Environment
UNIX Agents:
- NetIQ UNIX Agent 7.1
- NetIQ Security Agent for UNIX 5.6
- NetIQ Security Agent for UNIX 5.5
- NetIQ Secure Configuration Manager
- NetIQ Security Manager
Not affected:
The following NetIQ products which support UNIX monitoring are not affected:
- NetIQ AppManager
Situation
After Aug 19 16:39:10 2012 GMT (the notAfter time of the agent CA certificate) you will begin seeing communication failure messages such as:
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: comm_SSLAccept() failed
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: verify error:num=10:certificate has expired
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: depth=1 /C=US/ST=Texas/L=Houston/O=PentaSafe Security Technologies...
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: notAfter=Aug 19 16:39:10 2012 GMT
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: SSL_connect failed, errcode = 1
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: 21430:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:843:
Resolution
NetIQ UNIX Agent
To minimize pain during this certificate upgrade process, we have developed several resolution paths for this issue...
Resolution paths (official, extensively tested, fully supported):
- Apply Hotfix 73302 to your NetIQ 7.1 UNIX Agents (manually or remotely via the UNIX Agent Manager)
- Shell script / Remotely over SSH (5.6 UNIX Agent, 7.1 UNIX Agent)
Utilize the sslupdate-73302.sh script attached to this Knowledge Base article. This script will detect the agent install location, verify the certificate state, and apply the certificate update if needed.
If you have SSH access to the UNIX systems in question, you can apply this fix remotely. Running the following will execute the script remotely over ssh and update the certificate:
ssh <user>@unix.system.local < sslupdate-73302.sh
- Manually (5.6 UNIX Agent, 7.1 UNIX Agent)
Utilize the attached vssca-73302.crt certificate and replace the existing certificate on the UNIX system at <vsau>/bin/vssca.crt
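As an added example, not the article's sslupdate-73302.sh and not NetIQ code, the POSIX sh checker below shows the three steps the attached script is described as performing: locate the agent install root, verify the certificate state with openssl, and install the replacement certificate while keeping a backup, refusing a replacement that is itself unparseable or already expired. It also extracts the expiry signature from the syslog lines shown in the Situation section, which is what a monitoring rule would key on. The candidate install roots, the function names, the file name sslcheck.sh and the 30-day warning window are assumptions; only the <vsau>/bin/vssca.crt path and the log lines come from the article.

```shell
#!/bin/sh
# sslcheck.sh (hypothetical name). Added example, not NetIQ's sslupdate-73302.sh.
# Everything here is an assumption except the certificate path <vsau>/bin/vssca.crt
# and the log excerpt, which come from the knowledge base article.

# Candidate agent install roots (hypothetical defaults; set VSAU or edit for your site).
VSAU_CANDIDATES="${VSAU:-} /usr/local/vsau /opt/vsau"

# Print the first candidate root that holds bin/vssca.crt; return 1 if none does.
find_vsau_root() {
  for d in $VSAU_CANDIDATES; do
    if [ -n "$d" ] && [ -f "$d/bin/vssca.crt" ]; then
      printf '%s\n' "$d"
      return 0
    fi
  done
  return 1
}

# Return 0 if the PEM certificate in $1 stays valid for at least $2 seconds
# (default 0, i.e. not expired right now), 1 if it has expired or expires within
# that window, 2 if the file does not parse as a certificate at all.
cert_is_valid() {
  _file=$1
  _window=${2:-0}
  openssl x509 -noout -in "$_file" >/dev/null 2>&1 || return 2
  openssl x509 -noout -checkend "$_window" -in "$_file" >/dev/null 2>&1
}

# Print the notAfter line of the certificate in $1 (same format the agent logs).
cert_not_after() {
  openssl x509 -noout -enddate -in "$1"
}

# Replace certificate $1 with $2, keeping a timestamped backup of the original.
# Refuses when the replacement does not parse or is itself already expired, so a
# bad copy can never overwrite the working trust anchor.
replace_cert() {
  _current=$1
  _new=$2
  if ! cert_is_valid "$_new"; then
    echo "refusing to install $_new: not a valid, unexpired certificate" >&2
    return 1
  fi
  cp -p "$_current" "$_current.bak.$(date +%Y%m%d%H%M%S)" || return 1
  cp "$_new" "$_current"
}

# Detection side. Constructed sample, trimmed from the article's log excerpt.
SAMPLE_LOG='Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: comm_SSLAccept() failed
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: verify error:num=10:certificate has expired
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: notAfter=Aug 19 16:39:10 2012 GMT
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: SSL_connect failed, errcode = 1'

# Count log lines (stdin) carrying the expiry signature; prints 0 when none match.
count_expiry_errors() {
  grep -c 'certificate has expired' || true
}

# Extract the notAfter timestamp reported in the log (stdin), first match only.
log_not_after() {
  sed -n 's/.*notAfter=//p' | head -n 1
}

# Stand-alone run: locate the agent and report the CA certificate state.
# An optional argument overrides the candidate root list.
main() {
  if [ -n "${1:-}" ]; then
    VSAU_CANDIDATES=$1
  fi
  root=$(find_vsau_root) || { echo "no agent install found in: $VSAU_CANDIDATES" >&2; return 1; }
  crt="$root/bin/vssca.crt"
  cert_not_after "$crt"
  # Warn 30 days ahead so the next expiry is not discovered from failure logs.
  if cert_is_valid "$crt" $((30 * 24 * 3600)); then
    echo "$crt: valid for at least 30 more days"
  else
    echo "$crt: expired or expiring within 30 days; install the updated certificate" >&2
    return 1
  fi
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it as `sh sslcheck.sh /path/to/vsau` to report the certificate state on one host, or source it and call `replace_cert` with the updated certificate. When a script is fed to ssh on standard input, as in the article's one-liner, the remote shell reads the script itself from stdin, so anything the script does must not read from stdin or it will consume its own remaining lines.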
NetIQ Secure Configuration Manager Core Services
NetIQ Security Manager
The NetIQ Security Manager (SM) Central Computer (CC) system requires a hotfix (Hotfix 73370) to resolve this issue. (There is no Windows SM agent; the iSeries agent needs PTF 1C04044.)
Cause
The SSL certificate must be upgraded before the environment's local time reaches Aug 19 16:39:10 2012 GMT. Once this validity period is exceeded, NetIQ UNIX (and Windows) Agent communications to Security Manager and Secure Configuration Manager will begin to fail.
Additional Information
Files