OfficeScan Service Framework (OSF) is embedded in Apex One to provide services for the integrated iProducts (iAC, iVP and iES).
It offers common features such as component update, license renewal, email notification, role-based access control, status/event log upload to Apex Central (CM), etc.
With OSF, iProducts do not need to implement these common features themselves.
For security, Apex One uses 2-way SSL mutual authentication on the server side (OfficeScan server (OSF) <-> iProduct server) and 1-way SSL authentication for client -> server connections (e.g. the "OnLog Request").
The OSF certificates are generated during installation. The following table lists the certificates, their usage and the certificate store each one lives in.
Certificate Name | Usage | Location
---|---|---
OfcOSFWebAppRootCA | The root certificate that signs "OfcOSFWebApp" | Trusted Root Certification Authorities
OfcOSFWebApp | The certificate used for 2-way SSL mutual authentication, which includes: | OfcOSF; Trusted People
Policy deployment fails when a policy is deployed from Apex Central to Apex One. For example, a policy that enables iProducts is deployed but fails.
The following problems with the OfficeScan Service Framework certificates can cause this:
- The OfficeScan Service Framework certificates were accidentally deleted from the Apex One Server.
- The OfficeScan Service Framework certificates were incorrectly replaced by 3rd-party certificates.
When Troubleshooting Assistant (TA) reports a problem with the OSF certificates, check that both certificates exist and are valid. To do this:
- On the Apex One Server, open MMC from Run and add the Certificates snap-in for the computer account.
- Check the two OfficeScan Service Framework certificates, OfcOSFWebAppRootCA and OfcOSFWebApp:
  - OfcOSFWebAppRootCA is located under Trusted Root Certification Authorities\Certificates\OfcOSFWebAppRootCA, and its intended purposes are set to "All".
  - OfcOSFWebApp is located under OfcOSF\Certificates\OfcOSFWebApp and Trusted People\Certificates\OfcOSFWebApp, and its intended purposes are set to "All".
- OfcOSFWebApp must be issued by OfcOSFWebAppRootCA. By default, the OSF certificates are imported into the OS certificate store during installation of the Apex One server, and their expiration date is 1/1/2040.
- Confirm that the OSF certificates have not been replaced by 3rd-party certificates.
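The MMC check above can be scripted. The following PowerShell script is an added example (not Trend Micro code) that audits the three stores for the two OSF certificates, verifies the issuer relationship, expiry and chain, and also flags any non-self-signed certificate sitting in Trusted Root, since that is the condition that produces the 403.16 described later on this page. It assumes (the page does not give the exact subject DNs) that the certificates can be matched by the substrings OfcOSFWebAppRootCA / OfcOSFWebApp in their Subject, and that the custom store is opened by the name "OfcOSF" under LocalMachine.

```powershell
# Added example, not Trend Micro code: audit the OSF certificate stores.
# Assumptions: certificates are matched by Subject substring; store name 'OfcOSF'.
Set-StrictMode -Version Latest

function Get-LocalMachineStoreCerts {
    param([Parameter(Mandatory)][string]$StoreName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    try {
        # OpenExistingOnly: fail loudly instead of silently creating an empty store
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::OpenExistingOnly)
        return @($store.Certificates)
    } catch {
        Write-Warning "Cannot open LocalMachine\$StoreName : $($_.Exception.Message)"
        return @()
    } finally {
        $store.Close()
    }
}

function Test-OsfCertificates {
    $findings = New-Object System.Collections.Generic.List[string]

    $root   = Get-LocalMachineStoreCerts 'Root'           # Trusted Root Certification Authorities
    $osf    = Get-LocalMachineStoreCerts 'OfcOSF'         # Apex One's own store (assumed name)
    $people = Get-LocalMachineStoreCerts 'TrustedPeople'  # Trusted People

    $isRootCA = { $_.Subject -like '*OfcOSFWebAppRootCA*' }
    $isWebApp = { $_.Subject -like '*OfcOSFWebApp*' -and $_.Subject -notlike '*OfcOSFWebAppRootCA*' }

    $rootCA   = @($root   | Where-Object $isRootCA)
    $webApp   = @($osf    | Where-Object $isWebApp)
    $webAppTP = @($people | Where-Object $isWebApp)

    if ($rootCA.Count -eq 0)   { $findings.Add('OfcOSFWebAppRootCA missing from Trusted Root Certification Authorities (expect HTTP 403.16 on SystemCall)') }
    if ($webApp.Count -eq 0)   { $findings.Add('OfcOSFWebApp missing from the OfcOSF store') }
    if ($webAppTP.Count -eq 0) { $findings.Add('OfcOSFWebApp missing from Trusted People') }

    if ($rootCA.Count -gt 0 -and $webApp.Count -gt 0) {
        $ca = $rootCA[0]; $leaf = $webApp[0]
        if ($leaf.Issuer -ne $ca.Subject) {
            $findings.Add("OfcOSFWebApp issuer '$($leaf.Issuer)' is not OfcOSFWebAppRootCA (replaced by a 3rd-party certificate?)")
        }
        foreach ($c in @($ca, $leaf)) {
            if ($c.NotAfter -lt (Get-Date)) { $findings.Add("$($c.Subject) expired on $($c.NotAfter)") }
        }
        # Build the chain the way Schannel would; no revocation check because the OSF root is a private CA
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($leaf)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $findings.Add("OfcOSFWebApp does not chain to a trusted root: $status")
        }
    }

    # Anything in Trusted Root whose Subject differs from its Issuer is not self-signed;
    # Windows Server 2012+ rejects client certificates (403.16) while such an entry is present.
    foreach ($c in ($root | Where-Object { $_.Subject -ne $_.Issuer })) {
        $findings.Add("Non-self-signed certificate in Trusted Root: '$($c.Subject)' [$($c.Thumbprint)]; move it to Intermediate Certification Authorities")
    }
    return $findings
}

$result = Test-OsfCertificates
if ($result.Count -eq 0) { 'OSF certificates look healthy' } else { $result | ForEach-Object { "PROBLEM: $_" } }
```

Run it in an elevated PowerShell session on the Apex One server; a non-elevated session can read the stores but will not see private keys, which is fine for this audit. The subject-substring match is deliberately loose so that the script still reports a certificate that carries the right name but the wrong issuer.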
Use svrsvcsetup.exe to verify that the OSF certificates work as expected on the Apex One Server:
- In CMD, run "svrsvcsetup.exe -testOSFWebApp" to send a request to OSF.
- Open the IIS log and find the line that contains "officescan/osfwebapp/api/v1/SystemCall".
  By default, the Apex One Server website IIS log is located under C:\inetpub\logs\LogFiles\W3SVC3.
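Reading the IIS log by eye works for one request, but the status and substatus columns are what tell you whether the client certificate was accepted. The following PowerShell function is an added example (not Trend Micro code) that parses a W3C-format IIS log, picks out the SystemCall requests and maps the status.substatus pair to a verdict. The log lines embedded in it are constructed for the demonstration, not taken from a real server; the path of svrsvcsetup.exe is not given on this page, so the usage comment does not assume one.

```powershell
# Added example, not Trend Micro code: find the OSF SystemCall request in a W3C IIS log
# and interpret sc-status / sc-substatus. Sample log lines below are constructed.
Set-StrictMode -Version Latest

function Get-OsfSystemCallStatus {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The #Fields directive defines the column order for the lines that follow it
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['cs-uri-stem'] -notlike '*/officescan/osfwebapp/api/v1/SystemCall') { continue }

        $status = [int]$rec['sc-status']; $sub = [int]$rec['sc-substatus']
        $verdict = switch ("$status.$sub") {
            '200.0'  { 'OK: IIS accepted the OfcOSFWebApp client certificate' }
            '403.16' { 'Client certificate not trusted: check OfcOSFWebAppRootCA in Trusted Root and look for non-self-signed certificates in that store' }
            '403.7'  { 'IIS received no client certificate: check OfcOSFWebApp in the OfcOSF store' }
            default  { "Unexpected $status.$sub, investigate" }
        }
        [pscustomobject]@{
            Time    = "$($rec['date']) $($rec['time'])"
            Method  = $rec['cs-method']
            Port    = $rec['s-port']
            Status  = "$status.$sub"
            Verdict = $verdict
        }
    }
}

# Constructed sample in the default W3C layout (not from a real server); the second
# request is the SystemCall that IIS rejected with 403.16.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2019-03-27 16:38:51 10.0.0.5 GET /officescan/filler/page.htm - 4343 - 10.0.0.9 Mozilla/5.0 - 200 0 0 31
2019-03-27 16:38:55 10.0.0.5 POST /officescan/osfwebapp/api/v1/SystemCall - 4343 - 10.0.0.5 - - 403 16 0 4012
'@ -split "`r?`n"

Get-OsfSystemCallStatus -LogLines $sample | Format-Table -AutoSize

# On the server: run the test request, then parse the newest log of the Apex One site.
#   svrsvcsetup.exe -testOSFWebApp      (run from the directory that contains the tool)
#   $log = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC3' -Filter *.log | Sort-Object LastWriteTime | Select-Object -Last 1
#   Get-OsfSystemCallStatus -LogLines (Get-Content $log.FullName) | Select-Object -Last 5
```

IIS buffers log writes, so the SystemCall line can take up to a minute to appear after running the test; re-run the parse rather than assuming the request never arrived.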
By default, the Apex One Server uses the web certificate "OfcOSFWebApp" from the "OfcOSF" certificate store as its client certificate. If the root certificate "OfcOSFWebAppRootCA" is deleted from "Trusted Root Certification Authorities", HTTP error 403.16 occurs when a policy is deployed from Apex Central to Apex One.
Make sure the OSF certificates are valid and all of them exist in the correct certificate stores.
Policy deployment fails because of an OSF system call failure.
- Scenario: When an iProduct is enabled, the policy status shows as "Pending: Managed Server deploying".
- Debug log (ofcdebug.log): HTTP Error 403.16 appears because the Apex One server fails to access https://<Apex One server>:<ssl port>/officescan/osfwebapp/api/v1/SystemCall
2019 03/27 12:38:51 [27b8 : 2044] (00) (I) [CGI][cgiShowClientAdm.exe]CProcessSettings::Process - >> process policy: id: [a9fab493-2ddf-4b79-8cc1-b0a24d5470e7], type_id: [15.4], update_info: [2019-03-27 16:38:43], name: [Servers] - [cgi_consolecmpolicyprocessing.cpp(2073)]
...
2019 03/27 12:38:51 [14dc : 1b88] (00) (I) [][ofcservice.exe]BoostHTTPContext::prepareContext - prepare context scheme=[https], host=[FCHC-TApexone.fchcimg.local], port=[4343], target=[/officescan/osfwebapp/api/v1/SystemCall] - [libosfsvcclienthttpcontext.cpp(236)]
...
2019 03/27 12:38:55 [14dc : 1b88] (00) (E) [][ofcservice.exe]BoostHTTPClient::receive - http response code=403 - [libosfsvcclienthttpclient.cpp(103)]
2019 03/27 12:38:55 [14dc : 1b88] (00) (I) [CMDHO2][ofcservice.exe]SendOSFServiceCall - OSF Web Service Response status=[403], http version=[11] - [cmdho2_osf.cpp(2495)]
2019 03/27 12:38:55 [14dc : 1b88] (00) (I) [CMDHO2][ofcservice.exe]SendOSFServiceCall - OSF Web Service Response bytes=[5171], body=[<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 403.16 - Forbidden</title> ... <h3>HTTP Error 403.16 - Forbidden</h3> <h4>Your client certificate is either not trusted or is invalid.</h4>
Root Cause
This issue occurs when the certificate the Apex One Server presents as its client certificate is not trusted by IIS. The Apex One server therefore fails to access https://<Apex One server>:<ssl port>/officescan/osfwebapp/api/v1/SystemCall because IIS treats the certificate as invalid.
Windows Server 2012 and later (the log above is from IIS 10.0) enforce a stricter trust check for client-certificate authentication: the 403.16 occurs when a certificate that is not self-signed is present in the Trusted Root Certification Authorities store. A typical cause is a customer installing a non-self-signed certificate (e.g. a 3rd-party-signed certificate) as the Apex One Server web certificate in that store.
Solution
- Option 1: Move any non-self-signed certificates out of the Trusted Root Certification Authorities certificate store and into the Intermediate Certification Authorities certificate store.
- Option 2: Turn on the Exclusive CA Trust mode:
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
  Name: ClientAuthTrustMode
  Type: REG_DWORD
  Value: 2
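Both options can be applied from PowerShell. The script below is an added example (not Trend Micro or Microsoft code) that implements Option 1 as a previewable move of every non-self-signed entry from Trusted Root to Intermediate Certification Authorities, and Option 2 as the registry change above. It assumes an elevated session on the Apex One server; the "non-self-signed" test (Subject differs from Issuer) is the same heuristic IIS's 403.16 check is described as tripping on, so review the -WhatIf output before moving anything.

```powershell
# Added example, not Trend Micro or Microsoft code: apply Option 1 / Option 2 from the page.
# Assumption: run in an elevated PowerShell session on the Apex One server.
Set-StrictMode -Version Latest

function Move-NonSelfSignedFromRoot {
    # Option 1: relocate certificates that do not belong in Trusted Root.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $candidates = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer })
    if ($candidates.Count -eq 0) {
        Write-Host 'No non-self-signed certificates in Trusted Root; Option 1 is not needed'
        return
    }
    foreach ($c in $candidates) {
        # Move-Item is supported by the Cert: provider and moves the entry between stores
        if ($PSCmdlet.ShouldProcess("$($c.Subject) [$($c.Thumbprint)]", 'Move from Root to Intermediate Certification Authorities (CA)')) {
            Move-Item -Path $c.PSPath -Destination 'Cert:\LocalMachine\CA'
        }
    }
}

function Enable-ExclusiveCATrust {
    # Option 2: Schannel ClientAuthTrustMode = 2 (Exclusive CA Trust), machine-wide.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
    $current = (Get-ItemProperty -Path $key -Name ClientAuthTrustMode -ErrorAction SilentlyContinue).ClientAuthTrustMode
    if ($current -eq 2) {
        Write-Host 'ClientAuthTrustMode is already 2 (Exclusive CA Trust)'
        return
    }
    if ($PSCmdlet.ShouldProcess($key, 'Set ClientAuthTrustMode (REG_DWORD) = 2')) {
        New-ItemProperty -Path $key -Name ClientAuthTrustMode -PropertyType DWord -Value 2 -Force | Out-Null
        Write-Host 'ClientAuthTrustMode set to 2. Reboot so Schannel reloads it, then re-run svrsvcsetup.exe -testOSFWebApp'
    }
}

# Preview Option 1 first; drop -WhatIf to apply it. Use Option 2 only if Option 1 is not possible.
Move-NonSelfSignedFromRoot -WhatIf
# Move-NonSelfSignedFromRoot
# Enable-ExclusiveCATrust
```

Option 1 is the smaller change: it only corrects a store that was wrong to begin with. Option 2 alters Schannel's client-certificate trust evaluation for every site on the host, not just the Apex One site, so verify other client-certificate-authenticated applications on the same server after enabling it.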