For Data Loss Prevention versions 12.5.x or 14.0.x, in some circumstances, incident data can be missing or appear garbled in the Enforce Server administration console. The incident data cannot be decrypted by any cryptographic key.
The range of symptoms includes:
A yellow banner error message appears, indicating an error highlighting violating text for an incident.
Garbled text appears in the Message Body Preview pane.
Garbled text appears when opening the original message.
Garbled text appears within the yellow match highlight on the incident detail page.
The symptoms may not appear immediately even if there are cryptographic key issues. See the "Cause" section below for more details.
The problem occurs because the cryptographic key in the Data Loss Prevention Oracle database that was used to encrypt incident information is no longer available to decrypt the incident information.
When a new Endpoint Server is registered or an Endpoint channel is added to an existing server, the latest SYSTEM cryptographic key is overwritten. However, the original key continues to operate while in memory until Vontu services are restarted, memory cache is refreshed, or a new key is generated by cryptographic key rotation. Incidents are created and incident data is encrypted with the original key. When the server is recycled, the new key is put into use, but it can't decrypt the incident components encrypted by the original key.
Note: The problem affects all incident types, not only Endpoint incidents.
Because incidents can be created and encrypted with the original cryptographic key while that key is in memory, the symptoms of the problem (in which a key capable of decrypting the incident data is missing from the Data Loss Prevention database) may not appear immediately.
Important: Incidents created and encrypted with the original key and which cannot be decrypted by the new key, as described here, are not recoverable.
Before you add an Endpoint Server or add an Endpoint channel, upgrade to version 12.5.3. A hot fix is available for version 14.0.1; contact Technical Support for the hot fix.
Until you upgrade, you can use the following manual workaround.
Before you add an Endpoint Server or add an Endpoint channel using the Enforce Server administration console, follow these steps:
1. Restart the Vontu Monitor Controller service, or verify that the Monitor Controller service was restarted after the most recent cryptographic key rotation took place.
2. Verify that the next cryptographic key rotation will occur after you add the Endpoint Server or Endpoint channel.
To verify the key rotation history and schedule, use the following Oracle query:
SELECT CRYPTOGRAPHICKEYID, KEYALIAS, CREATEDDATE FROM CRYPTOGRAPHICKEY
WHERE KEYTYPE = 'SYSTEM' ORDER BY CRYPTOGRAPHICKEYID;
Look for the last record (highest KEYALIAS number) and its CREATEDDATE value to determine when the most recent key rotation occurred. The default key rotation interval (the time between creation of one cryptographic key and the next) is 30 days unless the setting has been changed. From the last CREATEDDATE and the interval you can determine when the next key rotation will occur, and therefore whether you have time to add the Endpoint Server or Endpoint channel before that rotation.
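As an added illustration of the two pre-checks above (this script is not part of the original article or of the product), the following Python takes rows shaped like the query's output together with the Monitor Controller's last restart time and the planned change time, and reports whether a restart is still outstanding and whether the change lands before the projected next rotation. The 30-day interval, the timestamp format and the sample rows are assumptions.

```python
from datetime import datetime, timedelta

# Default rotation interval quoted in the article; change it if the
# Enforce setting was altered (assumption: 30 days).
DEFAULT_ROTATION_DAYS = 30
TS_FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout for all inputs

# Constructed sample rows shaped like the article's query output:
# (CRYPTOGRAPHICKEYID, KEYALIAS, CREATEDDATE). Not real data.
SAMPLE_KEY_ROWS = [
    (1, "system-key-1", "2015-01-05 02:00:00"),
    (2, "system-key-2", "2015-02-04 02:00:00"),
    (3, "system-key-3", "2015-03-06 02:00:00"),
]


def latest_system_key(rows):
    """Return (key_id, alias, created) for the newest SYSTEM key.

    As in the article, the last record in CRYPTOGRAPHICKEYID order is the
    most recent rotation and its CREATEDDATE is when it occurred.
    """
    parsed = [(kid, alias, datetime.strptime(ts, TS_FMT))
              for kid, alias, ts in rows]
    return max(parsed, key=lambda r: r[0])


def preflight(rows, controller_restarted_at, planned_change_at,
              rotation_days=DEFAULT_ROTATION_DAYS):
    """Evaluate both pre-checks before adding an Endpoint Server/channel.

    restart_required: Monitor Controller not restarted since the newest key
                      was created (step 1 of the workaround).
    change_is_safe:   no restart outstanding AND the planned change happens
                      before the projected next rotation (step 2).
    """
    _, _, last_rotation = latest_system_key(rows)
    restarted = datetime.strptime(controller_restarted_at, TS_FMT)
    planned = datetime.strptime(planned_change_at, TS_FMT)
    next_rotation = last_rotation + timedelta(days=rotation_days)
    restart_required = restarted < last_rotation
    return {
        "last_rotation": last_rotation.strftime(TS_FMT),
        "next_rotation": next_rotation.strftime(TS_FMT),
        "restart_required": restart_required,
        "change_is_safe": (not restart_required) and planned < next_rotation,
    }


if __name__ == "__main__":
    for k, v in preflight(SAMPLE_KEY_ROWS, "2015-03-10 08:00:00",
                          "2015-03-20 22:00:00").items():
        print(f"{k}: {v}")
```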
As indicated previously, the incidents already affected by the problem cannot be recovered.
Original defect etrack for issue as occurring in 12.5.