Log monitoring agent not communicating with server after enabling SSL
Error trace in agent logs:
2016/09/20 00:22:49:235 InternetGetRequestEx : The request is updated with the internet option security flags.
2016/09/20 00:22:49:251 InternetGetRequestEx : Error in WinHttpSendRequest -> -2146892963
2016/09/20 00:22:49:251 Error code : -2146892963, Error Message : One or more of the parameters passed to the function was invalid.
Root cause:
The issue appeared after a recent Cumulative Security Update for Internet Explorer and Windows. After the update, the agent's WinHttpSendRequest call, which registers the agent with the OpManager server, fails with -2146892963 (0x8009035D, Schannel's SEC_E_INVALID_PARAMETER): the agent machine and the OpManager web server no longer have a TLS protocol version and cipher suite in common that both sides will accept, so the handshake is rejected before any request is sent.
Solution:
In OpManager server:
- Stop the OpManager service.
- Open \\OpManager\tomcat\conf\backup\ssl_server.xml, add the ciphers attribute below to the <Connector> tag and save the file. (If the tag already has a ciphers attribute, append these suites to its comma-separated list instead of replacing it.) The two 3DES suites are legacy 64-bit-block ciphers and are only there for agents that cannot negotiate AES; remove them from the list once every agent has been updated.
ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
For example:
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="0.0.0.0"
           clientAuth="false" compressableMimeType="text/html,text/xml" compression="force"
           compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true"
           enableLookups="false" keystoreFile="WEBNMS_ROOT_DIR/conf/OPMTrans.key"
           keystorePass="opmanager" maxThreads="150" minSpareThreads="3"
           noCompressionUserAgents="gozilla, traviata" port="WEBSERVER_PORT" protocol="HTTP/1.1"
           scheme="https" secure="true" sslProtocol="TLS"
           ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
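After restarting OpManager, it is worth confirming from an agent machine which protocol version and cipher the server will actually negotiate, rather than assuming the edited ssl_server.xml took effect. The script below is an added example, not part of the OpManager product or this article: it opens a TLS connection with .NET's SslStream (which uses the same Schannel cipher suite set as the agent's WinHTTP, although WinHTTP keeps its own default protocol list) once per protocol version and reports the result. The host name and port are assumptions; replace them with your OpManager server and the WEBSERVER_PORT from ssl_server.xml. A Cipher value of TripleDes means the 3DES fallback suite was chosen, which is the case to clean up once the agents are updated.

```powershell
# Added example (not OpManager's own tooling). Run on the agent machine.
param(
    [string]$Server = 'opmanager.example.local',   # assumption: your OpManager host
    [int]$Port      = 8443                         # assumption: WEBSERVER_PORT in ssl_server.xml
)

function Test-OpManagerTls {
    param(
        [string]$TargetHost,
        [int]$TargetPort,
        [System.Security.Authentication.SslProtocols]$Protocols
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $TargetPort)
        # OpManager ships a self-signed certificate in OPMTrans.key, so this diagnostic
        # accepts any certificate. Do not reuse this callback in production code.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocols, $false)
        [pscustomobject]@{
            Offered     = $Protocols
            Negotiated  = $ssl.SslProtocol
            Cipher      = '{0}-{1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            Hash        = $ssl.HashAlgorithm
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Result      = 'OK'
        }
    } catch {
        # A "cannot communicate, because they do not possess a common algorithm" message
        # here is the same mismatch the agent log reports as -2146892963.
        [pscustomobject]@{
            Offered     = $Protocols
            Negotiated  = $null
            Cipher      = $null
            Hash        = $null
            KeyExchange = $null
            Result      = $_.Exception.GetBaseException().Message
        }
    } finally {
        $tcp.Close()
    }
}

# Offer one protocol version at a time so the table shows exactly which versions the
# server still accepts and which cipher it picks for each.
'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-OpManagerTls -TargetHost $Server -TargetPort $Port `
        -Protocols ([System.Security.Authentication.SslProtocols]$_)
} | Format-Table -AutoSize
```

Run it before and after editing ssl_server.xml: a row that fails before and succeeds after shows the new ciphers attribute is live, and the Cipher column tells you whether any agent is still being served the 3DES suite.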
In Agent machine:
- Stop the OpManager Agent and Agent Helper services.
- Delete the log files under the \\OpManagerAgent\monitoring\logs folder.
- On the agent machine, open Internet Explorer -> Tools -> Internet Options -> Advanced tab and, under Security, tick 'Use TLS 1.0', 'Use TLS 1.1' and 'Use TLS 1.2'. Repeat this on every agent device that shows the problem.
- Start the OpManager Agent and Agent Helper services.
- Check that the OpManager web client can be opened over HTTPS from Internet Explorer on the agent machine.
- Check that the 'Agent not communicating' alarm clears once the agent communicates. Make sure the agent is mapped to the correct discovered device in OpManager so that data collection resumes.
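When many agents are affected, clicking through Internet Options on each one does not scale. The script below is an added example, not OpManager's own tooling: it performs the agent-side steps above in one run, setting the TLS checkboxes through the registry value they are stored in (SecureProtocols under the per-user Internet Settings key, a bitmask where SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200 and TLS 1.2 = 0x800). The service display names and the agent install path are assumptions taken from the steps above; adjust them to your installation. Note that HKCU is the hive of the account running the script, so if the agent services run under a different account, apply the same value in that account's hive.

```powershell
# Added example (not OpManager's own tooling). Run as an administrator on each agent.
#Requires -RunAsAdministrator
$AgentServices = 'OpManager Agent', 'Agent Helper'                   # assumption: display names from the steps
$AgentLogDir   = 'C:\Program Files\OpManagerAgent\monitoring\logs'   # assumption: default install path

# Internet Options -> Advanced -> "Use TLS 1.x" checkboxes are stored as a bitmask here.
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Ssl30 = 0x20; $Tls10 = 0x80; $Tls11 = 0x200; $Tls12 = 0x800

function Get-SecureProtocols {
    $v = (Get-ItemProperty -Path $InetKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $v) { return 0 }   # value absent: IE is using its built-in defaults
    return [int]$v
}

function Enable-TlsVersions {
    # Keep any other bits already set (e.g. TLS 1.3 on newer builds), add TLS 1.0-1.2,
    # and explicitly clear SSL 3.0, which the agent never needs and which is exploitable.
    $old = Get-SecureProtocols
    $new = ($old -bor $Tls10 -bor $Tls11 -bor $Tls12) -band (-bnot $Ssl30)
    if ($new -ne $old) {
        Set-ItemProperty -Path $InetKey -Name SecureProtocols -Value $new -Type DWord
    }
    '{0}: SecureProtocols 0x{1:X} -> 0x{2:X}' -f $env:COMPUTERNAME, $old, $new
}

# 1. Stop the agent services (missing service names are skipped rather than failing).
foreach ($name in $AgentServices) {
    Get-Service -DisplayName $name -ErrorAction SilentlyContinue | Stop-Service -Force -PassThru
}

# 2. Clear the agent logs so the next run shows only the post-fix behaviour.
if (Test-Path $AgentLogDir) {
    Get-ChildItem -Path $AgentLogDir -Recurse -File | Remove-Item -Force
}

# 3. Enable TLS 1.0, 1.1 and 1.2 (the Internet Options checkboxes).
Enable-TlsVersions

# 4. Start the services again and show their state.
foreach ($name in $AgentServices) {
    Get-Service -DisplayName $name -ErrorAction SilentlyContinue | Start-Service -PassThru
}
```

After the services come back up, watch the new log files under the logs folder for the InternetGetRequestEx lines: the -2146892963 error should no longer appear, and the 'Agent not communicating' alarm should clear on the server.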
reference regarding security update: