes TLS 1.2 to connect to the database with the NetBIOS hostname and validates the server certificate.

Steps to reproduce:

  1. Install/configure 14.3 MP1 or earlier SEPM.
  2. Perform one of the following.
    • Change OS server name and reboot.  Do not create new SEPM certificate
      OR
    • Update the server certificate with a CA-signed certificate that only has the FQDN.
  3. Upgrade to 14.3 RU1
  4. When upgrade.bat runs you will receive an error
  5. When viewing Update-0.log or stdout.log you will see the error stated above.

Resolution

  1. Perform a Disaster Recovery to the previous version or revert to a pre-upgrade snapshot if available. 
  2. Disable SSL communication on clients. 
    1. On the console, click Policies > Policy Components > Management Server Lists.
    2. Under Tasks, click Copy the List, and then click Paste List.
    3. Double-click the copy of the list to edit it, and then make the following changes:
      1. Click Use HTTP protocol.
      2. For each server address under Management Servers, click Edit, and then click Customize HTTP port.
        Leave it at the default of 8014. If you use a custom port, use it here.
    4. Click OK, and then click OK again.
    5. Right-click the copy of the list, and then click Assign.
    6. On the console, click Clients > Policies > General Settings.
    7. On the Security Settings tab, uncheck Enable secure communications between the management server and clients by using digital certificates for authentication, and then click OK.
    8. Wait at least three heartbeat cycles after making this change on all groups.
      Note: Make sure that you also configure this setting for the groups that do not inherit from a parent group.
  3. Generate a new Server Certificate.
  4. Perform the intended upgrade to 14.3 RU1 MP1 (14.3.3580) or higher.
  5. Re-enable SSL communication

This will resolve the issue. If you must use the previously generated certificate, perform the following additional steps before completing step 5:

  1. Update the server certificate with the CA-signed certificate that was previously installed, to restore client communications.
  2. Run the MSCW (Management Server Configuration Wizard) -- this update SQL Express with the same certificate.