Mac Management Group

  • 1.  OS X not authenticating with package server over SSL

    Posted Oct 01, 2014 05:17 PM
    Altiris 7.5 with SSL fully implemented. None of my Mac clients will authenticate to the package sources. I'm connecting to the NS and registering with task without issue. My brick wall is when I try to pull a package. I'm sure that it's a certificate issue, and I have two separate environments, one development environment with self-signed certificates and one other environment with third-party certificates. Both examples are acting exactly the same. As far as I know, the only certificate being pushed to the Mac during agent install is the SSL certificate used by the notification server. Losing hair, PSG


  • 2.  RE: OS X not authenticating with package server over SSL

    Posted Oct 02, 2014 04:58 AM


    Hello Powershell_Guru,

    Is a Package Server present in your environment?

    If yes, then you will have to pull the certificate for the PS with the utility "aex-getsscert".

    It is present under the folder below:

    /opt/altiris/notification/nsagent/bin

    Usage:
    aex-getsscert <URL of PS>

    Regards,

    Anil



  • 3.  RE: OS X not authenticating with package server over SSL

    Broadcom Employee
    Posted Oct 02, 2014 05:00 AM

    Hi,

    If the NS and Package Server have a common CA root, then there shouldn't be issues with certificates.

    If all certificates are self-signed (or have different CA roots) then an issue may come up, as during installation the agent has only the NS certificate. In this case you should download the needed certificate to the agent certificate storage. This can be accomplished using an agent tool called 'aex-getsscert'. If you launch it on the command line it will ask you for the URL from which the agent should download the certificate and place it into the trusted list.

    To automate this you can create a Script task (Unix type) on the NS server like:

    echo "yes" | aex-getsscert https://PackageServerUrl


    Thanks,

    AndreiF



  • 4.  RE: OS X not authenticating with package server over SSL

    Posted Oct 02, 2014 11:54 AM

    Thanks for the quick answers. I actually tried aex-getsscert for my dev servers (that are using self-signed NS certs) and the NS and package server both came back with "Certificate is not self signed.  Ignoring"



  • 5.  RE: OS X not authenticating with package server over SSL

    Posted Oct 02, 2014 12:31 PM

    Please describe what type of certificate you are using on your SS/PS and how you created or obtained it. 

    Did you use the AeXGenSiteServerCert.exe utility as explained in kb: http://www.symantec.com/docs/HOWTO93155? 



  • 6.  RE: OS X not authenticating with package server over SSL

    Posted Oct 02, 2014 04:36 PM

    Doug,


    I did send you an email this afternoon.  For the site servers, I did use the AeXGenSiteServerCert.exe servername.fqdn -o filename.pfx -p password. 



  • 7.  RE: OS X not authenticating with package server over SSL

    Posted Oct 29, 2014 09:45 AM

    Andrei,

    Thank you for the follow up. Here are my findings after working with a great Sym Mac Engineer @dougj


    1. I'm using a 3rd party ssl certificate and RootCA for my notification server. 

    2. During installation, the Mac client will copy down whatever root signed that NS certificate.

    3. Site servers are using the cert generated with the aexcertgen tool, which is signed by a different CA.

    NEXT STEPS:

    I'm going to put private SSL certs on all of my site servers which are signed by the same 3rd party root.


    I'll make sure to post my results..


    Thanks!

    PSG



  • 8.  RE: OS X not authenticating with package server over SSL

    Broadcom Employee
    Posted Oct 30, 2014 04:51 PM

    Hi Guru,

    This tool generates a certificate signed by the agent CA placed on the NS.

    The Mac agent has to know this CA in order to verify the SSL connection, so you should import the agent CA cert into the Mac cainfo.pem storage.

    The agent CA certificate is located in trusted root certificates (you can use mmc -> add certificate snap-in).

    Then find the certificate; it should be named like SMP 'hostname' Agent CA. Open this certificate and export it in base64 format without private keys.

    The exported file will contain a base64 string which should be placed into the agent cert storage file (/opt/altiris/notification/nsagent/etc/cainfo.pem). This can be accomplished using a task: create a Unix script task like 'echo "base64 string of certificate" >> /opt/altiris/notification/nsagent/etc/cainfo.pem' and launch such a task on your Mac machines. After that the Mac agent should be able to verify the certificate using the CA cert you have placed.

    Thanks,

    AndreiF




  • 9.  RE: OS X not authenticating with package server over SSL

    Posted Oct 30, 2014 04:58 PM

    Andrei's suggestion will likely work but we don't recommend modifying any of client agent pem files directly. Rather, we recommend following the instructions in this kb article: http://www.symantec.com/docs/HOWTO101458
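    Whichever route is taken to get the agent CA onto the Mac, it is worth confirming what cainfo.pem actually contains afterwards, because a PEM reader silently skips a block whose BEGIN marker was fused onto the previous line (exactly what 'echo ... >>' does when the file lacks a trailing newline) or whose body is a bare base64 string pasted without its markers. The following is an added example, not an Altiris tool or anything posted in this thread: it audits a bundle in the layout cainfo.pem uses, reports whether a given CA is already trusted, and appends it idempotently on its own line. The "certificate" bytes in the test are constructed stand-ins, not real DER.

```python
"""Audit a PEM CA bundle such as the agent's cainfo.pem (added example, stdlib only)."""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)


def parse_bundle(text):
    """Return SHA-256 fingerprints (hex) of every certificate block in a PEM bundle.
    Raise ValueError on defects a PEM reader would otherwise hide: a BEGIN marker
    not at the start of a line, or a block body that is not valid base64."""
    at_line_start = len(re.findall("^" + re.escape(BEGIN), text, re.M))
    if text.count(BEGIN) != at_line_start:
        raise ValueError("BEGIN marker fused onto the previous line; block would be skipped")
    if text.count(BEGIN) != text.count(END):
        raise ValueError("unbalanced BEGIN/END markers")
    fingerprints = []
    for match in BLOCK_RE.finditer(text):
        body = "".join(match.group(1).split())  # tolerate CRLF from a Windows export
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not valid base64: {exc}") from exc
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def bundle_trusts(bundle_text, ca_pem):
    """True when the single certificate in ca_pem is already present in the bundle."""
    (ca_fp,) = parse_bundle(ca_pem)
    return ca_fp in parse_bundle(bundle_text)


def append_ca(bundle_text, ca_pem):
    """Return the bundle with the CA appended once, on its own line; unchanged if present."""
    if bundle_trusts(bundle_text, ca_pem):
        return bundle_text
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + ca_pem.strip() + "\n"


def to_pem(der):
    """Wrap raw bytes in PEM markers at 64 columns (used to build constructed test data)."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END]) + "\n"
```

    Running parse_bundle over the real cainfo.pem after a change (and comparing fingerprints against the CA exported from the NS) shows whether the agent will in fact trust the package server chain, without guessing from connection failures.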