Solved: IPS update from CSM 4.3

emmanuel.shoroma · ‎01-17-2013

Hi,

I am trying to download IPS updates from cisco.com using CSM (version 4.3) but it is not working. It was working fine all along until it stopped two days ago. I checked the server can connect to internet without any problems. I can use the same cisco credentials for manual updates and also works perfect.

confirmed the setti settings on CSM, all still intact. reconfigured the details and still the same issue. I am getting the following error

"unable to communicate with locator service to retrive available files"

Note i just just same crendentials on my LAB IPS and did setup auto update and it worked fine.

any idea what the problem might be?

Regards,

mronayne · ‎01-25-2013

There is a new workaround for CSCue16970, based on adding the required certificate to the CSM server.

1.) Manually download Cybertrust's CA certificate from https://www.cybertrust.ne.jp/SureServer/file/root_ca/BCTRoot.txt .

2.) Save this file as 'trusted.998.crt' in text format and ensure that no extra characters or new lines are added to the original content. Keep in mind that certain Web browsers may add HTML codes when saving text files, so be sure to edit them out.

3.) Exit/close any/all instances of CSM client applications (Configuration Manager, Event Viewer, Health and Performance Monitor, Report Manager, etc.)

4.) On the CSM server, stop the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net stop CRMDmgtd'.

5.) On the CSM server, copy the 'trusted.998.crt' file to the 'CSCOpx\MDC\Apache\conf\ssl' directory.

6.) On the CSM server, start the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net start CRMDmgtd'.

View solution in original post

sdata · ‎01-21-2013

Have the same problem

mronayne · ‎01-22-2013

This might be CSCue16970 CSM: IPS Updates from Cisco.com Fail Due to Lack of Cybertrust Root Cert

You could check if your Apache Tomcat log file at

CSCOpx\MDC\tomcat\logs\stdout.log contains entries similar to the following:

"AutoDownloadJob:: get available files.....
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificateChain(Unknown Source)"


If so, you could try the workaround associated with the defect

1.) Manually download the desired IPS signature update package file(s) from:
http://software.cisco.com/portal/pub/download/portal/select.html?&mdfid=280033778&softwareid=282773979

2.) Save or copy the file(s) into the CSCOpx\MDC\ips\updates directory. Default installation drive letters and paths are:
32-bit Operating Systems:
C:\Program Files\CSCOpx\MDC\ips\updates
64-bit Operating Systems:
C:\Program Files (x86)\CSCOpx\MDC\ips\updates

3.) From the CSM Configuration Manager (client application) > Tools menu > Security Manager Administration... > IPS Updates section, click the Refresh button.
4.) Deploy the package as desired (per normal).

sdata · ‎01-22-2013

Thanks! The workaround works just fine.

The description of CSCue16970 at this moment is not available: it is under review.

mronayne · ‎01-25-2013

There is a new workaround for CSCue16970, based on adding the required certificate to the CSM server.

1.) Manually download Cybertrust's CA certificate from https://www.cybertrust.ne.jp/SureServer/file/root_ca/BCTRoot.txt .

2.) Save this file as 'trusted.998.crt' in text format and ensure that no extra characters or new lines are added to the original content. Keep in mind that certain Web browsers may add HTML codes when saving text files, so be sure to edit them out.

3.) Exit/close any/all instances of CSM client applications (Configuration Manager, Event Viewer, Health and Performance Monitor, Report Manager, etc.)

4.) On the CSM server, stop the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net stop CRMDmgtd'.

5.) On the CSM server, copy the 'trusted.998.crt' file to the 'CSCOpx\MDC\Apache\conf\ssl' directory.

6.) On the CSM server, start the 'Cisco Security Manager Daemon Manager' service by issuing the following command: 'net start CRMDmgtd'.

Ross Phillips · ‎01-23-2013

HI there, I had the same problem.

This is due to CSM going to www.cisco.com for its updates where everything else goes to cisco.com

If your server is going direct for updates then add the following into the host file

72.163.4.161 www.cisco.com

If using a proxy and your able then add that entry onto the proxys host file.

Im back online now with no problems.

emmanuel.shoroma · ‎01-25-2013

Hi, I tried updating the hostfile but no luck. However, I did follow the workaround as on the link below, now the certificare error seem to be sorted as I don't see that anymore but I am getting the following error

(Fatal, Description: Handshake Failure) when tracing with wireshack.

https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&page=bstBugDetail&BugID=CSCue16970