The PKI certificate appears to have been retrieved successfully during the Cloud Detection Server's enrollment process, as shown by the following entry:
[Enforce Console Code]: 4200 "Cloud Service enrollment: client certificate successfully obtained from Symantec Managed PKI Service"
However, the new server remains in an "Unknown" or "Disconnected" state.
As in the related article DLP Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service (broadcom.com), the MonitorController log contains the following entry:
27 Feb 2017 16:53:31,100- Thread: 60910 SEVERE [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service. ERROR DLP-5000.
However, the following entries are also present in that log:
27 Feb 2017 16:53:31,093- Thread: 60910 WARNING [org.jscep.message.PkiMessageDecoder] Unable to verify message because the signedData contained no certificates.
27 Feb 2017 16:53:31,094- Thread: 60910 SEVERE [com.symantec.dlp.certificate.retrieval.ScepRequestor] SCEP failure response received. Failure Description : badRequest; Failure Value : 2
27 Feb 2017 16:53:31,095- Thread: 60910 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] SCEP failure response received. Failure Description : badRequest; Failure Value : 2
Cause:
com.symantec.dlp.certificate.retrieval.CertificateRetrievalException: SCEP failure response received. Failure Description : badRequest; Failure Value : 2
The Tomcat log also contains the following:
27 Feb 2017 21:29:37,306- Thread: 123 SEVERE [org.jscep.client.Client] The self-signed certificate MUST use the same subject name as in the PKCS#10 request.
27 Feb 2017 21:29:41,235- Thread: 123 WARNING [org.jscep.message.PkiMessageDecoder] Unable to verify message because the signedData contained no certificates.
27 Feb 2017 21:29:41,257- Thread: 123 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] Unable to write key store file: ../keystore/enforce_keystore.jks.
Cause:
com.vontu.security.KeyStorehouseException: Unable to write key store file: ../keystore/enforce_keystore.jks.
java.io.FileNotFoundException: ../keystore/enforce_keystore.jks (Permission denied)
com.vontu.security.KeyStorehouseException: Unable to write key store file: ../keystore/enforce_keystore.jks.
Data Loss Prevention Enforce, with any of the following Cloud Detectors involved:
The keystore file on the Enforce management server could not be updated with a copy of the PKI certificate. The file resides in the following location on Windows and Linux, respectively:
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP-version>\keystore\enforce_keystore.jks
/var/Symantec/DataLossPrevention/DetectionServer/<DLP-version>/keystore/enforce_keystore.jks
Ensure the Enforce "protect" user has Read, Write and Modify permissions on the file above.
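On Linux, the permission check above can be scripted so it is repeatable before retrying enrollment. The following is an added example and not Symantec or Broadcom tooling: it takes the keystore path and the service account name (the "protect" user from this article) as arguments and reports whether that account can read and write the file, judged from the file's owner, group and mode bits. It assumes GNU coreutils `stat` and `id`, and the `<DLP-version>` segment of the path must be replaced with the real directory name.

```shell
#!/bin/sh
# Added example (not Symantec/Broadcom tooling): check whether a service account
# can read and write the Enforce keystore before retrying Cloud Detector enrollment.
# Usage: sh check_keystore_perms.sh /var/Symantec/DataLossPrevention/DetectionServer/<DLP-version>/keystore/enforce_keystore.jks protect
# Exit status of user_can_rw: 0 = read+write OK, 1 = permission missing, 2 = file absent.

# Print the octal permission digit (0-7) that applies to USER for FILE:
# the owner digit if USER owns the file, the group digit if USER belongs to the
# file's group, otherwise the "other" digit. root is reported as 7 because
# discretionary mode bits do not restrict it.
effective_digit() {
    file="$1"; user="$2"
    owner=$(stat -c %U "$file") || return 1
    group=$(stat -c %G "$file")
    mode=$(stat -c %a "$file")
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done   # %a drops leading zeros (e.g. "40")
    mode=${mode#"${mode%???}"}                       # keep the last three digits (drop setuid/setgid/sticky)
    if [ "$user" = root ]; then
        echo 7; return 0
    fi
    if [ "$user" = "$owner" ]; then
        echo "${mode%??}"; return 0
    fi
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "$group" ]; then
            d=${mode%?}; echo "${d#?}"; return 0
        fi
    done
    echo "${mode#??}"
}

# Report whether USER has both the read (4) and write (2) bits on FILE.
user_can_rw() {
    file="$1"; user="$2"
    [ -e "$file" ] || { echo "MISSING: $file"; return 2; }
    digit=$(effective_digit "$file" "$user") || return 2
    if [ $(( digit & 6 )) -eq 6 ]; then
        echo "OK: $user can read and write $file"
        return 0
    fi
    echo "DENIED: $user lacks read/write on $file (mode $(stat -c %a "$file"), owner $(stat -c %U:%G "$file"))"
    return 1
}

# When run as a script with two arguments, check that path for that account.
if [ "$#" -eq 2 ]; then
    user_can_rw "$1" "$2"
fi
```

The script evaluates only the classic owner/group/other mode bits. A POSIX ACL (`getfacl`) or a mandatory access control policy such as SELinux can still deny the write even when this check reports OK, and the check is only meaningful for the account the Enforce process actually runs as, so confirm that account name on the host before relying on the result.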
If the permissions were already correct, see the article Cloud detector showing “disconnected” after bundle upload to Enforce (broadcom.com), which covers a separate problem with similar symptoms.