Cloud detector showing “disconnected” after bundle upload to Enforce


Article ID: 171006

Products

  • Data Loss Prevention Enforce
  • Data Loss Prevention Cloud Service for Email
  • Data Loss Prevention Cloud Detection Service

Issue/Introduction

This issue can occur with one or more Cloud Detectors enrolled, and has the following symptoms:

  • Bundle upload is saved but the only event recorded is a 4201 code:

"Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service"

  • Connectivity through any proxies has been confirmed, as recommended by TECH236383 and TECH239588
  • Despite the successful issuance of the PKI certificate (confirmed by Backline support engineers who have access to the PKI server), the keystore file on the Enforce management server has not been updated with a copy of the certificate. This file resides in this location, for Windows and Linux, respectively:

\SymantecDLP\Protect\keystore\enforce_keystore.jks

/opt/SymantecDLP/Protect/keystore/enforce_keystore.jks

The following error is in the Tomcat localhost log:

09 Feb 2018 08:17:35,130- Thread: 4792 SEVERE [org.jscep.client.Client] The self-signed certificate MUST use the same subject name as in the PKCS#10 request.
09 Feb 2018 08:17:40,005- Thread: 4792 WARNING [org.jscep.message.PkiMessageDecoder] Unable to verify message because the signedData contained no certificates.
09 Feb 2018 08:17:40,005- Thread: 4792 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationTask] org.bouncycastle.asn1.ASN1ObjectIdentifier cannot be cast to org.bouncycastle.asn1.DERObjectIdentifier

Cause

The error shown in the Tomcat log indicates a problem with the log level configured for the Vontu Manager service on Enforce. Most likely, the server has previously been configured to raise global logging to "FINE", which affects a specific component (the jscep client) involved in accepting the PKI certificate.

If the above error is not present, it is also possible that the Enforce server keystore file has incorrect permissions. The DLP 'protect' account needs 'write' access to this file; otherwise the certificate obtained in memory by the MonitorController service cannot be written to disk by the Vontu Manager. For that issue, see related article TECH250216.

Environment

DLP 14.6, or 15.0, with one or more Cloud Detection Servers

Resolution

In the ManagerLogging.properties file, the following global level may be set:

.level = FINE

Reverting this to default will resolve this issue:

.level = INFO

However, to specifically address the level impacting this issue, add the following line to the file:

#dropping JSCEP Log Level
org.jscep.level=INFO

Once the change is saved, recycle the VontuManager service.

A new bundle will be required, because the certificate on the PKI server can only be issued once.

Note - with the receipt of a new bundle, it may be necessary to also recycle the VontuMonitorController service, to ensure successful enrollment.

After recycling services, delete the existing entry for the new Cloud Detection Server, then reattempt enrollment with a new bundle.
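As an added check (not part of this article or the DLP product), the following script reads a ManagerLogging.properties file and reports whether the jscep component is effectively logging at FINE, using standard java.util.logging inheritance (a logger falls back to the level of its nearest configured ancestor, then to the root ".level"); it can also append the pinning line from the Resolution. The sample file contents are constructed.

```python
"""Check a DLP Enforce ManagerLogging.properties for the jscep log-level condition
described above. Assumption (not from the article): java.util.logging semantics,
where "a.b.c" inherits from "a.b", then "a", then the root ".level" entry."""
import re

def parse_properties(text):
    """Minimal java.util.Properties parser: key=value or key: value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def effective_level(props, logger_name):
    """Return (level, key) for logger_name, walking up the logger hierarchy."""
    parts = logger_name.split(".")
    while parts:
        key = ".".join(parts) + ".level"
        if key in props:
            return props[key].upper(), key
        parts.pop()
    return props.get(".level", "INFO").upper(), ".level"

def diagnose(text):
    """Flag the article's condition: the jscep client effectively at FINE or lower."""
    props = parse_properties(text)
    level, source = effective_level(props, "org.jscep.client.Client")
    verbose = level in ("FINE", "FINER", "FINEST", "ALL")
    return {"jscep_level": level, "set_by": source, "needs_fix": verbose}

def pin_jscep_level(text):
    """Append the article's fix if org.jscep.level is not already pinned."""
    if "org.jscep.level" in parse_properties(text):
        return text
    return text.rstrip("\n") + "\n#dropping JSCEP Log Level\norg.jscep.level=INFO\n"

# Constructed sample reflecting the problem state described in the article.
SAMPLE = ".level = FINE\nhandlers = java.util.logging.ConsoleHandler\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
    print(diagnose(pin_jscep_level(SAMPLE)))
```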