To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Update to 16.0 Policy manager. Unable to login

xalnoc
xalnoc W/ Member Posts: 3 Security Scout

Hello !!

I just installed the new version of policy manager, 16.0.

I'm unable to connect to the console.

Running the server status i obtain this :

Anyone has this issue previously ?

Kind regards,

Nicolas,

Support IT PASTEUR

Comments

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 197 Moderator
    edited November 2023

    Hi @xalnoc

    Thank you for reaching out WithSecure Community,

    Without examining the wsdiag logs, it's challenging to pinpoint the exact issue. However, we have encountered similar problems in the past and can offer some troubleshooting steps that may help resolve the issue.

    From the release of WithSecure Policy Manager 15.x, we discontinued support for weak cipher suites (TLSv1 and TLSv1.1) within the TLS protocol. This change may lead to connectivity problems with older Windows hosts that lack important updates, such as KB3042058 from May 2015. This issue affects hosts running Windows 7, 8, 8.1, Server 2008 R2, Server 2012, or Server 2012 R2.

    To address this, you can take the following steps:

    • Download the Necessary Updates: Visit the following link here for download links and additional information, including prerequisites for KB3042058. This update enhances cipher suite support on affected systems and optimizes their priority order.
    • Check Host Compatibility: To verify whether the host can utilize the Policy Manager Server SSL connector, you can load the Policy Manager Server page via HTTPS on port 443. We recommend using the Microsoft Edge browser from the managed host for this purpose. Simply follow these steps:
      • Open Microsoft Edge.
      • Enter the address https://<YourPolicyManagerServerAddress>:443.
      • If the connection succeeds, you should see a message confirming that the Policy Manager Server is installed and functioning correctly. Microsoft Internet Edge browser is preferred because it shares the same secure channel library as WithSecure clients under Windows for secure connections with the Policy Manager Server. Other browsers might establish a secure connection without the need for KB3042058.
    • If the issue is spotted on a newer Windows operating system, you will need to verify whether the cipher suites supported on the Policy Manager Server, are supported on the host. You can do the following to find out:
      • To fetch list of cipher suites supported for Policy Manager Server, install Nmap and run the following on a host where Policy Manager Server is reachable: nmap --script ssl-enum-ciphers -p <HTTPS port for Host Module> <PMS hostname or IP address>
      • To fetch a list of cipher suites supported on the host, run the following in Windows PowerShell on Server 2016 and newer: Get-TlsCipherSuite
    • Workaround for Incompatible Hosts: If you are unable to install the cipher suites Windows update on the host or modify the SSL Cipher Suite Order Group Policy setting, you can implement a workaround by allowing TLSv1 and TLSv1.1 for the Policy Manager Server using these steps:
      • Stop the WithSecure Policy Manager Server service with the following command in the command prompt: net stop wspms
      • Open Regedit and navigate to \HKEY_LOCAL_MACHINE\SOFTWARE\WithSecure\Policy Manager\Policy Manager Server.
      • Open the "additional_java_args" string and add the following: -DenableVistaInteroperability=true
      • Start the WithSecure Policy Manager Server service with the command: net start wspms

    Now, hosts using TLSv1 and TLSv1.1 should be able to connect to the Policy Manager Server and download policies as needed.

    These steps should help you troubleshoot and address the connectivity issue you're facing. If you encounter any further difficulties or require additional assistance, please don't hesitate to reach out. We're here to support you in resolving this matter.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home