Some Players may reject Remote Software Update to Release 6 or newer

Symptom

Some Players, especially those running Windows Embedded, may fail when you update them to Release 6 or newer using a Remote Software Update maintenance job. The error message in Player's IC.log file says An internal certificate chaining error has occurred.

(This problem would also affect any future Release 5.1 Player updates that may come after Release 5.1.36).

Short Explanation of the Cause

The Remote Software Update is signed with Scala's digital certificate, which is only recognized by Windows PCs that have a recent "Root Certificate Update". Windows Embedded PCs do not participate in automatic Windows Updates, so they may be missing this update, hence the update is rejected. Certain Windows XP or Windows 7 PCs may have Windows Update disabled, or set to "Critical updates only" (which does not necessarily include Root Certificate updates) leading to the same issue.

Detailed Explanation of the Cause

These days, most installers are digitally signed by their creators, so you know the installers are genuine and not tampered with. Our Remote Software Update (and our other updaters) are digitally signed by Scala in this way.

A Windows PC comes preinstalled with "root certificates" from various "Certificate Authorities", which are companies that issue and vouch for digital certificates. From time to time, Microsoft updates the list of root certificates via Windows Update as new Authorities get added, and to refresh the certificates of existing Authorities.

A Windows PC knows to trust a digital signature like ours, because our certificate has been countersigned by one of the trusted Authorities whose certificate has been pre-installed on the computer. Our current digital certificate is countersigned by Verisign (one of the major Certificate Authorities), but Verisign is now using a new certificate to countersign. The PC only knows that our signature is valid if it has the Root Certificate update that Microsoft published in March 2011.

Affected Systems

Windows Embedded Systems

May Scala Players are built on the embedded version of Windows (which has gone by various names, such as "Windows XP Embedded", "Windows Embedded Standard 2009", and "Windows Embedded 7").

The embedded version of Windows does not support Windows Update, so these systems would normally not have the necessary Root Certificate update.

Windows XP / Windows 7 Systems

Many Windows XP or Windows 7 systems would have Windows Update enabled for critical and optional updates, and therefore should have all Root Certificate updates, and not have any problems.

Some systems may have Windows Update enabled for critical updates only. Root Certificate updates are generally listed as "Optional", and may not have been automatically downloaded and installed.

In a well-secured closed network, it can sometimes be appropriate to run with Windows Update disabled, in which case such systems might be missing the necessary Root Certificate update.

How to Resolve This

The issue can be resolved by applying the Root Certificate update, which can be done at the Player (if you have a modest number of Players, and local access to them), or remotely via Content Manager remote maintenance tools.

Download the March 2011 Windows Root Certificate Update

1. Go to http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6149
2. Click CONTINUE.
3. Perform the Genuine Windows Validation process:
   • Under Internet Explorer, this should be automatic via an OCX.
   • Under other browsers, the website will direct you to download an run the Windows Validation tool, which generates a code you copy and paste into the web form, then click VALIDATE.
4. Download the file rootsupd.exe.

Install the Update

The instructions are simple if you have local access to the Players, and you can manage to do this separately for each Player. If instead you need to use Content Manager maintenance jobs, the instructions are provided too.

Install the Root Certificate Update Locally

(Use these instructions if you have local access to the Players, and the number of Players is manageable.)

1. Run rootsupd.exe

Install the Root Certificate Update Remotely

(Use these instructions to update many Players at once, or if you do not have convenient local access to the Players.)

Note: On systems with EWF ("Enhanced Write Filter") enabled, you must take additional steps to disable EWF, reboot, perform the below sequence, enable EWF, and reboot again.

1. In Content Manager, go to Network > Maintenance Jobs, click Upload Files, and upload the rootsupd.exe file.
2. Under Network > Maintenance Jobs, click New.
3. (If your network also has IAdea devices) Select a Maintenance Job Type of Scala Player maintenance job, and click Next.
4. Name the maintenance job. For example, Windows Cert Update, and click Next.
5. Make one task by going to Task command: and selecting Install file. Choose rootsupd.exe from the list that appears to the right. For Install path:, select a folder on the Player that can be written to. Click Add Task.
6. Make a second task by going to Task command: and selecting Run command. For the Command path:, specify C:\rootsupd.exe /Q
7. Check the Wait for completion checkbox, and click Add Task.
8. Click the Scheduling tab, select a Schedule Type: of ASAP, and click Add Schedule.
9. Click the Players tab, and select the Players to receive the maintenance job.
10. Click Save.
11. Synchronize your Players.

Run the Remote Software Update

Now that the root certificates are updated, you can run the Install software update maintenance job.

Comments

We updated the command-line arguments of rootsupd.exe. It should be just:

rootsupd.exe /Q

Peter

Posted by: Peter Cherna | 10/22/2012 at 02:26 PM

System development life cycle analysis comprising concepts, design, implementation, installation, integration, maintenance, and requirements

Posted by: barsha jena | 04/05/2013 at 06:10 AM