michaelsimon
Explorer

fwm sic_reset on dedicated Endpoint Management Server

Hey checkmates,

 

I had an issue with a dedicated Endpoint Management server the customer wanted to migrate to a new location and change the hostname. I know, this usually isn't a good idea but I did this with two SmartCenter servers (one managing a VSX cluster) without Endpoint Management during the last few months and it wasn't as scary as it sounds. 

But the dedicated Endpoint Management just doesn't want to. After migrating the configuration of the old server (R80.40) to the new one (R81), everything was fine. When I did the fwm sic_reset and initialized the CA using cpconfig afterwards, the Gaia WebUI was not accessible anymore. Also, SmartEndpoint couldn't connect to Endpoint Management. SmartConsole was OK, and the status of the management server object was all OK.

I was able to reanimate the Gaia GUI because I found that in /web/conf/extra/httpd-ssl.conf all references to key files and certificates pointed to /opt/CPuepm-R81/engine/conf/ssl/, where you find sic_cert.pem, sic_cert-key.pem, root_sic_cert.pem and some more! There was a comment before each of these entries: "The next line is added/changed automatically by UEPM installation". This seems to be related to R81, because on the R80.40 server the references point to /usr/local/apache2/conf/.

When I changed the references to cert files and keys located in /usr/local/apache2/conf/, I was able to access the Gaia WebUI again. Endpoint Management was still not accessible.

Looking at the cert and key files in /opt/CPuepm-R81/engine/conf/ssl/ it looks like these files have not been changed after fwm sic_reset and ICA initialization.

I did the same test with a fresh VM and only enabled Endpoint Policy Management. I didn't migrate the old configuration, just enabled the blade, tested access using SmartEndpoint, did the fwm sic_reset afterwards and reinitialized the ICA. Same result. Gaia and Endpoint Management are not accessible anymore. Is there any way to get new SIC certificates for the Endpoint Management Server to replace the old ones in that directory?

I had a TAC case open, but as the customer now decided to keep the old hostname, they are not working on this anymore. Seems nobody reported this before. I think it's a bug.

1 Reply
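
The check the post above describes (which certificate and key files httpd-ssl.conf references, and whether the files in the UEPM directory changed after fwm sic_reset), as an added example that is not part of the original post and not Check Point code. It assumes the standard Apache mod_ssl directive names and GNU date and openssl on the host; the sample config and the function names are constructed.

```bash
#!/bin/bash
# Added example (not Check Point code). Assumes the file uses the standard
# Apache mod_ssl directive names; the post only says it references keys/certs.

# Constructed sample modelled on the post; directive-to-file pairing is assumed.
sample_conf() {
cat <<'EOF'
# The next line is added/changed automatically by UEPM installation
SSLCertificateFile /opt/CPuepm-R81/engine/conf/ssl/sic_cert.pem
# The next line is added/changed automatically by UEPM installation
SSLCertificateKeyFile "/opt/CPuepm-R81/engine/conf/ssl/sic_cert-key.pem"
#SSLCACertificateFile /usr/local/apache2/conf/example-ca.crt
EOF
}

# ssl_refs CONF: print "DIRECTIVE PATH" for every active (uncommented) line.
ssl_refs() {
    awk '/^[ \t]*#/ { next }
         $1 ~ /^SSL(Certificate(File|KeyFile|ChainFile)|CACertificateFile)$/ {
             gsub(/"/, "", $2); print $1, $2 }' "$1"
}

# refs_under CONF DIR: only the references whose path lies below DIR.
refs_under() {
    ssl_refs "$1" | awk -v d="${2%/}/" 'index($2, d) == 1'
}

# cert_report CONF: per referenced file, show mtime and (for certificates)
# subject, issuer, start of validity and SHA-256 fingerprint.
cert_report() {
    ssl_refs "$1" | while read -r directive path; do
        if [ ! -r "$path" ]; then
            echo "$directive $path: missing or unreadable"; continue
        fi
        echo "$directive $path (modified $(date -r "$path" '+%F %T'))"
        case "$directive" in
            SSLCertificateKeyFile) ;;   # never print key material
            *) openssl x509 -in "$path" -noout -subject -issuer -startdate \
                   -fingerprint -sha256 | sed 's/^/    /' ;;
        esac
    done
}

# On the server itself, report on the file named in the post.
conf=/web/conf/extra/httpd-ssl.conf
if [ -r "$conf" ]; then
    refs_under "$conf" /opt/CPuepm-R81/engine/conf/ssl
    cert_report "$conf"
fi
```

Running it before and after the reset and comparing the modification times and fingerprints shows whether the files the web server loads were reissued.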
_Val_
Admin

TAC should be able to answer you about whether it is a bug or not.

However, why would you reset your ICA in the first place? Migrating SMS to new IP does not require that. Also, hostname of the new server does not have to be identical to ICA name.
