The BMC Helix SaaS Operations team will perform an SSL certificate update on the BMC Helix SaaS Operations *.onbmc.com domain to ensure the highest level of stability, uptime, and performance in production and non-production environments.
Q1. What exactly happens during the certificate update activity?
The root certificate, which enables secure, encrypted communication between the PATROL Agent and other BMC components, will be updated as part of this activity.
Q2. When is this SSL Certificate Update activity scheduled?
SSL Certificate Update is scheduled to start February 07 2025 for Non-Production environments.
For production environments it is scheduled to start February 21 2025.
Q3. What happens to connected PATROL Agents?
All PATROL Agents currently connected to the BMC Helix Operations Management console will be automatically updated with the new certificate. However, if a proxy is being used where custom certificates are configured, you will need to update the certificate to utilize the root certificate.
Q4. What happens to disconnected PATROL Agents?
Once the server-side Load Balancer (LB) is updated with the new certificates, disconnected PATROL Agents will not be able to connect to the BMC Helix Operations Management console with the old certificates.
Q5. Is this SSL Certificate Update activity for SaaS as well as On-Prem environments?
This update is specifically for SaaS environments and not applicable to On-Prem environments.
Q6. Can disconnected PATROL Agents connect back to BMC Helix Operations Management console with old SSL Certificate?
No, disconnected PATROL Agents will not connect to the BMC Helix Operations Management console if the PATROL Agent has the old certificate and the Load Balancer has the updated certificate.
Q7. How to update certificates on PATROL Agents that were disconnected when the SSL Certificate Update schedule was active?
Create a deployable package to update the certificate. This link has all the steps to manually deploy the certificates.
Q8. How to identify certificate deployment failure?
Check the PATROL Agent error log files located under the %PATROL_HOME%\log folder or the $PATROL_HOME/log directory.
If the PATROL Agent error log shows the line "failed to deliver '<MESSAGE TYPE>' message. HTTP Error: SSL peer certificate or SSH remote key was not OK", that most likely indicates a certificate mismatch. Create a deployable package to update the correct certificate.
If there is a certificate mismatch, the PATROL Agent debug log shows the lines below:
25-03 12:54:29.423 |HTTP | curl_easy_perform() failed: SSL peer certificate or SSH remote key was not OK for ID =PA-1-1-1742892869-1, TYPE=AGENT_HANDSHAKE
25-03 12:54:29.423 |HTTP | Enqueuing message ID =PA-1-1-1742892869-1, TYPE=AGENT_HANDSHAKE in response queue
25-03 12:54:29.659 |RUNQ | ExecuteProcesses: current time is 1742892869
Solution 1: On a working server, go to /opt/bmc/Patrol3/security/certificates, copy the mca_ca.cer file, and paste it under /opt/bmc/Patrol3/security/certificates on the non-working server.
Solution 2: Create a deployable package to update the certificate. This link has all the steps to manually deploy the certificates.
Q9. What scenarios can cause SSL certificate update failure?
Several factors can contribute to a failure in the server-side job, preventing the successful update of certificates on PATROL Agents.
Below are some common scenarios where this issue may occur:
Disconnected agents: If a PATROL Agent is not connected to BMC Helix Operations Management at the time of the update, it will not receive the new certificate.
Permission issues: If the folder where the certificate is deployed has restrictive permissions, the update process may be blocked.
Ensure that the PATROL Agent default account has both read and write access to the file located at $PATROL_HOME/../security/certificates/mca_ca.cer.
Network or accessibility issues: If the agent is unreachable due to firewall restrictions, network outages, or other connectivity problems, it cannot receive the updated certificate.
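The checks from Q8 and the permission item in Q9 can be scripted. The following is an added example, not BMC code: the function names are hypothetical, the third sample line is constructed from the error-log message quoted above, and the access check reflects the account that runs the script, so run it as the PATROL Agent default account.

```python
import os
import re
from collections import Counter
from pathlib import Path

# Error text quoted on this page for a certificate mismatch.
SSL_ERR = re.escape("SSL peer certificate or SSH remote key was not OK")
# Debug log form: "...failed: <error> for ID =<id>, TYPE=<type>"
DEBUG_RE = re.compile(SSL_ERR + r" for ID\s*=\s*(?P<id>[^,\s]+),\s*TYPE=(?P<type>\w+)")
# Error log form: "failed to deliver '<type>' message. HTTP Error: <error>"
ERROR_RE = re.compile(r"failed to deliver '(?P<type>[^']+)' message\. HTTP Error: " + SSL_ERR)

def find_cert_mismatches(lines):
    """Count mismatch lines per message type and collect affected message IDs."""
    by_type, ids = Counter(), set()
    for line in lines:
        m = DEBUG_RE.search(line) or ERROR_RE.search(line)
        if not m:
            continue
        by_type[m.group("type")] += 1
        if "id" in m.groupdict():  # only the debug-log form carries an ID
            ids.add(m.group("id"))
    return by_type, ids

def scan_log_dir(log_dir):
    """Run the check over every regular file in a PATROL log directory."""
    total, all_ids = Counter(), set()
    for path in sorted(Path(log_dir).iterdir()):
        if path.is_file():
            with path.open(errors="replace") as fh:
                by_type, ids = find_cert_mismatches(fh)
            total.update(by_type)
            all_ids |= ids
    return total, all_ids

def cert_file_access(cert_path):
    """Report whether the current account can read and write the certificate file."""
    return {"exists": os.path.isfile(cert_path),
            "readable": os.access(cert_path, os.R_OK),
            "writable": os.access(cert_path, os.W_OK)}

# Sample input: the first two lines are the debug-log lines shown on this page;
# the third is a constructed error-log line built from the quoted message.
SAMPLE = [
    "25-03 12:54:29.423 |HTTP | curl_easy_perform() failed: SSL peer certificate or SSH remote key was not OK for ID =PA-1-1-1742892869-1, TYPE=AGENT_HANDSHAKE",
    "25-03 12:54:29.423 |HTTP | Enqueuing message ID =PA-1-1-1742892869-1, TYPE=AGENT_HANDSHAKE in response queue",
    "failed to deliver 'AGENT_HANDSHAKE' message. HTTP Error: SSL peer certificate or SSH remote key was not OK",
]

if __name__ == "__main__":
    print(find_cert_mismatches(SAMPLE))
    print(cert_file_access("/opt/bmc/Patrol3/security/certificates/mca_ca.cer"))
```

A non-zero count for AGENT_HANDSHAKE together with a missing or non-writable mca_ca.cer points to the permission scenario; a non-zero count with a readable and writable file points to an agent that still holds the old certificate.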
Q10. Are customers aware of this certificate schedule activity?
Yes, the schedule has been communicated to customers in advance.
For any further questions or clarifications, go to Support Central > Case Management and create a New Case to address any concerns.