When installing the Symantec Endpoint Protection Manager using the same hostname, the KeyStore file is not retrieved from the database

Article:TECH103158  |  Created: 2007-01-24  |  Updated: 2010-08-14  |  Article URL http://www.symantec.com/docs/TECH103158
Article Type
Technical Solution


Issue



After installing Symantec Endpoint Protection Manager (SEPM) to an existing site, logging on to the console generates a "Failed to connect to the server" error message.

Symptoms
The Symantec Endpoint Protection Manager service starts, a "Failed to connect to the server" error message is generated when logging on

  • The "<Install Dir>\Tomcat\Logs\catalina.out" log file displays the following error message: "java.io.FileNotFoundException: C:\Program Files\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks (The system cannot find the file specified)"


Note: The <Install Dir> directory depends on where Symantec Endpoint Protection Manager is installed. i.e. "C:\Program Files\Symantec\Symantec Endpoint Protection Manager"

Other Symptoms:
In the <Install Dir>\Tomcat\etc folder the keystore.jks file is missing.
Managed clients cannot connect to the Symantec Endpoint Protection Manager server and display the error message  "<ParseHTTPStatusCode:>503=>503 SERVICE NOT AVAILABLE" in the sylink.log file.


Cause



After installing, recovering, or reinstalling Symantec Endpoint Protection Manager on the same computer, or on a different computer, with the same host name as the previous computer name and you are using the same database.


Solution



A copy of the server certificate will be required to accomplish this work around.
If a copy of the server certificate is not available and this is a clean install on a system with the same host name as a previous system, copy the certificate files from the previous computer.

The two certificate files are:

  1. <Install Dir>\Tomcat\etc\keystroke.jks
  2. <Install Dir>\Tomcat\conf\server.xml

Note: The <Install Dir> directory depends on where Symantec Endpoint Protection Manager is installed. i.e. "C:\Program Files\Symantec\Symantec Endpoint Protection Manager"

Issue Resolution:

  1. Stop the Symantec Endpoint Protection Manager service.
  2. Copy the backup "keystore.jks" file into "<Install Dir>\Tomcat\etc" folder.
  3. Open the "<Install Dir>\Tomcat\conf" folder.
  4. Rename the "server.xml" file to "server.old.xml".
  5. Copy the backup "server.xml" file into this folder.
  6. Open the "server.old.xml" file.
  7. Copy the path in the "keystoreFile" value under the "Factory" tag.
    Example:  <FactoryclassName="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" keystoreFile="C:\Program Files\Symantec Endpoint Protection Manager\tomcat\etc\keystroke.jks" keystorePass="changeit" protocol="TLS"/>
  8. Copy "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks".
  9. Open the "server.xml" file.
  10. Paste the "KeystoreFile" path of the "server.old.xml" file into the "KeystoreFile" path of the current "server.xml" file.
  11. Save the "server.xml" file.
  12. Start the Symantec Endpoint Protection Manager service.
Optional: Delete the "server.old.xml" file

If a backup of the previous server certificate cannot be obtained, the SEPM install must be accomplished with a different host name. This will force Symantec Endpoint Protection Manager to generate a new server certificate, which will also cause communication between the server and the clients to break.

Issue Prevention:
To prevent this issue the future, accomplish the following steps before moving the Symantec Endpoint Protection Manager server. (This will require at least two servers in the site.)

Note: If the Embedded database is being used, there cannot be two servers in a site.
  1. Back up the server certificate.
  2. Uninstall the Symantec Endpoint Protection Manager to be moved.
  3. Using a running Symantec Endpoint Protection Manager server, log into Symantec Endpoint Protection Manager and delete the server entry of the server being moved from the "Admin > Servers" screen.
  4. Install the Symantec Endpoint Protection Manager (SEPM) server on the new computer.
  5. Use the "Add this server to an existing site" configuration option.
  6. Login to the SEPM console of the newly installed Symantec Endpoint Protection Manager server
  7. Restore the server certificate using the backup certificate (Admin > Server screen).





Supplemental Materials

Value1182241

Legacy ID



2007122510020648


Article URL http://www.symantec.com/docs/TECH103158


Terms of use for this information are found in Legal Notices