Blue Coat Unified Agent (Failure Mode) macOS Mojave

woodsb
Contributor

Hello,

My company currently uses Blue Coat Unified Agent as a cloud proxy solution. My Fleet currently runs Mojave 10.14.6 and everything worked just fine until 12/26/2019. Apparently Symantec did maintenance on the agent and now it automatically goes into failure mode on MacOS Mojave. Symantec says that the "solution" is to delete and reinstall the Entrust.net Certification Authority (2048) which is not possible without disabling SIP. That is NOT a solution. Oddly enough the agent still works on 10.13.6 and 10.15.2. I've installed a fresh version of 10.14.6 (no other software installed) and the agent still crashes. Has anyone else run into this?

1 ACCEPTED SOLUTION

VladCabrera
New Contributor III

We were able to fix this by making sure that the computers are on the latest version of MacOS which distributes the new Entrust.net certificate and then install Symantec WSS 6.1.1 which is what's replacing Blue coat.

View solution in original post

11 REPLIES 11

tomt
Valued Contributor

Hi,

What version number is the updated agent? I'm currently testing 4.10.6.230466 on my machine in preparation for a full rollout later in January.

woodsb
Contributor

@tomt My fleet is currently running on version 4.10.2.21004, but I've also tested 4.10.6.230466 with Symantec and the problem persists.

VladCabrera
New Contributor III

We were able to fix this by making sure that the computers are on the latest version of MacOS which distributes the new Entrust.net certificate and then install Symantec WSS 6.1.1 which is what's replacing Blue coat.

woodsb
Contributor

@VladCabrera you're right. WSS 6.1.1 seems to be the only solution at the moment. I'm going to remove BC from my fleet and install WSS in its place.

rqomsiya
Contributor III

Symantec has stated this is a problem only on Mojave clients:

In Mojave the deprecated cert is listed first and so BCUA uses that. Easiest fix is to upgrade to WSS 6.1.1 like above posts have stated. Or upgrade to Catalina which is a bit aggressive.

RichM
New Contributor

Add another one to the list of companies impacted by this. We had to change our failure mode to fail open. It caused a major outage on the day after Christmas. Really unhappy about Symantec's support on this unforced error.

Thanks to all the suggestions on this tread.

swolosin
New Contributor III

I'm having the same issue. Below is what Symantec asked us to do for all our Macs. This is making no sense since the Entrust Cert is NOT expired, however, doing this process does seem to fix the issue.

  1. Restart system in Recovery mode to disable SIP (csrutil disable)
  2. Restart system for SIP change to take effect
  3. Remove expired Entrust cert based on hash sudo security delete-certificate -Z 801D62D07B449D5C5C035C98EA61FA443C2A58FE /System/Library/Keychains/SystemRootCertificates.keychain
  4. Restart system in Recovery mode to enable SIP (csrutil enable)
  5. Restart system for SIP change to take effect

Here's the error I'm getting:

"Server's certificate failed validation at depth: 2, CN = Entrust.net Certification Authority (2048), error = certificate has expired"

Here's the article they keep throwing at me:
https://support.symantec.com/us/en/article.tech242793.html
That article speaks to level "failed validation at depth: 1" we have "depth: 2". Symantec won't tell me what that means.

I can verify that this has affected our fleet as well and I'm posting to help others understand the severity. No real support is coming from Symantec so I think I'm stuck doing what VladCabrera suggested.

Some further digging has brought this article to light:
https://portal.threatpulse.com/docs/am/connectivity/endpoint/agent/conn-about-wssa.htm

The tip on that page was very insightful:

Tip: This and related topics refer to the agent as the WSS Agent, which is the recommended agent. However, until further notice, Symantec will continue to support Unified Agent on Windows 7/8 and macOS Sierra Operating Systems only until those operating systems reach end-of-life by their respective vendors.

I guess updating the agent the day after Christmas and breaking it is one way to move people to a new agent.

Some helpful hints where given on Slack MacAdmins #symantec

rqomsiya
Contributor III

Hi @swolosin:

What is the output when you run the following command in terminal:

security find-certificate -a -Z -c "Entrust.net Certification Authority (2048)" "/System/Library/Keychains/SystemRootCertificates.keychain" | grep -e 'SHA-1 hash:' | cut -c 13-54

woodsb
Contributor

@swolosin This issue is that the OS features two Entrust.net Certification Authority (2048) certificates. The agent is referencing the one that expired on 12/24/2019. To view the expired certificate: KeyChain Access>View>Show Invisible Items. The expired Entrust.net Certification Authority (2048) certificate will now appear. For some reason macOS Mojave seems to give the expired cert priority over the valid cert. High Sierra and Catalina don't exhibit the same behavior. be350f0a4d7f4f11a6402300767cd10c

swolosin
New Contributor III

Ah ha. Thank you @woodsb. @rqomsiya Unfortunately I'm nowhere near a Mojave machine right now but here's the output on my Catalina machine.

503006091D97D4F5AE39F7CBE7927D7D652D3431
801D62D07B449D5C5C035C98EA61FA443C2A58FE

rqomsiya
Contributor III

Yep, thats why it works in Catalina. The non-expired cert is listed first.

I was able to successfully delete the old via the commands from cert and validated it via the above command, however, way easier to upgrade to WSS 6.1.1.