Environment
Novell ZENworks Configuration Management 11.4 System Update
Microsoft Windows Server
Situation
An 11.4.x update fails to apply to a Windows Primary Server
From zeus-messages.log:
ERROR:
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [Exception doing custom validation of self-signed ZENworks CA.signature check failed] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [ConnectionManager] [] [***************** Exception Dump ***********************] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [ConnectionManager] [] [Unhandled IOException in ping method.] [] [] [] [ZeUSService]
-------
[] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [ConnectionManager] [] [Message: Socket Closed] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [ConnectionManager] [] [Exception Type: class java.net.SocketException] [] [] [] [ZeUSService]
The ConnectionManager marks the servers as BAD during ping failure because of the certificate validation error below:
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [Exception occured while checking server trusted] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] []
---------
[] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [Message: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [Exception Type: class sun.security.validator.ValidatorException] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [SSLHandshakeException while attempting handshake. Possibility of ca.cert being changed. Retrying the handshake after re-importing the ca.cert into truststore. ] [] [] [] [ZeUSService]
[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] [TrustManager] [] [PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed] [] [] [] [ZeUSService]
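To check a full zeus-messages.log for this signature, the following added example (not part of the original article or of ZENworks) parses the bracketed entries shown above and counts the TrustManager and ConnectionManager failures. The function names are hypothetical, and the field layout is assumed from the quoted entries only.

```python
import re

# Field layout assumed from the entries quoted in this article:
# [level] [timestamp] [pid] [agent] [n] [] [component] [] [message] ...
ENTRY = re.compile(
    r"\[(?P<level>[A-Z]+)\] \[(?P<ts>\d{2}/\d{2}/\d{4} [\d:.]+)\] \[(?P<pid>\d+)\]"
    r" \[[^\]]*\] \[[^\]]*\] \[[^\]]*\] \[(?P<component>[^\]]*)\] \[[^\]]*\]"
    r" \[(?P<message>[^\]]*)\]"
)
# Message fragments that appear in the excerpt for this failure.
TRUST_MARKERS = ("signature check failed", "PKIX path validation failed")
SOCKET_MARKER = "Socket Closed"

def parse_entries(text):
    """Return one dict per complete entry, even when entries share a line."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def triage(text):
    """Summarise whether the log shows the CA trust failure described here."""
    entries = parse_entries(text)
    trust = [e for e in entries if e["component"] == "TrustManager"
             and any(k in e["message"] for k in TRUST_MARKERS)]
    ping = [e for e in entries if e["component"] == "ConnectionManager"
            and SOCKET_MARKER in e["message"]]
    return {
        "entries": len(entries),
        "trust_failures": len(trust),
        "ping_failures": len(ping),
        "first_seen": trust[0]["ts"] if trust else None,
        "ca_trust_issue": bool(trust),
    }

# Sample input: four entries copied from the excerpt above, run together on
# one line as in the article, followed by a truncated fragment to be skipped.
P = "[DEBUG] [01/18/2016 13:59:47.938] [2692] [ZeUSAgent] [791] [] "
T = " [] [] [] [ZeUSService]"
SAMPLE = " ".join([
    P + "[TrustManager] [] [Exception doing custom validation of self-signed ZENworks CA.signature check failed]" + T,
    P + "[ConnectionManager] [] [Unhandled IOException in ping method.]" + T,
    P + "[ConnectionManager] [] [Message: Socket Closed]" + T,
    P + "[TrustManager] [] [Message: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed]" + T,
    "[] [] [] [ZeUSService]",
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with ca_trust_issue set on a Primary Server running 11.4.0-11.4.2 points to the certificate cleanup in the Resolution section.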
Resolution
This is fixed in version 11.4.3. See KB 7017820, "ZENworks Configuration Management 11.4.3 - update information and list of fixes", which can be found at https://support.microfocus.com/kb/doc.php?id=7017820
For 11.4.0-11.4.2:
1. Go to ZCC->Configuration->Certificates tab->Zone Certificate Authority->View Certificate. Take note of the details.
Note: For extra verification, open C:\Program Files (x86)\Novell\ZENworks\conf\security\ca.der on the server and take note of details regarding the CA here.
2. Run certmgr.msc
3. Navigate to Trusted Root Certificates->Certificates
4. You will find 2 or more ZENworks CA certificates here. Delete the extra CA certificate(s), but do not delete the certificate whose details match the one found in ZCC.
Note: As a precaution, you can export any extra certificates before deleting them
5. Run the zac zeus-ref command on the primary server. If the update deployment has already been cancelled, reassign the system update deployment in ZCC and run zac zeus-ref afterwards.
Cause
The ZEUS update process does not validate the correct CA certificate while ignoring the extra CA certificates.