Data Loss Prevention Enforce console not loading, error "Exception accessing Enforce KeyStore at location: ../keystore/enforce_keystore.jks" in the localhost logs

Article ID: 164927

Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

When trying to access the DLP Enforce console through the web browser, the console is not loading properly and is stuck in a loop with NOT_FOUND displayed in the address bar. The SymantecDLPDetectionServerController service (formerly known as the Monitor Controller) is also not able to start.

The Tomcat logs contain the following error message:

SEVERE [com.vontu.config.enforce.EnforceSpringConfiguration] Exception accessing Enforce KeyStore at location: ../keystore/enforce_keystore.jks
Cause: 
com.vontu.security.KeyStorehouseException: Unable to ingnite cryptographic keys. 
java.io.IOException: Keystore was tampered with, or password was incorrect 
java.security.UnrecoverableKeyException: Password verification failed 
com.vontu.security.KeyStorehouseException: Unable to ingnite cryptographic keys. 
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect 
Caused by: java.security.UnrecoverableKeyException: Password verification failed

Resolution

The error points to a problem with accessing the enforce_keystore.jks keystore file used by Enforce. This can prevent SymantecDLPDetectionServerController from starting, which in turn will not allow the Enforce console to load. 

  • The keystore is recreated automatically when the DLP services are restarted and Enforce is not able to find the keystore file in the default location.

NOTE:

The workaround below should NOT be used by customers who also have DLP Cloud Detection Service (Email, CloudSOC, or WSS Detectors added to Enforce).

Workaround:

The issue can then be fixed by moving, deleting, or renaming the existing enforce_keystore.jks file and then restarting the DLP services. This recreates the keystore and should allow SymantecDLPDetectionServerController to start correctly, after which the Enforce console should also work as expected.
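
One way to apply the rename option of this workaround on a Linux-hosted Enforce server while keeping the original file and a digest of it for Technical Support or later investigation (an added example, not part of the original article). The function name set_aside_keystore, the CLOUD_DETECTORS variable, and the caller-supplied keystore path are assumptions.

```bash
#!/usr/bin/env bash
# Added example: set aside enforce_keystore.jks by renaming it (never deleting),
# so the file named in the "tampered with, or password was incorrect" error
# remains available afterwards.
# Assumptions (not from the article): Linux host with sha256sum, the full
# keystore path is passed by the caller, and the operator sets
# CLOUD_DETECTORS=yes when cloud detectors are enrolled in Enforce.
# Usage: set_aside_keystore /path/to/keystore/enforce_keystore.jks
#        then restart the DLP services so the keystore is recreated.

set_aside_keystore() {
    local ks="$1" stamp backup digest

    if [ -z "$ks" ] || [ ! -f "$ks" ]; then
        echo "keystore not found: ${ks:-<none>}" >&2
        return 2
    fi

    # The article's NOTE: the workaround is not for cloud detector customers.
    if [ "${CLOUD_DETECTORS:-no}" = "yes" ]; then
        echo "cloud detectors enrolled: contact Technical Support first" >&2
        return 3
    fi

    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    backup="${ks}.${stamp}.bak"
    if [ -e "$backup" ]; then
        echo "refusing to overwrite existing $backup" >&2
        return 4
    fi

    # Record the digest before touching the file so the copy can be verified.
    digest=$(sha256sum < "$ks") || return 5
    digest=${digest%% *}

    mv -- "$ks" "$backup" || return 5
    chmod 400 "$backup"

    # Same "digest  path" layout that `sha256sum -c` reads.
    printf '%s  %s\n' "$digest" "$backup" > "${backup}.sha256"

    # Print the new location for the change record.
    echo "$backup"
}
```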

Additional Information

Customers who have Cloud Detectors enrolled in the Enforce Server console should contact Technical Support before removing the enforce_keystore.jks file as described in the Workaround above.

Doing so will remove the certificates previously stored during enrollment. Enforce will require a new enrollment bundle in order to connect to the Cloud Service Gateway.