The following sections provide solutions to the problems you might encounter while using the SSL Management feature.
After upgrading to ZENworks 23.4, Remote Management and Imaging will not work
The Activation Time of the Reminted Certificate is incorrectly displayed as January 1, 1970
Satellite Server Certificate Displays the Old Certificate Even After Changing the CA
After a server remint the security policy data could not be decrypted at the agent side
The lost device does not sync with new CA certificate when device is re-enrolled
Certificate update fails on ZENworks 11 SP2 and earlier versions of the agent
A Windows agent is not able to launch the CertificateActivator executable
Managed device that was re-imaged during remint is not communicating with the Primary Server
The activator for a failed certificate activation will only be triggered after an agent refresh
The Certificate Remint Tool is not created on Primary Servers
After a Server Remint the managed device is not able to communicate with the server
The Agent Version is not getting displayed in the ZENworks Server SSL Certificates panel
Certificate activation fails when the required port is not available
Certificate activation fails on a Windows agent after running the Certificate Remint tool
Certificate activation fails on an internal CA zone post remint CA
The new Satellite promotion fails if a zone contains a reverse proxy
After upgrading to ZENworks 23.4, Remote Management and Imaging will not work
To verify the version of SHA certificate on the Primary Server, perform the following steps:
On Windows Primary Server:
On the Primary Server, navigate to the following path:
C:\Program Files (x86)\Micro Focus\ZENworks\conf\security
Open the ca.der file.
Check the Signature algorithm or Signature hashing algorithm. It should NOT be SHA1.
On Linux Primary Server:
On the Primary Server, navigate to the following path:
/etc/opt/microfocus/zenworks/security
Run the following command:
openssl x509 -in ca.cert -text -noout
Check the Signature algorithm. It should NOT be SHA1.
The Activation Time of the Reminted Certificate is incorrectly displayed as January 1, 1970
The certificate will be activated on January 01, 1970…
Satellite Server Certificate Displays the Old Certificate Even After Changing the CA
While signing the certificate the CA server updates the database (zCertificate) that the certificate is issued to the server. In this case, the certificate is updated, but, while updating the database, it updates that these new certificates are future certificates in the database (authenticatedDeviceId). Since the Primary Server redirected the request, the database will be updated with the old certificate for the Satellite Server.
After a server remint the security policy data could not be decrypted at the agent side
Security Settings Decryption Failed n StackTrace : at Novell.Zenworks.ZESMCoreSetttings.ZESMCoreSetttingsModule.ApplySecuritySettings(String encrSecuritySettings)
The lost device does not sync with new CA certificate when device is re-enrolled
Get the zone CA certificate from the 'Enrollment using Provisioning Package' page and install the certificate on the device manually.
Get the remint system update GUID from ZCC. Go to System Updates > Available System Updates. Click the update name 'ZENworks update for certificate remint' and get the Update GUID.
Use this update GUID to run the following query to set the system update status for the device so that device will renew the device certificate after device sync.
PostgreSQL: update zSystemUpdateDeviceInfo set mdmupdatestatus = 'PENDING_CERTIFICATE_ACTIVATION', mdmstatusmessagekey = 'PENDING_CERTIFICATE_ACTIVATION' where deviceuid in (select zuid from zdevice where hostname='DESKTOP-CTKGTIF') and updateuid=decode('<GUID>', 'hex')
Oracle: update zSystemUpdateDeviceInfo set mdmupdatestatus = 'PENDING_CERTIFICATE_ACTIVATION', mdmstatusmessagekey = 'PENDING_CERTIFICATE_ACTIVATION' where deviceuid in (select zuid from zdevice where hostname='DESKTOP-CTKGTIF') and updateuid=HEXTORAW('<GUID>')
MSSQL: update zSystemUpdateDeviceInfo set mdmupdatestatus = 'PENDING_CERTIFICATE_ACTIVATION', mdmstatusmessagekey = 'PENDING_CERTIFICATE_ACTIVATION' where deviceuid in (select zuid from zdevice where hostname='DESKTOP-CTKGTIF') and updateuid='<GUID>'
Device will now start syncing successfully and will renew the device certificate. This can be confirmed using the system update status in the Finished status.
Certificate update fails on ZENworks 11 SP2 and earlier versions of the agent
Unexpected error occurred during system update Type: System.ArgumentException Message: Requested value '(INFO) (10/01/2018 01:37:59.781) (1168) (ZENUpdater) () (SYSTEM) (SystemUpdate) (FINISHED) (FINISHED) () () () (ZENworks)' was not found. Stack Trace: at System.Enum.Parse(Type enumType, String value, Boolean ignoreCase) at Novell.Zenworks.SystemUpdate.UpdateStatusReader.parseStatusMessage(String statusString, UpdateStatus& status, StatusMessage& message, String& messageDetails) at Novell.Zenworks.SystemUpdate.UpdateStatusReader.readLastStatus(FileInfo updateStatusFile, String updateID, UpdateStatus& status, StatusMessage& message, String& details) at Novell.Zenworks.SystemUpdate.SystemUpdateModule.ApplyUpdate(AssignedSystemUpdatesResponseAssignedSystemUpdate update)
NOTE:Depending on the database, you can use any of the following query to list agents on which the system update has failed and then verify the system update logs on these devices for the exception mentioned above:
On Sybase select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = 0x<update_guid> and s.deviceuid = d.zuid
Where <update_guid> is the system update GUID.
Example: select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = 0x5017040000fc50000000002018111501 and s.deviceuid = d.zuid
On PostgreSQL select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = '\x<update_guid>' and s.deviceuid = d.zuid
Where <update_guid> is the system update GUID.
Example: select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = '\x5017040000fc50000000002018111501' and s.deviceuid = d.zuid
On Microsoft SQL select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = 0x<update_guid> and s.deviceuid = d.zuid
Where <update_guid> is the system update GUID.
Example: select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = 0x5017040000FC50000000002018111501 and s.deviceuid = d.zuid
On Oracle select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = '<update_guid>' and s.deviceuid = d.zuid
Where <update_guid> is the system update GUID.
Example: select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = '5017040000FC50000000002018111501' and s.deviceuid = d.zuid
A Windows agent is not able to launch the CertificateActivator executable
When the Certificate Remint Tool is downloaded, the update packages are treated as malicious software
Manually add System_drive:\windows\novell\zenworks to the exclusion list of the anti-virus software installed on the managed device.
Download the Certificate Remint Tool.
Managed device that was re-imaged during remint is not communicating with the Primary Server
The activator for a failed certificate activation will only be triggered after an agent refresh
The Certificate Remint Tool fails on a device when the Primary Server to which it is registered, has a certificate chain
The Certificate Remint Tool is not created on Primary Servers
During a CA Remint, the CRT will be available on the current CA server.
During a Change CA to Internal, the CRT will be available on the new CA server.
During a Change CA to external, the CRT will be available on the server on which the remint is initiated.
During a Server Remint, if the current CA is internal, the CRT will be available on the current CA server. If the current CA is external, it will be available on the server on which the remint is initiated.
After a Server Remint the managed device is not able to communicate with the server
To Unregister the device: zac unr
To register the device: zac reg https://<server_IP>:<port>
Certificate Remint Tool fails on the CA Server
On Windows: Launch ZENSERVER_home\install\downloads\system-update\certificate-update\ZENworks_Certificate_Update_Windows.exe with -p ZENSERVER_home\conf\security\ca.cert
On Linux: Launch /opt/microfocus/zenworks/install/downloads/system-update/certificate-update/ZENworks_Certificate_Update_Linux.bin with -p /etc/opt/microfocus/zenworks/security/ca.cert
The Agent Version is not getting displayed in the ZENworks Server SSL Certificates panel
After a remint, security policy versions are incremented
A server certificate has expired
From ZENworks 2020 Update 3 onwards, when a Server Certificate is expired, remint can initiated immediately from ZCC, after switching back to legacy login.
Certificate activation fails when the required port is not available
Reconfiguration of the Satellite Server fails after the server is promoted to the Authentication role
A Content Satellite Server is promoted to an Authentication or Collection role, over SSL.
A Content over non-SSL role Satellite Sever is promoted to the Authentication role.
A Content or Collection over non-SSL, Imaging or Join Proxy role Satellite Server is promoted to the Authentication role.
On Windows: zac isc (for more information on this command, see zac for Windows(1) in the ZENworks Command Line Utilities Reference.)
On Linux: zac isc (for more information on this command, see zac for Linux(1) in the ZENworks Command Line Utilities Reference.)
Certificate activation fails on a Windows agent after running the Certificate Remint tool
If this issue occurs, when the certificate has already been activated on the server, rerun the Certificate Remint tool on the agent.
Certificate activation fails on an internal CA zone post remint CA
The new Satellite promotion fails if a zone contains a reverse proxy
Satellite servers using SSL must have external certificates if the zone uses external certificates.
NOTE:When importing the external CA, ensure that the CA contains the proper certificate chain (the private key, signed server certificate, and the root certificate chain).