fatihseyligli
Article Id 389635
Description This article describes an issue encountered while migrating FortiClient EMS from Windows to Linux, where the migration process fails with a 'Permission denied' message when copying certificate key files due to a write permission issue on the destination Linux directory.
Scope FortiClient EMS.
Solution

Description:

 

During migration of FortiClient EMS from a Windows server to a Linux server, the migration process fails during the copying of certificates with the following error:

 

scp.SCPException: scp: /opt/forticlientems/data/certs/FCTEMSXXXXXXX.1.key: Permission denied

 

Sample log excerpt:

 

[Screenshot: log_error (2).png]

 

Root Cause:

 

The migration utility tries to move the certificate key file to /opt/forticlientems/data/certs/.


However, the certs directory of the Linux EMS server lacks adequate write permissions for the migrating user or group.

In the observed case:

 

drwxr-x--- 2 forticlientems forticlientems 4096 Apr 10 07:29 certs


The owner (forticlientems) is the only one with write access. The group has read and execute (traverse) permission on the directory, but not write.

 

If the migration SSH user belongs to the group forticlientems but is not the owner, the write operation fails.

 

Solution:

 

  • Change Linux EMS server permissions to grant owner and group write access.
  • SSH into the Linux EMS server using root or a user with elevated privileges.

  • Run the following command:

 

sudo chmod 770 /opt/forticlientems/data/certs

 

  • This changes the directory permission to:

 

drwxrwx--- forticlientems forticlientems

 

  • The owner and group will each have read, write, and execute permissions.

 

Verification:

 

After permission change:

 

  • Restart the EMS migration process.
  • Verify that no 'Permission denied' errors occur during the certificate copy process.
  • If required, check directory permissions with:

 

ls -ld /opt/forticlientems/data/certs

 

  • Expected output:

 

drwxrwx--- forticlientems forticlientems ...

 

Additional Notes:

 

  • If the SSH migration user is different, adjust ownership accordingly:

 

sudo chown -R your_migration_user:your_migration_group /opt/forticlientems/data/certs
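
The root-cause rule above (exactly one permission class applies to a user, and creating a file needs both write and execute on the directory) written as a preflight check. This is an added example, not part of the Fortinet article or the migration tool; the function names and the emsmigrate account are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: preflight for the certificate copy step of the migration.
# Function names and the "emsmigrate" account are hypothetical.

# can_create MODE OWNER GROUP USER "USER_GROUPS"
# Unix picks exactly one class for a user (owner, else group, else other);
# creating a file needs both w and x on the directory.
can_create() (
    mode=$(printf '%04o' "0$1")      # normalise 750 / 2770 to four digits
    owner=$2; group=$3; user=$4; user_groups=$5
    [ "$user" = root ] && exit 0     # root is not limited by mode bits
    if [ "$user" = "$owner" ]; then
        pos=2
    else
        case " $user_groups " in
            *" $group "*) pos=3 ;;
            *)            pos=4 ;;
        esac
    fi
    digit=$(echo "$mode" | cut -c"$pos")
    [ $(( digit & 3 )) -eq 3 ]
)

# check_certs_dir DIR USER: read the live values with stat/id and report.
check_certs_dir() (
    dir=$1; user=$2
    info=$(stat -c '%a %U %G' "$dir") || exit 2
    user_groups=$(id -nG "$user") || exit 2
    set -- $info                     # $1=mode $2=owner $3=group
    if can_create "$1" "$2" "$3" "$user" "$user_groups"; then
        echo "OK: $user can write to $dir (mode $1, $2:$3)"
    else
        echo "FAIL: $user cannot write to $dir (mode $1, $2:$3)"
        exit 1
    fi
    # The directory holds private keys: 770 leaves nothing for others.
    [ $(( 0$1 & 7 )) -eq 0 ] || { echo "WARN: others can access $dir"; exit 3; }
)

# Constructed values matching the observed case: mode 750, user in group only.
if can_create 750 forticlientems forticlientems emsmigrate "emsmigrate forticlientems"
then echo "750: copy would succeed"
else echo "750: Permission denied expected"
fi
# On the Linux EMS server: check_certs_dir /opt/forticlientems/data/certs emsmigrate
```

After any ownership change, run check_certs_dir for the forticlientems account as well, to confirm it still falls into a class that has write access.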