Despite the successful issuance of the PKI certificate (confirmed by Backline support engineers who have access to the PKI server), the keystore file on the Enforce management server has not been updated with a copy of the certificate. This file resides in this location, for Windows and Linux, respectively:
DLP 14.6, or 15.0, with one or more Cloud Detection Servers
The following error is in the Tomcat localhost log:
09 Feb 2018 08:17:35,130- Thread: 4792 SEVERE [org.jscep.client.Client] The self-signed certificate MUST use the same subject name as in the PKCS#10 request.
09 Feb 2018 08:17:40,005- Thread: 4792 WARNING [org.jscep.message.PkiMessageDecoder] Unable to verify message because the signedData contained no certificates.
09 Feb 2018 08:17:40,005- Thread: 4792 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationTask] org.bouncycastle.asn1.ASN1ObjectIdentifier cannot be cast to org.bouncycastle.asn1.DERObjectIdentifier
The noted error revealed in the Tomcat log indicates there is an issue with the loglevel for the Vontu Manager service on Enforce - most likely, the server has previously been configured to increase global logging to "FINE", which has implications for a specific component involved with the acceptance of the PKI certificate.
Without the presence of the above error, it's also possible that the Enforce server keystore file is set with incorrect permissions. The DLP 'protect' account needs to have 'write' access to this file, otherwise the certificate obtained in memory by the MonitorController service cannot be written to disk by the Vontu Manager. For that issue, see related article TECH250216.
In the ManagerLogging.properties file, the following global level may be set:
.level = FINE
Reverting this to default will resolve this issue:
.level = INFO
However, to specifically address the level impacting this issue, add the following line to the file:
#dropping JSCEP Log Level org.jscep.level=INFO
Once the change is saved, recycle the VontuManager service.
A new bundle will be required, because the certificate on the PKI server can only be issued once.
Note - with the receipt of a new bundle, it may be necessary to also recycle the VontuMonitorController service, to ensure successful enrollment.
After recycling services, delete the existing entry for the new Cloud Detection Server, then reattempt enrollment with a new bundle.
Subscribing will provide email updates when this Article is updated. Login is required.