Critical: SSL Certificate expiration causes communication failure between UNIX Agents and SM / SCM

  • 7773302
  • 27-Apr-2012
  • 14-Aug-2012

Environment

UNIX Agents:

  • NetIQ UNIX Agent 7.1
  • NetIQ Security Agent for UNIX 5.6
  • NetIQ Security Agent for UNIX 5.5

Communicating to:

  • NetIQ Secure Configuration Manager
  • NetIQ Security Manager

Not affected:
The following NetIQ products, which also support UNIX monitoring, are not affected:

  • NetIQ AppManager

Situation

After Aug 19 16:39:10 2012 GMT you will begin seeing communication failure messages such as:

  Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: comm_SSLAccept() failed
  Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: verify error:num=10:certificate has expired
  Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: depth=1 /C=US/ST=Texas/L=Houston/O=PentaSafe Security Technologies...
  Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: notAfter=Aug 19 16:39:10 2012 GMT
  Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: SSL_connect failed, errcode = 1
  Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: 21430:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:843:
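As an added example (not part of this article or of NetIQ's sslupdate script), the following Python triages syslog for the expired-certificate signature quoted above, pulls each agent's notAfter date out of the log, and flags every agent whose certificate expires before the replacement vssca-73302.crt does (Nov 13 17:45:03 2031 GMT). The sample log is constructed to match the quoted format; htsaix01 is the host from the article, the other host names are made up.

```python
import re
import ssl
from datetime import datetime, timezone

# Constructed sample syslog modelled on the lines quoted in this article
# (htsaix01 is the article's host; the other two hosts are made up).
SAMPLE_LOG = """\
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: comm_SSLAccept() failed
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: verify error:num=10:certificate has expired
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: notAfter=Aug 19 16:39:10 2012 GMT
Aug 20 00:06:03 htsaix01 local4:err|error ./alert_agent[21430]: SSL_connect failed, errcode = 1
Aug 20 00:07:11 htsaix02 local4:err|error ./alert_agent[4411]: verify error:num=10:certificate has expired
Aug 20 00:07:11 htsaix02 local4:err|error ./alert_agent[4411]: notAfter=Aug 19 16:39:10 2012 GMT
Aug 20 00:08:00 htsaix03 local4:info|info ./alert_agent[977]: notAfter=Nov 13 17:45:03 2031 GMT
"""
# "<Mon> <d> <HH:MM:SS> <host> <facility> ./alert_agent[<pid>]: <message>"
LINE_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) \S+ "
                     r"\./alert_agent\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EXPIRED_MARK = "verify error:num=10:certificate has expired"
# notAfter of the replacement vssca-73302.crt, as stated in this article.
NEW_CERT_NOT_AFTER = datetime(2031, 11, 13, 17, 45, 3, tzinfo=timezone.utc)

def parse_not_after(msg):
    """'notAfter=Aug 19 16:39:10 2012 GMT' -> aware UTC datetime, or None for other messages."""
    if not msg.startswith("notAfter="):
        return None
    # ssl.cert_time_to_seconds parses exactly the OpenSSL date format the agent logs.
    secs = ssl.cert_time_to_seconds(msg[len("notAfter="):])
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def find_expired_agents(log_text):
    """Map host -> notAfter for each agent process that logged the expired-certificate verify error."""
    flagged = set()  # (host, pid) pairs that emitted EXPIRED_MARK
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["pid"])
        if m["msg"] == EXPIRED_MARK:
            flagged.add(key)
        elif key in flagged:
            not_after = parse_not_after(m["msg"])
            if not_after is not None:
                result[m["host"]] = not_after
    return result

def triage(log_text):
    """Sorted (host, notAfter ISO string, needs_update) rows; needs_update is True while the cert predates the replacement."""
    return sorted((h, t.isoformat(), t < NEW_CERT_NOT_AFTER) for h, t in find_expired_agents(log_text).items())
```

A notAfter line that is not preceded by the verify error from the same agent process (htsaix03 above) is deliberately ignored, so agents already carrying the 2031 certificate are not flagged.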

Resolution

NetIQ UNIX Agent

The resolution for this issue involves replacing the existing SSL public certificate with a newer version signed by NetIQ. The new certificate has a validity period of Nov 18 17:45:03 2011 GMT through Nov 13 17:45:03 2031 GMT, meaning you can apply it now and use it long into the future without interruption.

To minimize pain during this certificate upgrade process, we have developed several resolution paths for this issue...

Resolution paths (official, extensively tested, fully supported):

  1. Apply Hotfix 73302 to your NetIQ 7.1 UNIX Agents (manually or remotely via the UNIX Agent Manager)

Resolution paths (unofficial, limited testing, best effort support):
  1. Shell script / Remotely over SSH (5.6 UNIX Agent, 7.1 UNIX Agent)
    Utilize the sslupdate-73302.sh script attached to this Knowledge Base article. This script will detect the agent install location, verify the certificate state, and apply the certificate update if needed.

    If you have SSH access to the UNIX systems in question, you can utilize this fix remotely. Running the following will execute the script remotely over ssh and update the certificate:

    ssh <user>@unix.system.local < sslupdate-73302.sh
  2. Manually (5.6 UNIX Agent, 7.1 UNIX Agent)
    Utilize the attached vssca-73302.crt certificate and replace the existing certificate on the UNIX system at <vsau>/bin/vssca.crt

NetIQ Secure Configuration Manager Core Services

The NetIQ Secure Configuration Manager (SCM) Core Services (CS) system does not require a hotfix. (The SCM Windows Security Agents do, however, need a hotfix: Hotfix 73282.)

NetIQ Security Manager

The NetIQ Security Manager (SM) Central Computer (CC) system does require a hotfix (Hotfix 73370) to resolve this issue. (There is no Windows SM agent; the iSeries Agent needs PTF 1C04044.)

Cause

The SSL certificate built into the UNIX (and Windows) Agents has a validity period of Aug 22 16:39:10 2002 GMT through Aug 19 16:39:10 2012 GMT.

The SSL certificate will need to be upgraded before the environment's local time reaches Aug 19 16:39:10 2012 GMT. Once this validity period is exceeded, NetIQ UNIX (and Windows) Agent communications to Security Manager and Secure Configuration Manager will begin to fail.

Additional Information

Formerly known as NETIQKB73302

If you have any questions during this SSL certificate upgrade process, please contact NetIQ Technical Support.
Please keep in mind that all newly deployed UNIX Agent installations will also need to have this updated security certificate applied.

This issue will be resolved in the next major version of the NetIQ UNIX Agent (7.2).

Files