Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Policy deployment status stuck on "Pending: Managed server deploying" on Apex Central

    • Updated:
    • 24 Jun 2020
    • Product/Version:
    • Apex Central 2019
    • Apex One 2019
    • Platform:
Summary

Policy deployment status stuck on "Pending: Managed server deploying" on Apex Central after the policy has been deployed to the agents.

In the Apex One debug log located at ...\Trend Micro\Apex One\PCCSRV\Log\ofcdebug.log it shows that there are different fingerprints for certificates.

2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - server certificate issuer=[/DC=com/DC=macausjm-glp/CN=Macau SJM GLP Enterprise CA1] subject=[/C=MO/ST=MO/L=MO/O=GLP/OU=MO/CN=hostname.domain.com] fingerprint=[aa 54 ad ce 5f 0d d5 c9 75 20 a7 cb 4c 03 cc fa 50 c9 39 67 ] for peer verification - [libosfsvcclienthttpcontext.cpp(107)]
2020 04/29 16:26:33 [3540 : 1e40] (00) (I) [][ofcservice.exe]OSFSvcClient::setOSFServiceInfo - http url=[https://hostname.domain.com:4343/officescan/osfwebapp/api/v1/SystemCall] - [libosfsvcclient.cpp(246)]
2020 04/29 16:26:33 [3540 : 1e40] (00) (D) [][ofcservice.exe]getPFXFromCertificateStore - >>> find certificates and export PFX from keystore=[OfcOSF] by subject=[OfcOSFWebApp] - [libosfsvcclientutility.cpp(233)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (1/5) local certificate issuer=[/CN=s-apo-app] subject=[/CN=s-apo-app] fingerprint=[b4 b2 f7 6e a7 89 fe 54 76 9a a5 ce ff c6 7c 38 2e ec 64 58 ] for peer verification - [libosfsvcclienthttpcontext.cpp(146)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (1/5) local certificate is not matched for peer verification, error=fingerprint doesn't match - [libosfsvcclienthttpcontext.cpp(164)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (2/5) local certificate issuer=[/CN=hostname.domain.com] subject=[/CN=hostname.domain.com] fingerprint=[a2 cc 76 96 55 9a 81 39 a0 23 1b e3 1c 7e 8e c3 e4 b0 fe 14 ] for peer verification - [libosfsvcclienthttpcontext.cpp(146)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (2/5) local certificate is not matched for peer verification, error=fingerprint doesn't match - [libosfsvcclienthttpcontext.cpp(164)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (3/5) local certificate issuer=[/CN=OfcOSFWebAppRootCA] subject=[/CN=OfcOSFWebApp] fingerprint=[8e 4f 55 f4 6c 55 55 ea ea 75 02 8f f1 d3 2e d8 35 56 c6 32 ] for peer verification - [libosfsvcclienthttpcontext.cpp(146)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (3/5) local certificate is not matched for peer verification, error=fingerprint doesn't match - [libosfsvcclienthttpcontext.cpp(164)]
2020 04/29 16:26:33 [3540 : 1e40] (00) (D) [][ofcservice.exe]getPFXFromCertificateStore - find one certificat matches the subject name=[OfcOSFWebApp] - [libosfsvcclientutility.cpp(266)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (4/5) local certificate issuer=[/CN=adminjohn] subject=[/CN=adminjohn] fingerprint=[5e 51 55 fa 85 83 22 7e 20 9e 65 f2 ce 5b a5 1a 85 bc e9 39 ] for peer verification - [libosfsvcclienthttpcontext.cpp(146)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (4/5) local certificate is not matched for peer verification, error=fingerprint doesn't match - [libosfsvcclienthttpcontext.cpp(164)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (5/5) local certificate issuer=[/CN=hostname.domain.com] subject=[/CN=hostname.domain.com] fingerprint=[3a b4 c1 9b 28 bc c2 e9 2d a0 f3 89 27 0b e4 03 5a e3 2e e3 ] for peer verification - [libosfsvcclienthttpcontext.cpp(146)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (D) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - (5/5) local certificate is not matched for peer verification, error=fingerprint doesn't match - [libosfsvcclienthttpcontext.cpp(164)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (E) [][ofcservice.exe]BoostHTTPContext::prepareContext::::operator () - verify_peer() all(5/5) failed for host=[hostname.domain.com] - [libosfsvcclienthttpcontext.cpp(187)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (E) [][ofcservice.exe]BoostHTTPClient::sendHTTPRequest - failed to send http request err=[handshake: certificate verify failed] - [libosfsvcclienthttpclient.cpp(33)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (E) [][ofcservice.exe]SendAndRecvOSFServiceCallU8 - err: failed to send http request - [libosfsvcclientapi.cpp(243)]
2020 04/29 16:26:33 [3540 : 37e8] (00) (I) [CMDHO2][ofcservice.exe]SendAndRecvOSFServiceCall - Failed to SendAndRecvOSFServiceCallW. Error=-97 - [cmdho2_osf.cpp(2846)]

Root Cause Analysis

The certificate OfcOSFWebApp is missing in Apex One certificate store. This causes a failure to query and return the policy status to Apex Central causing the error "pending managed server deploying".

Details
Public

To resolve this, generate new set of OfcOSF certificates

  1. Remove the current OSF certificates and generate a new set of certificates.
    1. Manually delete the following certificates:

      Trusted Root Certification Authorities > Certificates > OfcOSFWebAppRootCA

      Trusted People > Certificates > OfcOSFWebApp

      OfcOSF > Certificates > OfcOSFWebApp

    2. Rebuild the certificate by running the command:

      OfcSvcConfig.exe -FuncId InstallOSFCertificate -server_pccsrv_dir_path "C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV" -osf_cert_password trend -apppoolname OfficeScanOSFAppPool -output_file "C:\Windows\OFCMAS1.LOG"

     
    Open the Ccmmand protmpt as administrator and navigate to ...\Trend Micro\Apex One\PCCSRV\. The password is "trend".
     
  2. Check the IIS setting for osfwebapp site.
    1. Open IIS Manager.
    2. Ensure the setting "Require SSL" is enabled on the following sites.

      OfficeScan\osfwebapp\
      OfficeScan\officescan_iac\osf
      OfficeScan\officescan_iesconsole\osf

    3. Select Require SSL .
    4. Select Accept under Client certificates.

Premium
Internal
Partner
Rating:
Category:
Troubleshoot
Solution Id:
000255970
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.