Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Linux Agent communication errors when FIPS is enabled

            Modified on Thu, 7 Nov at 3:43 PM

            Error Messages:

            The Leostream Agent may log the following error messages when a Linux desktop is FIPS-enabled.


            WRN: Unable to register with Connection Broker(xx.xx.xx.xx); next attempt in 40 sec

            ERR: Server.Register failed, broker(xx.xx.xx.xx). Unable to connect to url(https://xx.xx.xx.xx:443/RPC2), message: Failed to read server's response: certificate_unknown(46)


            Summary:

            FIPS requires a signed certificate for communication with the Connection Broker.   Sites running Linux desktops with FIPS enabled must provide a signed certificate to resolve the issue.


            Resolution: 

            Follow the instructions below to allow the Leostream Linux Agent to contact the Connection Broker when FIPS is enabled 


            1. On the desktop, disable FIPS 

                        fips-mode-setup  --disable


            2. On the desktop, install the Leostream Agent


            3. On the desktop, verify the Leostream Agent can contact the Connection Broker in the /var/log/leostreamagent.log file

                        Registered with broker(xx.xx.xx.xx), cluster(yyyyyyyyyyyyyyyyyyyyyy), version 202x.x.x


            4. On the Connection Broker, verify the Connection Broker can communicate with the Leostream Agent on the desktop from the Connection Broker's Resources > Desktops page, using the 'Status' link


            5. On the desktop,  stop the Leostream Agent service

                       systemctl stop leostreamagentd.service


            6. On the desktop, optionally create signed Connection Broker CA Cert.  Skip this step if you have a site provided signed certificate  

            •  openssl s_client -connect {broker_ip}:443 2>/dev/null > broker.txt
            •  sudo keytool -importcert -file broker.txt -trustcacerts -alias broker -keystore /opt/leostreamagent/certs/cacerts

                        Enter keystore password (any value)

                        Trust this certificate = Yes   


            7. On the desktop, optionally create Desktop Certificate. Skip this step if you have a site provided signed certificate  

            • openssl genrsa -out server.key 2048
            • openssl rsa -in server.key -out server.key
            • openssl req -sha256 -new -key server.key -out server.csr -subj '/CN=localhost/O=Leostream Corporation'
            • openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
            • cat server.crt server.key > cert.pem


            8. On the desktop,  create the 'tpc' folder in the agent_installation_folder and copy the certificate to it.   By default, the installation folder is /opt/leostreamagent

            • mkdir /opt/leostreamagent/tpc
            • cp cert.pem /opt/leostreamagent/tpc


            9. On the desktop,  enable FIPS 

                        fips-mode-setup  --enable


                ** You must reboot the desktop to enable FIPS.   The Leostream Agent will restart on reboot


            10. On the desktop, verify the Leostream Agent can contact the Connection Broker in the /var/log/leostreamagent.log file

                        Registered with broker(xx.xx.xx.xx), cluster(yyyyyyyyyyyyyyyyyyyyyy), version 202x.x.x


            11. On the Connection Broker, verify the Connection Broker can communicate with the Leostream Agent on the desktop from the Connection Broker's Resources > Desktops page, using the 'Status' link

             

            Preview
            0 of 0