matt_graves
Midshipman

FAM - Error after upgrade to 8.2

Has anyone run into an issue with the ACM service after upgrading to 8.2?

Below is the error message received from the log:

Error,Microsoft.AspNetCore.Server.Kestrel.Core.Internal.HttpConnection.SelectProtocol - HTTP/2 over TLS was not negotiated on an HTTP/2-only endpoint.

 

10 Replies
ranjith_koppu
SailPoint Employee

You need to have the .NET Core bundle installed on all the FAM servers.

matt_graves
Midshipman

The core bundle has been installed on all the servers.

PiotrP
Wayfarer

Hi Matt

I have the same problem.

Did you change the self-signed certificate?
Did you verify the certificate used by the service?
Try browsing to https://serverFQDN:servicePort
e.g. https://fam1.dom.com:8001 for the Agent Configuration Manager service

In my case, the Agent Configuration Manager service uses the Crowd Analyser certificate, which causes HTTP/2 / TLS errors.


In my opinion, the FAMCertificateManager.exe tool (used for certificate changes) is broken or badly documented.
It assigns the wrong certificate and causes the problem.

 

barbara_hodgkin
SailPoint Employee

Hi @matt_graves

  Were you able to resolve the errors?  With the release of 8.2 we transitioned from .NET Framework platform to .NET Core, thus requiring new prerequisites for FAM services to communicate properly.  If you have followed the 8.2 Installation Guide please submit a Support ticket for us to look into this further.  This may indicate http2 is not enabled on a communicating server or there is a middleware component downgrading the traffic.

 

Hi @PiotrP

   Thank you for expressing your concern.  We are taking a look into the FAM Certificate Manager tool and will post results accordingly.

  

barbara_hodgkin
SailPoint Employee

Hi @PiotrP,

   Please see new post: 8.2 FAM Certificate Manager Tool Information

Thank you!

PiotrP
Wayfarer

Hi @barbara_hodgkin ,
Thank you for your response.
I have downloaded the FAMCertificateManager zip archive and the entire server installer, but it seems to me that it is the same file all the time.
It also behaves the same.

Cmd RunAs Admin
FAMCertificateManager.exe 1 -existingCertificate

Output:

Generating a new certificate for service: File Access Manager Agent Configuration Manager
Successfully generated a new certificate
Saving the new certificate to the database
Successfully saved the certificate to the database
Successfully updated the 'clientCertificateThumbprint' setting in the C:\Program Files\SailPoint\FileAccessManager\Agents\AgentConfigurationManager\AgentConfigurationManagerServiceHost.dll.config file

But aside from removing the old certificate from the Windows Cert Store, nothing happens.

barbara_hodgkin
SailPoint Employee

Hi @PiotrP,

   I apologize, I am not understanding where the issue is (sincere, not sarcastic).  Based on the output, it seems everything was successful.  Will you help me understand what you are seeing to indicate it was not? 

You would not 'see' anything other than the successful output as listed above and deletion of the self-signed certificate(s) when selecting to use a CA Signed Certificate.  The changes the FAM Certificate Manager tool is making are all 'behind the scenes' - it's updating the certificate in the database for the corresponding service(s), which will ensure FAM is utilizing the desired (selected/created) certificate for means of communication, as well as updating the Agent Configuration Manager configuration file.

With that said, we realize there is still confusion around this tool, and we are looking to put out a more detailed guide in the near future.

PiotrP
Wayfarer

Hi @barbara_hodgkin 

Yes, based on the output, it seems everything was successful.

But...

  • Old certificate is deleted
  • Service certificate is unchanged.
  • Certificate in database is also unchanged (based on field certificate_wbx_file_id in table whiteops.installed_service)
  • No config file is modified

My Agent Configuration Manager service still uses the Activity Analysis service certificate.

barbara_hodgkin
SailPoint Employee

Hi @PiotrP,

    Thank you for the additional information!  It sounds like you are already aware of how to validate; but just to verify, I'll send these steps - and if you do confirm this is the case, I would recommend opening a support ticket for us to look into further.

NOTE: We always recommend working with your DBA and backing up your database before performing any actions.  Also, we do not recommend directly performing actions on your database unless explicitly directed to by SailPoint.

On the database run:

SELECT ins.Id, ins.[name], inds.certificate_wbx_file_id FROM whiteops.installed_service inds
JOIN whiteops.install_service ins ON ins.id = inds.id

This will provide you the list of services and associated certificates.

Then please utilize the 'ExtractFileFromDB' tool - located in the same directory as the FAMCertMgr tool (...Sailpoint\FileAccessManager\Server Installer\Tools\ExtractFileFromDB)

To run this tool:

  1. Open the command prompt and navigate to where the executable is located
    1. e.g. cd C:\Program Files\SailPoint\FileAccessManager\Server Installer\Tools\ExtractFileFromDB
  2. Enter ExtractFileFromDB.exe {certificate_wbx_file_id} of the service you would like to verify
    1. e.g. ExtractFileFromDB.exe 5
  3. The output will be a copy of the certificate directly to the ExtractFileFromDB folder

It may also be helpful to understand exactly what you ran when using the FAMCertificateManager.

We are continuing to look into and improve this tool.  We are also looking to provide more detailed steps around this process soon.
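
Which certificate a service actually presents on its port, and whether that endpoint negotiates HTTP/2 (the condition named in the original error), can both be read from a single TLS handshake. The PowerShell below is an added example, not part of the thread and not a SailPoint tool; the function name Get-ServiceTlsInfo and its parameters are hypothetical, and it assumes PowerShell 7.1 or later.

```powershell
# Added example. Requires PowerShell 7.1+ (.NET 5 or later) for ALPN support in SslStream.
function Get-ServiceTlsInfo {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $ExpectedThumbprint   # optional: thumbprint you expect the service to present
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)

        $opts = [System.Net.Security.SslClientAuthenticationOptions]::new()
        $opts.TargetHost = $HostName
        # Offer h2 first, as an HTTP/2 client would, with HTTP/1.1 as a fallback.
        $opts.ApplicationProtocols = [System.Collections.Generic.List[System.Net.Security.SslApplicationProtocol]]::new()
        $opts.ApplicationProtocols.Add([System.Net.Security.SslApplicationProtocol]::Http2)
        $opts.ApplicationProtocols.Add([System.Net.Security.SslApplicationProtocol]::Http11)
        # Diagnostic only: accept any certificate so a self-signed or unexpected one can be inspected.
        $opts.RemoteCertificateValidationCallback = { param($s, $c, $chain, $policyErrors) $true }
        $ssl.AuthenticateAsClient($opts)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $alpn = $ssl.NegotiatedApplicationProtocol
        $result = [ordered]@{
            Endpoint        = "${HostName}:$Port"
            TlsVersion      = $ssl.SslProtocol
            Alpn            = $alpn.ToString()      # empty when the server selected no protocol
            Http2Negotiated = ($alpn -eq [System.Net.Security.SslApplicationProtocol]::Http2)
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
        }
        if ($ExpectedThumbprint) {
            # Strip spaces and invisible characters picked up when copying from a certificate dialog.
            $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
            $result.ThumbprintMatches = ($cert.Thumbprint -eq $expected)
        }
        [pscustomobject]$result
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}
# Example call, using the host and port given as an illustration in the thread:
# Get-ServiceTlsInfo -HostName 'fam1.dom.com' -Port 8001 -ExpectedThumbprint '<expected thumbprint>'
```

Run it against each service port: a Subject or Thumbprint belonging to a different service shows the certificate mix-up described above, while Http2Negotiated = False on a correct certificate points at HTTP/2 not being offered, or at a component in the path downgrading the connection.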