The Secure Proxy's NGINX log file, /usr/local/nginx/logs/controller.log, shows "Failed to create SSL Connection" with a javax.net.ssl.SSLHandshakeException. This SSL handshake error prevents the Secure Proxy server from registering to the Symantec Mobility Front End.
The same error may also prevent email sync and push functionality when communicating with the EAS/EWS front ends. See the note below on using these same steps to resolve other Java-related SSL connectivity issues.
The SSL certificate installed on the network resource is not trusted by Java.
Note: Several things can cause a Secure Proxy server to fail to register to a Mobility Suite Front End (FE) server or to lose its connectivity to it. First verify that the server has direct outbound access over TCP 443 to the fully qualified domain name (FQDN) of the FE. Also confirm that a local administrative account is being used to register the Secure Proxy to the FE. If this connectivity issue occurs while attempting to send/receive email or register the impersonation account, steps 5 and 6 may be repeated, substituting the internal CAS/EAS/EWS server FQDN for the Mobility FQDN in the commands.
Verify that Oracle JRE 1.8 or later is installed by entering the following, as root: java -version
If the output of the above command contains OpenJDK or an earlier JRE version, remove the OpenJRE package by entering the following, as root: sudo yum -y remove java
Once the RPM, from step 3, has been transferred to the Secure Proxy server, run the following command, as root from the location of the jre-8u45-linux-x64.rpm file, to install Oracle JRE: rpm -ivh jre-8u45-linux-x64.rpm
Once the JRE is successfully installed, transfer the SSL certificate installed on the Mobility Suite FE to the Secure Proxy by entering a command like:
openssl s_client -showcerts -connect <FQDNofMobilityFE>:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >mycertfile.pem
Note: This stores the SSL certificate of the Mobility Suite FE in a file named mycertfile.pem. If troubleshooting Email Proxy to EAS or CAS connectivity, substitute their locations in place of the FQDN of the Mobility Suite FE.
Add the certificate file to the Java trust store by entering the following, as root:
keytool -import -noprompt -trustcacerts -file mycertfile.pem -keystore /usr/java/jre1.8.0_45/lib/security/cacerts
Note: The default Java password is: changeit
Note: If adding additional certificates for the EAS and CAS servers, use the -alias option to give each certificate a specific name. For example:
keytool -import -noprompt -trustcacerts -file cascert.pem -alias cascert -keystore /usr/java/jre1.8.0_45/lib/security/cacerts
Ensure that the latest Secure Email ISO has been downloaded from the Mobility Suite FE by navigating to the Mobility Admin console > Downloads and clicking "Download secure email proxy". Tip: To get to the Mobility admin console, navigate to https://<FQDNofMobility>/admin/login
Transfer the ISO to the Secure Proxy server. Tip: For a step-by-step guide on how to transfer files between Linux and Windows, see HOWTO110248.
Create a new mount point for the ISO by entering the following, as root:
mkdir /mnt/iso
Tip: If the /mnt/iso directory already has an ISO mounted, close any sessions accessing this location and enter: sudo umount /mnt/iso
Mount the transferred ISO to the /mnt/iso directory by entering the following, as root: sudo mount -o loop <PathToSecureProxyISO> /mnt/iso
Change the terminal's directory to /mnt/iso: cd /mnt/iso
Remove any previous installation by entering the following, as root: sudo ./setup.sh --uninstall
After the un-installation completes, re-install by entering the following, as root: sudo ./setup.sh --install
Complete the installation by following the Mobility Suite Administration Guide.
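Steps 5 and 6 above trust whatever certificate the server presents at the moment the openssl command runs. The following added example (not part of the original article or the vendor's tooling) wraps the same openssl and keytool commands so that the import happens only when the certificate's SHA-256 fingerprint matches one obtained separately from the server's administrator. The function names, the KEYSTORE and STOREPASS variables and the out-of-band fingerprint are assumptions.

```shell
#!/bin/sh
# Added example: pin the certificate before trusting it (not vendor code).
# KEYSTORE and STOREPASS default to the values this article uses.
KEYSTORE=${KEYSTORE:-/usr/java/jre1.8.0_45/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# Reduce "SHA256 Fingerprint=AB:CD:..." or plain hex to bare uppercase hex.
normalize_fp() {
    printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same 64-hex-digit SHA-256 fingerprint.
fp_matches() {
    fpm_a=$(normalize_fp "$1")
    fpm_b=$(normalize_fp "$2")
    case "$fpm_a" in
        ""|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fpm_a}" -eq 64 ] && [ "$fpm_a" = "$fpm_b" ]
}

# usage: pin_and_import <host> <expected-sha256> <alias>
# <expected-sha256> is assumed to come from the server's administrator,
# not from the same network connection that is being checked.
pin_and_import() {
    pi_pem=$(mktemp) || return 1
    openssl s_client -showcerts -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$pi_pem" || { rm -f "$pi_pem"; return 1; }
    pi_seen=$(openssl x509 -in "$pi_pem" -noout -fingerprint -sha256)
    if ! fp_matches "$pi_seen" "$2"; then
        echo "Refusing import: $1 presented $pi_seen" >&2
        rm -f "$pi_pem"
        return 2
    fi
    # An explicit alias keeps a second import from colliding with the first.
    if keytool -list -alias "$3" -keystore "$KEYSTORE" -storepass "$STOREPASS" >/dev/null 2>&1; then
        echo "Alias $3 already exists in $KEYSTORE; not overwriting" >&2
        rm -f "$pi_pem"
        return 3
    fi
    keytool -import -noprompt -trustcacerts -alias "$3" -file "$pi_pem" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    pi_rc=$?
    rm -f "$pi_pem"
    return "$pi_rc"
}

# Runs only when called with all three arguments.
if [ "$#" -eq 3 ]; then pin_and_import "$@"; fi
```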