A new Cloud Detector is unable to register successfully, even though the following issues have been ruled out:
Tomcat log reveals error at enrollment:
------------------------------
16 May 2018 12:22:32,726- Thread: 124 INFO [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] Cloud Detector created in Enforce. Cloud detector PROD DLP DIM Cloud Connector created in Enforce.
16 May 2018 12:22:33,663- Thread: 281 SEVERE [org.jscep.client.Client] The self-signed certificate MUST use the same subject name as in the PKCS#10 request.
16 May 2018 12:22:33,930- Thread: 281 WARNING [org.jscep.client.Client] AbstractTransport problem when determining capabilities. Using empty capabilities.
16 May 2018 12:22:34,058- Thread: 281 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] org.jscep.transport.TransportException: Error connecting to server
Cause: com.symantec.dlp.certificate.retrieval.CertificateRetrievalException: org.jscep.transport.TransportException: Error connecting to server
org.jscep.client.ClientException: org.jscep.transport.TransportException: Error connecting to server
org.jscep.transport.TransportException: Error connecting to server
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Enforce 15.x with new bundle for DLP Cloud Detection Service
The telling line in the error above is the PKIX path building failure ("unable to find valid certification path to requested target"): the Java runtime under Enforce could not chain the Cloud Gateway's TLS certificate to a root it trusts. The "Using empty capabilities" warning is a consequence of that, because the SCEP capabilities request is made over the same TLS connection and fails with it. Together they indicate that the cacerts file on Enforce is likely missing the default CA or other root certificates required to negotiate with the Cloud Gateway.
To confirm this, install an openssl client on the Enforce server, and perform the following test:
openssl s_client -showcerts -connect pki-scep.symauth.com:443
If the handshake ends with a verification error like the one below, the root CA for the gateway's chain is not trusted on the host; on an Enforce server that usually means the cacerts file is corrupt, has incorrect permissions, or is not the correct copy for the DLP version. Note that openssl s_client verifies against OpenSSL's own CA store, not the Java cacerts keystore, so use its output to identify the chain (the issuer lines) and then confirm that issuer's root is present in cacerts with keytool -list.
Server certificate
subject=/jurisdictionC=US/jurisdictionST=STATE/businessCategory=Private Organization/serialNumber=1234567/C=US/postalCode=98765/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations/CN=pki-scep.symauth.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 4038 bytes and written 366 bytes
Verification error: unable to get local issuer certificate
Confirm that the CACerts file in this location: ../lib/security/cacerts has not been modified or removed.
It might need to be replaced with a known good copy - either from a backup or from another Enforce server (versions need to match exactly).
Then restart all DLP services in order, as per TECH220062.
FYI - in DLP 15.x, the default size of this file is about 111 KB. A much smaller file indicates it has been replaced, and because this keystore is Java's trust store of CA certificates, TLS handshakes will fail if it does not contain the CAs the gateway's chain requires.
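The following POSIX shell script is an added example and is not part of this KB or of the DLP product. It automates the checks above: it flags a cacerts file that is missing, unreadable, or much smaller than the roughly 111 KB the KB cites, counts the trusted entries with keytool, and prints the chain the SCEP gateway presents so the required root can be looked up. Assumptions not stated on the page: the keystore path is passed as the first argument, the keystore uses the JDK default password "changeit", the 100000-byte floor is derived from the KB's size figure, and the gateway host is the one from the openssl test above.

```shell
#!/bin/sh
# Added example (not from the KB): sanity-check the Java cacerts truststore that
# Enforce's Tomcat uses for the TLS handshake to the SCEP gateway.
# Assumptions: keystore path in $1, default "changeit" password, and a 100000-byte
# floor derived from the KB's figure of about 111 KB for a stock DLP 15.x cacerts.

CACERTS_MIN_BYTES=100000
SCEP_HOST=pki-scep.symauth.com

# Portable byte count (wc -c pads with spaces on some platforms).
file_size_bytes() {
  wc -c < "$1" | tr -d ' '
}

# Returns 0 if the keystore looks intact, 1 otherwise, and prints the reason.
# Covers the three failure modes the KB names: removed, wrong permissions, replaced by a smaller file.
check_cacerts_file() {
  ks=$1
  if [ ! -f "$ks" ]; then
    echo "MISSING: $ks"
    return 1
  fi
  if [ ! -r "$ks" ]; then
    echo "UNREADABLE: $ks (check ownership and permissions)"
    return 1
  fi
  size=$(file_size_bytes "$ks")
  if [ "$size" -lt "$CACERTS_MIN_BYTES" ]; then
    echo "TOO_SMALL: $ks is $size bytes; a stock DLP 15.x cacerts is about 111 KB"
    return 1
  fi
  echo "OK: $ks is $size bytes"
  return 0
}

# Number of trustedCertEntry records keytool lists (0 if keytool is not on PATH or the
# file is not a valid keystore). A stock JDK cacerts holds dozens of entries; a handful
# means it was replaced with something else.
count_trusted_entries() {
  ks=$1
  if ! command -v keytool >/dev/null 2>&1; then
    echo 0
    return 0
  fi
  keytool -list -keystore "$ks" -storepass changeit 2>/dev/null | grep -c trustedCertEntry
}

# Print the subject/issuer of each certificate the SCEP gateway presents. openssl verifies
# against OpenSSL's own CA store, not Java's cacerts, so this only tells you which root must
# be present; confirm it with: keytool -list -keystore <cacerts> -storepass changeit | grep -i <issuer>
show_server_chain() {
  printf '' | openssl s_client -showcerts -connect "$SCEP_HOST:443" 2>/dev/null \
    | grep -E '^ *[0-9]+ s:|^ *i:'
}

# Usage: sh check_cacerts.sh /path/to/jre/lib/security/cacerts
if [ -n "${1:-}" ]; then
  check_cacerts_file "$1"
  echo "trusted entries: $(count_trusted_entries "$1")"
  show_server_chain
fi
```

Run it on the Enforce server against the cacerts path the KB refers to; a TOO_SMALL or near-zero entry count is the same evidence the KB describes, and the chain output tells you which root to look for after restoring a known good copy.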
Additional information about replacing the CACerts file is found in this KB: DLP upgrade overwrites the CACERTS keystore causing the secure LDAP connection to break. (broadcom.com)