Failed to Connect to Server error when logging into management console
Article ID: 164295

Products

Endpoint Protection

Issue/Introduction

You are no longer able to log into the management console after updating the Symantec Endpoint Protection Manager (SEPM) certificate.

scm-server0/1.log shows:

2016-09-20 15:31:23.367 THREAD 120 SEVERE: in: com.sygate.scm.server.task.SecurityAlertNotifyTask
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
...
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)...

Cause

This problem occurs after importing a SEPM certificate with a key pair larger than 2048 bits. Both the SEPM Java console and the SEPM web console connect to the SEPM Apache server over HTTPS, and the connection fails because Apache selects Diffie-Hellman parameters whose length matches the key length of the SEPM certificate. The Java 8.0 runtime used by the SEPM Tomcat server cannot use DH keys larger than 2048 bits, which is exactly the constraint stated in the logged exception ("Prime size must be multiple of 64, and can only range from 512 to 2048").

Resolution

This issue is resolved in Symantec Endpoint Protection (SEP) 14 RU1. For more information on upgrading, see Upgrade or migrate to Endpoint Protection 14.

As a workaround, configure the SEPM Apache server to use a custom Diffie-Hellman parameters file that contains only 2048-bit DH keys.

  1. Open a command prompt as Administrator.
  2. Change directories to the SEPM Apache binaries folder (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin by default).
  3. Generate a dhparams file using the following command line:

    openssl dhparam -out dhparam.pem 2048

  4. Open the dhparam.pem file generated in the previous step in a text editor and copy its entire contents.
  5. Open the SEPM Apache server certificate (server.crt, located in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl by default) in a text editor, paste the contents of dhparam.pem at the end of the file, and save the changes.
    • Note: Ensure no extra line breaks or whitespace are added.
  6. Restart the Symantec Endpoint Protection Manager, Symantec Endpoint Protection Manager Webserver and Symantec Endpoint Protection Manager API services.

This workaround process will need to be repeated for each SEP Manager.
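The following is an added example, not part of this article and not Symantec/Broadcom code. It checks, offline, the two things that make the workaround above succeed or fail: that the DH PARAMETERS block appended to server.crt carries a prime size Java 8 accepts (a multiple of 64 bits between 512 and 2048, as the logged exception states), and that the block is joined to the certificate with no extra line breaks or whitespace. It parses the PKCS#3-style DER structure (SEQUENCE of INTEGER p, INTEGER g) inside the PEM block, so it works on a real dhparam.pem or a real server.crt; the sample values and the placeholder certificate below are constructed for the demonstration and are not real primes or certificates.

```python
import base64
import re

# Constructed sample values. These are NOT real DH primes; a real dhparam.pem
# comes from "openssl dhparam -out dhparam.pem 2048". Only the bit length
# matters for the check demonstrated here.
CONSTRUCTED_P_2048 = (1 << 2047) | 1   # 2048-bit value: accepted by Java 8
CONSTRUCTED_P_4096 = (1 << 4095) | 1   # 4096-bit value: the size that triggers the error

# Constructed placeholder standing in for the real server.crt body.
SAMPLE_SERVER_CRT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBPLACEHOLDERNOTAREALCERTIFICATE\n"
    "-----END CERTIFICATE-----\n\n"
)

DH_BLOCK_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S
)


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_length(len(raw)) + raw


def encode_dh_params(p: int, g: int) -> str:
    """PEM 'DH PARAMETERS' block wrapping SEQUENCE { INTEGER p, INTEGER g }."""
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(text: str):
    """Return [(p, g), ...] for every DH PARAMETERS block found in text."""
    result = []
    for m in DH_BLOCK_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        tag, seq, _ = _read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError("DH parameters are not a DER SEQUENCE")
        tag_p, p_bytes, pos = _read_tlv(seq, 0)
        tag_g, g_bytes, _ = _read_tlv(seq, pos)
        if tag_p != 0x02 or tag_g != 0x02:
            raise ValueError("expected INTEGER p followed by INTEGER g")
        result.append((int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")))
    return result


def java8_dh_prime_ok(p: int) -> bool:
    """The constraint quoted in the log: multiple of 64 bits, 512..2048 inclusive."""
    bits = p.bit_length()
    return 512 <= bits <= 2048 and bits % 64 == 0


def append_dh_block(cert_text: str, dh_pem: str) -> str:
    """Append dhparam.pem to server.crt with exactly one line break between them."""
    cert = cert_text.rstrip()
    if not cert.endswith("-----END CERTIFICATE-----"):
        raise ValueError("server.crt does not end with a certificate footer")
    return cert + "\n" + dh_pem.strip() + "\n"


def server_crt_ready(text: str) -> bool:
    """True when the file carries exactly one DH block Java 8 accepts and no blank lines."""
    params = parse_dh_params(text)
    return len(params) == 1 and java8_dh_prime_ok(params[0][0]) and "\n\n" not in text


if __name__ == "__main__":
    dh_pem = encode_dh_params(CONSTRUCTED_P_2048, 2)
    combined = append_dh_block(SAMPLE_SERVER_CRT, dh_pem)
    print("server.crt ready:", server_crt_ready(combined))
    print("4096-bit prime accepted by Java 8:", java8_dh_prime_ok(CONSTRUCTED_P_4096))
```

To use it against a real deployment, read the actual dhparam.pem and server.crt from the SEPM Apache folders named in the steps above and pass their contents to parse_dh_params and server_crt_ready before restarting the services; a False result means the file still carries a prime size outside the 512 to 2048-bit range or contains a stray blank line.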