Data Loss Prevention Enforce console not loading, error "Exception accessing Enforce KeyStore at location: ../keystore/enforce_keystore.jks" in the localhost logs

Article ID: 164927

Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

When trying to access the DLP Enforce console through the web browser, the console is not loading properly and is stuck in a loop with NOT_FOUND displayed in the address bar. The SymantecDLPDetectionServerController service (formerly known as the Monitor Controller) is also not able to start.

The Tomcat logs contain the following error message:

SEVERE [com.vontu.config.enforce.EnforceSpringConfiguration] Exception accessing Enforce KeyStore at location: ../keystore/enforce_keystore.jks
Cause: 
com.vontu.security.KeyStorehouseException: Unable to ingnite cryptographic keys. 
java.io.IOException: Keystore was tampered with, or password was incorrect 
java.security.UnrecoverableKeyException: Password verification failed 
com.vontu.security.KeyStorehouseException: Unable to ingnite cryptographic keys. 
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect 
Caused by: java.security.UnrecoverableKeyException: Password verification failed

Resolution

The error points to a problem with accessing the enforce_keystore.jks keystore file used by Enforce. This can prevent SymantecDLPDetectionServerController from starting, which in turn will not allow the Enforce console to load. 

The keystore is recreated automatically if the DLP services are restarted and Enforce is not able to find the keystore file in the default location.

Note: the workaround below should only be used by customers who do not also have the DLP Cloud Detection Service (Email, CloudSOC, or WSS Detectors added to Enforce):

For those customers, the issue can be fixed by deleting or renaming the existing enforce_keystore.jks file and then restarting the DLP services. This recreates the keystore and should allow SymantecDLPDetectionServerController to start correctly, after which the console should load normally.

Customers who DO have Cloud Detectors added to the Enforce console should contact Technical Support before taking that step - if the enforce_keystore.jks file is re-created as above, any previously stored certificates will be removed, and Enforce will require a new enrollment bundle in order to connect to the Cloud Service Gateway.
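
The "Keystore was tampered with, or password was incorrect" exception in the Tomcat log above comes from the JKS integrity check, which cannot distinguish a modified file from a wrong password. The following sketch is an added example, not Symantec or Broadcom code; it assumes the keystore is in the classic JKS format, and the password and keystore bytes are constructed sample data.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # fixed string mixed into every JKS digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (2 bytes per char, big-endian) + fixed string + body."""
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Construct a minimal, empty JKS v2 store (sample data for this example)."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)  # magic, version, entry count
    return body + jks_digest(password, body)


def check_jks(blob: bytes, password: str) -> str:
    """Return 'ok', 'not-jks' or 'integrity-failed' for a keystore blob."""
    if len(blob) < 32 or struct.unpack(">I", blob[:4])[0] != JKS_MAGIC:
        return "not-jks"
    body, stored = blob[:-20], blob[-20:]  # trailing 20 bytes are the digest
    if jks_digest(password, body) != stored:
        # Java surfaces this as "Keystore was tampered with, or password was
        # incorrect" / "Password verification failed": one check, two causes.
        return "integrity-failed"
    return "ok"


if __name__ == "__main__":
    pw = "constructed-password"          # constructed, not a DLP credential
    good = build_empty_jks(pw)
    tampered = bytearray(good)
    tampered[11] ^= 0x01                 # flip one bit in the entry count
    print("correct password :", check_jks(good, pw))
    print("wrong password   :", check_jks(good, "something-else"))
    print("modified file    :", check_jks(bytes(tampered), pw))
```

Because both failure paths return the same result, the log entry alone does not show whether the file changed or the stored password no longer matches it.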