SYM-AJ
Level 5
5 years ago
Solved

Upgrade of Client from 8.0 to 8.2 - status 26 - Client Server handshaking failed

I have upgraded the Ops Center, Master Server and a number of clients in a fairly small NBU environment from 8.0 to 8.2 - all is well.

I am attempting to upgrade the remaining clients (DMZ based) but am having an issue when attempting the upgrade to 8.2.  As these are at 8.0 there are currently no certs installed - obviously 8.2 requires certs.  The clients are currently functioning perfectly with the 8.2 master.

I have confirmed that ports 1556, 13782 and 13724 are open in the firewall between master and client, and also HTTPS traffic is allowed.

When I start the client install/upgrade I am selecting CUSTOM, checking all the values and after system names screen I get an error "Could Not Determine Master Server Certificate Mode".  This details command status 26, The external CA usage information could not be retrieved.  Exit status 26:  client/server handshaking failed.

Is there something else I am missing here in terms of firewall requirements ?

Security level on Master is set to MEDIUM.

Any NBCERTCMD options I try from the client fail - thinking this must be firewall......

BPTESTBPCD is good, BPCLNTCMD is good.

Thoughts ??

AJ.

 

 

  • OK - I got confirmation from the network team as to what they did to get this working.....

    The correct ports were allowed, as was https - but comms could ONLY be initiated by the Master Server.  They changed the rule to allow bi-directional initiation of comms on these ports and all upgrades went perfectly.

    So it looks like during the upgrade process, when it is requesting certs, the client is initiating comms (not sure on which port(s)) - and therefore the firewall must allow both the master and the client to initiate communications.

    The ports we have allowed are 1556, 13782, 13724 and https (443).

    If someone wants to mark this as the solution I would appreciate it - as I was 'shot' last time I marked one of my own answers as the solution......

    Thanks for all the input.

    AJ

  • From what you are saying, you have all the required ports open (1556 & 443). Trying a nbcertcmd on a lab system I have indicates it uses port 1556 for the connection (I actually thought it used https).

    Is any NAT involved - this could be causing problems.

    Can you enable firewall logging to see if the packets are received or blocked?

    Other thing to check would be the install logs - there should be one called ExternalCertificateOp.<timestamp> on the client.

    Agreed the problem appears to be firewall related.

     

    • davidmoline
      Level 6

      Another thought - does the CA certificate for the master use a short name? And are you specifying a FQDN from the client - this might cause problems also (you may need to add a host mapping to the master server or use the short name on the client) - see example output below

      The target server master.lab.ad could not be authenticated.
      The server name does not match any of the host names listed in the server's certificate.
      Names listed in the server's certificate are:
      DNS:MASTER
      The external CA usage information could not be retrieved.
      EXIT STATUS 8509: The specified server name was not found in the web service certificate
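
An added example, not posted by anyone in this thread and not Veritas code: a Python check for the fix described in the accepted solution, that both the master and the client must be able to initiate connections on 1556, 13782, 13724 and 443. Run it on the client against the master and again on the master against the client; the host name `master.example` is a placeholder and the three result labels are this example's own.

```python
import errno
import socket
import sys

# Ports named in the accepted solution in this thread.
PORTS = (1556, 13782, 13724, 443)


def probe(host, port, timeout=3.0):
    """Initiate one TCP connection from this host and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: initiation is allowed
    except ConnectionRefusedError:
        # A reset came back, so nothing dropped the packet silently. Either no
        # service listens on that port there, or a firewall rejects with RST.
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"        # no answer at all: typical of a DROP rule
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"    # ICMP unreachable from a router or firewall
        return "error: %s" % exc  # e.g. the name did not resolve


def check_direction(host, ports=PORTS, timeout=3.0):
    """Probe every port towards host; returns {port: result}."""
    return {port: probe(host, port, timeout) for port in ports}


def blocked_ports(results):
    """Ports where initiation from this side was silently dropped."""
    return sorted(p for p, state in results.items() if state == "filtered")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "master.example"
    results = check_direction(target)
    for port, state in sorted(results.items()):
        print("%s:%d -> %s" % (target, port, state))
    blocked = blocked_ports(results)
    if blocked:
        print("cannot initiate from this host on: %s" % blocked)
        sys.exit(1)
```

Which ports should report `open` depends on which services listen on the target host; a `filtered` result in only one direction matches the one-way firewall rule described in the solution.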