Although the PKI certificate appears to be retrieved successfully during the Cloud Detection Server's enrollment, as indicated by the following Enforce console system event:
[Enforce Console Code]: 4200 "Cloud Service enrollment: client certificate successfully obtained from Symantec Managed PKI Service"
The new server nevertheless remains in an "Unknown" or "Disconnected" state.
As in TECH236383, the MonitorController log contains the following entry:
27 Feb 2017 16:53:31,100- Thread: 60910 SEVERE [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service. ERROR DLP-5000.
But the same log also contains the following entries, showing that the Managed PKI service rejected the SCEP request with badRequest:
27 Feb 2017 16:53:31,093- Thread: 60910 WARNING [org.jscep.message.PkiMessageDecoder] Unable to verify message because the signedData contained no certificates.
27 Feb 2017 16:53:31,094- Thread: 60910 SEVERE [com.symantec.dlp.certificate.retrieval.ScepRequestor] SCEP failure response received. Failure Description : badRequest; Failure Value : 2
27 Feb 2017 16:53:31,095- Thread: 60910 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] SCEP failure response received. Failure Description : badRequest; Failure Value : 2
Cause:
com.symantec.dlp.certificate.retrieval.CertificateRetrievalException: SCEP failure response received. Failure Description : badRequest; Failure Value : 2
And the Tomcat log contains the following, ending in a permission error when writing the keystore:
27 Feb 2017 21:29:37,306- Thread: 123 SEVERE [org.jscep.client.Client] The self-signed certificate MUST use the same subject name as in the PKCS#10 request.
27 Feb 2017 21:29:41,235- Thread: 123 WARNING [org.jscep.message.PkiMessageDecoder] Unable to verify message because the signedData contained no certificates.
27 Feb 2017 21:29:41,257- Thread: 123 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] Unable to write key store file: ../keystore/enforce_keystore.jks.
Cause:
com.vontu.security.KeyStorehouseException: Unable to write key store file: ../keystore/enforce_keystore.jks.
java.io.FileNotFoundException: ../keystore/enforce_keystore.jks (Permission denied)
com.vontu.security.KeyStorehouseException: Unable to write key store file: ../keystore/enforce_keystore.jks.
The keystore file on the Enforce management server could not be updated with a copy of the PKI certificate. The file resides at the following location on Windows and Linux, respectively:
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<DLP-version>\keystore\enforce_keystore.jks
/var/Symantec/DataLossPrevention/EnforceServer/<DLP-version>/keystore/enforce_keystore.jks
Data Loss Prevention Enforce, with any of the following Cloud Detectors involved:
Ensure that the Enforce service account ("protect") has Read, Write and Modify permissions on the file above. On Linux this means the file must be owned by, or otherwise writable by, the protect user: the java.io.FileNotFoundException with "(Permission denied)" in the Tomcat log is what Java raises when the Enforce process cannot open the file for writing.
If the permissions were already correct and the problem persists, see article TECH249263, which resolves a different problem with similar symptoms.
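The following triage script is an added example and is not part of the original article or of Symantec's own tooling. It matches the log signatures quoted above against a log file, checks whether the Linux keystore file is writable by the service account, and offers the corresponding fix. It assumes GNU coreutils `stat`, a service account named "protect", and that the caller substitutes the real `<DLP-version>` into the path; the sample log excerpt it writes is constructed from the lines quoted in this article, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original article or from Symantec.
# Assumptions: GNU coreutils `stat`, Enforce service account named "protect",
# <DLP-version> substituted by the caller. Intended to run on the Enforce host.

# classify_enrollment_failure LOGFILE
#   Looks for the signatures quoted in the article and prints one label:
#     keystore-permission  enforce_keystore.jks could not be opened for writing
#     scep-badrequest      Managed PKI service answered the SCEP request with badRequest
#     none                 no known signature present
classify_enrollment_failure() {
    if grep -q 'Unable to write key store file' "$1" \
       && grep -q 'Permission denied' "$1"; then
        echo keystore-permission
    elif grep -q 'SCEP failure response received' "$1"; then
        echo scep-badrequest
    else
        echo none
    fi
}

# check_keystore_perms USER FILE
#   Returns 0 when FILE exists, is owned by USER and carries the owner-write
#   bit, which is what the Enforce process needs to rewrite the keystore.
#   Deliberately avoids `test -w`, which always succeeds when run as root.
check_keystore_perms() {
    [ -f "$2" ] || { echo "missing: $2" >&2; return 2; }
    owner=$(stat -c '%U' "$2")
    mode=$(stat -c '%a' "$2")            # octal without leading zero, e.g. 644
    if [ "$owner" != "$1" ]; then
        echo "owner is $owner, expected $1" >&2
        return 1
    fi
    if [ $(( 0$mode & 0200 )) -eq 0 ]; then   # 0200 = owner write bit
        echo "mode $mode has no owner-write bit" >&2
        return 1
    fi
    return 0
}

# fix_keystore_perms USER FILE
#   Hands the file back to the service account with read/write for the owner.
#   Must run as root.
fix_keystore_perms() {
    chown "$1" "$2" && chmod u+rw "$2"
}

# write_sample_tomcat_log OUT
#   Constructed excerpt modelled on the article's Tomcat log lines; used for
#   the demo below and not a real capture.
write_sample_tomcat_log() {
    cat > "$1" <<'EOF'
27 Feb 2017 21:29:41,235- Thread: 123 WARNING [org.jscep.message.PkiMessageDecoder] Unable to verify message because the signedData contained no certificates.
27 Feb 2017 21:29:41,257- Thread: 123 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] Unable to write key store file: ../keystore/enforce_keystore.jks.
Cause:
java.io.FileNotFoundException: ../keystore/enforce_keystore.jks (Permission denied)
EOF
}

# --- demo on the constructed excerpt ---------------------------------------
sample=$(mktemp)
write_sample_tomcat_log "$sample"
echo "log verdict: $(classify_enrollment_failure "$sample")"   # keystore-permission
rm -f "$sample"

# Real run on an Enforce host (path from the article, version is hypothetical):
# KS=/var/Symantec/DataLossPrevention/EnforceServer/<DLP-version>/keystore/enforce_keystore.jks
# check_keystore_perms protect "$KS" || fix_keystore_perms protect "$KS"
```

On Windows the equivalent check and fix is done on the file's Security tab or with `icacls <file> /grant protect:M`, granting the protect account Modify on the path quoted above. The classifier prefers the keystore-permission verdict when both signatures are present because that is the actionable condition in this article; a scep-badrequest verdict with correct permissions points back to TECH236383 and TECH249263.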