
Ofcsslagent certificate issue detected by the Troubleshooting Assistant for Server tool

    • Updated: 14 May 2020
    • Product/Version: Apex One All, OfficeScan XG
    • Platform: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
Summary

One function of the Tmlisten process is to act as an HTTP server that receives messages from the server.

When the Tmlisten process runs over HTTPS, it uses ofcsslagent as its certificate.

The certificate file is “lssacfo2.dat”. This file includes a private certificate and a public certificate.

Normally, the file size is about 2.5 KB.

[C:\Program Files (x86)\Trend Micro\OfficeScan Client\]
2019/05/02 16:07 2591 lssacfo2.dat

The Troubleshooting Assistant for Server tool detects an issue with this file.

In some cases, the file is incorrect: its size is less than 1 KB because the certificate does not have the private key.

You will find the following records in the system event logs on the agent side:

Troubleshooting Settings

The following error shows in apricot.log:

ERROR debug_log <> - [.\ths_TmHttpServerController.cpp:400][TM::HttpServer::CHttpController::SetHTTPSCertificate]HttpSetServiceConfiguration failed! , Ret = 1312

When the server sends the “Client Hello” to the agent, the agent does not respond with “Server Hello” because there is no private key on the agent side, which causes the TLS negotiation to fail.

Details

To resolve the ofcsslagent certificate negotiation failure:

  1. On the server, locate lssacfo2.dat in:

    [C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Pccnt\Common\]

    • If the file lssacfo2.dat on the agent does not match the one on the server (in this scenario, the certificate is correct on the server side):

      1. Unload the agent.
      2. Rename the lssacfo2.dat to lssacfo2.dat.bak
      3. Copy the lssacfo2.dat from the server to the agent.
      4. Reload the agent. When tmlisten.exe starts, it will load ofcsslagent certificate.
      5. Use the mmc.exe command to check the ofcsslagent on the agent. The thumbprint should be the same as on the server-side.
    • If the file lssacfo2.dat on the server is incorrect, re-create it with the command:

      1. Re-create the certificate file with the command described in the KB: Renewing/Regenerating the OfficeScan Server NTSG and ofcsslagent certificates for OfficeScan and Apex One.
      2. After re-creating this certificate, restart the Server’s master service.
      3. Unload the agent.
      4. Rename the lssacfo2.dat to lssacfo2.dat.bak.
      5. Copy the lssacfo2.dat from the server to the agent.
      6. Reload the agent.
      7. Use the mmc.exe command to check the ofcsslagent on the agent. The thumbprint should be the same as on the server-side.
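
The checks in the steps above can be scripted on the agent. The following PowerShell is an added example, not Trend Micro code: it assumes the agent path shown in the Summary, takes the server copy's path and thumbprint as operator-supplied parameters, and assumes the certificate carries "ofcsslagent" in its subject or friendly name.

```powershell
# Added example (not vendor code). $ServerFile and $ServerThumbprint are supplied
# by the operator; the certificate-store search below is an assumption.
param(
    [string]$AgentFile = 'C:\Program Files (x86)\Trend Micro\OfficeScan Client\lssacfo2.dat',
    [Parameter(Mandatory)][string]$ServerFile,   # path to a copy of the server's lssacfo2.dat
    [string]$ServerThumbprint                    # optional: thumbprint read on the server
)

function Test-CertFile {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    [pscustomobject]@{
        Path      = $item.FullName
        SizeBytes = $item.Length
        # Per the article: a healthy file is about 2.5 KB; under 1 KB lacks the private key.
        Truncated = $item.Length -lt 1KB
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$agent  = Test-CertFile -Path $AgentFile
$server = Test-CertFile -Path $ServerFile
$agent, $server | Format-Table Path, SizeBytes, Truncated -AutoSize

if ($server.Truncated) { Write-Warning 'Server copy is under 1 KB: re-create it on the server first.' }
if ($agent.Truncated)  { Write-Warning 'Agent copy is under 1 KB: the private key is likely missing.' }
if ($agent.SHA256 -ne $server.SHA256) { Write-Warning 'Agent and server files differ.' }

# Assumption: every LocalMachine store is searched because the article names none.
$x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$certs = Get-ChildItem -Path Cert:\LocalMachine -Recurse | Where-Object {
    $_ -is $x509 -and ($_.Subject -match 'ofcsslagent' -or $_.FriendlyName -match 'ofcsslagent')
}

foreach ($c in $certs) {
    [pscustomobject]@{
        Store         = ($c.PSParentPath -split '\\')[-1]
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey   # False matches the failure described in the Summary
        MatchesServer = if ($ServerThumbprint) {
            $c.Thumbprint -eq ($ServerThumbprint -replace '\s')
        } else { $null }
    }
}
if (-not $certs) { Write-Warning 'No ofcsslagent certificate found in the LocalMachine stores.' }
```

Because lssacfo2.dat holds the private certificate, keep any comparison copy of the server file access-restricted and delete it after the check.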
Category:
Troubleshoot
Solution Id:
000250378