IBM Support

Guardium Data Encryption Registration Error: "server name sent by agent does not match the name of the security server"

Troubleshooting


Problem

The host agent cannot be registered; the registration process fails with the error message "server name sent by agent does not match the name of the security server". The issue arises from a mismatch between the name provided in the Certificate Signing Request ("CSR") and the name presented by the Certificate Authority ("CA").

Symptom

Installation of the agent fails.

Registration of the agent fails during certificate signing as follows:

Welcome to the Vormetric Encryption Expert File System Agent
Registration Program.
.....
Generating certificate signing request for the kernel component...done.

Signing certificate...unsuccessful.

The server returned an error:

--> 400 Security server name sent by agent, "gde-dsm" does not match the name of the security server, "gde-dsm.ibm.com"

The server returned an error - 400 Security server name sent by agent, "gde-dsm" does not match the name of the security server, "gde-dsm.ibm.com"

Certificate signing was unsuccessful.

Agent registration was unsuccessful.

Cause

The Guardium Data Encryption Expert ("GDEE", "GDE", "DEE") Data Security Manager ("DSM") generates a self-signed security Certificate Authority ("CA") which it uses to sign all other certificates used within the system. During registration, the agent generates several certificates and submits a Certificate Signing Request ("CSR") to the DSM CA for each one. In order for the certificate signing requestor to trust the CA, the name specified in the CSR and the name presented by the CA must match. In the case of this particular error, the names do not match.

Diagnosing The Problem

If a new agent installation has failed, view the latest install log in /var/log/vormetric/install.fs.log.<date stamp>. The last few lines of the install log will match the message shown in the "Symptom" section above.

The end user controls the name presented in the CSR and can thus validate the information in the CSR.

The information presented by the Certificate Authority cannot be viewed directly; however, the certificate for the Management Console interface is signed by the CA, so its Issuer field shows the name the CA carries. To view the DSM certificate, run the following command from a Linux/Unix environment or a CYGWIN terminal on Windows. Note that in the example command and output below, the server name "gde-dsm.ibm.com" should be replaced with the hostname of the DSM.

$ echo | openssl s_client -connect gde-dsm:8445 2>/dev/null | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:13:dd:9b:1b:91
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CG CA (S) on gde-dsm.ibm.com, OU=dm-support, O=IBM, L=san jose, ST=ca, C=US
        Validity
            Not Before: Nov  6 03:25:06 2014 GMT
            Not After : Nov  6 03:25:06 2024 GMT
        Subject: CN=gde-dsm.ibm.com, OU=dm-support, O=IBM, L=san jose, ST=ca, C=US
... output truncated ...

If the name of the DSM provided during registration does not match the name presented in this certificate, the CSR will be rejected.
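The comparison described above can be scripted once the certificate text has been saved to a file. The following shell script is an added example and is not part of the IBM technote or the GDE product: it pulls the Subject CN and the Issuer CN out of the `openssl x509 -noout -text` output, compares the Subject CN with the name the agent was given, and reports which of the two resolutions below applies (the agent used a short name of the certificate's name, or the certificate itself carries the wrong name). The sample certificate text is constructed from the example output in this technote; the alias hostname in the walk-through is made up.

```shell
#!/bin/sh
# Added example (not part of the IBM technote): compare the DSM name an agent
# was given at registration with the name carried by the DSM certificate, using
# the text that `openssl s_client ... | openssl x509 -noout -text` prints.

# Print the CN from the first "Subject:" or "Issuer:" line of x509 text output.
# $1 = "Subject" or "Issuer"; the certificate text is read from stdin.
cert_cn() {
    sed -n "s/^[[:space:]]*$1:.*CN=\([^,]*\).*/\1/p" | head -n 1
}

# Compare the agent's name against the certificate and say which fix applies.
# $1 = name the agent sent (the DSM name entered at registration)
# $2 = file holding the certificate text
# Returns 0 when the names match, 1 when the agent used a short name of the
# certificate's name (re-register with the full name), 2 when the certificate
# itself carries the wrong name (regenerate the CA), 3 when no CN was found.
check_dsm_name() {
    agent_name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cert_name=$(cert_cn Subject < "$2" | tr '[:upper:]' '[:lower:]')
    # The issuer CN has the form "CG CA (S) on <hostname>"; keep the hostname.
    ca_name=$(cert_cn Issuer < "$2" | sed 's/^.* on //' | tr '[:upper:]' '[:lower:]')

    if [ -z "$cert_name" ]; then
        echo "ERROR: no Subject CN found in $2"
        return 3
    fi
    if [ "$agent_name" = "$cert_name" ]; then
        echo "OK: '$1' matches the DSM certificate (CA on '$ca_name')"
        return 0
    fi
    case "$cert_name" in
        "$agent_name".*)
            echo "MISMATCH: agent sent short name '$1' but the certificate is for '$cert_name'; re-register with the full name"
            return 1
            ;;
    esac
    echo "MISMATCH: certificate is for '$cert_name' (CA on '$ca_name'), not '$1'; if '$1' is the correct name, regenerate the CA with 'security genca'"
    return 2
}

# Constructed sample input, taken from the technote's example certificate
# (only the lines the check needs are kept).
SAMPLE_CERT=$(mktemp)
trap 'rm -f "$SAMPLE_CERT"' EXIT
cat > "$SAMPLE_CERT" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=CG CA (S) on gde-dsm.ibm.com, OU=dm-support, O=IBM, L=san jose, ST=ca, C=US
        Subject: CN=gde-dsm.ibm.com, OU=dm-support, O=IBM, L=san jose, ST=ca, C=US
EOF

# Walk through the three cases: the correct name, the short name from the
# error message in this technote, and a made-up alias that the CA does not carry.
for name in gde-dsm.ibm.com gde-dsm dsm-alias.ibm.com; do
    check_dsm_name "$name" "$SAMPLE_CERT" || echo "  (exit status $?)"
done
```

To use it against a live DSM, save the output of the openssl command above to a file and call `check_dsm_name <name entered at registration> <file>`; the comparison is case-insensitive because DNS names are, and only the first Subject CN is used since the DSM certificate carries a single one.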

Resolving The Problem

There are two different ways to resolve this problem, depending upon the situation.

If the name presented by the CA is not the correct name (a short name or an alias, for example), regenerate the Certificate Authority as shown below.

Regenerating the Certificate Authority will invalidate ALL existing certificates and this step cannot be undone. All existing hosts and High Availability ("HA") failover servers will cease communication with the security server and must be re-registered.
1. Connect to the DSM Command-Line Interface ("DSM-CLI", "CLI") as the "cliadmin" user.
$ ssh gde-dsm.ibm.com -l cliadmin

0000: vormetric$

2. Switch to the "system" command menu, run "security genca" and follow the prompts. All of the data shown in the "Issuer" line of the certificate comes from this script. To accept the default value (shown in brackets), leave the field blank.

If the default hostname is not the desired hostname, this indicates an underlying problem with name resolution and will cause different problems with the security server software. Complete the program, fix the network name issues and re-run this command.

0000: vormetric$ system

0001: system$ security genca


WARNING: All Agents and Peer node certificates will need to be re-signed after CA and server certificate regenerated, and the security server software will be restarted automatically!
Continue? (yes|no)[no]:yes
This computer may have multiple IP addresses. All the agents will have to connect to Security Server using same IP.
Enter the host name of this computer. This will be used by Agents to talk to this Security Server.
This Security Server host name[gde-dsm.ibm.com]:
Please enter the following information for key and certificate generation.
What is the name of your organizational unit? []:dm-support
What is the name of your organization? []:IBM
What is the name of your City or Locality? []:san jose
What is the name of your State or Province? []:ca
What is your two-letter country code? [US]:
Regenerating the CA and server certificates now...

SUCCESS: The CA and security certificates are re-generated and the Security Server software is restarted.

Regenerating CA will make certificates at failover servers and agents invalid. You may need to:
- Re-sign certificates at each failover server
- Cleanup and re-register each agent
3. Re-register all existing agents.
  • On the DSM, log in to the Management Console, open the "hosts" page and click on the hostname.
    1. Clear the existing registration by unchecking the "Registration Allowed" checkbox.
    2. Dismiss the Javascript pop-up and click on "Apply".
    3. Check the "Registration Allowed" checkbox and click on "Apply".
    4. Check the "Communication Enabled" checkbox if appropriate to your security posture.
  • On each host, run the registration cleanup command followed by the registration command as root:

    # /opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host clean

    ... output truncated ...

    # /opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host

    ... output truncated ...

4. Re-configure High Availability failover servers. A full description of failover configuration is outside of the scope of this document.

If the name presented by the CA is the correct name, retry the agent registration, entering that name as the security server name, with the following command on Linux/Unix:

# /opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host

On Windows, host registration is performed by right-clicking on the Vormetric icon in the system tray and selecting "Register Host" from the pop-up menu.


Document Information

Modified date:
16 June 2018

UID

swg21694500