
KSC Web Console shows an error after upgrade - incorrect user or password [KSC for Windows]



The problem is in the certificate: it has a 1024-bit key, while Web Console now works only with 2048-bit keys.
The customer needs to reissue the KSC server certificate with a 2048-bit key length.

What to do:

1. Generate a reserve KSC certificate, for example by using the command:

klsetsrvcert -t CR -g "dns_name" -o "RsaKeyLen:2048"

where "dns_name" is the DNS name of the KSC server.

2. Wait several days: hosts will connect to KSC and receive the reserve cert.

The customer can check on client hosts that the cert has been received by running the command:

klscflag -ssvget -pv 1103/1.0.0.0 -s KLNAG_SECTION_CERTDATA -n KLNAG_SSL_SERVER_CERT_RESERVE -ss "|ss_type = \"SS_LOCAL_MACHINE\";"


In the results, if the reserve cert is installed, there will be something like:

+--- (PARAMS_T)

    +---KLNAG_SSL_SERVER_CERT_RESERVE = BINARY_T (size = 2944): 2D2D2D2D2D424547494E2043455254494649434154452D2D2D2D2D0A4D494945627A4343413165674177494241674955616E63416F503772716145594E44376265534D4D47396941716951774451594A4B6F5A496876634E4151454C0A42514177567A455A4D42634741315545417777516347786C61326868626D39324C6D46...


If there is no reserve cert, there will be a message:

FAILED - 1125 ('Parameter with name "KLNAG_SECTION_CERTDATA" not exist.') 

3. Specify the date and time of the next cert change with the command:

klsetsrvcert -f "DD-MM-YYYY hh:mm"

If you are sure that the reserve cert has already been received, you can specify a past date in this command, and the cert will be replaced right after that. Don't forget that if an agent didn't receive the reserve cert and the cert has already been replaced, the agent will lose its connection to the KSC server.

4. Run the WebConsole installer and specify the new klserver cert there.

Check the connection in WebConsole.
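
One way to automate the step 2 check and confirm that the reserve certificate really carries a 2048-bit RSA key before setting the switch date in step 3. This is an added example, not part of the original post and not Kaspersky code. It assumes the klscflag output format shown above and that the tool prints the complete hex value; `Get-ReserveCertInfo` and `reserve.txt` are hypothetical names.

```powershell
# Added example, not Kaspersky code. Assumes the klscflag output format shown in step 2
# and that the tool prints the complete hex value (the post's sample is cut off with "...").
function Get-ReserveCertInfo {
    param([Parameter(Mandatory)][string[]]$KlscflagOutput)

    $text = $KlscflagOutput -join "`n"
    $result = [ordered]@{ Present = $false; KeyBits = $null; Subject = $null; NotAfter = $null; Detail = '' }

    if ($text -match 'FAILED\s*-\s*(\d+)') {
        # e.g. error 1125: the agent has not received a reserve certificate yet
        $result.Detail = "klscflag reported error $($Matches[1])"
        return [pscustomobject]$result
    }
    if ($text -notmatch 'KLNAG_SSL_SERVER_CERT_RESERVE\s*=\s*BINARY_T\s*\(size\s*=\s*\d+\):\s*((?:[0-9A-Fa-f]{2})+)') {
        $result.Detail = 'KLNAG_SSL_SERVER_CERT_RESERVE not found in output'
        return [pscustomobject]$result
    }
    $hex = $Matches[1]
    $result.Present = $true

    # The BINARY_T value is hex-encoded text: 2D2D2D2D2D424547494E... is "-----BEGIN CERTIFICATE-----"
    $bytes = [byte[]]::new($hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    $pem = [Text.Encoding]::ASCII.GetString($bytes)

    if ($pem -notmatch '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----') {
        $result.Detail = 'PEM block incomplete (output truncated?); key length not checked'
        return [pscustomobject]$result
    }
    $der  = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    $result.Subject  = $cert.Subject
    $result.NotAfter = $cert.NotAfter
    if ($rsa) { $result.KeyBits = $rsa.KeySize }
    if ($result.KeyBits -ge 2048) { $result.Detail = 'RSA key meets the 2048-bit requirement' }
    else { $result.Detail = 'key is not RSA or is shorter than 2048 bits' }
    [pscustomobject]$result
}

# Offline check with the "no reserve cert" message quoted in step 2:
Get-ReserveCertInfo 'FAILED - 1125 (''Parameter with name "KLNAG_SECTION_CERTDATA" not exist.'')'
# On a client host: save the step 2 command's output to a file (reserve.txt is a
# hypothetical name), then run:  Get-ReserveCertInfo (Get-Content .\reserve.txt)
```

A host is safe to include in the step 3 switch only when `Present` is true and `KeyBits` is at least 2048; any other result means the agent would be cut off or would receive a certificate Web Console still rejects.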
