After upgrading DLP 16.1, any new detection server added to the console does not report a version and its status is unknown.

DLP 16.1

An SSL Keystore mismatch with Enforce will cause the following WARNING in the SymantecDLPEnforceConnector log:

WARNING:
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Caused by: java.security.SignatureException: Signature does not match.

This warning may occur even when the monitor.<timestamp>.sslkeystore file is present in the detection servers keystore directory.

DLP 16.1 introduces more control over which keystore file to use for securing Enforce to Detection server communications.

Available options include:

• Using the default keystore provided with the product.
• Creating and configuring the use of custom ssl keystore files.
• Obtaining third-party certs and creating custom keystores.

Because of the added control, additional configuration is required when adding a new detector to the Enforce console.

Refer to the DLP 16.1 Help Center (broadcom.com) for creating new custom keystores or custom keystores with third party certificates.

DLP 16.1 Help Center - Using sslkeytool to Generate New Enforce Server and Detection Server Certificates (broadcom.com)

DLP 16.1 Help Center - Using sslkeytool to Add New Detection Server Certificates (broadcom.com)