Cloud Detector enrollment fails when Enforce is using a Cloud Proxy server to connect to the Internet

Article ID: 224196

Updated On:

Products

Data Loss Prevention Cloud Service for Email

Issue/Introduction

You are attempting to enroll a Cloud Detection Server to Enforce but the enrollment fails. Enforce has a Cloud Proxy configured and all outgoing web traffic from Enforce goes through the proxy to the Internet, including the Cloud Service Gateway and the PKI website from which Cloud Certificates are pulled. 

Cause

Enforce logs may contain entries similar to the following:

SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] org.jscep.transport.TransportException: 407 authenticationrequired
Cause:
com.symantec.dlp.certificate.retrieval.CertificateRetrievalException: org.jscep.transport.TransportException: 407 authenticationrequiredcom.symantec.dlp.certificate.retrieval.CertificateRetrievalException: org.jscep.transport.TransportException: 407 authenticationrequired
 at com.symantec.dlp.certificate.retrieval.ScepCertificateRetriever.retrieveCertificate(ScepCertificateRetriever.java:80)
 at com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationSequence.retrieveCertificate(DetectorPreparationSequence.java:135)
 at com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationSequence.runPreparationSequence(DetectorPreparationSequence.java:101)
 at com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationTask.run(DetectorPreparationTask.java:55)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)
Caused by: org.jscep.client.ClientException: org.jscep.transport.TransportException: 407 authenticationrequired
 at org.jscep.client.Client.getCaCertificate(Client.java:278)
 at org.jscep.client.Client.getEncoder(Client.java:694)
 at org.jscep.client.Client.enrol(Client.java:619)
 at org.jscep.client.Client.enrol(Client.java:577)
 at com.symantec.dlp.certificate.retrieval.ScepEnroller.enroll(ScepEnroller.java:53)
 at com.symantec.dlp.certificate.retrieval.ScepRequestor.makeEnrollmentScepRequest(ScepRequestor.java:86)
 at com.symantec.dlp.certificate.retrieval.ScepCertificateRetriever.retrieveCertificate(ScepCertificateRetriever.java:75)
 ... 8 more
Caused by: org.jscep.transport.TransportException: 407 authenticationrequired
 at org.jscep.transport.UrlConnectionGetTransport.sendRequest(UrlConnectionGetTransport.java:61)
 at org.jscep.client.Client.getCaCertificate(Client.java:276)
 ... 14 more

Or:

SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] org.jscep.transport.TransportException: Error connecting to server
Cause:
com.symantec.dlp.certificate.retrieval.CertificateRetrievalException: org.jscep.transport.TransportException: Error connecting to servercom.symantec.dlp.certificate.retrieval.CertificateRetrievalException: org.jscep.transport.TransportException: Error connecting to server
 at com.symantec.dlp.certificate.retrieval.ScepCertificateRetriever.retrieveCertificate(ScepCertificateRetriever.java:80)
 at com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationSequence.retrieveCertificate(DetectorPreparationSequence.java:135)
 at com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationSequence.runPreparationSequence(DetectorPreparationSequence.java:101)
 at com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationTask.run(DetectorPreparationTask.java:55)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)
Caused by: org.jscep.client.ClientException: org.jscep.transport.TransportException: Error connecting to server
 at org.jscep.client.Client.getCaCertificate(Client.java:278)
 at org.jscep.client.Client.getEncoder(Client.java:694)
 at org.jscep.client.Client.enrol(Client.java:619)
 at org.jscep.client.Client.enrol(Client.java:577)
 at com.symantec.dlp.certificate.retrieval.ScepEnroller.enroll(ScepEnroller.java:53)
 at com.symantec.dlp.certificate.retrieval.ScepRequestor.makeEnrollmentScepRequest(ScepRequestor.java:86)
 at com.symantec.dlp.certificate.retrieval.ScepCertificateRetriever.retrieveCertificate(ScepCertificateRetriever.java:75)
 ... 8 more
Caused by: org.jscep.transport.TransportException: Error connecting to server
 at org.jscep.transport.UrlConnectionGetTransport.sendRequest(UrlConnectionGetTransport.java:65)
 at org.jscep.client.Client.getCaCertificate(Client.java:276)
 ... 14 more
Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 502 badgateway"
 at sun.net.www.protocol.http.HttpURLConnection.doTunneling(HttpURLConnection.java:2152)
 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
 at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
 at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:92)
 at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1490)
 at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1488)
 at java.security.AccessController.doPrivileged(Native Method)
 at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:784)
 at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1487)
 at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
 at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:352)
 at org.jscep.transport.UrlConnectionGetTransport.sendRequest(UrlConnectionGetTransport.java:55)
 ... 15 more

Or:

SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] org.jscep.transport.TransportException: 401 401
Cause:
com.symantec.dlp.certificate.retrieval.CertificateRetrievalException: org.jscep.transport.TransportException: 401 401com.symantec.dlp.certificate.retrieval.CertificateRetrievalException: org.jscep.transport.TransportException: 401 401
 at com.symantec.dlp.certificate.retrieval.ScepCertificateRetriever.retrieveCertificate(ScepCertificateRetriever.java:80)
 at com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationSequence.retrieveCertificate(DetectorPreparationSequence.java:135)
 at com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationSequence.runPreparationSequence(DetectorPreparationSequence.java:101)
 at com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationTask.run(DetectorPreparationTask.java:55)
 at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
 at java.util.concurrent.FutureTask.run(FutureTask.java:266)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)
Caused by: org.jscep.transaction.TransactionException: org.jscep.transport.TransportException: 401 401
 at org.jscep.transaction.Transaction.send(Transaction.java:101)
 at org.jscep.transaction.EnrollmentTransaction.send(EnrollmentTransaction.java:116)
 at org.jscep.client.Client.send(Client.java:680)
 at org.jscep.client.Client.enrol(Client.java:635)
 at org.jscep.client.Client.enrol(Client.java:577)
 at com.symantec.dlp.certificate.retrieval.ScepEnroller.enroll(ScepEnroller.java:53)
 at com.symantec.dlp.certificate.retrieval.ScepRequestor.makeEnrollmentScepRequest(ScepRequestor.java:86)
 at com.symantec.dlp.certificate.retrieval.ScepCertificateRetriever.retrieveCertificate(ScepCertificateRetriever.java:75)
 ... 8 more
Caused by: org.jscep.transport.TransportException: 401 401
 at org.jscep.transport.UrlConnectionPostTransport.sendRequest(UrlConnectionPostTransport.java:93)
 at org.jscep.transaction.Transaction.send(Transaction.java:99)
 ... 15 more

Resolution

The errors above are examples; all of them are triggered by the Cloud Proxy.

The first error contains an HTTP 407 status code, "Proxy Authentication Required" (RFC 7235).

The second error contains an HTTP 502 status code, "Bad Gateway".

The third error contains an HTTP 401 status code, "Unauthorized" (RFC 7235).

All of these point to problems at the proxy: for example, the proxy requires authentication and Enforce has the wrong credentials configured, or the proxy itself is unreachable.

The problem could also lie at one of the next hops after the proxy in the network architecture, i.e. a second proxy. Either way, review your network architecture to find out which host in the network is generating the HTTP error codes.

Alternatively, reconfigure Enforce not to use a Cloud Proxy and instead connect to the CSG and PKI directly. Or, use the Cloud Proxy whitelisting settings described here to let traffic to the CSG and PKI go directly and not via the proxy:

Whitelisting Cloud Proxy connections

Additional Information

This KB article should be used as the main resource for troubleshooting Enforce's connectivity to the CSG and PKI:

DLP Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service