11.4.x System Update fails to apply

  • 7017257
  • 12-Feb-2016
  • 20-Oct-2016

Environment


Novell ZENworks Configuration Management 11.4 System Update

Microsoft Windows Server

Situation

An 11.4.x update fails to apply to a Windows Primary Server

From zeus-messages.log:

ERROR: 
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [Exception doing custom validation of self-signed ZENworks CA.signature check failed] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [ConnectionManager] [] [***************** Exception Dump ***********************] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [ConnectionManager] [] [Unhandled IOException in ping method.] [] [] [] [ZeUSService]
-------
[] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [ConnectionManager] [] [Message: Socket Closed] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [ConnectionManager] [] [Exception Type: class java.net.SocketException] [] [] [] [ZeUSService]

The ConnectionManager marks the servers as BAD when the ping fails because of the certificate validation error below:

[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [Exception occured while checking server trusted] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] []
---------
[] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [Message: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [Exception Type: class sun.security.validator.ValidatorException] [] [] [] [ZeUSService]
  [DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [SSLHandshakeException while attempting handshake. Possibility of ca.cert being changed. Retrying the handshake after re-importing the ca.cert into truststore. ] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed] [] [] [] [ZeUSService]

Resolution

This is fixed in version 11.4.3 - see KB 7017820 "ZENworks Configuration Management 11.4.3 - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7017820

For 11.4.0-11.4.2:

1. Go to ZCC->Configuration->Certificates tab->Zone Certificate Authority->View Certificate. Take note of the details.

Note: For extra verification, open C:\Program Files (x86)\Novell\ZENworks\conf\security\ca.der on the server and take note of details regarding the CA here.

2. Run certmgr.msc

3. Navigate to Trusted Root Certificates->Certificates

4. You will find 2 or more ZENworks CA certificates here. Delete the extra CA certificate(s), but do not delete the certificate whose details match the one found in ZCC.

Note: As a precaution, you can export any extra certificates before deleting them.

5. Run the zac zeus-ref command on the primary server. If the update deployment has already been cancelled, reassign the system update deployment in ZCC and run zac zeus-ref afterwards.
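
For steps 1 to 4, the comparison can be done by thumbprint instead of by eye. The PowerShell below is an added example, not part of the original article or of ZENworks: it reads ca.der, lists root-store certificates with the same subject, marks which one matches, and exports the others as the precaution note suggests. The backup folder is hypothetical, and filtering on the zone CA's subject is an assumption about how the extra certificates are named.

```powershell
# Added example, not Novell's own tooling. It exports copies but deletes nothing.
# Path taken from the note under step 1 of this article.
$caPath    = 'C:\Program Files (x86)\Novell\ZENworks\conf\security\ca.der'
# Hypothetical backup folder for the precautionary export.
$backupDir = 'C:\Temp\zenworks-ca-backup'

# Load the zone CA the server actually uses.
$zoneCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $caPath
Write-Output ("Zone CA subject   : " + $zoneCa.Subject)
Write-Output ("Zone CA thumbprint: " + $zoneCa.Thumbprint)

# certmgr.msc opens the current user's certificate view; list the machine store as well.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

# Assumption: extra ZENworks CA certificates carry the same subject as the
# current zone CA. Widen this filter if yours are named differently.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -eq $zoneCa.Subject } |
        Select-Object @{ n = 'Store'; e = { $store } },
                      Thumbprint, SerialNumber, NotBefore, NotAfter,
                      @{ n = 'MatchesZoneCA'; e = { $_.Thumbprint -eq $zoneCa.Thumbprint } }
}
$found | Sort-Object Store, NotBefore | Format-Table -AutoSize

# Precaution from the note under step 4: export each non-matching
# certificate (DER encoded) before you remove it by hand.
$extras = $found | Where-Object { -not $_.MatchesZoneCA }
if ($extras) {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    foreach ($e in $extras) {
        $cert = Get-Item -Path (Join-Path $e.Store $e.Thumbprint)
        $file = Join-Path $backupDir ($e.Thumbprint + '.cer')
        [System.IO.File]::WriteAllBytes($file, $cert.Export('Cert'))
        Write-Output ("Exported extra CA certificate " + $e.Thumbprint + " from " + $e.Store)
    }
}
```

Rows with MatchesZoneCA set to False are the candidates for removal in step 4; confirm the matching thumbprint against the certificate shown in ZCC before deleting anything.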

Cause

During a system update, ZeUS does not validate against the correct CA certificate while ignoring the other, extra CA certificates.
