
Enterprise console4.5/client9.5 - all PCs greyed out and won't report back, Help please!!

I had to reinstall the console and it assigned itself a new certificate which was different to all the certificates on the existing clients (I was unable to back up). When I reprotected the clients from the new console it does not automatically dish out a new certificate.

How do I distribute the new certificate?

Note: We have far too many computers to reinstall Sophos on. Plus many remote users :(

Cheers

:8665


  • Update: Please see the last thread in this post for the latest script as it has gone through a few revisions and it's hard to keep track.  There is now an HTA that generates a script to make things easier.  Also fixed a bug in the function that determines if the machine is 64 or 32.  It got the hardware platform rather than the OS before.

    ===

    Hello,

    Are you able to run a script on them all easily, e.g. a start-up script?  I wouldn't want to write a script that you couldn't run.  That being said, here are the steps that need to be performed on the clients without re-protecting.  I would suggest running the steps manually on one "Client" machine first to check they work and the machine becomes managed again in SEC.

    1. On the "guinea pig" client stop the services:

    "Sophos Message Router"

    "Sophos Management Agent"

    2. If it exists, delete from "\program files\sophos\remote management system\" the file mrinit.conf.orig.

    3. Copy from the CID/distribution point the new files: "cac.pem" and "mrinit.conf" and place them in:

    \program files\sophos\remote management system\

    on the client.

    Note: The new mrinit.conf should be opened in Notepad to check that the parent address values are right and that the values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\RouterKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\ManagedAppKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Certification Manager\CertAuthStore\DelegatedManagerKey

    on the management server align with the values in the mrinit.conf to ensure the version of mrinit.conf in the CID and all over the server is the same.

    4. Delete from the client the registry keys and values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\cac

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\CertificationIdentityKeys\CertificationIdentityKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\pkc

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\Router\Private\pkp

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\CertificationIdentityKeys\ManagedApplication

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\

    CertificationIdentityKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkc

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\pkp

    5. Run on the client (needs to be as an admin)

    \program files\sophos\remote management system\clientmrinit.exe

    6. Start the services:

    "Sophos Message Router"

    "Sophos Management Agent"

    7. Wait for the clients to get new certificates, should only take a couple of minutes.

    The pkc and pkp values for the agent and router will be a good marker for this taking place.

    If you could check this fixes one of the clients, that would give you an approach that then needs to be automated in a script.

    Hope it helps,

    Jak

    :8667
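The seven manual steps in Jak's post above, written up as one PowerShell script so the "guinea pig" run can be repeated on other clients. This is an added example, not code from the thread or from Sophos. It assumes the CID share path shown in the thread (edit $CidPath for your site), that the agent service name is "Sophos Agent" (the post calls it "Sophos Management Agent"; confirm with Get-Service on the test client), and that the RMS directory can be read from the router's ServiceHomeDir registry value. Run it elevated on one client first, as the post advises.

```powershell
# Added example, not from the thread: steps 1-7 of the manual re-init as a script.
# Run from an elevated PowerShell prompt (the steps need an admin).
param(
    [string]$CidPath     = '\\server\SophosUpdate\CIDs\S000\SAVSCFXP',  # assumption: your CID
    [string]$RouterSvc   = 'Sophos Message Router',
    [string]$AgentSvc    = 'Sophos Agent',                               # assumption: check Get-Service
    [int]   $WaitSeconds = 300
)
$ErrorActionPreference = 'Stop'

# Pick the registry root by where the Sophos keys actually live. This follows
# the bitness of the OS, not of the CPU, which is the distinction the update at
# the top of the thread refers to.
$sophosRoot = if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System') {
    'HKLM:\SOFTWARE\Wow6432Node\Sophos' } else { 'HKLM:\SOFTWARE\Sophos' }

# RMS install directory, as recorded by the router service.
$rmsPath = (Get-ItemProperty -Path "$sophosRoot\Messaging System\Router").ServiceHomeDir
if (-not $rmsPath) { throw "ServiceHomeDir not found under $sophosRoot; is RMS installed?" }
$rmsPath = $rmsPath.TrimEnd('\')

# Step 4's list: values that hold the old certificates and identity keys,
# as subkey under $sophosRoot plus the value names to delete.
$oldCertValues = @(
    @{ Key = 'Messaging System';                                   Names = @('cac') },
    @{ Key = 'Messaging System\CertificationIdentityKeys';         Names = @('CertificationIdentityKey') },
    @{ Key = 'Messaging System\Router\Private';                    Names = @('pkc', 'pkp') },
    @{ Key = 'Remote Management System\CertificationIdentityKeys'; Names = @('ManagedApplication') },
    @{ Key = 'Remote Management System\ManagementAgent\Private';   Names = @('CertificationIdentityKey', 'pkc', 'pkp') }
)

# Step 1: stop both services.
Stop-Service -Name $AgentSvc, $RouterSvc -Force

# Step 2: remove a stale mrinit.conf.orig if there is one.
Remove-Item -Path (Join-Path $rmsPath 'mrinit.conf.orig') -ErrorAction SilentlyContinue

# Step 3: copy the new cac.pem and mrinit.conf from the CID.
foreach ($f in 'cac.pem', 'mrinit.conf') {
    $src = Join-Path $CidPath $f
    if (-not (Test-Path $src)) { throw "Missing $src; is the CID reachable from this client?" }
    Copy-Item -Path $src -Destination $rmsPath -Force
}

# Step 4: delete the old certificate and identity-key values.
foreach ($entry in $oldCertValues) {
    $key = Join-Path $sophosRoot $entry.Key
    foreach ($name in $entry.Names) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
}

# Step 5: run ClientMRInit.exe so it re-reads mrinit.conf and cac.pem. Its own
# log is written next to the exe, which is the first place to look on failure.
$proc = Start-Process -FilePath (Join-Path $rmsPath 'ClientMRInit.exe') -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "ClientMRInit.exe exited with $($proc.ExitCode); see its log in $rmsPath" }

# Step 6: start the services again, router first. A router that will not start
# (the symptom reported in this thread) is explained in the router log.
try { Start-Service -Name $RouterSvc }
catch { throw "Router failed to start: $_ (check ProgramData\Sophos\Remote Management System\3\Router\Logs)" }
Start-Service -Name $AgentSvc

# Step 7: wait until both router and agent have new certificates. The pkc/pkp
# values reappearing under the Private keys is the marker Jak describes.
$privateKeys = "$sophosRoot\Messaging System\Router\Private",
               "$sophosRoot\Remote Management System\ManagementAgent\Private"
$deadline = (Get-Date).AddSeconds($WaitSeconds)
do {
    Start-Sleep -Seconds 10
    $done = $true
    foreach ($k in $privateKeys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not ($p -and $p.pkc -and $p.pkp)) { $done = $false }
    }
} until ($done -or (Get-Date) -gt $deadline)

if ($done) { Write-Output 'Client re-initialised: new router and agent certificates are present.' }
else       { Write-Warning "pkc/pkp still missing after $WaitSeconds s; the client has not obtained new certificates." }
```

The registry values are removed with -ErrorAction SilentlyContinue on purpose: on a client that has already been partly reset some of them will not exist, and that is not a failure. The wait loop is what turns "should only take a couple of minutes" into a checkable result, so a deployment tool can report which clients actually came back.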
  • Hi Jak

    Firstly, thank you for your help :smileyhappy:

    I followed the steps. However on step 6: The service "Sophos Message Router" will not restart, it crashes unexpectedly.

    The PC remains grey and not blue in the console.

    Cheers

    Brad

    :8671
  • Hi,

    When you ran ClientMrInit.exe on step 5, did it add into the registry the values from mrinit.conf and cac.pem, i.e.  It should have re-created the following with the new values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\cac

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Messaging System\CertificationIdentityKeys\CertificationIdentityKey

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\CertificationIdentityKeys\ManagedApplication

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Sophos\Remote Management System\ManagementAgent\Private\

    CertificationIdentityKey

    ClientMRInit.exe creates a log file in the same directory as itself, it has the same file name with a time stamp.  Maybe that will have an error.

    If that stage all worked (the registry keys were stored correctly) the router log file will have an error message I would think as to why it didn't start. This would be in: "\ProgramData\sophos\remote management system\3\router\logs\".  Feel free to paste the router log here.

    Thanks,

    Jak

    :8675
  • Hi again,

    I decided to go through the steps again on the guinea pig pc. This time it worked!!! (I did a little dance) The guinea pig pc is now showing up blue in the console. I think the "Sophos Message Router" service was confused. I could stop the service even though it wasn't started.

    I now need to make a start up script. Though my scripting skills are laughable.

    We have so many remote users that I will need to send the cac.pem and mrinit.conf files with the start up script. That way the users don't need to rely on the central repository being available.

    Jak you mentioned you would be able to help me write the script, if you are still willing to that would be fantastic!

    Thank you for your input which has resolved my issue :smileyvery-happy:

    Cheers

    Brad

    :8727
  • Hi,

    Glad it's OK and the steps work.  I'm a little confused on how it can be delivered though based on your comment.  Are you saying that for some of the machines that need to be reset, they may not have access to a share where the script can reside so you would email them a script or send it through some other method?
    If the machines are managed and presumably update from the CID on the server, can't the script and files required be hosted there also?  
    Do the clients update using UNC/HTTP?  
    Is it an AD environment they log into?  A system start-up script would be a good method as it would run as SYSTEM which would have access to all the required parts of the registry.  A non-admin would not be able to run the script to recover the machine.  Also as they log in and the script is run, you would hope they would have access to the network and therefore the script and files.  Unless they log in using a cached login for a high percentage of the time so the network is unavailable?  But then how do they get updates?
    I assume they update from one of your distribution points rather than Sophos?
    I can imagine either:
    1. the script file (probably .vbs or could just be a batch file) would be hosted in a share, probably the CID to keep everything together, e.g.:
    "\\Server\SophosUpdate\ReInitRMS.vbs" or "\\Server\SophosUpdate\ReInitRMS.cmd"
    The 2 files required by the script are:
    \\Server\SophosUpdate\CIDs\S000\SAVSCFXP\cac.pem
    \\Server\SophosUpdate\CIDs\S000\SAVSCFXP\mrinit.conf
    These should already be accessible by the script, so the script could just copy down the files in the same way that setup.exe copied down the 2 files when the machine was originally protected.
    If you had to make a single script file it is possible. You could declare the contents of cac.pem and mrinit.conf as variables within the script (as they are just text) and the script could essentially create the files from the variables as one of the first steps.  But I don't really see the benefit of this as the files could just be copied by the script from the share.  Even if it was a web hosted distribution point, the script could still grab the files cac.pem and mrinit.conf using Msxml2.XMLHTTP if it was a VBScript for example.
    I'm trying to imagine a scenario where these machines are able to update and RMS is able to work where there isn't access to a central location to run a script and copy down the 2 files as this would make the script very easy.
    I'd like to understand the environment constraints a little more as it dictates the language and complexity of the script quite a bit.  Also it would be worth knowing the OS of the machines that need to be reset just to ensure everything is available a script might rely on.
    Regards,
    Jak
    :8737
  • Hi Jak,

    Thanks, to help you understand our environment we do have a central distribution point on the server and the machines update via this, however I have not republished this via HTTP after the server crash.  This is to be done but what we do have is Kaseya management tools so I can send the script out via that and then set it to run and know that it will complete even if the user disconnects from the network or is not on VPN.  We have 90% Windows 7, both 64-bit and 32-bit, and the rest are 32-bit Windows XP.  So yes we could finish the HTTP publishing and give them out that way however it does leave one variable.  The advantage to the Kaseya scripting is that I can cache the script on all clients and then execute it on completion of download and pull back any status results.

    Thanks again for your help.

    :8771
  • Hi,

    Well I've put together a little VBScript.  Well it started out as little but as you go on there seems to be more things to check.

    It will exit if it detects the following key to be anything other than 10:

    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\ConnectionCache.

    This should ensure that it only takes action on "client" routers, so it will not re-init the server or message relays should it be run on them by mistake.  I would advise against running on anything other than clients that are currently not working due to certificate issues.

    It doesn't check that the client is already working so it will take the same steps regardless.  

    It will only run once on a client if ClientMRInit.exe returns success so as not to keep running on a machine if it's set as a start-up script for example.  It does this by creating a marker key:


    HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node]\Sophos\ReInit = 1

    If this is a 1 when the script runs it will exit.

    To configure you just need to set the variables:

    strLogPath                  = "C:\windows\temp\RMSReInit.log"
    This is the path of the log file the script creates.

    strMRInitLog                = "C:\windows\temp"  ' no trailing backslash
    This is the path where ClientMrinit.exe will log to
    strFilePathMrInit           = "\\server\SophosUpdate\CIDs\S000\SAVSCFXP\mrinit.conf"
    This is the location of the new correct mrinit.conf

    strFilePathCac              = "\\server\SophosUpdate\CIDs\S000\SAVSCFXP\cac.pem"

    This is the location of the new and correct cac.pem

    The paths to the correct mrinit.conf and cac.pem can be local paths or UNC paths so the correct new files can be placed anywhere accessible to the script. 

    Please try it on a couple of machines, ideally some 32 and 64 bit.  I've added a function in the script to adjust all registry and file paths to cope with that I hope.  To do that it reads:

    "HARDWARE\DESCRIPTION\System\CentralProcessor\0\identifier"

    and just looks for 32 or 64 in that value, this function could be updated if it proves unreliable.

    Other than that, the functions could be made a little more robust but I think it should be OK as is.  Hopefully there aren't too many wrinkles.  I've only run it once on a 64-bit Windows 7 machine (Note: had to run as Administrator with UAC on).

    Next post has the code as it's too big to add to this one! Just copy into Notepad and save as "RMSReinit.vbs" or some such name.

    Regards,

    Jak

    UPDATE: I've updated the script to include the ability to add the config files mrinit.conf and cac.pem inline in the script by setting them as variables.  To do this, set the variable:


    blInline = true

    Then update the variables strCac and strMrinit with your cac.pem and mrinit.conf strings. I've left mine in as an example as adding them inline is a bit of a pain with all of the quote marks. Leaving them in should be a guide as to where you need to edit and paste your strings. Note, you will need to edit these variables if you set blInline, my examples will not work for you.

    UPDATE: Added a -force switch to skip checks.

    E.g. 

    RMSReinit.vbs -force

    :8777
  • ' RMS RE-INIT
    ' WILL ONLY RUN ONCE IF OK
    '  HKLM\SOFTWARE\[Wow6432Node]\Sophos\ReInit = 1 is set as check.
    ' Will not continue if "Server" router, based on:
    '  HKLM\SOFTWARE\[Wow6432Node]\Sophos\Messaging System\Router\ConnectionCache
    ' being 10. 
    ' Run with -force to skip above checks.
    ' To configure:
    '   strLogPath  'Path to the log file                
    '   strMRInitLog  'Where to write the log file for ClientMRInit.exe              
    '   strFilePathMrInit 'Location of new mrinit.conf (local or UNC)          
    '   strFilePathCac  'Location of new cac.pem (local or UNC)
    ' Note: The account running the script needs to be an admin on the client and be
    ' able to read from the path where mrinit.conf and cac.pem are shared.     
    
    option explicit
    on error resume next
    
    const HKEY_LOCAL_MACHINE = &H80000002
    const ROUTER_SERVICE     = "Sophos Message Router"
    const AGENT_SERVICE      = "Sophos Agent"
    const REINIT_EXE_FILE    = "ClientMRInit.exe"
    const WOW_KEY            = "Wow6432Node"
    
    dim strLogPath, strMRInitLog, strFilePathCac, strFilePathMrInit, blInline, strCac
    dim strMrinit, objArgs, strArg, intForceRun
    
    intForceRun = 0
    
    Set objArgs = WScript.Arguments
    For Each strArg in objArgs
        if lcase(strArg) = "-force" then
          intForceRun = 1
        end if	
    Next 
    
    'IMPORTANT VARIABLE
    blInline  = False   
    'True|False, If True the script will create cac.pem and mrinit.conf 
    'from the below variables, these will need to be edited for YOUR installation.
    
    strCac ="-----BEGIN CERTIFICATE-----" &vbcrlf &_
    "MIIDFzCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDFAZFTTJf" &vbcrlf &_
    "Q0EwHhcNMTAxMDIyMTgxODQxWhcNMzAxMDE4MTgxODQxWjARMQ8wDQYDVQQDFAZF" &vbcrlf &_
    "TTJfQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzQsT/e+jDXxLA" &vbcrlf &_
    "9ERUjbS17N3po40NfZClh2DwpaObGuFXl0pqw9aaVp54Qyx1MCXvPm3ajwROBzVh" &vbcrlf &_
    "U9ZFNQ3J92z5KS2yLuCgE6Fz024LlYU+BVkB1Mxa0awxCF6gFQdJEQvKXZnhaX1U" &vbcrlf &_
    "qTy/46KulGpCmaqlZSDVevXpGiP7PIS06nV9QgzY6IBb2Tz4HMQh9RUff+D8SBak" &vbcrlf &_
    "GXWdXHL1V6MZ9b6AMhbJz36hvuWLNm6hEon8g9HD+ntKCaw2CaneE+HNs3t6I6YG" &vbcrlf &_
    "cf0sCu9foZn6fmEo3QyaHgsQz517BxoV/4Of0JLftfhkdEdyxbk1o/PQH9nd/zH6" &vbcrlf &_
    "rmLTsjlnAgMBAAGjejB4MB0GA1UdDgQWBBRB4PRhtjU0a9z4Q7+oEUs+jgMPJDA5" &vbcrlf &_
    "BgNVHSMEMjAwgBRB4PRhtjU0a9z4Q7+oEUs+jgMPJKEVpBMwETEPMA0GA1UEAxQG" &vbcrlf &_
    "RU0yX0NBggEBMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3" &vbcrlf &_
    "DQEBBAUAA4IBAQApa0X3qiiul2wVJbfDkY+fogDQRRbYbXQ+8zs/R8qcG2aeHmWf" &vbcrlf &_
    "fyl7fgfEclK3jwGelMwAgNWfcyK50cYZyEqKWF+7ZqSw7yjNFHeaFLqE2DiKbBfR" &vbcrlf &_
    "XsgLXZEjsQoIMUncv++N9pg8D7b3fKIVAsvqQYvu1oEOgDk18rImXYvoOy1/c/+z" &vbcrlf &_
    "2kRPNTiS+dKhtwogeX7oo+dQkUggu5rvrpZYxVOGBEc9hsYoCCQzfRDQtv5/U0p1" &vbcrlf &_
    "8wWdzETKXuMAEnT2PkL9yzwqSZ0tdg/NtA2untIW6Tiy7mXVSHTyvQiWU9BFrZXk" &vbcrlf &_
    "SzJwt4KzsdVReTsmYhE3ATUJbUFnOPfCky/e" &vbcrlf &_
    "-----END CERTIFICATE-----" &vbcrlf
    
    strMrinit = "[Config]" &vbcrlf &_ 
    """NotifyRouterUpdate""=""EM""" &vbcrlf &_ 
    """ClientIIOPPort""=dword:00002001" &vbcrlf &_ 
    """ClientSSLPort""=dword:00002002" &vbcrlf &_ 
    """ClientIORPort""=dword:00002000" &vbcrlf &_  
    """IORSenderPort""=dword:00002000" &vbcrlf &_ 
    """DelegatedManagerCertIdentityKey""=""s3IIjyQyBOiah2gMJ7lg15FmW2w=""" &vbcrlf &_  
    """ManagedAppCertIdentityKey""=""+lDc0ELrrIRnU14Nm3HV9ZZ4u20=""" &vbcrlf &_ 
    """RouterCertIdentityKey""=""qRS2iIVb8f5Ql3Y1SwJgOpB5vU0=""" &vbcrlf &_ 
    """ServiceArgs""=""""" &vbcrlf &_ 
    """MRParentAddress""=""192.168.1.70,p4,p4""" &vbcrlf &_  
    """ParentRouterAddress""=""192.168.1.70,p4,p4""" &vbcrlf 
    
    strLogPath                  = "C:\windows\temp\RMSReInit.log"
    strMRInitLog                = "C:\windows\temp"  'no trailing slash
    strFilePathMrInit           = "\\p4\SophosUpdate\CIDs\S000\SAVSCFXP\mrinit.conf"
    strFilePathCac              = "\\p4\SophosUpdate\CIDs\S000\SAVSCFXP\cac.pem"
    '*************************************************************************
    dim objFSO, objFile, strRMSPath, strWow6432Node,intPauseForServiceInSeconds
    
    strWow6432Node   = "\"
    intPauseForServiceInSeconds = 10
    
    set objFSO = CreateObject("Scripting.FileSystemObject")
    set objFile = objFSO.CreateTextFile(strLogPath, true)
    WriteToLog 0, "Starting Script"
    
    if Is64() then
        strWow6432Node = "\" & WOW_KEY & "\"
    else
        strWow6432Node = "\"
    end if
    
    if intForceRun = 0 then
        if MarkerFound() then
            WriteToLog 0, "End of script"
            CloseLog()
            wscript.quit(1)
        end if
    	if ServerClassRouter() then
            WriteToLog 0, "End of script"
            CloseLog()
            wscript.quit(1)
        end if
    else
    	WriteToLog 0, "Running in Force mode (-force)"
    end if
    
    strRMSPath = GetRMSPath()
    
    If blInline then
       WriteToLog 0, "Creating Cac.pem and Mrinit.conf from script."
       CreateFile strCac, strRMSPath, "cac.pem"
       CreateFile strMrinit, strRMSPath, "mrinit.conf"
    else
        WriteToLog 0, "Copying Cac.pem and Mrinit.conf from locations."
        CopyFiles strFilePathCac, strRMSPath
        CopyFiles strFilePathMrInit, strRMSPath
    end if
    
    DeleteOrig(strRMSPath)
    StopService(AGENT_SERVICE)
    StopService(ROUTER_SERVICE)
    DeleteKey HKEY_LOCAL_MACHINE, "SOFTWARE" & strWow6432Node & "Sophos\Messaging System", "cac", "."
    DeleteKey HKEY_LOCAL_MACHINE, "SOFTWARE" & strWow6432Node & "Sophos\Messaging System\CertificationIdentityKeys", "CertificationIdentityKey", "."
    DeleteKey HKEY_LOCAL_MACHINE, "SOFTWARE" & strWow6432Node & "Sophos\Messaging System\Router\Private", "pkc", "."
    DeleteKey HKEY_LOCAL_MACHINE, "SOFTWARE" & strWow6432Node & "Sophos\Messaging System\Router\Private", "pkp", "."
    DeleteKey HKEY_LOCAL_MACHINE, "SOFTWARE" & strWow6432Node & "Sophos\Remote Management System\CertificationIdentityKeys", "ManagedApplication", "."
    DeleteKey HKEY_LOCAL_MACHINE, "SOFTWARE" & strWow6432Node & "Sophos\Remote Management System\ManagementAgent\Private", "CertificationIdentityKey", "."
    DeleteKey HKEY_LOCAL_MACHINE, "SOFTWARE" & strWow6432Node & "Sophos\Remote Management System\ManagementAgent\Private", "pkc", "."
    DeleteKey HKEY_LOCAL_MACHINE, "SOFTWARE" & strWow6432Node & "Sophos\Remote Management System\ManagementAgent\Private", "pkp", "."
    
    'Only create marker if ClientMrinit.exe returned ok
    if RunClientMRInit(strRMSPath) = 0 then
      CreateMarker()
    end if
    
    StartService(ROUTER_SERVICE)
    StartService(AGENT_SERVICE)
    WriteToLog 0, "Ending Script"
    CloseLog()
    
    Set objFSO = nothing
    
    
    '*************************************************************************
    Function CreateFile (strContents, strLocation, strFileName)
    
        WriteToLog 0, "--> CreateFile()"
    	
        dim objFileCreate
    
    	WriteToLog 0, "--> Creating file " & strFileName & " in " & strLocation
        Set objFileCreate = objFSO.CreateTextFile(strLocation & "\" & strFileName, true, false)
        
    	objFileCreate.Write strContents
    	
    	objFileCreate.close
    	
    	Set objFileCreate = nothing
    
    	 WriteToLog 0, "<-- CreateFile()"
    	
    End Function
    
    '*************************************************************************
    Function WriteToLog (strSev, strLogLine)
    
        dim strToWrite
    
        strToWrite = ""
    
        select case strSev
            case 0
    	        strToWrite = "INFO: "
            case 1
    	        strToWrite = "ERROR: "
            case else
    	        strToWrite = "UNKNOWN: "
        end select
    
        objFile.WriteLine Date() & " " & Time() & " " & strToWrite & " " & strLogLine
    
    End Function
    
    '*************************************************************************
    Function CloseLog()
    
        WriteToLog 0, "--> CloseLog() - No Function Exit Logged"
    
        objFile.Close
        
        set objFile = nothing
    
    End Function
    
    '*************************************************************************
    Function CreateMarker()
    
        WriteToLog 0, "--> CreateMarker()"	
    
        on error resume next
    
        dim oReg, intRetValue
    
        err.clear
    
        Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    
        if err.number <> 0 then
    	    WriteToLog 1, "Error Number: " & err.number & " Error Description: " & err.description
    	    CloseLog()
           wscript.quit(1)
        end if
    
        intRetValue = oReg.SetStringValue (HKEY_LOCAL_MACHINE, "SOFTWARE" & strWow6432Node & "Sophos" ,"ReInit", "1")
    
        if intRetValue = 0 then
            WriteToLog 0, "Created marker key." 
        else
            WriteToLog 1, "Failed to create marker.  Error code " & intRetValue
        end if
    
        Set oReg = nothing
    
        WriteToLog 0, "<-- CreateMarker()"	
    
    End Function
    
    '*************************************************************************
    Function ServerClassRouter()
    
        WriteToLog 0, "--> ServerClassRouter()"	
    
        on error resume next
    
        dim oReg, intValue
    
        err.clear
    
        Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    
        if err.number <> 0 then
    	    WriteToLog 1, "Error Number: " &_
        		err.number & " Error Description: " & err.description
    			
    	    CloseLog()
           wscript.quit(1)
        end if
    
        oReg.GetDWORDValue HKEY_LOCAL_MACHINE,"SOFTWARE" &_
        	strWow6432Node & "Sophos\Messaging System\Router" ,"ConnectionCache", intValue
    
        if intValue = 10 then
            WriteToLog 0, "Router is a client, ok to run"
            ServerClassRouter = false
        else
            WriteToLog 1, "Router is a server router, will exit "
            ServerClassRouter = true
        end if
    
        Set oReg = nothing
    
        WriteToLog 0, "<-- ServerClassRouter()"
    
    End Function
    
    '*************************************************************************
    Function MarkerFound()
    
        WriteToLog 0, "--> MarkerFound()"	
    
        on error resume next
    
        dim oReg, strValue
    
        err.clear
    
        Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    
        if err.number <> 0 then
    	    WriteToLog 1, "Error Number: " &_
        		err.number & " Error Description: " & err.description
    			
    	    CloseLog()
           wscript.quit(1)
        end if
    
        oReg.GetStringValue HKEY_LOCAL_MACHINE,"SOFTWARE" &_
        	strWow6432Node & "Sophos" ,"ReInit", strValue
    
        if strValue = "1" then
            WriteToLog 0, "Script already run, will exit."
            MarkerFound = true
        else
            WriteToLog 0, "Script not already run."
            MarkerFound = false
        end if
    
        Set oReg = nothing
    
        WriteToLog 0, "<-- MarkerFound()"
    
    End Function
    
    '*************************************************************************
    Function DeleteKey (strTopLevel, strKey, strName, strMachineName)
    
        WriteToLog 0,"--> DeleteKey()"	
        
    	on error resume next
    
        dim oReg, intReturn
    
        err.clear
    
        Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
        	strMachineName & "\root\default:StdRegProv")
    
        if err.number <> 0 then
    	    WriteToLog 1, "Error Number: " &_
        		err.number & " Error Description: " & err.description
    	    CloseLog()
           wscript.quit(1)
        end if
    
        WriteToLog 0, "Attempting to delete key: " &_
        	strMachineName & "\" & strTopLevel & "\" & strKey & "\" & strName
    
        intReturn = oReg.DeleteValue( HKEY_LOCAL_MACHINE, strKey, strName )
    
        if intReturn <> 0 then
            DeleteKey = intReturn
            WriteToLog 1, "Failed to delete Key: " & intReturn
        else  
            WriteToLog 0, "Deleted Key: " & intReturn
            DeleteKey = intReturn
        end if
    
        Set oReg = nothing
    
        WriteToLog 0, "<-- DeleteKey()"
    
    End Function
    
    '*************************************************************************
    Function StopService(strServiceName)
    
        WriteToLog 0, "--> StopService()"
    
        on error resume next
    
        dim objWMIService, colServices, objService, intReturn
    
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
        Set colServices = objWMIService.ExecQuery ("Select * from win32_Service where name='" & strServiceName & "'")
    
        For each objService in colServices 
            intReturn = objService.StopService()
        Next
    
        wscript.sleep (intPauseForServiceInSeconds * 1000)
    
        WriteToLog 0, "Return code for stopping service: " & strServiceName & " : " & intReturn
    
        StopService = intReturn
    
        Set objWMIService = nothing
        Set colServices = nothing
    
        WriteToLog 0, "<-- StopService()"
    
    End function
    
    '*************************************************************************
    Function StartService(strServiceName)
    
        WriteToLog 0, "--> StartService()"
    
        on error resume next
    
        dim objWMIService, objService, colServices, intReturn
    
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
        Set colServices = objWMIService.ExecQuery ("Select * from win32_Service where name='" & strServiceName & "'")
    
        For each objService in colServices 
            intReturn = objService.StartService()
        Next
    
        WriteToLog 0, "Return code for starting service: " & strServiceName & " : " & intReturn
    
        StartService = intReturn
    
        Set objWMIService = nothing
        Set colServices = nothing
    
        WriteToLog 0, "<-- StartService()"
    
    End function
    
    '*************************************************************************
    Function RunClientMRInit(strPathToExe)
    
        WriteToLog 0, "--> RunClientMRInit()"
    
        on error resume next
    
        dim intReturn, oShell, strSwitches, strCommand
    
        WriteToLog 0, "Running command: " & strPathToExe & REINIT_EXE_FILE 
    
        Set oShell = WScript.CreateObject("WScript.Shell")
    
        if err.number <> 0 then
            WriteToLog 1, "Error Number: " & err.number & " Error Description: " & err.description
    	    CloseLog()
           wscript.quit(1)
        end if
    
        strSwitches = " -logpath " & strMRInitLog
        strSwitches = strSwitches & " -filepath" & " " & """" &  strPathToExe & """"
        strCommand  = """" & strPathToExe & REINIT_EXE_FILE & """" & strSwitches
    
        intReturn = oShell.Run(strCommand, 0, true)
    
        if intReturn <> 0 then
            WriteToLog 1, strPathToExe & REINIT_EXE_FILE &_
    			strSwitches & " Failed.  Exit code " & intReturn
        else
            WriteToLog 0, strPathToExe & REINIT_EXE_FILE &_
        		strSwitches & " Completed OK.  Exit code " & intReturn
        end if
    
        RunClientMRInit = intReturn
    
        set oShell = nothing
    
        WriteToLog 0, "<-- RunClientMRInit()"
    
    End Function
    
    '*************************************************************************
    Function GetRMSPath()
    
        WriteToLog 0, "--> GetRMSPath()"
    
        on error resume next
    
        dim oReg, strValue, intReturn
        err.clear
    
        Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    
        if err.number <> 0 then
    	    WriteToLog 1, "Error Number: " & err.number & " Error Description: " & err.description
    	    CloseLog()
           wscript.quit(1)
        end if
    
        intReturn = oReg.GetStringValue (HKEY_LOCAL_MACHINE, "SOFTWARE" &_
    		strWow6432Node & "Sophos\Messaging System\Router", "ServiceHomeDir", strValue)
    
        If strValue <> "" then
            WriteToLog 0, "RMS Path is " & strValue
            GetRMSPath = strValue
        else
            WriteToLog 1, "Return code " & intReturn
            CloseLog()
            wscript.quit(1)
        end if	
    
        set oReg = nothing
    
        WriteToLog 0, "<-- GetRMSPath()"
    
    End Function
    
    '*************************************************************************
    Function DeleteOrig(strFilePath)
    
        WriteToLog 0, "--> DeleteOrig()"
    
        on error resume next
        err.clear
    
        dim oFS, intReturn, strOrigPath
    
    	strOrigPath = strFilePath & "mrinit.conf.orig"
    	
        set oFS = CreateObject("Scripting.FileSystemObject")
    
        If oFS.FileExists(strOrigPath) Then
            WriteToLog 0, strOrigPath & " Exists"
    
            intReturn = oFS.DeleteFile(strOrigPath,  true)
    
            if intReturn = 0 then
                 WriteToLog 0, strOrigPath & " deleted."
             else
                 WriteToLog 1, strOrigPath & " Not deleted: Return code: " & intReturn
            end if
    
        else
            WriteToLog 0, strOrigPath & " does not exist, carrying on."
        End If
    
        set oFS = nothing
    
        WriteToLog 0, "<-- DeleteOrig()"
    
    End Function
    
    '*************************************************************************
    'FUNCTION COPY FILE FROM SERVER
    Function CopyFiles(strFilePath, strDestination)
    
        WriteToLog 0, "--> CopyFiles()"
    
        on error resume next
        err.clear
    
        dim oFS, intReturn
    
        set oFS = CreateObject("Scripting.FileSystemObject")
    
        If oFS.FileExists(strFilePath) Then
            WriteToLog 0, strFilePath & " Exists"
    
            intReturn = oFS.CopyFile(strFilePath, strDestination, true)
    
            if intReturn = 0 then
                 WriteToLog 0, strFilePath & " Copied to " & strDestination
             else
                 WriteToLog 1, strFilePath & " Not copied to " & strDestination & " Return code: " & intReturn
            end if
    
        else
            WriteToLog 1, strFilePath & " does not exist"
            CloseLog()
            wscript.quit(1)
        End If
    
        set oFS = nothing
    
        WriteToLog 0, "<-- CopyFiles()"
    
    End Function
    
    '*************************************************************************
    'FUNCTION TO GET PLATFORM
    'Note: Win32_Processor.AddressWidth is the width of the CPU, not of the OS
    '(a 32-bit OS on a 64-bit CPU reports 64); see the update at the top of the thread.
    Function Is64()
        WriteToLog 0, "--> Is64()"
        on error resume next
        err.clear
        
    	dim objWMIService, objColSettings, strDesc, objProcessor
    	
    	Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    	Set objColSettings = objWMIService.ExecQuery ("SELECT * FROM Win32_Processor") 
    	
        if err.number <> 0 then
    	    WriteToLog 1, "Error Number: " & err.number & " Error Description: " & err.description
    	    CloseLog()
           wscript.quit(1)
        end if
        
    	For Each objProcessor In objColSettings 
    		strDesc = objProcessor.AddressWidth 
    	Next 
    	
        if strDesc ="32" then
            WriteToLog 0, "Platform is 32-Bit"
            Is64 = false
        end if
        if strDesc="64" then
            WriteToLog 0, "Platform is 64-Bit"
            Is64 = true
        end if
    	
        Set objWMIService = nothing
    	set objColSettings = nothing
    	
        WriteToLog 0, "<-- Is64()"
    End Function
    :8827
  • Jak, you sir are a gentleman and a scholar. I will try it next week upon my return to work.

    Thank you

    :8851
  • No problem, please let me know if it works out as I'm sure it could be useful for a few customers with a certification mismatch.

    I thought about adding an additional variable so it only ran on machines that had a mismatch. I.e.  Have a variable at the top called for example: strCorrectRouterIdentityKey, e.g.

    strCorrectRouterIdentityKey = "qRS2iIVb8f5Ql3Y1SwJgOpB5vU0="

    The user would add their value as taken from the server key:

    HKLM\Sophos\Certification Manager\CertAuthStore\RouterKey

    That way when it is run on a client it would check the value the client had against that, if it was different it would carry on and do a re-init, this way it would only run on clients with essentially mismatched identity keys.  It's not the end of the world if it does run on a working client, it just means they will request 2 new certificates and it shouldn't do this more than once as it sets a flag to say it completed ok and prevents subsequent runs (unless the -force switch is passed).

    TBH the script is at the limit of the size of a message I can post, so close is it that I had to remove some of the comments so a new function would push it over the edge.

    Well if you could try it on a couple of clients first to ensure it works, especially if you decide to add your cac.pem and mrinit.conf into the script as variables as that's where it's most likely to go wrong, that would be advisable.

    Thanks,

    Jak

    Update:
    The script below has the new variable:

    strRouterCertIdentityKey 

    If set, the script will exit if the client already has the same value to prevent the script running on machines which should be ok.  Either they were already ok or have already been fixed.  Just saves clients which should be ok requesting 2 new certificates.  Again running the script with -force will skip this check and re-init the machine regardless.

    It should be set to contain the same string as found on the Sophos Management server in the following key:

    HKLM\Software\[WOW6432NODE]\Sophos\Certification Manager\CertAuthStore\RouterKey

    I've left my value in the script to show what it should look like, again this will need to be updated, my string will not work for you :)

    This script now has quite a few configuration options, it almost needs a HTA/Script to Auto Configure the script per install!

    :8865
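A PowerShell pre-check for the two guards Jak describes in this thread: the ConnectionCache = 10 test that keeps the re-init off server and relay routers, and the router identity key comparison from the last post that skips clients whose key already matches. This is an added example, not Jak's script. It assumes the mrinit.conf line format shown in the script above ("Name"="value" and "Name"=dword:hex under [Config]), that the expected router key can be taken from RouterCertIdentityKey in the new mrinit.conf (the thread notes this must agree with the server's CertAuthStore\RouterKey value Jak pastes into strRouterCertIdentityKey), that the client's current key lives in Messaging System\CertificationIdentityKeys\CertificationIdentityKey (the value ClientMRInit.exe re-creates from mrinit.conf according to the earlier post), and that $MrinitPath points at your CID's mrinit.conf.

```powershell
# Added example, not from the thread: decide whether this client needs an RMS
# re-init before touching anything. Exit 0 = re-init needed, 1 = skip, so a
# start-up or Kaseya script can gate on it. -Force mirrors Jak's -force switch.
param(
    [string]$MrinitPath = '\\server\SophosUpdate\CIDs\S000\SAVSCFXP\mrinit.conf',  # assumption: your CID
    [switch]$Force
)

# Parse mrinit.conf into a hashtable. Lines are .reg-style: "Name"="string"
# or "Name"=dword:HEX; the [Config] header and blank lines are skipped.
function ConvertFrom-MrinitConf {
    param([string[]]$Lines)
    $cfg = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('[')) { continue }
        if ($line -match '^"(?<name>[^"]+)"=(?:"(?<str>.*)"|dword:(?<hex>[0-9A-Fa-f]{1,8}))$') {
            if ($Matches['hex']) { $cfg[$Matches['name']] = [Convert]::ToInt32($Matches['hex'], 16) }
            else                 { $cfg[$Matches['name']] = $Matches['str'] }
        } else {
            Write-Warning "Unrecognised mrinit.conf line: $line"
        }
    }
    return $cfg
}

# Registry root chosen by where the Sophos keys actually are (OS bitness).
$sophosRoot = if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\Sophos\Messaging System') {
    'HKLM:\SOFTWARE\Wow6432Node\Sophos' } else { 'HKLM:\SOFTWARE\Sophos' }

# Apply the guards: client router (ConnectionCache = 10), key mismatch against
# the new mrinit.conf, and Jak's ReInit = 1 "already done" marker.
function Test-NeedsReinit {
    param([hashtable]$Conf, [string]$Root, [switch]$Force)
    $router = Get-ItemProperty -Path "$Root\Messaging System\Router" -ErrorAction SilentlyContinue
    $ident  = Get-ItemProperty -Path "$Root\Messaging System\CertificationIdentityKeys" -ErrorAction SilentlyContinue
    $marker = Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue
    $r = @{
        ConnectionCache   = $router.ConnectionCache
        IsClientRouter    = ($router.ConnectionCache -eq 10)
        ClientRouterKey   = $ident.CertificationIdentityKey            # assumption: where the client keeps it
        ExpectedRouterKey = $Conf['RouterCertIdentityKey']
        AlreadyReinit     = ($marker.ReInit -eq '1')
    }
    # A missing client key counts as a mismatch: the client has no usable identity.
    $r.KeyMismatch  = ($r.ClientRouterKey -ne $r.ExpectedRouterKey)
    $r.NeedsReinit  = [bool]$Force -or ($r.IsClientRouter -and $r.KeyMismatch -and -not $r.AlreadyReinit)
    return $r
}

$conf = ConvertFrom-MrinitConf -Lines (Get-Content -Path $MrinitPath)
# The parent address is worth a glance too, as the note on step 3 says.
Write-Output ("mrinit.conf ParentRouterAddress: {0}" -f $conf['ParentRouterAddress'])

$decision = Test-NeedsReinit -Conf $conf -Root $sophosRoot -Force:$Force
foreach ($k in ($decision.Keys | Sort-Object)) { Write-Output ("{0,-18} {1}" -f $k, $decision[$k]) }

if ($decision.NeedsReinit) { exit 0 } else { exit 1 }
```

Reading the expected key out of mrinit.conf rather than pasting it into a variable removes one copy-and-paste step, which is where Jak says the inline approach is most likely to go wrong, and the dword parsing means the same function can check ClientIIOPPort and friends if you need to. Note that the comparison is deliberately strict: a client with no CertificationIdentityKey at all is reported as a mismatch, since that client cannot be talking to the new console either.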