When adding a new Detection Server to DLP 16.1, the server status is unknown and the version information is missing from the Enforce console
Article ID: 385691

Updated On:

Products

Data Loss Prevention Enterprise Suite

Issue/Introduction

After upgrading to DLP 16.1, any new detection server added to the Enforce console does not report a version and its status shows as unknown.

Environment

DLP 16.1

Cause

A mismatch between the SSL keystore on the detection server and the one Enforce expects causes the following WARNING in the SymantecDLPEnforceConnector log:

WARNING:
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
Caused by: java.security.SignatureException: Signature does not match.

This warning may occur even when a monitor.<timestamp>.sslkeystore file is present in the detection server's keystore directory; the file being present does not mean it is the one paired with the Enforce keystore.
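The two checks below are an added example for triaging this symptom offline; they are not part of the article or of the product. The first scans a SymantecDLPEnforceConnector log for the full exception chain quoted above, the second inventories the detection server's keystore directory for monitor.<timestamp>.sslkeystore files and flags the case where none, or more than one, is present. The sample log lines and the directory layout are constructed for the demo, and the keystore file names (apart from the monitor.<timestamp>.sslkeystore pattern the article gives) are assumptions.

```python
"""Offline triage for the Enforce-to-detection-server SSL mismatch.

Check 1: scan a SymantecDLPEnforceConnector log for the PKIX/signature
         failure chain quoted in the article.
Check 2: inventory a detection server keystore directory for
         monitor.<timestamp>.sslkeystore files and flag zero or several.
Sample log lines and directory contents are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# Fragments of the WARNING quoted in the article, in causal order.
MISMATCH_MARKERS = (
    "SSLHandshakeException: PKIX path validation failed",
    "CertPathValidatorException: signature check failed",
    "SignatureException: Signature does not match",
)

# File name pattern from the article: monitor.<timestamp>.sslkeystore
KEYSTORE_RE = re.compile(r"^monitor\.(\d+)\.sslkeystore$", re.IGNORECASE)

# Constructed log lines modelled on the article's WARNING (not a real capture).
SAMPLE_LOG = [
    "Jan 01 00:00:00 INFO  Monitor controller starting",
    "Jan 01 00:00:05 WARNING:",
    "javax.net.ssl.SSLHandshakeException: PKIX path validation failed: "
    "java.security.cert.CertPathValidatorException: signature check failed",
    "Caused by: sun.security.validator.ValidatorException: PKIX path validation "
    "failed: java.security.cert.CertPathValidatorException: signature check failed",
    "Caused by: java.security.SignatureException: Signature does not match.",
]


def scan_connector_log(lines):
    """Return (mismatch_detected, matched_markers).

    Deliberately strict: all three markers must appear so that a single
    unrelated 'PKIX' line elsewhere in the log does not trip the check.
    """
    found = [m for m in MISMATCH_MARKERS if any(m in ln for ln in lines)]
    return len(found) == len(MISMATCH_MARKERS), found


def inventory_keystores(keystore_dir):
    """Describe the monitor.*.sslkeystore files found in keystore_dir.

    'ok' is True only when exactly one keystore is present. A stale copy
    next to the current one, or no file at all, both leave the connector
    unable to validate the Enforce certificate chain.
    """
    found = {}
    for p in Path(keystore_dir).iterdir():
        m = KEYSTORE_RE.match(p.name)
        if m:
            found[p.name] = m.group(1)
    return {"files": sorted(found), "timestamps": sorted(found.values()),
            "ok": len(found) == 1}


def triage(log_lines, keystore_dir):
    """Combine both checks into a list of human-readable findings."""
    mismatch, _markers = scan_connector_log(log_lines)
    inv = inventory_keystores(keystore_dir)
    verdict = []
    if mismatch:
        verdict.append("connector log shows keystore/certificate mismatch")
    if not inv["files"]:
        verdict.append("no monitor.<timestamp>.sslkeystore in keystore dir")
    elif len(inv["files"]) > 1:
        verdict.append("multiple monitor keystores present: "
                       + ", ".join(inv["files"]))
    return verdict


def demo():
    """Run triage against a throwaway keystore directory holding a stale and
    a current keystore (timestamps are made up) plus an unrelated file."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("monitor.20230101120000.sslkeystore",
                     "monitor.20240601093000.sslkeystore",
                     "readme.txt"):
            Path(d, name).write_bytes(b"not a real keystore")
        return triage(SAMPLE_LOG, d)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Point `triage()` at the real connector log and keystore directory to use it in place; it reports only on file names and log content and never opens a keystore, so it needs no keystore password.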

Resolution

DLP 16.1 introduces more control over which keystore file to use for securing Enforce to Detection server communications.

Available options include:

  • Using the default keystore provided with the product.
  • Creating and configuring the use of custom ssl keystore files.
  • Obtaining third-party certificates and creating custom keystores from them.

Because of this added control, additional keystore configuration is required when adding a new detection server to the Enforce console; without it the detection server cannot validate the Enforce certificate chain and its status and version are never reported.

Refer to the DLP 16.1 Help Center (broadcom.com) for creating new custom keystores or custom keystores with third party certificates.

Additional Information