A.0 Troubleshooting

The following sections provide solutions to the problems you might encounter while using the SSL Management feature.

After upgrading to ZENworks 23.4, Remote Management and Imaging will not work

Explanation: The SHA-1 certificate is NOT supported from ZENworks 23.3 onwards and will break Remote Management and Imaging.
Action: From ZENworks 23.3 onwards, Remote Management and Imaging require the CA as well as the Primary Server certificates to be SHA-2 certificates, so it is advised to migrate them to SHA-2 certificates. For more information, see Reminting the Certificate Authority and Reminting Server Certificates.

To verify the version of SHA certificate on the Primary Server, perform the following steps:

On Windows Primary Server:

  1. On the Primary Server, navigate to the following path:

    C:\Program Files (x86)\Micro Focus\ZENworks\conf\security

  2. Open the ca.der file.

  3. Check the Signature algorithm or Signature hashing algorithm. It should NOT be SHA1.

On Linux Primary Server:

  1. On the Primary Server, navigate to the following path:

    /etc/opt/microfocus/zenworks/security

  2. Run the following command:

    openssl x509 -in ca.cert -text -noout

  3. Check the Signature algorithm. It should NOT be SHA1.

The Activation Time of the Reminted Certificate is incorrectly displayed as January 1, 1970

Explanation: In the ZENworks Server SSL Certificates page, when you remint the certificate, the following message is displayed.

The certificate will be activated on January 01, 1970…

Action: Ignore the displayed message.

Satellite Server Certificate Displays the Old Certificate Even After Changing the CA

Explanation: In ZENworks Control Center, the Satellite Server Certificate displays the old certificate even after changing the CA.
Possible Cause: During remint, when the Satellite requests for certificates, the CA server will be at the top of the list followed by the config servers. If the CA server fails to provide the certificate, the Satellite Server contacts the closest config server for the certificate, and the Primary Server redirects the call to the CA server.

While signing the certificate the CA server updates the database (zCertificate) that the certificate is issued to the server. In this case, the certificate is updated, but, while updating the database, it updates that these new certificates are future certificates in the database (authenticatedDeviceId). Since the Primary Server redirected the request, the database will be updated with the old certificate for the Satellite Server.

Action: Remint the Satellite Server certificate after the package rebuilding is completed on the CA Server.

After a server remint the security policy data could not be decrypted at the agent side

Explanation: After a server certificate remint, the security policy data could not be decrypted at the agent side as the security policy data is signed with the Primary Server certificate when it was created, and post remint the signature verification fails at the agent, and the following exception is logged:

Security Settings Decryption Failed n StackTrace : at Novell.Zenworks.ZESMCoreSetttings.ZESMCoreSetttingsModule.ApplySecuritySettings(String encrSecuritySettings)

Action: When only the Primary server certificate is reminted, run microfocus-zenworks-configure -c SignEncryptedDataConfigureAction -Z to re-encrypt the policy data with the new server certificate.

The lost device does not sync with new CA certificate when device is re-enrolled

Explanation: When a device is lost and you try to re-enroll the device after the zone has a new CA certificate, the device fails to sync with the new certificate.
Action: Perform the following steps:
  1. Get the zone CA certificate from the 'Enrollment using Provisioning Package' page and install the certificate on the device manually.

  2. Get the remint system update GUID from ZCC. Go to System Updates > Available System Updates. Click the update name 'ZENworks update for certificate remint' and get the Update GUID.

  3. Use this update GUID to run the following query to set the system update status for the device so that device will renew the device certificate after device sync.

    • PostgreSQL: update zSystemUpdateDeviceInfo set mdmupdatestatus = 'PENDING_CERTIFICATE_ACTIVATION', mdmstatusmessagekey = 'PENDING_CERTIFICATE_ACTIVATION' where deviceuid in (select zuid from zdevice where hostname='DESKTOP-CTKGTIF') and updateuid=decode('<GUID>', 'hex')

    • Oracle: update zSystemUpdateDeviceInfo set mdmupdatestatus = 'PENDING_CERTIFICATE_ACTIVATION', mdmstatusmessagekey = 'PENDING_CERTIFICATE_ACTIVATION' where deviceuid in (select zuid from zdevice where hostname='DESKTOP-CTKGTIF') and updateuid=HEXTORAW('<GUID>')

    • MSSQL: update zSystemUpdateDeviceInfo set mdmupdatestatus = 'PENDING_CERTIFICATE_ACTIVATION', mdmstatusmessagekey = 'PENDING_CERTIFICATE_ACTIVATION' where deviceuid in (select zuid from zdevice where hostname='DESKTOP-CTKGTIF') and updateuid='<GUID>'

  4. Device will now start syncing successfully and will renew the device certificate. This can be confirmed using the system update status in the Finished status.

Certificate update fails on ZENworks 11 SP2 and earlier versions of the agent

Explanation: When you deploy certificate remint updates to ZENworks 11 SP2 and earlier version of the agent, the System Update status is displayed as Error on the agents and in ZENworks Control Center, even after the update is applied successfully.
Symptom: An exception similar to the example displayed below is logged in the system update logs on the agent:
Unexpected error occurred during system update
Type: System.ArgumentException
Message: Requested value '(INFO) (10/01/2018 01:37:59.781) (1168) (ZENUpdater) () (SYSTEM) (SystemUpdate) (FINISHED) (FINISHED) () () () (ZENworks)' was not found.
Stack Trace:
at System.Enum.Parse(Type enumType, String value, Boolean ignoreCase)
at Novell.Zenworks.SystemUpdate.UpdateStatusReader.parseStatusMessage(String statusString, UpdateStatus& status, StatusMessage& message, String& messageDetails)
at Novell.Zenworks.SystemUpdate.UpdateStatusReader.readLastStatus(FileInfo updateStatusFile, String updateID, UpdateStatus& status, StatusMessage& message, String& details)
at Novell.Zenworks.SystemUpdate.SystemUpdateModule.ApplyUpdate(AssignedSystemUpdatesResponseAssignedSystemUpdate update)

NOTE:Depending on the database, you can use any of the following query to list agents on which the system update has failed and then verify the system update logs on these devices for the exception mentioned above:

  • On Sybase select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = 0x<update_guid> and s.deviceuid = d.zuid

    Where <update_guid> is the system update GUID.

    Example: select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = 0x5017040000fc50000000002018111501 and s.deviceuid = d.zuid

  • On PostgreSQL select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = '\x<update_guid>' and s.deviceuid = d.zuid

    Where <update_guid> is the system update GUID.

    Example: select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = '\x5017040000fc50000000002018111501' and s.deviceuid = d.zuid

  • On Microsoft SQL select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = 0x<update_guid> and s.deviceuid = d.zuid

    Where <update_guid> is the system update GUID.

    Example: select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = 0x5017040000FC50000000002018111501 and s.deviceuid = d.zuid

  • On Oracle select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = '<update_guid>' and s.deviceuid = d.zuid

    Where <update_guid> is the system update GUID.

    Example: select d.hostname, d.zuid, d.agentversion, s.updatestatus from zsystemupdatedeviceinfo s, zdevice d where s.updatestatus = 'ERROR' and s.updateuid = '5017040000FC50000000002018111501' and s.deviceuid = d.zuid

Action: Ignore the update on agents, on which the update has failed, and wait for the new certificate to get activated on the agents (activation date). After the certificate is activated, verify the agent-server communication. If the agent and server are able to communicate with each other, then ignore the displayed Certificate Update status.

A Windows agent is not able to launch the CertificateActivator executable

Source: ZENworks; SSL Management.
Explanation: When you initiate a remint, a system update is assigned to all devices, and the future security files are created. At the time of activation, the agent launches the CertificateActivator.exe to activate the certificate. This executable file is not launching due to an issue with Windows.
Action: You need to apply a hot fix, and restart the device. During the next agent refresh the CertificateActivator executable will get launched.

When the Certificate Remint Tool is downloaded, the update packages are treated as malicious software

Source: ZENworks; SSL Management.
Explanation: When you download the Certificate Remint Tool, the update packages are treated as malicious software by the anti-virus software. Consequently, the update abruptly stops.
Action: Do the following on the managed device where you want to install the Certificate Remint Tool:
  1. Manually add System_drive:\windows\novell\zenworks to the exclusion list of the anti-virus software installed on the managed device.

  2. Download the Certificate Remint Tool.

Managed device that was re-imaged during remint is not communicating with the Primary Server

Source: ZENworks; SSL Management.
Explanation: After a remint system update is completed on a device, before the activation date, if the device is re-imaged and registered, it will not be able to communicate with the Primary Server, post activation. This is because the new server certificate is already activated on the Primary Server and the device does not have the new certificate because the system update is not sent to the device again.
Action: You need to unregister and re-register the device. If the system update is not yet baselined, you can use the certificate remint tool to run the system update again.

The activator for a failed certificate activation will only be triggered after an agent refresh

Source: ZENworks; SSL Management.
Explanation: When certificate activation fails due to any error, you have to wait till the next agent refresh to happen for the activator to get triggered.
Action: You can trigger the activator before the next refresh by running the zac refresh command. For more information, see the Status Commands in the ZENworks Command Line Utilities Reference.

The Certificate Remint Tool fails on a device when the Primary Server to which it is registered, has a certificate chain

Source: ZENworks; SSL Management.
Explanation: If the device is registered with a server whose certificate is signed by an intermedidate CA and you try to download the Certificate Remint Tool from a server which has a certificate with lesser number of chains than the registered server, you will receive the following error: CA certificate subject from the CA Certificate chain does not match server certificate issuer.
Action: You need to download the Certificate Remint Tool from the registered Primary Server or from a Primary Server that has the most number of chains.

The Certificate Remint Tool is not created on Primary Servers

Source: ZENworks; SSL Management.
Explanation: The Certificate Remint Tool might not be created on all Primary Servers if the content is not replicated on those servers.
Action: Based on the scenario, the CRT can be downloaded from the following locations:
  • During a CA Remint, the CRT will be available on the current CA server.

  • During a Change CA to Internal, the CRT will be available on the new CA server.

  • During a Change CA to external, the CRT will be available on the server on which the remint is initiated.

  • During a Server Remint, if the current CA is internal, the CRT will be available on the current CA server. If the current CA is external, it will be available on the server on which the remint is initiated.

After a Server Remint the managed device is not able to communicate with the server

Source: ZENworks; SSL Management.
Explanation: If we remint a Primary server certificate, the initial web service file on the managed devices that are registered to this Primary Server will not be updated with the new certificate. If the device is not communicating with the server, the agent will not be able to fall back to the initial web service file because the certificate is not updated.
Action: Run the following commands to un-register and register the device:
  • To Unregister the device: zac unr

  • To register the device: zac reg https://<server_IP>:<port>

Certificate Remint Tool fails on the CA Server

Source: ZENworks; SSL Management.
Explanation: If the CA certificate has expired and you perform the Remint operation, the CRT that is launched on the CA server might fail. If you then double-click the CRT, it will fail again.
Action: Perform the following steps:
  • On Windows: Launch ZENSERVER_home\install\downloads\system-update\certificate-update\ZENworks_Certificate_Update_Windows.exe with -p ZENSERVER_home\conf\security\ca.cert

  • On Linux: Launch /opt/microfocus/zenworks/install/downloads/system-update/certificate-update/ZENworks_Certificate_Update_Linux.bin with -p /etc/opt/microfocus/zenworks/security/ca.cert

The Agent Version is not getting displayed in the ZENworks Server SSL Certificates panel

Source: ZENworks; SSL Management.
Explanation: The Version column in the ZENworks Server SSL Certificates panel might be empty as soon as the server is installed.
Action: None. Once the agent is registered successfully, the Version column will get populated.

After a remint, security policy versions are incremented

Source: ZENworks; SSL Management.
Explanation: Security policies (Endpoint Security Management and Full Disk Encryption) are encrypted. After a remint, all published policies are resigned and incremented. Sandbox policies are not incremented.
Action: No action required. The incremented policies are automatically applied to devices during the next device refresh.

A server certificate has expired

Explanation: A server certificate has expired due to which the devices are unable to establish an SSL connection with the server.
Action: Switch back to the legacy ZCC login by Disabling OSP Login in ZCC and then remint the server certificate (Section 1.3, Managing the Server Certificates).

From ZENworks 2020 Update 3 onwards, when a Server Certificate is expired, remint can initiated immediately from ZCC, after switching back to legacy login.

Certificate activation fails when the required port is not available

Source: ZENworks
Explanation: Certificate activation fails on Primary Servers when port 6001 is used by another process.
Action: Ensure that port 6001 is not used by any other process.

Reconfiguration of the Satellite Server fails after the server is promoted to the Authentication role

Source: ZENworks
Explanation: In an external CA zone, reconfiguration of the Satellite Server fails with the Authentication servers must have external certificates if zone uses external certificate error. This error occurs due to the Satellite Server certificate getting deleted after the Satellite Server is promoted to the Authentication role in the following scenarios:
  • A Content Satellite Server is promoted to an Authentication or Collection role, over SSL.

  • A Content over non-SSL role Satellite Sever is promoted to the Authentication role.

  • A Content or Collection over non-SSL, Imaging or Join Proxy role Satellite Server is promoted to the Authentication role.

Action: Re-import the server certificate by executing the following command on the Satellite Server:
  • On Windows: zac isc (for more information on this command, see zac for Windows(1) in the ZENworks Command Line Utilities Reference.)

  • On Linux: zac isc (for more information on this command, see zac for Linux(1) in the ZENworks Command Line Utilities Reference.)

Certificate activation fails on a Windows agent after running the Certificate Remint tool

Source: ZENworks
Explanation: When trying to remint a CA certificate by running the Certificate Remint Tool on a Windows agent, the Windows agent was unable to establish an SSL connection to the server; hence, the server certificate activation failed.
Action: Before initiating the CA remint, you need to ensure that the server is reachable.

If this issue occurs, when the certificate has already been activated on the server, rerun the Certificate Remint tool on the agent.

Certificate activation fails on an internal CA zone post remint CA

Source: ZENworks
Explanation: Certificate activation fails on an internal CA zone because the certificate remint tool was not able to establish an SSL connection to the server.
Action: Run the certificate remint tool and refresh ZENworks System Update Service (ZeUS) to activate the certificate.

The new Satellite promotion fails if a zone contains a reverse proxy

Explanation: When trying to promote an agent as a satellite, the following error message was displayed:

Satellite servers using SSL must have external certificates if the zone uses external certificates.

Action: Ensure that the Primary Server, Satellite Server, and Reverse Proxy certificates are issued by the same certificate authority.

NOTE:When importing the external CA, ensure that the CA contains the proper certificate chain (the private key, signed server certificate, and the root certificate chain).