Error: "Unable to generate agent install package. The certificate authority keystore is missing or corrupt."

Article ID: 184644


Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

Agent install packages cannot be created in a non-production environment after the production database has been cloned into it.
Despite the wording of the error, the keystore file itself is readable: keytool.exe can list the contents of certificate_authority_v1.jks without a password (a JKS keystore needs its password only to verify integrity and to read private keys), which shows that the file is neither missing nor corrupt.

Source: com.vontu.manager.admin.endpoint.agentpackage.AgentPackageController
Message: Unable to generate an agent install package. The certificate authority keystore is missing or corrupt. Please repair the keystore before creating an agent package.

Cause

When it generates the agent keypair, the AgentPackageController reads the encrypted keystore password from the Oracle database and uses it to open certificate_authority_v1.jks.
The password in the cloned database belongs to the keystore on the production Enforce server. The keystore on the non-production server was created by that server's own installation with a different password, so the integrity check fails and the controller reports the keystore as missing or corrupt.
The keystore password is randomly generated at install time and cannot be recovered.
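The following PowerShell snippet is an added example for confirming this diagnosis before changing anything; it is not part of this article or of the product. It lists the keystore without a password (which succeeds for an intact JKS file and prints each entry's certificate fingerprint), then shows that keytool rejects any password other than the one the file was created with. The keytool path, the keystore path and the candidate password are placeholders for this example.

```powershell
# Added example: show that certificate_authority_v1.jks is intact and that the
# failure is a password mismatch, not a corrupt file. Paths are assumptions.
$KeyTool  = 'C:\Program Files\Java\jre\bin\keytool.exe'   # assumed; use the JRE the Enforce server uses
$Keystore = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\keystore\certificate_authority_v1.jks'

function Get-JksFingerprints {
    # Lists a JKS keystore without a password. keytool warns that integrity was
    # not verified but still prints every entry and its certificate fingerprint.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Keystore not found: $Path" }
    # An empty line on stdin answers the password prompt with no password.
    $lines = '' | & $KeyTool -list -keystore $Path -storetype JKS 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) {
        throw "keytool could not read $Path (the file may really be corrupt):`n$($lines -join "`n")"
    }
    $entries = @{}
    $alias = $null
    foreach ($line in $lines) {
        # Entry header looks like "<alias>, <date>, PrivateKeyEntry,"
        if ($line -match '^(?<alias>[^,]+),.*(PrivateKeyEntry|trustedCertEntry)') { $alias = $Matches.alias }
        if ($alias -and $line -match 'fingerprint \((?<alg>[^)]+)\):\s*(?<fp>[0-9A-Fa-f:]+)') {
            $entries[$alias] = "$($Matches.alg) $($Matches.fp)"
        }
    }
    return $entries
}

function Test-JksPassword {
    # Returns $true only if keytool's integrity check passes with this password.
    # The password is sent over stdin so it never appears in the process command line.
    param([string]$Path, [string]$Password)
    $null = $Password | & $KeyTool -list -keystore $Path -storetype JKS 2>&1
    return ($LASTEXITCODE -eq 0)
}

# 1. The file is readable: an intact JKS lists its entries with no password at all.
$fps = Get-JksFingerprints -Path $Keystore
$fps.GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, $_.Value }

# 2. Any password other than the one this file was created with is rejected with
#    "Keystore was tampered with, or password was incorrect", which is the condition the
#    AgentPackageController hits when it applies the production password from the cloned
#    database to this file. Test-JksPassword returns $false for every wrong password.
Test-JksPassword -Path $Keystore -Password 'not-the-real-password'

# 3. If a copy of the production keystore is available, differing fingerprints confirm
#    that the two servers hold different keystores (path below is assumed).
# $prodFps = Get-JksFingerprints -Path '\\prod-enforce\backup\certificate_authority_v1.jks'
# Compare-Object @($fps.Values) @($prodFps.Values)
```

Run it as the account that owns the Enforce installation so the keystore directory is readable; a wrong keytool path shows up as a "not found" error from PowerShell rather than from keytool.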

Environment

This error can occur after installing Enforce on a non-production server and then attaching a cloned copy of the database from another environment.
The password stored in the cloned Oracle database is for the original copy of the certificate authority keystore file (certificate_authority_v1.jks) located on the production server.

Resolution

There are two ways to resolve this situation.
If you still have the original keystore file from the production server, copy it to the non-production server:

  1. Stop DLP services on the non-production Enforce server
  2. Back up the existing certificate_authority_v1.jks on the non-production server, then copy the certificate_authority_v1.jks from the production Enforce server into the keystore directory on the non-production Enforce server (e.g., C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\keystore)
  3. Restart DLP services
  4. Create an agent installer package
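The steps above carried out in PowerShell, as an added example rather than a procedure shipped with this article or the product. The production copy's location, the service display names and the stop/start order are assumptions for this example; check them against your own Enforce server before running it.

```powershell
# Added example: replace the non-production keystore with the production copy.
# Paths, service display names and stop/start order are assumptions; adjust to your install.
$KeystoreDir = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\keystore'
$Target      = Join-Path $KeystoreDir 'certificate_authority_v1.jks'
$ProdCopy    = '\\prod-enforce\backup\certificate_authority_v1.jks'   # assumed: exported from production
# Assumed display names. Manager is stopped first and started last so nothing
# uses the keystore while the file is being replaced.
$StopOrder   = 'Symantec DLP Manager', 'Symantec DLP Detection Server Controller',
               'Symantec DLP Incident Persister', 'Symantec DLP Notifier'

$services = @(foreach ($name in $StopOrder) { Get-Service -DisplayName $name -ErrorAction SilentlyContinue })
if ($services.Count -eq 0) { throw 'No DLP services matched; check the service display names before continuing.' }
if (-not (Test-Path -LiteralPath $ProdCopy)) { throw "Production keystore copy not found: $ProdCopy" }

# 1. Stop the Enforce services and wait until they are really down.
$services | Stop-Service -Force
$services | ForEach-Object { $_.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5)) }

# 2. Keep the original non-production file so the change can be reverted,
#    then put the production keystore in place.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -LiteralPath $Target -Destination "$Target.$stamp.bak"
Copy-Item -LiteralPath $ProdCopy -Destination $Target -Force

#    Verify the copy byte-for-byte before bringing anything back up.
$src = (Get-FileHash -LiteralPath $ProdCopy -Algorithm SHA256).Hash
$dst = (Get-FileHash -LiteralPath $Target   -Algorithm SHA256).Hash
if ($src -ne $dst) { throw "Keystore copy failed: SHA-256 $dst does not match source $src" }

# 3. Restart the services in the reverse order.
[array]::Reverse($services)
$services | Start-Service
$services | ForEach-Object { $_.WaitForStatus('Running', [TimeSpan]::FromMinutes(5)) }

# 4. Create the agent installer package from the Enforce console.
```

The backup file contains the same private CA key as the keystore it replaces, so leave it in the keystore directory (which the installation already protects) or delete it once the agent package has been generated successfully.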

If the production file is not available, set a new password on certificate_authority_v1.jks from the Enforce console:

  1. System > Settings > General > Configure
  2. Scroll to the bottom of the page
  3. Click on the banner [Change Endpoint and Network Discover Communications Keystore Password]
  4. Enter a new password
  5. Confirm the password
  6. Save the changes
  7. Create an agent installer package