Endpoint Agents Certificate Renewal Pending error in RSA Data Loss Prevention 9.6 and later
4 years ago
Originally Published: 2016-05-02
Article Number
000064080
Applies To
RSA Product Set: RSA DLP
RSA Product/Service Type: Endpoint
RSA Version/Condition: 9.6/9.6/SP2
Platform: Windows Server 2008R2 / Windows 7
 
Issue
By default, the Endpoint infrastructure certificates are renewed automatically. The Enterprise Manager initiates the renewal process 180 days before the existing certificates expire. If the certificate renewal fails, the respective Endpoint component attempts to renew the certificates, until the certificates are successfully renewed.

If the certificates are not renewed even after the existing certificates are expired, the respective DLP Endpoint component stops communicating with the other DLP Endpoint components. The DLP Endpoint components with the expired certificates will appear nonoperational on the Enterprise Manager console. 

In which the Endpoint Agents are showing red/down on Enterprise Manager UI  with the status "Certificate renewal pending" error as depicted below: 

User-added image
Cause
-This issue occurs because the EM server does not pass the correct certification authority information back to the Root Endpoint Coordinator during the negotiation of the TLS connection due to that the REPC trusts so many certification authorities that the list has grown too long. This list has thus been truncated.

- The below logs captured from  "Enterprise-Manager/em.log file"  under path: [C:\program Files(x86)\RSA\Enterprise Manager\logs] shows that TLS certificates exchange between Enterprise-Manager & Root-End-point-coordinator servers failed due to a Microsoft Windows Server error with "Schannel".
  
18 Feb 2016 05:10:38,652 | DEBUG - RootEpcCertificateRenewer.renewCertificate(87) | No certificate exist for Root epc [Root Endpoint Coordinator] signed by CA, alias [em-ca-key-1441260004260] 
18 Feb 2016 05:10:38,652 | INFO - RootEpcCertificateRenewer.renewCertificate(94) | Initiating renewal flow for Root Endpoint Coordinator 
18 Feb 2016 05:10:39,432 | ERROR - RootEpcCertificateRenewer.renewCertificate(119) | Failed to renew sub-ca certificate of Root Endpoint coordintator 
at com.rsa.dlp.em.security.certificate.scheduledjobs.RootEpcCertificateRenewer.renewRootEndpointCoordinatorCertificate(RootEpcCertificateRenewer.java:125) 
at com.rsa.dlp.em.security.certificate.scheduledjobs.RootEpcCertificateRenewer.renewCertificate(RootEpcCertificateRenewer.java:95) 
at com.rsa.dlp.em.security.certificate.scheduledjobs.CertificateRenewalJob.secureExecuteInternal(CertificateRenewalJob.java:60) 
18 Feb 2016 05:15:38,604 | ERROR - RootEpcCertificateRenewer.renewCertificate(119) | Failed to renew sub-ca certificate of Root Endpoint coordintator



 
Resolution
 
  • The DLP administrator should review the certification authorities trusted for client authentication and remove those that do not really need to be trusted.
  • For details steps, please follow the KB# https://support.microsoft.com/en-us/kb/2464556
  • Upon applying that MS fix and restarting the "RSA DLP Endpoint coordinator" service  the certificates will be sent to Enterprise Manager followed by new certificates exchange where a new REPC certificate will be generated and placed on rEPC inside the certificate store "RSA DLP EPi Trust" which will be utilized in renewing the Endpoint agent(s) certificates. 

Related Articles

Trending Articles

Don't see what you're looking for?