
After upgrade from 15.1 to 15.5 Enforce keystore errors observed and all detection servers unknown


Article ID: 174815

Data Loss Prevention Enforce


After upgrading from DLP 15.1 to DLP 15.5 on Windows, Enforce is unable to establish a connection with the detection servers, and the localhost logs report a keystore error. This is frequently seen when the installation directories used for 15.5 differ from those used in 15.1, for example when the 15.1 installation did not use the default \Program Files and \ProgramData locations.

Errors from the MonitorController0.log file:

File: Enforce\logs\debug\MonitorController0.log
Date: 5/17/19 8:40:06 AM
Class: com.vontu.logging.LocalLogWriter
Method: write
Message:  Certificate authority file is corrupt.. Certificate authority file certificate_authority_v1.jks is corrupt

File: Enforce\logs\debug\MonitorController0.log
Date: 5/17/19 8:40:06 AM
Class: com.vontu.monitor.controller.informationmonitor.mapper.MonitorChannelKeystoreUpdater
Method: generateKeyAndTrustStoreAndAddData
Message:  Certificate authority file missing or corrupt. Cannot generate server keystore and trustore for this server <detection server name>

File: Enforce\logs\debug\MonitorController0.log
Date: 5/17/19 8:40:06 AM
Class: com.vontu.enforce.domainlayer.certificate.CertificateService
Method: getValidatedRootCertificate
Message:  Root certificate file certificate_authority_v1.jks not found

File: Enforce\logs\debug\MonitorController0.log
Date: 5/17/19 8:40:07 AM
Class: com.hazelcast.instance.Node
Message:  []:5702 [enforceMessaging] [3.6.5] Terminating forcefully...



This issue occurs because, during the upgrade to DLP 15.5, some configuration files are reverted to default values rather than keeping the paths chosen when the 15.5 software was installed. Several configuration files contain the path to the keystore folder, and these are not updated to reflect the correct location of the keystores. The keystore files are required to establish communication between Enforce and the detection servers.

This causes the SymantecDLP Detection Server Controller Service to:

  • crash, or
  • fail to start up fully, and
  • leave the detection servers in an "Unknown" state in the Enforce Console.


DLP 15.5


Review and correct the following settings in the configuration files on the Enforce server and on the detection server(s). Each value must point to the actual location of the keystore folder rather than the standard path /ProgramData/Symantec/DataLossPrevention/EnforceServer/15.5/keystore that the upgrade may have written.

Then restart the SymantecDLPDetectionServerControllerService on Enforce and the SymantecDLPDetectionServerService on each detection server, and verify in the Enforce Console that the servers change from "Unknown" to "Running" status.

For example (values as written by the upgrade; change the directory portion to the real keystore location):

SSLkeystore.dir = /ProgramData/Symantec/DataLossPrevention/EnforceServer/15.5/keystore

ssl.keystore.file.path = /ProgramData/Symantec/DataLossPrevention/EnforceServer/15.5/keystore/enforce_keystore.jks

com.vontu.inline_smtp.keystore = /ProgramData/Symantec/DataLossPrevention/EnforceServer/15.5/keystore/prevent.ks

com.vontu.manager.enforce.keystore.file = /ProgramData/Symantec/DataLossPrevention/EnforceServer/15.5/keystore/enforce_keystore.jks

Icap.Keystore.Path = /ProgramData/Symantec/DataLossPrevention/EnforceServer/15.5/keystore/secureicap.jks

endpointKeystoreDir = /ProgramData/Symantec/DataLossPrevention/DetectionServer/15.5/keystore/monitor.<timestamp>.sslkeystore

The detection server keystore may also be located under Program Files, for example:

/Program Files/Symantec/DataLossPrevention/Detection Server/15.5/keystore/monitor.<timestamp>.sslkeystore

These are Java property files, so the values use forward slashes even on Windows; if you write a backslash instead it must be doubled (\\), otherwise Java drops it and the path no longer resolves.
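Checking every configuration file by hand is error prone, so the following PowerShell script is an added example (not code from this article or from Symantec) that audits the settings described above. It scans the DLP configuration directories for any property whose key or value mentions a keystore, resolves the Java-style path to a Windows path, reports whether the referenced file or folder exists, and, when run with -Fix, rewrites values that still point at the default keystore folder to the folder that actually holds the keystores (after taking a backup of each file it changes). The config roots, the file extensions and the $ActualKeystoreDir value are assumptions for illustration; adjust them to your installation.

```powershell
# Added example, not code from the Broadcom/Symantec article. Audits DLP 15.5
# configuration files for keystore paths, flags references that do not exist on
# disk and (with -Fix) repoints default-path values at the real keystore folder.
# The config roots and $ActualKeystoreDir are assumptions; adjust for your host.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ConfigRoots = @(
        'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\config',
        'C:\Program Files\Symantec\DataLossPrevention\DetectionServer\15.5\Protect\config'
    ),
    # Path the upgrade writes into the files (from the article) ...
    [string]$DefaultKeystoreDir = '/ProgramData/Symantec/DataLossPrevention/EnforceServer/15.5/keystore',
    # ... and where the keystores really live on this host (hypothetical value).
    [string]$ActualKeystoreDir = 'D:/DLPData/Symantec/DataLossPrevention/EnforceServer/15.5/keystore',
    [switch]$Fix
)

# Java .properties values use forward slashes and may omit the drive letter.
# Map "/ProgramData/.../x.jks" to "C:\ProgramData\...\x.jks" so Test-Path can check it.
function Resolve-PropertyPath {
    param([string]$Value)
    $p = $Value.Trim().Replace('/', '\')
    if ($p -match '^\\[^\\]') { $p = "$env:SystemDrive$p" }   # leading '\' means system drive
    return $p
}

$latin1 = [System.Text.Encoding]::GetEncoding(28591)   # ISO-8859-1, the Java .properties default
$lineRx = [regex]'^\s*(?<key>[^#!=\s][^=]*?)\s*=\s*(?<val>.*?)\s*$'

$results = foreach ($root in $ConfigRoots) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Config root not found: $root"; continue }
    foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File -Include *.properties, *.conf) {
        $lines   = [System.IO.File]::ReadAllLines($file.FullName, $latin1)
        $changed = $false
        for ($i = 0; $i -lt $lines.Count; $i++) {
            $m = $lineRx.Match($lines[$i])
            if (-not $m.Success) { continue }
            $key = $m.Groups['key'].Value; $val = $m.Groups['val'].Value
            if ($key -notmatch 'keystore' -and $val -notmatch 'keystore') { continue }

            $exists = Test-Path -LiteralPath (Resolve-PropertyPath $val)
            $newVal = $val
            # Only repoint a value when it uses the default folder, the target is
            # missing there, and the same file/folder does exist under the real location.
            if (-not $exists -and $val.StartsWith($DefaultKeystoreDir, 'OrdinalIgnoreCase')) {
                $candidate = $ActualKeystoreDir + $val.Substring($DefaultKeystoreDir.Length)
                if (Test-Path -LiteralPath (Resolve-PropertyPath $candidate)) { $newVal = $candidate }
            }
            if ($Fix -and $newVal -ne $val -and $PSCmdlet.ShouldProcess($file.FullName, "set $key")) {
                $lines[$i] = "$key = $newVal"
                $changed = $true
            }
            [pscustomobject]@{
                File = $file.FullName; Line = $i + 1; Key = $key
                Value = $val; Exists = $exists; Proposed = $newVal
            }
        }
        if ($changed) {
            $stamp = Get-Date -Format 'yyyyMMddHHmmss'
            Copy-Item -LiteralPath $file.FullName -Destination "$($file.FullName).$stamp.bak"   # backup first
            [System.IO.File]::WriteAllLines($file.FullName, $lines, $latin1)
        }
    }
}

# Rows with Exists = False and Proposed = Value are references the script could not
# repair automatically and must be corrected by hand.
$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session with the SymantecDLPDetectionServerControllerService (or, on a detection server, the SymantecDLPDetectionServerService) stopped; the first run without -Fix is read-only and shows what would change, and -Fix -WhatIf previews the writes without touching the files. Files are read and written as ISO-8859-1 so that non-ASCII characters elsewhere in the properties files are preserved.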