Unable to change Management Server Address for Client Security or Server Security hosts (Keyreplacer

This discussion has a more recent version.
Customer_Care Posts: 548 F-Secure Employee


Unable to change Management Server Address on Client Security or Server Security hosts because the public and private admin keys do not match.
Need to migrate hosts between two Policy Manager Servers without having to do a re-installation of the software client side. 


If your Policy Manager ONLY manages clients running Client Security 14.00 or newer, you can create a Keyreplacer yourself with a tool that can be provided to you by support. 
The tool comes with instructions on how to create the keyreplacer-file. You will need to know the IP-address or hostname of the new Policy manager, the http- and https-ports that it uses, and depending on the situation, its admin.pub-file (see steps to download admin.pub below). To deploy the keyreplacer, see steps for "Instruction to deploy the Key Replacer fix" below.

In case you are also managing other installations, kindly provide us with the following information from the new Policy Manager for assistance to create Key Replacer fix.

  1. Admin.pub file
  2. The Policy Manager management address
  3. The http- and https-ports used by the Policy Manager
( On Linux systems the port information can be found in the following log:
/var/opt/f-secure/fspms/logs/fspms-stderrout.log )

To download admin.pub file, please follow these steps:
  1. Login to the PM console
  2. In the top menu, click Tools > Server Configuration > Keys
  3. Click Export to download admin.pub and admin.prv files
Attach the admin.pub file to your e-mail reply and we will create the Key Replacer hotfix file for you.

Instruction to deploy the Key Replacer fix

  1. Please close the Policy Manager Console and stop Policy Manager Server service in services.msc

You can also stop Policy Manager service by opening a command prompt with elevated mode and typing in the below command.

net stop fsms

  1. Configure the registry on the Policy Manager Server

Locate this registry key:

"HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\Management Server 5" for - 32bits OS

"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node\Data Fellows\F-Secure\Management Server 5" for - 64bits OS

  1. Right-click on Management Server 5 Registry Key and add a new String Value with the following:

Name: additional_java_args
Data field: -DallowUnsignedWithRiwsAndMibs=true

Note: Please don't remove the -D on the beginning of the string or it will not work properly.

The same works for Linux, but you need to use config file /etc/opt/f-secure/fspms/fspms.conf instead of the registry. Create a new line with parameter additional_java_args and specify Java system properties in its value in quotes in the following format: -DpropertyName=value. Multiple properties can be specified using space as a delimiter. Property names and values are case sensitive.

Example: additional_java_args=-DallowUnsignedWithRiwsAndMibs=true -Dh2ConsoleEnabled=true -DmaxSynchronousPackageRetrievalRequests=100

  1. Start the Policy Manager Server service and open the Policy Manager Console
  2. Go to the Installation-tab and click Installation packages
  3. Click Import to import "KeyReplacer_unsigned.jar" file to the Policy Manager Console as an Installation package
  4. Deploy the KeyReplacer file to all clients, for example using a policy-based installation

After the deployment is finished import the hosts in the Policy Manager Console by going to the Installation tab and clicking "Import new hosts".

Article no: 000003212