Issue:
Unable to change the Management Server Address on Client Security or Server Security hosts because the public management key on the host (admin.pub) does not match the private signing key on the Policy Manager Server (admin.prv).
Need to migrate hosts between two Policy Manager Servers without having to do a re-installation of the software client side.
How can the management key file (admin.pub) on WithSecure clients be replaced in case the original Policy Manager server is no longer available?
How can the Policy Manager Server management address on WithSecure clients be changed when the original Policy Manager server is no longer available?
After upgrading or installing WithSecure Client Security/Server Security 14.x or newer, you encounter issues with communication. Symptoms include:
- the host is unable to connect to WithSecure Policy Manager Server
- the host is not visible on the "Import host" list in WithSecure Policy Manager Console.
Resolution:
As a starting point, make sure that the WithSecure Policy Manager Server address configured on the host is correct and that the host-module communication ports (default: TCP 80 and 443) are listening on the server.
Test the connectivity between the clients and Policy Manager:
- Try to connect to the WithSecure Policy Manager Server's address via a web browser from one of the hosts (http://pm-server.local:80 and https://pm-server.local:443). If the connection is set up correctly, you receive a web page from the WithSecure Policy Manager Server saying so. If no page loads, check that the host communication ports to the Policy Manager Server are allowed in your firewall.
- Make sure that you have configured the WithSecure Policy Manager Server IP address and/or hostname correctly on the host, and that the ports configured for the host modules match the ports the server listens on.
Below is an example of a failed connection:
I: Connecting to wait.pmp-selector.local
I: Update check failed, error=210 (unable to resolve host)
I: Connection failed
W: ServerFinder::Ping: Ping to {host: 10.10.10.10, http: 82, https: 443} aborted. There are no valid certificates
I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from 10.10.10.10
E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies. AsyncSendRequest failed: 12002
W: CosmosUpdater::Run: No servers responded. Policy Manager unavailable.
Error 12002 is ERROR_WINHTTP_TIMEOUT: Client Security/Server Security cannot reach Policy Manager to download the certificate bodies.
A complete list of Microsoft Windows HTTP Services (WinHTTP) error codes is available in Microsoft's documentation.
Below is an example of a working connection:
I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from 10.11.10.10
I: UpdatablePmCertVerifier::RenewCertificates: 2 certificate(s) renewed successfully; expire in 86170 seconds
If you have confirmed that communication between the client computer and the Policy Manager Server works, and you have made sure that the Policy Manager address and ports are configured correctly, check that the date and time are set correctly on the client device.
If the date and time are set incorrectly, the certificate download from the Policy Manager Server fails. In an offline environment the clock can easily be wrong, since the Network Time Protocol (NTP) cannot be used to synchronize it.
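The connectivity and clock checks above, as an added example that is not part of the original article and not a WithSecure tool: a small Python script that tests the host-module ports with a plain TCP connect, then reads the Date header from the Policy Manager Server's HTTP response and compares it with the client's clock, so the clock-skew failure described above is visible before you dig into the log. The hostname pm-server.local, the ports and the 5-minute skew threshold are assumptions; replace them with your own values.

```python
import http.client
import socket
import ssl
import time
from email.utils import parsedate_to_datetime

# Assumed values: replace with your own Policy Manager address and host-module ports.
PM_HOST = "pm-server.local"
PM_PORT_HTTP = 80
PM_PORT_HTTPS = 443
MAX_SKEW_SECONDS = 300  # assumption: more than 5 minutes of drift is treated as a problem


def tcp_port_open(host, port, timeout=5.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_date_header(host, port, use_tls, timeout=5.0):
    """Send HEAD / to the host module and return the server's Date header, or None.

    TLS verification is disabled on purpose: the host module presents a certificate
    issued by Policy Manager's own CA, which the client's trust store does not know.
    Only the Date header is used, so this is acceptable for a diagnostic probe."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Date")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def clock_skew_seconds(date_header, local_epoch=None):
    """Local time minus the server time taken from an HTTP Date header, in seconds.
    A positive value means the client clock is ahead of the Policy Manager Server."""
    server_epoch = parsedate_to_datetime(date_header).timestamp()
    if local_epoch is None:
        local_epoch = time.time()
    return local_epoch - server_epoch


def diagnose(host=PM_HOST, http_port=PM_PORT_HTTP, https_port=PM_PORT_HTTPS):
    """Run the port and clock checks and return a list of human-readable findings."""
    findings = []
    for port in (http_port, https_port):
        if not tcp_port_open(host, port):
            findings.append(f"TCP {port} to {host} is not reachable: check the address and firewall rules")
    date_hdr = fetch_date_header(host, https_port, use_tls=True)
    if date_hdr is None:
        date_hdr = fetch_date_header(host, http_port, use_tls=False)
    if date_hdr is not None:
        skew = clock_skew_seconds(date_hdr)
        if abs(skew) > MAX_SKEW_SECONDS:
            findings.append(f"client clock is {skew:+.0f} s relative to the server: fix date and time before retrying")
    return findings


if __name__ == "__main__":
    for finding in diagnose() or ["no connectivity or clock problem found"]:
        print(finding)
```

Run it on the affected host; an empty result means the address, ports and clock are not the problem and the next step is the PmpSelectorPlugin.log checks below.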
Check the host's PmpSelectorPlugin.log (C:\ProgramData\F-Secure\Log\BusinessSuite\PmpSelectorPlugin.log) again for the following:
W: ServerFinder::Ping: Ping aborted: there are no valid certificates
I: UpdatablePmCertVerifier::RenewCertificates: Renewing certificates from 192.168.1.100:443 with HTTP proxy ''
W: UpdatablePmCertVerifier::StoreCertificates: Certificates renewal yielded no fresh certificates
In the above example the client downloads the certificates from the Policy Manager Server, but because the client's date and time are ahead of the Policy Manager Server's, the client concludes that no fresh certificate is available and keeps failing.
If the issue still persists after you have performed all the steps above, look at the following log on the host running WithSecure Client Security/Server Security. It shows the connection status with the WithSecure Policy Manager Server. If it contains the signature error below, the Keyreplacer described in the rest of this article resolves the connection issue.
C:\ProgramData\F-Secure\Log\BusinessSuite\PmpSelectorPlugin.log
The following entry in PmpSelectorPlugin.log indicates that the admin.pub on the problematic client does not match the admin.prv on the Policy Manager Server, so the client cannot verify the signature on the certificate bodies it downloaded:
2022-03-28 18:20:20.977 [18e8.2b48] *E: UpdatablePmCertVerifier::ParseCertificates: Certificate bodies signature invalid. Error is 1
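As an added example (not part of the original article and not a WithSecure tool), the following Python script applies the log patterns quoted in this article to PmpSelectorPlugin.log and maps each one to the remedy the article gives: Policy Manager unreachable, client clock ahead of the server, or an admin.pub/admin.prv mismatch that calls for the Keyreplacer. The sample log lines are constructed from the excerpts above; the WinHTTP code names are Microsoft's documented values for those codes.

```python
import re

# WinHTTP error codes that appear after "AsyncSendRequest failed:" (Microsoft's documented names).
WINHTTP_ERRORS = {
    12002: "ERROR_WINHTTP_TIMEOUT",
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
}

# (pattern, cause, remedy), ordered from the most specific symptom to the most general.
RULES = [
    (re.compile(r"Certificate bodies signature invalid"), "key_mismatch",
     "admin.pub on the client does not match admin.prv on the server: deploy a keyreplacer package"),
    (re.compile(r"yielded no fresh certificates"), "clock_skew",
     "client clock is ahead of the server: fix the date and time on the client"),
    (re.compile(r"AsyncSendRequest failed: (\d+)"), "unreachable",
     "cannot reach Policy Manager: check address, ports and firewall"),
    (re.compile(r"unable to resolve host|No servers responded"), "unreachable",
     "cannot reach Policy Manager: check address, DNS, ports and firewall"),
    (re.compile(r"certificate\(s\) renewed successfully"), "ok",
     "communication with Policy Manager is working"),
]

# "2022-03-28 18:20:20.977 [18e8.2b48] *E: message" ; lines without the prefix are accepted too.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[[^\]]+\] \*?(?P<level>[IWE]): (?P<msg>.*)$")

# Constructed sample, modelled on the PmpSelectorPlugin.log excerpts in this article.
SAMPLE_LOG = """\
2022-03-28 18:20:10.001 [18e8.2b48] I: Connecting to wait.pmp-selector.local
2022-03-28 18:20:10.120 [18e8.2b48] I: Update check failed, error=210 (unable to resolve host)
2022-03-28 18:20:15.300 [18e8.2b48] E: UpdatablePmCertVerifier::RenewCertificates: Failed to download certificate bodies. AsyncSendRequest failed: 12002
2022-03-28 18:20:18.500 [18e8.2b48] W: UpdatablePmCertVerifier::StoreCertificates: Certificates renewal yielded no fresh certificates
2022-03-28 18:20:20.977 [18e8.2b48] *E: UpdatablePmCertVerifier::ParseCertificates: Certificate bodies signature invalid. Error is 1
2022-03-28 18:25:00.000 [18e8.2b48] I: UpdatablePmCertVerifier::RenewCertificates: 2 certificate(s) renewed successfully; expire in 86170 seconds
"""


def triage(log_text):
    """Return one finding per recognised log line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        ts = m.group("ts") if m else ""
        msg = m.group("msg") if m else raw
        for pattern, cause, remedy in RULES:
            hit = pattern.search(msg)
            if not hit:
                continue
            if hit.groups():  # the WinHTTP rule captured a numeric error code
                code = int(hit.group(1))
                name = WINHTTP_ERRORS.get(code, "see Microsoft's WinHTTP error list")
                remedy = f"{remedy} (WinHTTP {code}: {name})"
            findings.append({"time": ts, "cause": cause, "remedy": remedy})
            break
    return findings


def verdict(log_text):
    """The most recent decisive event wins: a later successful renewal supersedes earlier failures."""
    findings = triage(log_text)
    return findings[-1]["cause"] if findings else "no_signal"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']}  {f['cause']:<13} {f['remedy']}")
    print("verdict:", verdict(SAMPLE_LOG))
```

Point it at the real log instead of SAMPLE_LOG to get the same classification for a host; a verdict of key_mismatch is the case the Keyreplacer below is for, while unreachable and clock_skew are fixed by the checks earlier in this article.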
If your Policy Manager manages ONLY clients running Client Security 14.00 or newer, you can create a Keyreplacer yourself with a tool that support can provide to you. The tool comes with instructions on how to create the keyreplacer file.
Supported products
- Client Security 14 and newer
- Server Security 14 and newer
- Email and Server Security 14 and newer
Some common use cases for this tool are listed below:
- The Policy Manager Server is not accessible, and a new Policy Manager management key (admin.pub) and the address of the new Policy Manager Server need to be provided to the WithSecure client.
- The Policy Manager Server is not accessible, and a new, changed Policy Manager Server address needs to be provided to the WithSecure client.
- The Policy Manager Server is accessible, but the Policy Manager management key (admin.pub) has changed and needs to be provided to the WithSecure client.
Step-1: Creating the keyreplacer package:
To create the package, you need the following information:
1. The new Policy Manager Server hostname or IP address. Use either the IP address or the hostname/FQDN (fully qualified domain name). Examples:
- policy-manager-server.acme.com
- 192.168.0.10
- hostname.local
2. The host-module HTTP and HTTPS ports the Policy Manager Server listens on. The default ports for Policy Manager are 80 for HTTP and 443 for HTTPS. If you are not sure which ports the Policy Manager Server uses, launch the "Status monitor" application in the "F-Secure Policy Manager" program group on the server.
(On Linux systems the port information can be found in the following log:
/var/opt/f-secure/fspms/logs/fspms-stderrout.log )
3. Export the admin.pub file:
- Log on to your F-Secure Policy Manager Console.
- From the top menu panel, select Tools > Server Configuration
- Select the Keys tab. Under "Export signing keys", select the button Export
- Enter the private key passphrase
Step-2: Creating the keyreplacer JAR-file
- Contact WithSecure Support for the keyreplacer_2021.zip file.
- Once you have keyreplacer_2021.zip, extract the ZIP-file containing the keyreplacer files.
- Copy the admin.pub file exported from Policy Manager Console into the same folder.
- Run the following command to create the JAR-file keyreplacer.jar:
iuupd.exe --create-keyreplacer-package -o keyreplacer.jar --pm-host "10.132.4.214" --pm-port-http 80 --pm-port-https 443 -i admin.pub
Note: enter the command as one single line. In the example, the Policy Manager Server IP address is 10.132.4.214 and the HTTP and HTTPS ports are 80 and 443, respectively. Adjust these values to reflect your own configuration.
Step-3: Instruction to deploy the Key Replacer fix
To install the keyreplacer.jar package created earlier, two installation options are available:
a) policy-based or push installation using Policy Manager
b) local installation using an MSI-file exported from Policy Manager Console.
Note: policy-based installation only works if the management key admin.pub has not changed, because the client verifies policies and packages from Policy Manager with the admin.pub it already holds and rejects anything signed with a different key. Policy-based installation can therefore only be used to change the Policy Manager Server address; when the key has changed, use the local MSI installation.
a) Installing the keyreplacer package - policy based installation
- On the Policy Manager Server, import the registry file Allow_unsigned_jars_on_PM.reg included in keyreplacer_2021.zip. To import the file, right-click it and select "Merge". This imports the registry change and enables importing of unsigned packages into Policy Manager Server. Because this switches off the signature check on imported installation packages, revert the registry change once the keyreplacer has been deployed.
- To activate previous setting, restart the Policy Manager Server using a command prompt:
- net stop fsms
- net start fsms
- Import the file keyreplacer.jar into Policy Manager Console using Tools > Installation packages. When prompted, select "Yes" to the "not signed by F-Secure" warning message.
- Perform a push or policy-based installation to the target machines.
- Alternatively, you can export the previously imported keyreplacer.jar to an MSI-file using Tools > Installation packages. This option is recommended for a local installation of the package.
The same works on Linux, but instead of the registry you edit the config file /etc/opt/f-secure/fspms/fspms.conf. Create a new line with the parameter additional_java_args and specify Java system properties, in quotes, as its value in the format -DpropertyName=value. Multiple properties can be specified using a space as the delimiter. Property names and values are case sensitive.
Example: additional_java_args=-DallowUnsignedWithRiwsAndMibs=true -Dh2ConsoleEnabled=true -DmaxSynchronousPackageRetrievalRequests=100
Only allowUnsignedWithRiwsAndMibs is needed for the keyreplacer; the other two properties in the example are unrelated and only illustrate the syntax. As with the registry change on Windows, remove the property again once the keyreplacer has been deployed.
- Restart the Policy Manager Server service and open Policy Manager Console.
- Go to the Installation tab and click Installation packages.
- Click Import to import the "KeyReplacer_unsigned.jar" file into Policy Manager Console as an installation package.
- Deploy the KeyReplacer package to all clients, for example using a policy-based installation.
After the deployment has finished, import the hosts in Policy Manager Console by going to the Installation tab and clicking "Import new hosts".
b) Installing the keyreplacer package - local installation
Export the keyreplacer.jar imported in the previous section ("Installing the keyreplacer package - policy based installation") to an MSI-file using Tools > Installation packages in Policy Manager Console, copy the MSI to the host and launch it there. This option is recommended for a local installation of the package, and it is the only option that works when the management key admin.pub has changed.
Article no: 000003212