Resolving connectivity issues between Client Security for Mac and Policy Manager - F-Secure Community
<main> <article class="userContent"> <h1>Resolving connectivity issues between Client Security for Mac and Policy Manager</h1> <p>If you experience connectivity issues between Client Security for Mac and Policy Manager where the host is not being registered, open the Policy Manager Server welcome page in Safari over HTTPS, using exactly the same Policy Manager address that was used to export the mpkg package. If you get a certificate warning before the welcome page content loads, follow the steps given here to establish a proper trust relationship. </p> <div>Starting with macOS 11.0 Big Sur, Client Security for Mac can no longer modify the system certificate trust settings, but a trust relationship is still required for secure communication with Policy Manager instances that are addressed by a DNS name. If the root CA certificate used by Policy Manager is not set as trusted in the macOS System keychain, Safari shows an error message in the certificate details when you open your Policy Manager address:<br><img src="https://us.v-cdn.net/6032052/uploads/5J2GSTVO9F6K/cs-mac-pm-connectivity-issue-1.png" alt="image" class="embedImage-img importedEmbed-img"></img><br></div> <p>So starting with macOS 11.0, the Policy Manager root CA certificate has to be explicitly trusted in the System keychain (macOS accepts certificates with <code class="code codeInline" spellcheck="false" tabindex="0">.cer</code> or <code class="code codeInline" spellcheck="false" tabindex="0">.pem</code> extensions). If you do not have an intermediate CA of your own trusted for use as the Policy Manager CA within your company, you can continue using the automatically generated one on the Mac hosts within your company. </p>
<ol><li> To export the CA certificate, run this command on the computer where Policy Manager Server is installed: <ul><li>For Windows: <pre class="code codeBlock" spellcheck="false" tabindex="0">"c:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -keystore "c:\Program Files (x86)\F-Secure\Management Server 5\data\fspms-ca.jks" -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected</pre> </li> <li>For Linux: <pre class="code codeBlock" spellcheck="false" tabindex="0">/opt/f-secure/fspms/jre/bin/keytool -keystore /var/opt/f-secure/fspms/data/fspms-ca.jks -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected</pre> </li> </ul></li> <li> Transfer <code class="code codeInline" spellcheck="false" tabindex="0">fspms-ca.cer</code> to the Mac host and run the following command to trust it at the system level (you will be prompted for an administrator password): <pre class="code codeBlock" spellcheck="false" tabindex="0">sudo security add-trusted-cert -d -r trustRoot -p ssl -k "/Library/Keychains/System.keychain" "path/to/certificate/file/fspms-ca.cer"</pre> <p><strong>Note:</strong> You can also use an MDM solution to deploy the CA certificate to all Mac hosts within the company. </p> Once all steps are complete, the newly added certificate should appear in "Keychain Access.app" like this:<br><img src="https://us.v-cdn.net/6032052/uploads/5HBZPJWC70K5/cs-mac-pm-connectivity-issue-2.png" alt="image" class="embedImage-img importedEmbed-img"></img><br> The Policy Manager Server welcome page should now open in Safari, showing the site certificate as trusted. <br><img src="https://us.v-cdn.net/6032052/uploads/WOZUJDFDCWYT/cs-mac-pm-connectivity-issue-3.png" alt="image" class="embedImage-img importedEmbed-img"></img><br></li> </ol>
<div>To connect to Policy Manager Server or Policy Manager Proxy, Client Security for Mac also requires that they have properly created server certificates. The certificate is issued to the IP address or fully qualified DNS name that the managed client uses as the Policy Manager Server or Policy Manager Proxy connection address. If the name used by the client and the name provided by Policy Manager in the certificate do not match, Safari shows an error message in the certificate details when you open the Policy Manager address:<br><img src="https://us.v-cdn.net/6032052/uploads/M5JPCB2KRMU3/cs-mac-pm-connectivity-issue-4.png" alt="image" class="embedImage-img importedEmbed-img"></img><br></div> <div>If Policy Manager Server or Policy Manager Proxy is not able to resolve its own DNS address correctly (for example, because the external DNS records differ from the hostname), use the following <code class="code codeInline" spellcheck="false" tabindex="0">additional_java_args</code> to set custom certificate properties explicitly: <ul><li><code class="code codeInline" spellcheck="false" tabindex="0">certAdditionalDns</code> to specify a comma-separated list of additional DNS names for the subject alternative names </li> <li><code class="code codeInline" spellcheck="false" tabindex="0">certAdditionalIp</code> to specify a comma-separated list of additional IP addresses for the subject alternative names </li> <li><code class="code codeInline" spellcheck="false" tabindex="0">certForceSubject</code> to override the TLS certificate subject; the value must contain a comma-separated list of all values required to generate the subject </li> </ul></div> <p><strong>Note:</strong> See the following article for more details on <code class="code codeInline" spellcheck="false" tabindex="0">additional_java_args</code>: <a rel="nofollow" href="https://community.f-secure.com/business-suite-en/kb/articles/5631-policy-manager-advanced-configuration-settings">https://community.f-secure.com/business-suite-en/kb/articles/5631-policy-manager-advanced-configuration-settings</a>. </p>
<div>To force the certificate renewal: <ul><li>For Policy Manager Server: <ol><li>Stop the Policy Manager service. </li> <li>Remove <code class="code codeInline" spellcheck="false" tabindex="0">c:\Program Files (x86)\F-Secure\Management Server 5\data\fspms.jks</code> or <code class="code codeInline" spellcheck="false" tabindex="0">/var/opt/f-secure/fspms/data/fspms.jks</code> (depending on the operating system). </li> <li>Start the Policy Manager service. The certificate is created on service startup. </li> </ol></li> <li>For Policy Manager Proxy: <ol><li>Stop the Policy Manager Proxy service. </li> <li>Run the <code class="code codeInline" spellcheck="false" tabindex="0">fspmp-enroll-tls-certificate</code> tool located in <code class="code codeInline" spellcheck="false" tabindex="0">c:\Program Files (x86)\F-Secure\Management Server 5\bin\</code> or <code class="code codeInline" spellcheck="false" tabindex="0">/opt/f-secure/fspms/bin</code> (depending on the operating system) to request the new certificate from Policy Manager Server. </li> <li>Start the Policy Manager Proxy service. </li> </ol></li> </ul></div> <br> </article> </main>
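<p>As an added example that is not part of the original article or of F-Secure's tooling, the following POSIX shell script runs the two checks the article describes from the Mac side: whether the live Policy Manager Server or Proxy certificate chains to the exported <code>fspms-ca.cer</code>, and whether the address the client was exported with appears in the certificate's subject alternative names (the mismatch Safari reports). Port 443, the CA file name and the use of an OpenSSL command line are assumptions; pass your own values as arguments.</p>

```shell
#!/bin/sh
# Added example, not F-Secure's code. Usage: sh pm-check.sh ADDRESS [PORT] [CAFILE]
# ADDRESS is the Policy Manager Server/Proxy address the mpkg was exported with.
# Assumptions: POSIX shell with OpenSSL on PATH, port 443, CA file fspms-ca.cer.

# san_matches ADDRESS SAN_TEXT -> exit 0 if ADDRESS is covered by the SAN list.
# SAN_TEXT is the "DNS:name, IP Address:addr" line openssl prints for the
# extension. Names are matched case-insensitively; a wildcard covers one label.
san_matches() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sans=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    found=1; old_ifs=$IFS; IFS=','; set -f   # split on commas only, no globbing
    for entry in $sans; do
        entry=$(printf '%s' "$entry" | sed 's/^ *//; s/ *$//')
        case "$entry" in
            "ip address:"*) if [ "${entry#ip address:}" = "$addr" ]; then found=0; fi ;;
            "dns:*."*)   # wildcard: addr must end in the suffix and add exactly one label
                suffix=${entry#"dns:*"}
                head=${addr%"$suffix"}
                if [ "$head" != "$addr" ] && [ -n "$head" ] && [ "${head#*.}" = "$head" ]; then found=0; fi ;;
            dns:*) if [ "${entry#dns:}" = "$addr" ]; then found=0; fi ;;
        esac
    done
    IFS=$old_ifs; set +f
    return $found
}

# pm_check ADDRESS [PORT] [CAFILE]: fetch the server certificate and report both checks.
pm_check() {
    host=$1; port=${2:-443}; cafile=${3:-fspms-ca.cer}
    leaf=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
           openssl x509 2>/dev/null) || { echo "no certificate received from $host:$port"; return 2; }
    san=$(printf '%s\n' "$leaf" | openssl x509 -noout -text |
          grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')
    if printf '%s\n' "$leaf" | openssl verify -CAfile "$cafile" >/dev/null 2>&1; then
        echo "chain: server certificate verifies against $cafile"
    else
        echo "chain: NOT verifiable with $cafile (wrong CA exported, or the certificate needs renewal)"
    fi
    if san_matches "$host" "$san"; then
        echo "name:  $host is listed in the certificate SAN [$san]"
    else
        echo "name:  $host missing from SAN [$san]; add it via certAdditionalDns/certAdditionalIp and renew"
    fi
}

if [ "$#" -gt 0 ]; then pm_check "$@"; fi
```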