Traps on the Endpoint Security Manager Loses sslcert Binding

Created On 09/25/18 18:19 PM - Last Updated 12/16/19 18:56 PM


Symptom
Traps Agents that previously connected to the Endpoint Security Manager (ESM) over SSL can no longer connect.

The following error appears in the Traps Agent Service.log file:
Error calling server! System.ServiceModel.CommunicationException: An error occurred while making the HTTP request to https://cyveraserver:2125/CyveraServer/ This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send.


Resolution
  1. On the ESM, open a command prompt and enter "netsh http show sslcert". Locate the binding for IP:port 0.0.0.0:2125 (the port in the agent's error). Output like the following appears:

SSL Certificate bindings:
-------------------------

IP:port                : 0.0.0.0:2125
Certificate Hash        : 4d4aa7933cd002449ad76dd3bca2a05f375a700d
Application ID          : {935e55e3-8b9d-4b95-954c-423626f887f9}
Certificate Store Name  : (null)
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check    : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout  : 0
Ctl Identifier          : (null)
Ctl Store Name          : (null)
DS Mapper Usage    : Disabled
Negotiate Client Certificate    : Enabled


  2. Save a copy of the IP:port and Certificate Hash values; the hash is needed again in steps 6 and 8.
  3. In the CMD window, enter:
    netsh http delete sslcert ipport=0.0.0.0:2125
  4. Open Server Manager and navigate to Roles > Web Server (IIS) > Internet Information Services (IIS) Manager.
  5. Choose the server and open Server Certificates.
  6. Remove the certificate whose thumbprint matches the hash saved in step 2.
  7. Right-click, choose Import, and select the certificate to import.
  8. Go back to the CMD window and enter the following, replacing CERTIFICATE_HASH_HERE with the thumbprint of the certificate imported in step 7 (the same value saved in step 2 if the same certificate was re-imported):
    netsh http add sslcert ipport=0.0.0.0:2125 certhash=CERTIFICATE_HASH_HERE appid={935e55e3-8b9d-4b95-954c-423626f887f9} clientcertnegotiation=enable
  9. Test connectivity between Traps Agents and the ESM.
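The same procedure carried out end to end in PowerShell, as an added example (this is not code from the article or from Palo Alto Networks). It assumes the listener is 0.0.0.0:2125 with the application ID shown in the netsh output above, that the script runs elevated on the ESM, and that the replacement certificate (a PFX including its private key) has already been imported into the Local Computer Personal store as in step 7. The host name cyveraserver used in the handshake test is taken from the agent's error; the backup file name under $env:TEMP and the function name Get-EsmSslBinding are this example's own choices.

```powershell
# Added example, not from the article: save, delete and re-create the HTTP.SYS SSL binding
# used by the ESM, then verify it the way the Traps agent's HTTP client would.
#Requires -RunAsAdministrator
param(
    [string]$IpPort = '0.0.0.0:2125',                              # from the article's netsh output
    [string]$AppId  = '{935e55e3-8b9d-4b95-954c-423626f887f9}',    # from the article's netsh output
    [string]$NewCertHash                                           # thumbprint of the imported cert; defaults to the current binding's hash
)

function Get-EsmSslBinding {
    param([string]$IpPort)
    # Parse 'netsh http show sslcert' for the single binding we care about.
    $out = netsh http show sslcert ipport=$IpPort 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }          # no binding on that ip:port
    $b = @{}
    foreach ($line in $out) {
        if     ($line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]{40})')            { $b.Hash = $Matches[1].ToUpper() }
        elseif ($line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})')          { $b.AppId = $Matches[1] }
        elseif ($line -match '^\s*Negotiate Client Certificate\s*:\s*(\w+)')             { $b.ClientCertNegotiation = $Matches[1] }
    }
    if ($b.Count -eq 0) { return $null }
    return [pscustomobject]$b
}

# Step 1-2: read the current binding and keep a copy before touching anything.
$binding = Get-EsmSslBinding -IpPort $IpPort
if ($binding) {
    $backup = Join-Path $env:TEMP ("esm-sslcert-{0}.xml" -f ($IpPort -replace '[:.]', '_'))   # assumed location
    $binding | Export-Clixml -Path $backup
    Write-Host "Current binding on ${IpPort}: hash=$($binding.Hash) appid=$($binding.AppId) (saved to $backup)"
    if (-not $NewCertHash) { $NewCertHash = $binding.Hash }
} elseif (-not $NewCertHash) {
    throw "No SSL binding on $IpPort and no -NewCertHash given; import the certificate and pass its thumbprint."
}

# HTTP.SYS resolves the bound hash against Cert:\LocalMachine\My at handshake time, so a
# binding is only usable if that certificate (with its private key) is actually in the store.
# Check this before re-creating the binding; it is the usual reason the agent's 'server
# certificate is not configured properly with HTTP.SYS' error appears.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $NewCertHash
if (-not $cert)            { throw "Certificate $NewCertHash is not in Cert:\LocalMachine\My; import it first (IIS Manager > Server Certificates > Import)." }
if (-not $cert.HasPrivateKey) { throw "Certificate $NewCertHash has no private key; import the PFX, not only the public certificate." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $NewCertHash expired on $($cert.NotAfter)." }

# Step 3 and step 8: delete the stale binding and add it back against the (re)imported certificate.
if ($binding) {
    netsh http delete sslcert ipport=$IpPort | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http delete sslcert failed for $IpPort" }
}
netsh http add sslcert ipport=$IpPort certhash=$NewCertHash appid=$AppId clientcertnegotiation=enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $IpPort" }

# Step 9: verify. First read the binding back, then complete a TLS handshake against the
# listener and confirm the certificate it presents is the one we bound.
$after = Get-EsmSslBinding -IpPort $IpPort
if (-not $after -or $after.Hash -ne $NewCertHash) { throw "Binding on $IpPort did not come back with hash $NewCertHash" }

$port = [int]($IpPort.Split(':')[-1])
$tcp  = New-Object System.Net.Sockets.TcpClient('localhost', $port)
try {
    # Accept any server certificate in the callback: the point is to see which one HTTP.SYS
    # presents, not to validate its chain (the agent does that with its own trust settings).
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient('cyveraserver')          # host name from the agent's error URL
    $presented = $ssl.RemoteCertificate.GetCertHashString()
    if ($presented -ne $NewCertHash) { throw "Listener presented $presented, expected $NewCertHash" }
    Write-Host ("Handshake OK on {0}: {1}, server certificate {2}" -f $IpPort, $ssl.SslProtocol, $presented)
} finally {
    $tcp.Close()
}
```

Run it once without arguments to rebind the certificate that is already recorded in the binding (the re-import case in the article), or pass -NewCertHash with the thumbprint from Server Certificates when a different certificate was imported. The handshake check only proves that HTTP.SYS presents the bound certificate; an agent that still fails after this is rejecting the chain or the host name, which the article's procedure does not cover.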


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClPWCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail