logo

Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

App Control: API Unable to Connect Due to Insecure Certificate

App Control: API Unable to Connect Due to Insecure Certificate

Environment

  • App Control Server (formerly CB Protection): All Supported Versions

Symptoms

  • API access shows "API is Not Reachable" under Administration (Gear) > System  Configuration
  • Able to access https://servername/api/bit9platform page
  • API error log found in C:\Program Files (x86\Bit9\Parity Console\WebUI\Logs shows repeated API Authentication error 0
  • Console Certificate Signature Algorithm is SHA1

Cause

  • While most Self Signed certificates will work, certain security issues will cause this certificate to fail
  • Typically this falls into an issue with the Subject name (default server name) not being listed in the Subject Alternate Name field
  • This causes SSL connections to fail saying the SSL traffic is not secure
  • API also requires SHA256 algorithm

Resolution

Generate a new certificate which will allow the connection
  1. Create a new folder that's in an easy location to get to, such as C:\Certificate\
  2. Copy the contents of the folder C:\Program Files (x86)\Bit9\Parity Server\Cert\ into the folder created
  3. Create a text file in the new folder called OpenSSLConfig.txt and Copy in the contents below
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = MA
L = Waltham
O = Bit9, Inc.
OU = Support
CN = **ENTER THE FULL FQDN OF THE SERVER**
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = **ENTER THE FULL FQDN OF THE SERVER**
DNS.2 = **ENTER THE ANY OTHER FQDN's OF THE SERVER**
DNS.3 = **ENTER IN THE IP OF THE SERVER**
IP.1 = **ENTER IN THE IP OF THE SERVER**
  1. Open an administrative command prompt and navigate to the folder created
  2. Run the following commands making sure to enter the respective details
openssl.exe req -x509 -nodes -days 730 -newkey rsa:2048 -keyout C:\FOLDERYOUCREATED\cert.pem -out C:\FOLDERYOUCREATED\cert.pem -config
C:\PathToConfigFileAbove\OpenSSLConfig.txt
  1. Once that completes run the following command
openssl.exe pkcs12 -export -out C:\FOLDERYOUCREATED\cert.pfx -in C:\FOLDERYOUCREATED\cert.pem -name "CERTIFICATENAME" -passout
pass:ENTERPASSWORD
  1. Import the certificate in IIS by navigating to the server name on the left. Then selecting Certificates
  2. Once Imported select the Carbon Black Protection site on the left > Then select the Bindings options on the right
  3. Double click the HTTPS binding, and select the new certificate

Related Content


Labels (1)
Labels:
Was this article helpful? Yes No
No ratings
Article Information
Author:
CB_Support
Creation Date:
‎10-09-2020
Views:
1026
Contributors
logo

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.