IT Management Suite

  • 1.  Unable to import certificate for https agent connection

    Posted Feb 11, 2024 10:08 PM
    Performed a migration from an old to a new server with the following scenario.
    - from Windows Server 2012 R2 to Windows Server 2019
    - same hostname and IP
    - from 8.5 RU2 to 8.7.1
    - agents are migrated through DNS change
    - Data on an existing server was not migrated
    - Agents with https communication have not been restored
     
    I have been trying to import the old server certificate into the new server/console, but the old certificate does not seem to be imported. The old server certificate did not appear in the certificate list.
     
    If the new console is now up and running, can I still go back to SIM and apply step 9 of this document to restore the previous certificate?
    https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/it-management-suite/ITMS/Getting-Started/migration-scenarios-and-troubleshooting/migrating-to-a-new-smp-server-while-keeping-the-same-hostname-and-ip-address.html#concept.dita_120a6264-5b13-4823-8fbd-f34eccf03677_Step_9
     
    If not, is there a way to restore https agent communication to the new server, with the same hostname and IP?
     
    Regards,
    Ain Abdullah


  • 2.  RE: Unable to import certificate for https agent connection

    Posted Feb 12, 2024 02:03 AM

    Hi Ain! 

    I guess you should be able to import the certificate on the server with mmc/certificate manager and bind it to port 443 on the default website in IIS.

    Regards, 
    Tommy Edstrand




  • 3.  RE: Unable to import certificate for https agent connection

    Broadcom Employee
    Posted Feb 12, 2024 11:48 AM

    Hello Ain,

    Yes, you should be able to go into SIM on the new server and apply the previous NS server configuration (NS certificates, KMS keys, etc.) onto the new NS.  But that is step 10.  Step 9 would still need to happen as well if you have CEM Agents as this step lets you reuse the CEM web site certificate that you had previously.   

    Are you using Cloud Enabled Management (CEM)?

    If so, do CEM Agents have connectivity back to the SMP through VPN, or is connectivity only through CEM?  If only through CEM we need to be extremely careful with any certificate changes, or it may be necessary to reinstall the CEM Agent package again on all CEM systems.

    You could check IIS Bindings for port 4726 on the new server.  Do you have this port bound?  Is the correct certificate being used?  Does it match the CEM Web site certificate listed in Certificate Management?  Port 443 binding should be the NS web site certificate.  Customers sometimes make these the same 3rd party certificate, but we don't recommend that as it's less secure.  By default, Port 4726 and 443 on the SMP have a different certificate, which is seen in IIS Bindings and also the Certificate Management page. (The SMP makes changes to IIS Bindings as certificates change in Certificate Management.  It's not necessary or recommended to change IIS Bindings directly in IIS.)

    If you'd rather have someone walk through this with you on a WebEx, please create a support case and we'd be happy to make sure everything is working and correct.

    Best Regards, Roy
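The binding check Roy describes above can be done from PowerShell without touching the bindings themselves. The script below is an added example, not code from the thread or from Broadcom: it lists the HTTPS bindings IIS has for port 443 (NS web site) and 4726 (CEM web site), looks up the bound certificate in the machine store, then performs a TLS handshake against each port to show which certificate is actually presented to agents, and warns if both ports serve the same one. It assumes it is run as Administrator on the new SMP server with the IIS WebAdministration module installed, and that the server's own computer name is what agents resolve; the port numbers come from the reply above. It is read-only and changes no bindings, so it is consistent with the advice not to edit IIS Bindings directly.

```powershell
# Added example (not from the original thread or Broadcom): read-only check of
# IIS HTTPS bindings and the certificates actually served on the SMP ports.
# Assumptions: run as Administrator on the new SMP; WebAdministration module
# present; 443 = NS web site, 4726 = CEM web site (from the reply above);
# $hostName is the name agents connect to.
Import-Module WebAdministration -ErrorAction Stop

$ports    = 443, 4726
$hostName = $env:COMPUTERNAME   # assumption: same hostname as the old server

# 1. What IIS thinks is bound: port -> certificate thumbprint -> store lookup.
Write-Host "== IIS HTTPS bindings on $hostName =="
$bound = @{}
foreach ($b in (Get-WebBinding -Protocol https)) {
    # bindingInformation looks like "*:443:" or "*:4726:hostname"
    $port  = [int]($b.bindingInformation -split ':')[1]
    $thumb = ($b.certificateHash).ToUpper()
    $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
    $cert  = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
             Where-Object { $_.Thumbprint -eq $thumb }
    if ($cert) {
        "{0,5}  {1}  {2}  expires {3:yyyy-MM-dd}" -f $port, $thumb, $cert.Subject, $cert.NotAfter
    } else {
        # A binding whose certificate is missing from the store is a common
        # post-migration failure: the hash points at a cert that was never imported.
        "{0,5}  {1}  NOT FOUND in Cert:\LocalMachine\$store" -f $port, $thumb
    }
    $bound[$port] = $thumb
}
foreach ($p in $ports) {
    if (-not $bound.ContainsKey($p)) { Write-Warning "No HTTPS binding for port $p" }
}

# 2. What is actually served: open a TLS session and capture the leaf certificate.
function Get-ServedCertificate {
    param([string]$Target, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Target, $Port)
        # Accept any certificate: we only want to observe which one is presented,
        # not validate it. Do not reuse this callback in real client code.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Target)   # SNI = $Target
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Dispose()
    }
}

Write-Host "`n== Certificates presented by TLS handshake =="
$served = @{}
foreach ($p in $ports) {
    try {
        $c = Get-ServedCertificate -Target $hostName -Port $p
        $served[$p] = $c.Thumbprint
        "{0,5}  {1}  {2}  issuer {3}" -f $p, $c.Thumbprint, $c.Subject, $c.Issuer
        if ($bound.ContainsKey($p) -and $bound[$p] -ne $c.Thumbprint) {
            Write-Warning "Port $p serves $($c.Thumbprint) but IIS binding says $($bound[$p])"
        }
    } catch {
        Write-Warning "Port $p : no TLS listener or handshake failed ($($_.Exception.Message))"
    }
}

# 3. Per the reply above, 443 and 4726 should normally carry different certificates.
if ($served[443] -and $served[4726] -and $served[443] -eq $served[4726]) {
    Write-Warning "Ports 443 and 4726 present the same certificate (not recommended)."
}
```

Compare the thumbprints printed under "presented by TLS handshake" with the NS and CEM web site certificates shown on the Certificate Management page; that is the view the agents get, so a mismatch there explains failed HTTPS agent communication even when the IIS binding list looks right.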