Cloud detector showing “disconnected” after bundle upload to Enforce

Article ID: 171006

Products

  • Data Loss Prevention Enforce
  • Data Loss Prevention Cloud Service for Email
  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Package

Issue/Introduction

This issue can occur with one or more Cloud Detectors enrolled, and has the following symptoms:

  • Bundle upload is saved, but the only event recorded is a 4201 code:

"Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service"

  • The Tomcat log on the Enforce server contains the following entries:

09 Feb 2018 08:17:35,130- Thread: 4792 SEVERE [org.jscep.client.Client] The self-signed certificate MUST use the same subject name as in the PKCS#10 request.
09 Feb 2018 08:17:40,005- Thread: 4792 WARNING [org.jscep.message.PkiMessageDecoder] Unable to verify message because the signedData contained no certificates.
09 Feb 2018 08:17:40,005- Thread: 4792 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationTask] org.bouncycastle.asn1.ASN1ObjectIdentifier cannot be cast to org.bouncycastle.asn1.DERObjectIdentifier

Environment

DLP 15.x, with one or more Cloud Detection Servers

Cause

The keystore file on the Enforce management server has not been updated with a copy of the certificate. This file resides at the following locations on Windows and Linux, respectively:

C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP-version>\keystore\enforce_keystore.jks

/var/Symantec/DataLossPrevention/DetectionServer/<DLP-version>/keystore/enforce_keystore.jks

The error noted in the Tomcat log indicates a problem with the log level configured for the SymantecDLPManager service on Enforce. Most likely, the server was previously configured to raise global logging to "FINE", which affects a specific component (the jSCEP client) involved in obtaining the PKI certificate.

Resolution

In the ManagerLogging.properties file, the following global level may be set:

.level = FINE

Reverting this to default will resolve this issue:

.level = INFO

However, to address only the logger that causes this issue and leave the global level unchanged, add the following lines to the file instead:

#dropping JSCEP Log Level
org.jscep.level=INFO

Once the change is saved, recycle the SymantecDLPManager service.

A new bundle will be required, because the certificate on the PKI server can only be issued once.

Note - with the receipt of a new bundle, it may be necessary to also recycle the SymantecDLPDetectionServerController service, to ensure successful enrollment.

After recycling services, delete the existing entry for the new Cloud Detection Server, then reattempt enrollment with a new bundle.
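As an added check (this script is not from the article or the product), the following Python resolves the effective java.util.logging level for the org.jscep logger from a ManagerLogging.properties file. It shows why a global `.level = FINE` reaches the jSCEP client and why adding `org.jscep.level=INFO` corrects it without touching the global setting. The sample file contents are constructed.

```python
"""Resolve the effective java.util.logging level of org.jscep from ManagerLogging.properties."""
import re
from typing import Dict

# java.util.logging levels, ordered from most to least verbose
JUL_ORDER = ["ALL", "FINEST", "FINER", "FINE", "CONFIG", "INFO", "WARNING", "SEVERE", "OFF"]


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties parser: '#'/'!' comments, '=' or ':' separators."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_level(props: Dict[str, str], logger: str) -> str:
    """Resolve a logger's level the way JUL does: walk up the dotted name to the root ('.level')."""
    name = logger
    while True:
        key = f"{name}.level" if name else ".level"
        if key in props:
            return props[key].upper()
        if not name:
            return "INFO"  # JUL root default when nothing is configured
        name = name.rpartition(".")[0]  # org.jscep -> org -> "" (root)


def jscep_too_verbose(text: str) -> bool:
    """True when org.jscep would log finer than INFO, the condition this article ties to the 4201 failure."""
    level = effective_level(parse_properties(text), "org.jscep")
    return JUL_ORDER.index(level) < JUL_ORDER.index("INFO")


# Constructed sample contents, not real files from an Enforce server
BROKEN = ".level = FINE\n"
FIXED = ".level = FINE\n#dropping JSCEP Log Level\norg.jscep.level=INFO\n"
DEFAULT = ".level = INFO\n"

if __name__ == "__main__":
    for label, content in (("broken", BROKEN), ("fixed", FIXED), ("default", DEFAULT)):
        print(f"{label}: org.jscep effective level = "
              f"{effective_level(parse_properties(content), 'org.jscep')}, "
              f"too verbose = {jscep_too_verbose(content)}")
```

Run it against a copy of the real file by passing its contents to `jscep_too_verbose` before recycling the SymantecDLPManager service.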

Additional Information

If the above errors are not present, the Enforce server keystore file may instead have incorrect permissions. The DLP 'protect' account needs 'write' access to the "enforce_keystore.jks" file; otherwise the certificate obtained in memory by the enrollment process cannot be written to disk by the SymantecDLPManager service. For that issue, see the related article Unable to write key store file "enforce_keystore.jks" when registering new Cloud Detection Server (broadcom.com).