Conflicting Apex One server DomainName and Certificate Name causes "Pending: Managed Server deploying" when deploying Apex One policy from Apex Central

    • Updated: 21 May 2020
    • Product/Version: Apex One 2019
Summary

When a policy is deployed to Apex One, the policy status remains at "Pending: Managed Server deploying".

Status: Pending Managed Server Deployment

Root Cause Analysis

The issue occurs if the hostname recorded in OfcUninst.txt does not match the one in Ofcscan.ini. This can happen if the server's hostname was changed after the Apex One server was installed.

  • Verify by comparing the value of Master_DomainName in ofcscan.ini with the value of InstallWorkstation in ofUninst.ini.
     
    By default, the ofcscan.ini and ofUninst.ini files are located in the Apex One installation directory: ..\Trend Micro\OfficeScan\PCCSRV\Log\.
     

    File comparison

  • The website certificate is issued to the IP address, but not the hostname. The Apex One server website's certificate can be checked through the MMC, under Trusted People > Certificates.

    MMC Certificates

  • The following can be seen in the Apex One ofcdebug.log, located in ..\Trend Micro\OfficeScan\PCCSRV\Log\:
    2019 08/28 18:42:43 [0c04 : 1764] (00) (I) []ofcservice.exeOSFSvcClient::setOSFServiceInfo - http url=https://apexone45:4343/officescan/osfwebapp/api/v1/SystemCall - libosfsvcclient.cpp(226)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (D) []ofcservice.exegetPFXFromCertificateStore - >>> find certificates and export PFX from keystore=OfcOSF by subject=OfcOSFWebApp - libosfsvcclientutility.cpp(260)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (D) []ofcservice.exegetPFXFromCertificateStore - find one certificat matches the subject name=OfcOSFWebApp - libosfsvcclientutility.cpp(293)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (D) []ofcservice.exegetOfcServerCertificate - encrypted roleSvc= - libosfsvcclientutility.cpp(109)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (D) []ofcservice.exegetOfcServerCertificate - roleSvc=0 - libosfsvcclientutility.cpp(115)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (D) []ofcservice.exegetCertificateFromCertificateStore - >>> query all certificates from keystore=TrustedPeople by subject=apexone45 - libosfsvcclientutility.cpp(202)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (E) []ofcservice.exegetCertificateFromCertificateStore - failed to find certificate in store, store=TrustedPeople, subjectName=apexone45 - libosfsvcclientutility.cpp(245)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (I) []ofcservice.exegetCertificateFromCertificateStore - totally query 0 certificates - libosfsvcclientutility.cpp(253)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (I) []ofcservice.exeBoostHTTPContext::prepareContext - prepare context scheme=https, host=apexone45, port=4343, target=[/officescan/osfwebapp/api/v1/SystemCall] - libosfsvcclienthttpcontext.cpp(236)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (E) []ofcservice.exeBoostHTTPContext::prepareContext::::operator () - exception: no local certificate for peer verification - libosfsvcclienthttpcontext.cpp(189)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (E) []ofcservice.exeBoostHTTPContext::prepareContext::::operator () - verify_peer() all(0/0) failed for host=apexone45 - libosfsvcclienthttpcontext.cpp(195)
    2019 08/28 18:42:43 [0c04 : 1764] (00) (E) []ofcservice.exeBoostHTTPClient::sendHTTPRequest - failed to send http request err=[handshake: certificate verify failed] - libosfsvcclienthttpclient.cpp(35)
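
The three checks above can be run together. The following PowerShell script is an added example, not Trend Micro tooling or part of the original article. It assumes the two files use plain Key=Value lines, that the Trusted People store in question is the local machine's, and that the file paths are supplied by the operator as parameters (the parameter and function names are hypothetical).

```powershell
# Added example, not Trend Micro tooling. File locations vary, so they are parameters.
param(
    [Parameter(Mandatory)] [string] $OfcscanIni,   # full path to ofcscan.ini
    [Parameter(Mandatory)] [string] $UninstFile,   # full path to the file holding InstallWorkstation
    [string] $DebugLog                             # optional: full path to ofcdebug.log
)

function Get-IniValue {
    param([string] $Path, [string] $Key)
    # Assumes plain "Key=Value" lines; Select-String matches case-insensitively.
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*(.*)$'
    $hit = Select-String -LiteralPath $Path -Pattern $pattern | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value.Trim() }
}

# Check 1: the hostname recorded at install time versus the current server name.
$master  = Get-IniValue -Path $OfcscanIni -Key 'Master_DomainName'
$install = Get-IniValue -Path $UninstFile -Key 'InstallWorkstation'

# Check 2: is there a Trusted People certificate whose subject name is the hostname?
# (Assumption: the local machine store, as viewed through the MMC snap-in.)
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
    Where-Object { $_.GetNameInfo($simpleName, $false) -eq $master })

# Check 3: the two error strings from the ofcdebug.log excerpt above.
# Old entries also match, so read the timestamps of any hits before acting on them.
$signatures = 'failed to find certificate in store', 'certificate verify failed'
$logHits = @()
if ($DebugLog -and (Test-Path -LiteralPath $DebugLog)) {
    $logHits = @(Select-String -LiteralPath $DebugLog -SimpleMatch -Pattern $signatures)
}

[pscustomobject]@{
    Master_DomainName  = $master
    InstallWorkstation = $install
    HostnamesMatch     = ($null -ne $master) -and ($master -eq $install)
    TrustedPeopleCerts = $certs.Count
    CertThumbprints    = $certs.Thumbprint -join ', '
    LogFailureLines    = $logHits.Count
    NeedsAttention     = ($master -ne $install) -or ($certs.Count -eq 0) -or ($logHits.Count -gt 0)
}
```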
    
Details

There are two options for resolving the issue:

Option 1: Install Hotfix 1141

The issue is resolved in Apex One Hotfix 1441. Trend Micro recommends you apply the latest Apex One patch to address the issue.

Option 2: Issue new certificate

If the customer does not want to apply the latest Apex One critical patch / hot fix, they will need to issue a new certificate to match the new Hostname for the Apex One server website.

 
If a 3rd-party certificate for the Apex One server website was used, it is strongly recommended to apply the latest Apex One critical patch / hot fix. Otherwise, a new 3rd-party certificate needs to be issued to match the new Master_DomainName.
 

Follow these steps to issue a new certificate to match the new Master_DomainName for the Apex One server website:

  1. Open OfcUninst.txt, modify the value of "InstallWorkStation" to be the same as the Master_DomainName in ofcscan.ini.
  2. Run Command Prompt as Administrator, and change the directory to the Apex One Server installation directory: ...\Trend Micro\Apex One\PCCSRV\.
  3. Execute the following command to generate a new certificate:
    SVRSVCSETUP.exe -GenIISCert
  4. Open IIS Manager, and choose the new certificate for Apex One server website.
Category: Troubleshoot
Solution Id: 000250575