Issue:
After upgrading to Policy Manager 15.x, Client Security or Server Security hosts show disconnected status or are missing in the Policy Manager Console.
The error "AsyncSendRequest SSL fail: 12175" is logged in pmpselectorplugin.log or nrb.log on the host:
I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from 192.168.98.247:9443 with HTTP proxy ''
*E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies (FsHttpRequest::Error_Certificate, AsyncSendRequest SSL fail: 12175 [0x80000000])
.W: PmpSelectorPlugin::Run: Policy Manager unavailable
Visible symptoms:
- The host cannot receive policy updates from the Policy Manager Server
- The Centralized management status page in Policy Manager Console shows that the policy counters on the host and on the server do not match (the policy in use is not the latest)
- The host is shown in disconnected status in the Policy Manager Console domain tree
- AUA.log on the host shows that it can still connect to the Policy Manager Server over plain HTTP to download updates
Resolution:
F-Secure Policy Manager 15.x dropped support for the TLSv1 and TLSv1.1 protocol versions and the weak cipher suites they use. This can cause connectivity issues with outdated Windows hosts that are missing updates such as KB3042058 (May 2015). Hosts running Windows 7, 8, 8.1, Server 2008 R2, Server 2012 or Server 2012 R2 are affected.
The download links and more information, including the prerequisites for KB3042058, are available here. The update adds cipher suites to the default list on the affected systems and improves the cipher suite priority order.
The easiest way to verify whether the host can use the Policy Manager Server SSL connector is to load the Policy Manager Server page over HTTPS (port 443 in the default configuration) with Microsoft Internet Explorer on the managed host:
- Open Microsoft Internet Explorer
- Go to https://<YourPolicyManagerServerAddress>:443
Microsoft Internet Explorer is used because it is the only browser that uses the same Schannel (Secure Channel) library as the F-Secure clients on Windows to establish the secure connection with the Policy Manager Server. Other browsers ship their own TLS library and may connect to the Policy Manager Server even without KB3042058, so they do not reproduce the client's behaviour.
If the issue appears on a newer Windows operating system, verify whether the cipher suites offered by the Policy Manager Server are also supported on the host. To find out, compare the two lists:
- To list the cipher suites the Policy Manager Server accepts, install Nmap on a host where the Policy Manager Server is reachable and run: nmap --script ssl-enum-ciphers -p <HTTPS port for Host Module> <Policy Manager Server hostname or IP address>
- To list the cipher suites the managed host supports, run the PowerShell cmdlet Get-TlsCipherSuite on that host. If the two lists share no cipher suite for a protocol version the server allows, the TLS handshake cannot succeed.
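To make the comparison less error-prone than eyeballing two lists, the following added example (not part of the original article or of any F-Secure tool) parses constructed ssl-enum-ciphers output and intersects it with a constructed list of names as Get-TlsCipherSuite would report them; a protocol with an empty intersection means the host cannot complete the handshake.

```python
import re

# Constructed sample of `nmap --script ssl-enum-ciphers` output (not a real scan result).
NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Constructed sample of suite names as listed by `Get-TlsCipherSuite` on an unpatched host
# (only CBC suites, no GCM suites), used here purely as illustration.
HOST_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]

PROTO_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv3):")   # e.g. "|   TLSv1.2:"
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)")     # e.g. "|       TLS_ECDHE_... (secp256r1) - A"


def parse_nmap_ciphers(text):
    """Return {protocol: [cipher suite, ...]} from ssl-enum-ciphers script output."""
    result, proto = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            result[proto] = []
            continue
        m = SUITE_RE.match(line)
        if m and proto is not None:
            result[proto].append(m.group(1))
    return result


def common_suites(server_suites, host_suites):
    """Per protocol version offered by the server, the suites the host also supports."""
    host = set(host_suites)
    return {p: sorted(set(c) & host) for p, c in server_suites.items()}


def handshake_possible(server_suites, host_suites):
    """True if at least one server protocol version shares a suite with the host."""
    return any(common_suites(server_suites, host_suites).values())
```

Replace NMAP_OUTPUT with the real scan output and HOST_SUITES with the names from Get-TlsCipherSuite to check an actual host.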
If you cannot install the cipher suite Windows update on the host or correct the SSL Cipher Suite Order Group Policy setting, a workaround is to re-enable TLSv1 and TLSv1.1 on the Policy Manager Server with the following steps. Note that this re-enables the weaker protocol versions for every managed host that connects to the server, so remove the setting once the hosts have been updated.
- Stop the F-Secure Policy Manager Server service using command prompt command: net stop fsms
- Open Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Management Server 5\
- Open the additional_java_args string value and append: -DenableVistaInteroperability=true
- Start the F-Secure Policy Manager Server service using command prompt command: net start fsms
Article no: 000025934