App Control: Agent or Rules Package Installer Fails Due to Air Gapped or Limited Network
search cancel

App Control: Agent or Rules Package Installer Fails Due to Air Gapped or Limited Network

book

Article ID: 286673

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • When uploading new Agent or Rules Package Installer via the Console, the upload fails with error:
    Installation failed.
  • Sometimes the following prompt is displayed, but the install still fails:
    We have validated that the signature on this file's certificate is from Carbon Black and that the file integrity is intact.
    However, due to environmental circumstances we are unable to check externally and determine whether this certificate has been revoked.
    Do you want to bypass this check and allow this file to execute?

Environment

  • App Control Server: All Supported Versions

Cause

  • New logic introduced in specific Server versions (8.5.16, 8.6.8, 8.7.6, 8.8.4+) to handle Agent/Rules Package Installer certificate validation is more thorough and secure.
  • The new logic requires the file uploaded be signed with a valid certificate from Carbon Black that passes certificate validation and a file integrity check.
  • If the App Control Server is installed on an application server with limited or not Internet access, the certificate validation fails.
  • In some instances a prompt is displayed allowing the Certificate Revocation Check to be bypassed. This is only for the CRL Check bypass, and not a bypass of the full certificate validation on the file being uploaded. All certificates would then be required to be present and valid in the Certificate Store on the application server.

Resolution

If Agents or Rules Package Installer uploaded to the console fails due to failed certificate validation, please run the Installer locally on the application server.

Additional Information

The hostPackageInstallerSignatureCheck shepherd config has been removed and there is no longer a way to disable the certificate validation check