Resolving connection issues of the Cloud Workload Protection Linux agents

Article ID: 179278

Products

Cloud Workload Protection

Issue/Introduction

Some older versions of the Linux agents may not be able to connect to the CWP server.

 

Cause

Older Linux distributions may not include the required trusted CA SSL certificates in their certificate bundle.

Resolution

Determine whether the trusted CA certificate is installed. If it is not, follow the steps below to install it.

Determining if you already have the CA certificate installed

Use the following command on the Linux instance to determine whether the trusted CA certificate used by the CWP server is installed:
    echo | sudo openssl s_client -connect scwp.securitycloud.symantec.com:443
 

If the output of this command contains "Verify return code: 0 (ok)", the required CA certificate is installed on the system.

If the output of this command contains "Verify return code: <non-zero> (error message)", the CA root certificate is not installed on the system.
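
The check above, scripted as an added example (not part of the original article): it reads the "Verify return code" line from s_client output and maps the code to a next step. It goes beyond the article's ok / non-zero split because a non-zero code can also come from a wrong system clock or from something other than the CWP server answering. The function names and sample outputs are constructed for this example; the numeric codes are OpenSSL's standard X.509 verify codes.

```shell
#!/bin/sh
# Added example, not from the article: interpret the s_client check.
CWP_HOST="scwp.securitycloud.symantec.com:443"   # host named in the article

# Print the numeric code from the "Verify return code: N (text)" line on stdin.
# s_client may print the line more than once, so the last one is used.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) (.*/\1/p' | tail -n 1
}

# Map an OpenSSL verify code to the next troubleshooting step.
classify() {
    case "$1" in
        0)          echo "trusted" ;;          # CA already installed; look elsewhere
        2|19|20|21) echo "missing-ca" ;;       # issuer/root not in the local bundle
        18)         echo "self-signed-leaf" ;; # server cert is self-signed, not CA-issued
        9|10)       echo "validity-period" ;;  # check the system clock before adding CAs
        "")         echo "no-tls-result" ;;    # no verify line: DNS, firewall or proxy failure
        *)          echo "other:$1" ;;
    esac
}

# Live check: the article's command (without sudo), classified.
check_cwp() {
    classify "$(echo | openssl s_client -connect "$CWP_HOST" 2>/dev/null | verify_code)"
}

# Constructed, abbreviated s_client outputs so the example runs offline.
SAMPLE_OK='CONNECTED(00000003)
---
    Verify return code: 0 (ok)
---'
SAMPLE_MISSING='CONNECTED(00000003)
---
    Verify return code: 20 (unable to get local issuer certificate)
---'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'

for s in "$SAMPLE_OK" "$SAMPLE_MISSING" "$SAMPLE_REFUSED"; do
    classify "$(printf '%s\n' "$s" | verify_code)"
done
```

Run check_cwp on the instance before and after installing the certificates; only a "missing-ca" result is addressed by the installation steps that follow.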

Installing CA Root certificate manually

First, download the certificates from the issuing Certificate Authority.

Then, depending on the Linux platform and the OS version, perform the steps below to install the CA certificate on your Linux instances:


Download Certificates from the issuing Certificate Authority.

As of July 2020, the following certificates are in use with the CWP server and console. Please download these certificates in pem and crt formats.

Note: Symantec may change to a different set of certificates from time to time and the following download links may become invalid. Please contact technical support if the links are no longer valid. 

  DigiCertGlobalRootCA

    https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem

    https://cacerts.digicert.com/DigiCertGlobalRootCA.crt

  DigiCertSHA2SecureServerCA

    https://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt.pem

    https://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt



OS specific Certificate installation instructions

Ubuntu 14.04:

    1. Copy the downloaded pem file to /usr/local/share/ca-certificates.
    2. Run the command:
      sudo cp <downloaded pem files> /usr/local/share/ca-certificates; sudo update-ca-certificates

Ubuntu 16.04:

    1. Copy the downloaded pem file to /etc/ssl/certs.
    2. Run the command:
      sudo cp <downloaded pem files> /etc/ssl/certs; sudo update-ca-certificates

RHEL, CentOS, Oracle Linux, and Amazon Linux:

    1. Copy the downloaded CRT file into /home/ec2-user.
    2. Run the following commands:
      • To install ca-certificates package:
        sudo yum install ca-certificates
      • To enable the dynamic CA configuration feature:
        sudo update-ca-trust force-enable
        or
        sudo update-ca-trust enable
      • To copy the crt file to /etc/pki/ca-trust/source/anchors/
        sudo cp <downloaded crt files> /etc/pki/ca-trust/source/anchors/
      • To extract and add the intermediate CA certificate to the list of trusted CAs:
        sudo update-ca-trust extract