Certificate Manager Service Stopped, fffffffd error

I noticed the Sophos Certificate Manager service has stopped. When I attempt to start the service, after 1-2 sec, the service stops by itself. Do I need to reinstall SEC?

Secondly, I notice the console is showing error: fffffffd. This happened when I reformatted the server and reinstalled SEC. All other clients which were previously protected and manageable are now showing this error. I suspect the certificate the server has is different from the clients'. Is there a way to enable the server to use the old certificates again?

If you need any log file, please let me know.

  • Hi,

    This problem is all about matching up values on the server and the clients.  On the server-side the important values regarding certification are held here:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Certification Manager\CertAuthStore

    cac

    DelegatedManagerKey

    ManagedAppKey

    RouterKey

    All these values need to be the same on the clients (stored in different registry locations).  

    They are essentially passed to the clients in the files cac.pem (the cac value) and mrinit.conf (the 3 identity keys).  The clients download these files (setup.exe copies them over at install) from the distribution locations (CIDs); they are in the root of the deployment share, e.g. \\[server]\SophosUpdate\CIDs\S000\SAVSCFXP\ cac.pem and mrinit.conf.

    Note: All cac.pem files throughout the system should be the same and all mrinit.conf files in the system should have the same 3 identity keys.

    When the RMS package on the client is installed, an application called ClientMRInit.exe runs, reads in the above files from the local client's copy now in "\program files\sophos\remote management system\", and puts the same values in the registry on the client in the following locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System \cac

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\CertificationIdentityKeys \CertificationIdentityKey

    This is the same as the "RouterKey".

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\CertificationIdentityKeys \ManagedApplication

    This is the same as the "ManagedAppKey".

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Remote Management System\ManagementAgent\Private \CertificationIdentityKey

    This is the same as the "DelegatedManagerKey".

    If you are going to try and repair the system it's important to get all the values on the server working first and ensure all local server components can talk correctly, then ensure all the cac.pem and mrinit.conf files are correct on the server.  Only then is it worth re-protecting the clients, either by re-protecting them or running the script I wrote that Christain mentions.

    You might find it easier to reinstall but you shouldn't need to; it's whatever is quicker for you, I guess.

    Regards,

    Jak
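
A read-only check of the mapping described in the reply above, as an added PowerShell example that is not part of the original post and not a Sophos tool. It assumes the last element of each listed client path is the registry value name, that it runs elevated on the management server (which also holds the local Messaging System and RMS keys), and that `\\SERVER` is a placeholder for the real server name.

```powershell
# Added example, read-only. Reports match status only; key material is never printed.
# Assumption: the last element of each client path in the post is the value name.
$root = 'HKLM:\SOFTWARE\Wow6432Node\Sophos', 'HKLM:\SOFTWARE\Sophos' |
    Where-Object { Test-Path "$_\Certification Manager\CertAuthStore" } |
    Select-Object -First 1
if (-not $root) { throw 'CertAuthStore not found in either registry view.' }
$store = "$root\Certification Manager\CertAuthStore"

function Get-NormalizedValue([string]$Key, [string]$Name) {
    # Returns a comparable string, or $null when the key or value is missing.
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $value = $item.$Name
    if ($value -is [byte[]]) { return [BitConverter]::ToString($value) }  # REG_BINARY
    return ([string]$value).Trim()
}

# Server value name -> local key and value name, as listed in the post.
$rms = "$root\Remote Management System"
$map = @(
    @{ Server = 'cac';                 Key = "$root\Messaging System";                           Name = 'cac' }
    @{ Server = 'RouterKey';           Key = "$root\Messaging System\CertificationIdentityKeys"; Name = 'CertificationIdentityKey' }
    @{ Server = 'ManagedAppKey';       Key = "$rms\CertificationIdentityKeys";                   Name = 'ManagedApplication' }
    @{ Server = 'DelegatedManagerKey'; Key = "$rms\ManagementAgent\Private";                     Name = 'CertificationIdentityKey' }
)

$report = foreach ($m in $map) {
    $serverValue = Get-NormalizedValue $store $m.Server
    $localValue  = Get-NormalizedValue $m.Key $m.Name
    $status = if ($null -eq $serverValue -or $null -eq $localValue) { 'MISSING' }
              elseif ($serverValue -ceq $localValue) { 'match' }
              else { 'MISMATCH' }
    [pscustomobject]@{ ServerValue = $m.Server; LocalValue = "$($m.Key)\$($m.Name)"; Status = $status }
}
$report | Format-Table -AutoSize

# Every cac.pem under the CIDs should be byte-identical, so group the copies by hash.
# mrinit.conf is not hashed: only its 3 identity keys have to match, not the whole file.
$cids   = '\\SERVER\SophosUpdate\CIDs'   # placeholder share path
$groups = @(Get-ChildItem -Path $cids -Recurse -Filter 'cac.pem' -File |
    Get-FileHash -Algorithm SHA256 | Group-Object Hash)
if ($groups.Count -eq 0)     { "No cac.pem found under $cids" }
elseif ($groups.Count -eq 1) { 'All cac.pem copies are identical.' }
else { $groups | ForEach-Object { $_.Group | Select-Object Hash, Path } }
```

Running the registry half on a client works only if the server's four values are supplied from elsewhere, since `CertAuthStore` exists on the server alone.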
