Cloud detector showing “disconnected” after bundle upload to Enforce
search cancel

Cloud detector showing “disconnected” after bundle upload to Enforce


Article ID: 171006


Updated On:


Data Loss Prevention Enforce Data Loss Prevention Cloud Service for Email Data Loss Prevention Cloud Detection Service Data Loss Prevention Cloud Package


This issue can occur with one or more Cloud Detectors enrolled, and has the following symptoms:

  • Bundle upload is saved but the only event recorded is a 4201 code:

"Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service"

09 Feb 2018 08:17:35,130- Thread: 4792 SEVERE [org.jscep.client.Client] The self-signed certificate MUST use the same subject name as in the PKCS#10 request.
09 Feb 2018 08:17:40,005- Thread: 4792 WARNING [org.jscep.message.PkiMessageDecoder] Unable to verify message because the signedData contained no certificates.
09 Feb 2018 08:17:40,005- Thread: 4792 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationTask] org.bouncycastle.asn1.ASN1ObjectIdentifier cannot be cast to org.bouncycastle.asn1.DERObjectIdentifier


DLP 15.x, with one or more Cloud Detection Servers


The keystore file on the Enforce management server has not been updated with a copy of the certificate. This file resides in this location, for Windows and Linux, respectively:



The noted error revealed in the Tomcat log indicates there is an issue with the loglevel for the SymantecDLPManager service on Enforce - most likely, the server has previously been configured to increase global logging to "FINE", which has implications for a specific component involved with the acceptance of the PKI certificate.


In the file, the following global level may be set:

.level = FINE

Reverting this to default will resolve this issue:

.level = INFO

However, to specifically address the level impacting this issue, add the following line to the file:

#dropping JSCEP Log Level

Once the change is saved, recycle the SymantecDLPManager service.

A new bundle will be required, because the certificate on the PKI server can only be issued once.

Note - with the receipt of a new bundle, it may be necessary to also recycle the SymantecDLPDetectionServerController service, to ensure successful enrollment.

After recycling services, delete the existing entry for the new Cloud Detection Server, then reattempt enrollment with a new bundle.

Additional Information

Without the presence of the above errors, it's also possible that the Enforce server keystore file is set with incorrect permissions. The DLP 'protect' account needs to have 'write' access to the "enforce_keystore.jks" file, otherwise the certificate obtained in memory by enrollment process cannot be written to disk by the SymantecDLPManager service. For that issue, see related article Unable to write key store file "enforce_keystore.jks" when registering new Cloud Detection Server (