New Cloud Detector unable to register successfully, even though following issues have been eliminated as issue:

• ManagerLogging.properties does not have any FINE or higher loglevels set (as per TECH249263)
• enforce_keystore.jks file has full permissions required for certificate import (as per TECH250216)
• Bundle is not expired

Tomcat log reveals error at enrollment:

------------------------------
16 May 2018 12:22:32,726- Thread: 124 INFO [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] Cloud Detector created in Enforce. Cloud detector PROD DLP DIM Cloud Connector created in Enforce.
16 May 2018 12:22:33,663- Thread: 281 SEVERE [org.jscep.client.Client] The self-signed certificate MUST use the same subject name as in the PKCS#10 request.
16 May 2018 12:22:33,930- Thread: 281 WARNING [org.jscep.client.Client] AbstractTransport problem when determining capabilities.  Using empty capabilities.
16 May 2018 12:22:34,058- Thread: 281 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] org.jscep.transport.TransportException: Error connecting to server
Cause:
com.symantec.dlp.certificate.retrieval.CertificateRetrievalException: org.jscep.transport.TransportException: Error connecting to server
org.jscep.client.ClientException: org.jscep.transport.TransportException: Error connecting to server
org.jscep.transport.TransportException: Error connecting to server
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 

Enforce 15.x with new bundle for DLP Cloud Detection Service

The above error specifically "Using empty capabilities" indicates the CACerts file on Enforce is likely missing default CA or other Root certs required to negotiate with the Cloud Gateway.

To confirm this, install an openssl client on the Enforce server, and perform the following test:

openssl s_client -showcerts -connect pki-scep.symauth.com:443

If the following output occurs, the CACerts file is either corrupt, has incorrect permissions, or is not the correct copy for the DLP version:

Server certificate
subject=/jurisdictionC=US/jurisdictionST=STATE/businessCategory=Private Organization/serialNumber=1234567/C=US/postalCode=98765/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations/CN=pki-scep.symauth.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 4038 bytes and written 366 bytes
Verification error: unable to get local issuer certificate

Confirm that the CACerts file in this location: ../lib/security/cacerts has not been modified or removed.

It might need to be replaced with a known good copy - either from a backup or from another Enforce server (versions need to match exactly).

Then restart all DLP services in order, as per TECH220062.

FYI - in DLP 15.x, the default size of this file should be 111 Kb in size. Much smaller files indicate this has been replaced - and because this is the Certificate Authority for Java, handshakes will fail if it does not contain the latest CAs.

Additional information about replacing the CACerts file is found in this KB: DLP upgrade overwrites the CACERTS keystore causing the secure LDAP connection to break. (broadcom.com)