A.0 Troubleshooting

The following sections provide solutions to the problems you might encounter while using the SSL Management feature.

A Windows agent is not able to launch the CertificateActivator executable

Source: ZENworks; SSL Management.
Explanation: When you initiate a remint, a system update is assigned to all devices, and the future security files are created. At the time of activation, the agent launches the CertificateActivator.exe to activate the certificate. This executable file is not launching due to an issue with Windows.
Action: You need to apply a hot fix, and restart the device. During the next agent refresh the CertificateActivator executable will get launched.

When the Certificate Remint Tool is downloaded, the update packages are treated as malicious software

Source: ZENworks; SSL Management.
Explanation: When you download the Certificate Remint Tool, the update packages are treated as malicious software by the anti-virus software. Consequently, the update abruptly stops.
Action: Do the following on the managed device where you want to install the Certificate Remint Tool:

  1. Manually add System_drive:\windows\novell\zenworks to the exclusion list of the anti-virus software installed on the managed device.

  2. Download the Certificate Remint Tool.

Managed device that was re-imaged during remint is not communicating with the Primary Server

Source: ZENworks; SSL Management.
Explanation: After a remint system update is completed on a device, before the activation date, if the device is re-imaged and registered, it will not be able to communicate with the Primary Server, post activation. This is because the new server certificate is already activated on the Primary Server and the device does not have the new certificate because the system update is not sent to the device again.
Action: You need to unregister and re-register the device. If the system update is not yet baselined, you can use the certificate remint tool to run the system update again.

The activator for a failed certificate activation will only be triggered after an agent refresh

Source: ZENworks; SSL Management.
Explanation: When certificate activation fails due to any error, you have to wait till the next agent refresh to happen for the activator to get triggered.
Action: You can trigger the activator before the next refresh by running the zac refresh command. For more information, see the Status Commands in the ZENworks Command Line Utilities Reference.

The Certificate Remint Tool fails on a device when the Primary Server to which it is registered, has a certificate chain

Source: ZENworks; SSL Management.
Explanation: If the device is registered with a server whose certificate is signed by an intermedidate CA and you try to download the Certificate Remint Tool from a server which has a certificate with lesser number of chains than the registered server, you will receive the following error: CA certificate subject from the CA Certificate chain does not match server certificate issuer.
Action: You need to download the Certificate Remint Tool from the registered Primary Server or from a Primary Server that has the most number of chains.

The Certificate Remint Tool is not created on Primary Servers

Source: ZENworks; SSL Management.
Explanation: The Certificate Remint Tool might not be created on all Primary Servers if the content is not replicated on those servers.
Action: Based on the scenario, the CRT can be downloaded from the following locations:

  • During a CA Remint, the CRT will be available on the current CA server.

  • During a Change CA to Internal, the CRT will be available on the new CA server.

  • During a Change CA to external, the CRT will be available on the server on which the remint is initiated.

  • During a Server Remint, if the current CA is internal, the CRT will be available on the current CA server. If the current CA is external, it will be available on the server on which the remint is initiated.

After a Server Remint the managed device is not able to communicate with the server

Source: ZENworks; SSL Management.
Explanation: If we remint a Primary server certificate, the initial web service file on the managed devices that are registered to this Primary Server will not be updated with the new certificate. If the device is not communicating with the server, the agent will not be able to fall back to the initial web service file because the certificate is not updated.
Action: Run the following commands to un-register and register the device:

  • To Unregister the device: zac unr

  • To register the device: zac reg https://<server_IP>:<port>

Certificate Remint Tool fails on the CA Server

Source: ZENworks; SSL Management.
Explanation: If the CA certificate has expired and you perform the Remint operation, the CRT that is launched on the CA server might fail. If you then double-click the CRT, it will fail again.
Action: Perform the following steps:

  • On Windows: Launch ZENworks_home\install\downloads\system-update\certificate-update\ZENworks_Certificate_Update_Windows.exe and run the -p ZENworks_home\conf\securit\ca.cert command.

  • On Linux: Launch /opt/novell/zenworks/install/downloads/system-update/certificate-update/ZENworks_Certificate_Update_Linux.bin and run the -p /etc/opt/novell/zenworks/security/ca.cert command.

The Agent Version is not getting displayed in the ZENworks Server SSL Certificates panel

Source: ZENworks; SSL Management.
Explanation: The Version column in the ZENworks Server SSL Certificates panel might be empty as soon as the server is installed.
Action: None. Once the agent is registered successfully, the Version column will get populated.

After a remint, security policy versions are incremented

Source: ZENworks; SSL Management.
Explanation: Security policies (Endpoint Security Management and Full Disk Encryption) are encrypted. After a remint, all published policies are resigned and incremented. Sandbox policies are not incremented.
Action: No action required. The incremented policies are automatically applied to devices during the next device refresh.

A server certificate has expired

Explanation: A server certificate has expired due to which the devices are unable to establish an SSL connection with the server. Certificate remint of an expired server certificate cannot be performed in ZCC.
Action: You need to manually replace the expired server certificate with a new server certificate by performing the following steps:

Replacing an internal server certificate with a new internal server certificate

If the internal server certificate of your Windows or Linux Primary Server has expired you can choose to replace the certificate with a new internal server certificate.

  1. Before replacing an internal server certificate with a new internal server certificate, take a reliable backup of the following on all Primary Servers in the Management Zone:

    • Content-Repo Directory: The content-repo directory is located by default in the ZENworks_installation_directory\work directory on Windows and in the /var/opt/novell/zenworks/ on Linux.

      Ensure that the images directory located within the content-repo directory has been successfully backed up.

    • Certificate Authority: For detailed information on how to back up the certificate authority, see Backing Up the Certificate Authority.

    • Embedded Database: For detailed information on how to back up the embedded database, see Backing Up a ZENworks Server.

  2. Enforce the new certificates on the zone by running the following command on any Primary Server whose certificate has expired:

    novell-zenworks-configure -c SSL -Z

    Follow the prompts. Do not remint the Certificate authority, just the server certificate.

    NOTE:If both the Server Certificate and Certificate Authority (CA) have expired, then use the Remint CA option in the ZCC UI to remint the CA, which will remint the expired server certificate as well.

  3. Restart all the ZENworks services on all the Primary Servers in the zone by running the following command at the console prompt of each Primary Server in the zone:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  4. Refresh all the devices, including the Primary Servers, in the zone.

    If only one Primary Server certificate was changed, and if the CA certificate was not changed, and there is more than one Primary Server in the zone, refreshing the Server, Satellites, and managed devices will allow the agent to trust the new server certificate. Refreshes automatically on the next scheduled refresh.

    If there is only one Primary Server in the zone then the Primary Servers, Satellites, and managed devices need to run zac retr to reestablish the trust.

    If any device is not reachable during the refresh, you must first establish a connection with the device, then run the following command at the console prompt of each device to reestablish the trust between the device and the zone:

    zac retr -u zone_administrator_username -p zone_administrator_password

  5. Configure the Authentication Satellites with the new certificates by entering the following command at the Satellite's prompt:

    On Windows: zac authentication server reconfigure (asr) -t all

    On Linux: zac remint-satellite-cert (rsc)

  6. Re-create all the default and custom deployment packages for all the Primary Servers:

    • Default Deployment Packages: At the console prompt of each Primary Server in the zone, enter the novell-zenworks-configure -c CreateExtractorPacks -Z command:

      Custom Deployment Packages: At the console prompt of each Primary Server in the zone, enter the novell-zenworks-configure -c RebuildCustomPacks -Z command

Replacing an external server certificate with a new external server certificate

If the external server certificate of your Windows or Linux Primary Server has expired you can choose to replace the certificate with a new external server certificate issued by your current zone CA.

  1. Before replacing an external server certificate with a new external server certificate, take a reliable backup of the following on all Primary Servers in the Management Zone:

    • Content-Repo Directory: The content-repo directory is located by default in the ZENworks_installation_directory\work directory on Windows and in the /var/opt/novell/zenworks/ on Linux.

      Ensure that the images directory located within the content-repo directory has been successfully backed up.

    • Embedded Database: For detailed information on how to back up the embedded database, see Backing Up the Embedded Sybase SQL Anywhere Database.

  2. Create a certificate signing request (CSR) by providing the hostname (FQDN) of the Primary Server as the subject. Using this CSR, get the new server certificate issued by the external CA.

    For more information on how to create a CSR, see Creating an External Certificate in the ZENworks Server Installation Guide.

  3. Delete the record of the server whose certificate is being renewed, from the zCertificate table in the database by using the query “delete from zCertificate where SubjectUID = <GUID of the Primary Server whose cert has to be renewed”.

  4. At the console prompt of a Primary Server, run the following command with the force ( -f, --force) option.

    zman sacert -f Path_of_the_Primary_Server_in_ZENworks_Control_Center Path_of_Primary_Server_Certificate

    For more information about zman, view the zman man page (man zman) on the device or see zman(1) in the ZENworks Command Line Utilities Reference.

    This adds the certificate of the Primary Server that you specified in the command to the ZENworks database and certificate store.

    NOTE:You must run the command for each server whose certificate you want to replace.

  5. Refresh all the devices, including the Primary Servers, in the zone.

    The Primary Server certificates that were imported in Step 4 are sent to the devices as configuration data.

  6. Enforce the new certificates on the zone by running the following command on any Primary Server whose certificate has expired:

    novell-zenworks-configure -c SSL -Z

    Follow the prompts.

  7. Restart all the ZENworks services on the current Primary Server in the zone by running the following command at the console prompt of the Primary Server:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  8. Refresh all the devices, including the Primary Servers, in the zone.

    If any device is not reachable during the refresh, you must first establish a connection with the device, then run the following command at the console prompt of each device to reestablish the trust between the device and the zone:

    zac retr -u zone_administrator_username -p zone_administrator_password

  9. Configure the Satellites with the new external certificates by entering the following command at the Satellite's prompt:

    zac iac -pk private-key.der -c signed-server_certificate.der -ca signing-authority-public-certificate.der -ks keystore.jks -ksp keystore-pass-phrase -a signed-cert-alias -ks signed-cert-passphrase -u username -p password -rc

  10. Re-create all the default and custom deployment packages for all the Primary Servers:

    • Default Deployment Packages: At the console prompt of each Primary Server in the zone, enter the following command:

      novell-zenworks-configure -c CreateExtractorPacks -Z

    • Custom Deployment Packages: At the console prompt of each Primary Server in the zone, enter the following command:

      novell-zenworks-configure -c RebuildCustomPacks -Z