Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

"Pending: Managed server deploying" status is displayed when deploying policies from Apex Central to Apex One features

    • Updated:
    • 9 Jul 2020
    • Product/Version:
    • Apex Central 2019
    • Apex One 2019
    • Platform:
Summary

The policy deployment from Apex Central to the Apex One features (e.g. Application Control, Vulnerability Protection, Endpoint Sensor, etc.) gets stuck in "Pending: Managed server deploying" status.

Root Cause Analysis

Errors can be seen in the the following logs:

  • "failed to get private key" error in Apex One ofcdebug.log located at..\Trend Micro\Apex One\PCCSRV\Log\:
    2020 05/05 11:50:12 [144c : 2438] (00) (D) [][ofcservice.exe]
        getPFXFromCertificateStore - find one certificat matches the subject name=[OfcOSFWebApp] - 
        [libosfsvcclientutility.cpp(289)]
    
    2020 05/05 11:50:12 [144c : 2438] (00) (E) [][ofcservice.exe]
        extractKeyPairFromPFX - failed to get private key, pkey is null - 
        [libosfsvcclientutility.cpp(442)]
    
  • "No client certificate, Authenticate failed" and "http response code=401" errors in Apex One ofcdebug.log located at..\Trend Micro\Apex One\PCCSRV\Log\:
    2020 05/05 11:50:12 [68f4 : 0089] (00) (E) [-iAC-][w3wp.exe][SendAsync]
        [Mutual Authenticate] No client certificate, Authenticate failed, 
        url:([Apex One FQDN]/officescan_iac/osf/ONQUERY) - 
        [SecMsgHandler.cs(26)]
    
    2020 05/05 11:50:12 [144c : 2438] (00) (E) [][ofcservice.exe]
        BoostHTTPClient::receive - http response code=401 - [libosfsvcclienthttpclient.cpp(101)]
    

Below are factors that can cause the policy deployment status to get stuck at "Pending: Managed server deploying" status:

  • The "failed to get private key" error in Apex One ofcdebug.log happens because OSF certificate private key cannot be exported in the environment. This can occur when the OSF certificates were replaced with 3rd-party certificates, but the "Mark this key as exportable" option was not enabled when the 3rd-party certificates were imported.

    Certificate Import Wizrd

  • The "No client certificate, Authenticate failed" and "http response code=401" errors in Apex One ofcdebug.log can happen because of a misconfiguration in the SSL Settings for the OSFWebapp Site. The mutual authentication requires SSL, but if the SSL setting is misconfigured for the OSFWebapp site, it will return the HTTP 401 error.
Details
Public

To fix the issue, perform the following steps:

If it is confirmed that the OSF certificate was replaced by a 3rd-party certificate, do the following:

  1. Remove the the certificate "OfcOSFWebApp" from "Trust People" store and "OfcOSF".
  2. Import the 3rd-party certificate again, and enable "Mark this key as exportable" option.
    For details on importing 3rd-party certificates, refer to this KB Article.

If the OSF certificate was not replaced, the existing cerficate should be removed, and a new set of certificate needs to be generated. Follow the steps below:

  1. Manually delete the certificates:
    • Delete "OfcOSFWebAppRootCA" certificate from "Trust Root".
    • Delete "OfcOSFWebApp" certificate from "Trust People" and "OfcOSF".
  2. Rebuild the certificate with the following command:
    OfcSvcConfig.exe -FuncId InstallOSFCertificate -server_pccsrv_dir_path "C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV" -osf_cert_password trend -apppoolname OfficeScanOSFAppPool -output_file "C:\Windows\OFCMAS1.LOG"
     
    This command will set the password to "trend". It is recommended to change the password value to your preferred password.
     
  1. Open the IIS Manager.
  2. Ensure the setting "Require SSL" is enabled on the following sites.
    • OfficeScan\osfwebapp\
    • OfficeScan\officescan_iac\osf

    OSF site

  3. Select Require SSL.
  4. Select Accept under Client certificates.

    SSL Settings

  5. Restart IIS service and deploy the policy again to verify the issue.
Premium
Internal
Partner
Rating:
Category:
Troubleshoot
Solution Id:
000256611
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.