Enabling Apex One features is stuck at "Pending: Managed Server deploying" status

Product / Version includes:

Apex One2019 , Apex CentralAll

Last updated: 2024/06/04

Solution ID: KA-0010418

Category: Troubleshoot

Summary

Users may not be able to activate managed product licenses (Application Control, Endpoint Sensor, Vulnerability Protection), or may not be able to send the enhanced security policies to Security Agents across the network successfully when managing the Apex One server from the Apex Central web console.

The policy deployment from Apex Central is stuck on "Pending: Managed Server Deploying" status.

null

Root Cause Analysis

In Apex One Server ofcdebug.log located at..\Trend Micro\Apex One\PCCSRV\Log\, HTTP Error 403.16 appears when Apex One server fails to access https://:/officescan/osfwebapp/api/v1/SystemCall:

[][ofcservice.exe]BoostHTTPContext::prepareContext - prepare context scheme=[https], 
    host=[<FQDN or IP of Apex One Server>], port=[4343], target=[/officescan/osfwebapp/api/v1/SystemCall] - [libosfsvcclienthttpcontext.cpp(236)]
 
[][ofcservice.exe]BoostHTTPClient::receive - http response code=403 - [libosfsvcclienthttpclient.cpp(103)]
[CMDHO2][ofcservice.exe]SendOSFServiceCall - OSF Web Service Response status=[403], http version=[11] - [cmdho2_osf.cpp(2495)]
[CMDHO2][ofcservice.exe]SendOSFServiceCall - OSF Web Service Response bytes=[5171], body=[
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS 10.0 Detailed Error - 403.16 - Forbidden</title>

This issue occurs when the Apex One Server web certificate is not trusted by IIS. Therefore, Apex One server fails to access https://<FQDN or IP of Apex One Server>:<https port>/officescan/osfwebapp/api/v1/SystemCall due to invalid certificate.

Windows Server 2012 implements checks for a higher level of trust for certificate authentication. This issue occurs because a certificate that is not self-signed was installed in the Trusted Root Certification Authorities store. For example, customer uses a non-self-signed certificate (e.g. 3rd party signed certificate) as the Apex One Server web certificate.

EXPAND ALL

Step 1. Check the Apex One server website certificate

If Apex One server website uses a 3rd party certificate (e,g, a certificate signed by corporate Certificate Authority), please follow Step 6 described in this KB article: Configuring Apex One to use a certificate signed by corporate Certificate Authority.
1. Move any non–self-signed certificates out of the Trusted Root Certification Authorities certificate store and into the Intermediate Certification Authorities certificate store.
2. Turn on the Exclusive CA Trust mode on the OS:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
  Name: ClientAuthTrustMode
  Type: REG_DWORD Value: 2
(Optional) If Apex One Server uses self-signed certificate and is already expired, please follow the steps below to renew Apex One Server web site certificate.
1. Renew Apex One Server web site certificate.
  1. On the OfficeScan server, open a command prompt.
  2. Go to the \Program Files\Trend Micro\OfficeScan\PCCSRV directory.
  3. Run the following command to add a new certificate to the IIS certificate store:
    svrsvcsetup –GenIISCert
2. Confirm the renewal of the certificate.
  1. Open the IIS Manager console (inetmgr.exe).
  2. In the IIS Manager, expand the Sites folder and highlight the OfficeScan virtual site.
  3. In the Actions pane, click Bindings... to open the Site Bindings window.
  4. In the Site Bindings window, select type="https" and click Edit.... The Edit Site Binding window will appear.
  5. From the SSL Certificate section, click the Select... button and verify that the certificate expiration date has been extended, or select the certificate with the latest expiration date.
  6. Click OK to close the window.
3. Remove old web site certificate.
  1. Open the Certificates MMC Snap-In.
  2. Navigate to the Local Computer/Personal store, and find the expired certificate.
  3. Right-click on the certificate, then select Delete.

Step 2. Check OfficeScan Service Framework certificates

Make sure the certificates exist and is valid:

Trusted Root Certificate Authorities > Certificates > OfcOSFWebRootCA
OfcOSF > Certificates > OfcOSFWebApp

Verification

To verify if the steps performed worked, run the command:
Test “OSFWebApp” > svrsvcsetup.exe -testOSFWebApp
Result should return HTTP 200 status if issue has been resolved.
Re-deploy policies again from Apex Central.

If the issue persists:

Collect CDT Log by following this KB article: https://success.trendmicro.com/solution/KA-0011430
- Apex Central Server CDT
- Apex One Server CDT
Submit support ticket to Trend Micro Technical Support.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Enabling Apex One features is stuck at "Pending: Managed Server deploying" status

Step 1. Check the Apex One server website certificate

Step 2. Check OfficeScan Service Framework certificates

Verification

Enabling Apex One features is stuck at "Pending: Managed Server deploying" status

Product / Version includes:

Summary

Step 1. Check the Apex One server website certificate

Step 2. Check OfficeScan Service Framework certificates

Verification