Unable to create DLP Agent package after upgrading DLP


Article ID: 262280


Updated On:

Products

Data Loss Prevention Core Package

Issue/Introduction

After upgrading to DLP 16.0/16.1, the Agent package page shows an RSOD, and the following error appears in the DLP Tomcat logs.

Thread: 125 INFO [com.symantec.dlp.enforcedomainservices.events.system.SystemEventLogger] Client certificates and key generated.. Client certificates and key generated.

Thread: 125 WARNING [com.symantec.dlp.enforcedomainservices.certificatemanagement.CertificateStoreService] Keystore with name DLP_Endpoint_Addin_Certificate_Authority already exists.

Cause:

java.nio.file.FileAlreadyExistsException: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\keystore\DLP_Endpoint_Addin_Certificate_Authority.jks

java.nio.file.FileAlreadyExistsException: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\keystore\DLP_Endpoint_Addin_Certificate_Authority.jks

at sun.nio.fs.WindowsException.translateToIOException(WindowsException.java:81)

at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:97)

at sun.nio.fs.WindowsException.rethrowAsIOException(WindowsException.java:102)

at sun.nio.fs.WindowsFileSystemProvider.newByteChannel(WindowsFileSystemProvider.java:230)

at java.nio.file.spi.FileSystemProvider.newOutputStream(FileSystemProvider.java:434)

at java.nio.file.Files.newOutputStream(Files.java:216)

at java.nio.file.Files.copy(Files.java:3016)

at com.symantec.dlp.enforcedomainservices.certificatemanagement.KeystoreFileManager.saveKeystoreFile(KeystoreFileManager.java:74)

at com.symantec.dlp.enforcedomainservices.certificatemanagement.CertificateStoreService.addKeystore(CertificateStoreService.java:125)

Environment

Release : 16.0/16.1

Cause

This can be caused by the config files pointing to the wrong keystore folder. This error also most likely indicates that the entries in the certificate table for "DLP_Endpoint_Addin_Certificate_Authority" and the files in the current keystore folder do not match.

16.0 Keystore Location = (\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.00000\keystore)

 

Resolution

Verify that the config files are pointing to the correct keystore folder. To do this, check the config file below and make sure its path to the keystore folder is correct.

File: Manager.properties

Verify the below location is correct and pointing to the correct version of the product.

# The root certificates keystore file directory location
SSLkeystore.dir = <install drive>:/ProgramData/Symantec/DataLossPrevention/EnforceServer/<DLP Version>/keystore

If the paths are correct and you are still getting the same error, follow the procedure below.

  • Compare the details and file names in the DLP 16.0 keystore location with those of the previous DLP Enforce version.
  • Connect with SQL*Plus as the PROTECT user and get the details from the certificate table; the command "Select * from certificate;" is useful here.
  • Make sure the file named in the CERTIFICATEFILENAME column of the table is present in the keystore folder, for example: addin_certificate_authority_v3.jks

  • In some scenarios addin_certificate_authority_v3.jks was never present and the keystore folder has only DLP_Endpoint_Addin_Certificate_Authority.jks, while the database shows an entry for the addin_certificate_authority_v3.jks file.
    In that case, remove the addin_certificate_authority_v3.jks certificate entry from the certificate table and create the agent package. This recreates the DLP_Endpoint_Addin_Certificate_Authority.jks file in the <Install Drive>\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP Version>\keystore directory and adds a corresponding entry in the certificate table.

If the above situation still leaves you with the same error then please log a ticket with support.
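
The checks in the Resolution section can be scripted before touching the database. The following is an added example, not Broadcom's own tooling: it reads SSLkeystore.dir from Manager.properties text, confirms the version folder in that path, and compares CERTIFICATEFILENAME values against the .jks files on disk. It assumes the file names have been copied out of the "Select * from certificate;" output into a list; the function names and the sample data in demo(), including the stale 15.8.00000 path, are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

def keystore_dir_from_properties(text):
    """Return the SSLkeystore.dir value from Manager.properties text, or None."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#") and key.strip() == "SSLkeystore.dir":
            return value.strip()
    return None

def version_in_path(path):
    """Return the <DLP Version> folder between EnforceServer and keystore."""
    m = re.search(r"EnforceServer[\\/]+([^\\/]+)[\\/]+keystore", path, re.IGNORECASE)
    return m.group(1) if m else None

def compare(db_filenames, keystore_dir):
    """Match CERTIFICATEFILENAME values against .jks files on disk (case-insensitive)."""
    disk = {p.name.lower(): p.name for p in Path(keystore_dir).iterdir()
            if p.suffix.lower() == ".jks"}
    db = {n.strip().lower(): n.strip() for n in db_filenames if n.strip()}
    return {
        # Row in the certificate table, but no such file in the keystore folder
        "missing_on_disk": sorted(db[k] for k in db.keys() - disk.keys()),
        # File in the keystore folder with no matching row (informational)
        "not_in_db": sorted(disk[k] for k in disk.keys() - db.keys()),
    }

def demo():
    """Constructed sample data reproducing the mismatch the article describes."""
    props = ("# The root certificates keystore file directory location\n"
             "SSLkeystore.dir = C:/ProgramData/Symantec/DataLossPrevention/"
             "EnforceServer/15.8.00000/keystore\n")  # constructed stale path
    configured = keystore_dir_from_properties(props)
    with tempfile.TemporaryDirectory() as tmp:  # stands in for the keystore folder
        Path(tmp, "DLP_Endpoint_Addin_Certificate_Authority.jks").touch()
        result = compare(["addin_certificate_authority_v3.jks"], tmp)
    # Expected version folder for a 16.0 install, as given in the Cause section
    result["path_version_ok"] = version_in_path(configured) == "16.0.00000"
    return result

if __name__ == "__main__":
    print(demo())
```

A non-empty missing_on_disk list corresponds to the scenario in the last bullet, where the table references a keystore file that is not in the folder.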