You are no longer able to log into the management console after updating the Symantec Endpoint Protection Manager (SEPM) certificate.
2016-09-20 15:31:23.367 THREAD 120 SEVERE: in: com.sygate.scm.server.task.SecurityAlertNotifyTask
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)...
This problem happens after importing a SEPM certificate with a keypair larger than 2048 bits. The SEPM Java and Web consoles both attempt to connect to the SEPM Apache server over HTTPS and fail because the Apache server uses Diffie-Hellman parameters whose length matches the key length of the SEPM certificate. The Java 8.0 implementation used by the SEPM Tomcat server cannot use DH keys larger than 2048 bits.
As a workaround, configure the SEPM Apache server to use a custom Diffie-Hellman parameters file that contains only 2048-bit DH keys.
Open a command prompt as Administrator.
Change directories to the SEPM Apache binaries folder (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin by default).
Generate a dhparam file using the following command line:
openssl dhparam -out dhparam.pem 2048
Open the dhparam.pem file, generated in the previous step, in a text editor and copy the entire contents.
Open the SEPM Apache server certificate (server.crt, located in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl) in a text editor, paste the contents of the dhparam.pem file at the end of the file, and save the changes.
Note: Ensure no extra line breaks or whitespace are added.
Restart the Symantec Endpoint Protection Manager and Symantec Endpoint Protection Manager Webserver services.
This workaround process will need to be repeated for each SEP Manager.
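As an added check that is not part of the original article or of SEPM itself, the following Python script verifies, before the services are restarted, that every DH PARAMETERS block in a PEM file falls within the 512 to 2048-bit range quoted in the error message, and joins server.crt and dhparam.pem with no stray whitespace. The make_constructed_dh_pem helper builds a constructed, non-prime test block only so the check can be exercised offline; the file paths and names are assumed from the steps above.

```python
import base64, re

# Matches each PEM "DH PARAMETERS" block, the format that openssl dhparam writes.
_DH_BLOCK = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(buf, i):
    # Decode a DER length at buf[i]; return (length, index where content starts).
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_prime_bits(der):
    # PKCS#3 DHParameter is SEQUENCE { INTEGER p, INTEGER g }; return the bit length of p.
    _, i = _der_len(der, 1)
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("not a DER SEQUENCE starting with INTEGER p")
    plen, i = _der_len(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def dh_param_sizes(pem_text):
    # Prime size in bits for every DH PARAMETERS block found in the PEM text.
    return [dh_prime_bits(base64.b64decode("".join(b.split()))) for b in _DH_BLOCK.findall(pem_text)]

def java8_compatible(pem_text):
    # The constraint quoted in the SEPM error: a multiple of 64 bits, 512..2048 inclusive.
    sizes = dh_param_sizes(pem_text)
    return bool(sizes) and all(512 <= s <= 2048 and s % 64 == 0 for s in sizes)

def append_dhparams(cert_text, dh_text):
    # Join server.crt and dhparam.pem with exactly one newline and no stray blank lines.
    return cert_text.rstrip("\r\n") + "\n" + dh_text.strip() + "\n"

def _der_tlv(tag, content):
    # Minimal DER tag-length-value encoder (short- and long-form lengths).
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def make_constructed_dh_pem(bits):
    # Constructed test input only: p has the requested bit length but is NOT a real prime.
    p = (1 << (bits - 1)) | 1
    pb = p.to_bytes((bits + 7) // 8, "big")
    if pb[0] & 0x80:
        pb = b"\x00" + pb  # keep the DER INTEGER positive
    der = _der_tlv(0x30, _der_tlv(0x02, pb) + _der_tlv(0x02, b"\x02"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n" + body + "\n-----END DH PARAMETERS-----\n"
```

Run dh_param_sizes over the real dhparam.pem (and over the merged server.crt) and expect [2048]; a larger value means the Tomcat console will hit the same SSLException after restart.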