App Control: Healthcheck Error Agent is Missing a Keychain Or a Trusted Certlist File

Article ID: 286656

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Healthcheck reports an error with Failure ID 970 or 980, similar to:
    Carbon Black App Control Agent is missing a trusted certlist file... FailureId[970]
    Carbon Black App Control Agent is missing a keychain file... FailureId[980]

Environment

  • App Control Server: 8.7 and higher
  • App Control Agent: 8.7 and higher

Cause

The "TrustedCertList.pem" and/or "Keychain.json" files are missing from the Agent's data folder here:
C:\ProgramData\Bit9\Parity Agent

Resolution

  1. Copy the "TrustedCertList.pem" and/or "Keychain.json" from the App Control Server located here:
    C:\Program Files (x86)\Bit9\Parity Server\hostpkg
  2. Open a command prompt and issue the following commands:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli password GlobalPassword
    dascli tamperprotect 0
  3. Copy the file(s) into the Agent's data folder here:
    C:\ProgramData\Bit9\Parity Agent\
  4. Import the file(s) with the following commands:
    dascli password GlobalPassword
    dascli importkeychain "C:\ProgramData\Bit9\Parity Agent\keychain.json"
    dascli importservercertlist "C:\ProgramData\Bit9\Parity Agent\TrustedCertList.pem"
    dascli healthcheck
    dascli status
    

Additional Information

To prevent this Health Check Error:
  1. Verify the Resource Download Location (RDL) in System Configuration > Advanced is still accurate and contains the necessary files.
    Note: If this location has been customized, copy the updated "TrustedCertList.pem" and/or "keychain.json" file to the new custom RDL.
  2. Verify the IIS Certificate bound to Port 443 is not expired and is formatted correctly:
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Trusted Communication Certificates list at the bottom of the Security tab, and marked as Trusted.
  3. Verify the endpoints are able to download the files via the RDL. By default this would be:
    https://ServerAddress/hostpkg/pkg.php?pkg=TrustedCertList.pem
    https://ServerAddress/hostpkg/pkg.php?pkg=keychain.json
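
The endpoint-side parts of the checks above (files present, RDL downloads, certificate on port 443) can be run in one pass with PowerShell. This is an added example, not Carbon Black tooling or code from the original article; `ServerAddress` is the page's placeholder, and the default RDL URLs and data folder quoted above are assumed.

```powershell
# Added example. $ServerAddress is a placeholder: set it to the Server Address
# shown on the General tab. Paths and URLs are the defaults quoted on this page.
$ServerAddress = 'ServerAddress'
$AgentData     = 'C:\ProgramData\Bit9\Parity Agent'
$results       = @()

# 1. Both files present in the Agent's data folder (missing => FailureId 970/980).
foreach ($name in 'TrustedCertList.pem', 'Keychain.json') {
    $path = Join-Path $AgentData $name
    $present = Test-Path -LiteralPath $path -PathType Leaf
    $results += [pscustomobject]@{ Check = "Local $name"; Passed = $present; Detail = $path }
}

# 2. Both files downloadable from the default Resource Download Location.
#    An untrusted or expired server certificate also surfaces here as a failure.
foreach ($pkg in 'TrustedCertList.pem', 'keychain.json') {
    $url = "https://$ServerAddress/hostpkg/pkg.php?pkg=$pkg"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $ok = ($r.StatusCode -eq 200) -and ($r.RawContentLength -gt 0)
        $detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
    } catch { $ok = $false; $detail = $_.Exception.Message }
    $results += [pscustomobject]@{ Check = "RDL $pkg"; Passed = $ok; Detail = $detail }
}

# 3. Certificate bound to port 443: Common Name and expiration date.
$tcp = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($ServerAddress, 443)
    # The callback accepts any certificate so an expired one can still be read;
    # the stream is used for inspection only and no data is sent over it.
    $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($ServerAddress)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $cn = $cert.GetNameInfo('SimpleName', $false)
    $results += [pscustomobject]@{ Check = 'Cert Common Name'; Passed = ($cn -eq $ServerAddress); Detail = $cn }
    $results += [pscustomobject]@{ Check = 'Cert not expired'; Passed = ($cert.NotAfter -gt (Get-Date)); Detail = $cert.NotAfter }
} catch {
    $results += [pscustomobject]@{ Check = 'TLS connect :443'; Passed = $false; Detail = $_.Exception.Message }
} finally { if ($tcp) { $tcp.Close() } }

$results | Format-Table -AutoSize -Wrap
```

The Resource Download Location setting and the Trusted Communication Certificates list are only visible in the server console, so those two items still need to be checked there.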