|Applies To||RSA Product Set: RSA DLP|
RSA Product/Service Type: Endpoint
RSA Version/Condition: 9.6/9.6/SP2
Platform: Windows Server 2008R2 / Windows 7
|Issue||By default, the Endpoint infrastructure certificates are renewed automatically. The Enterprise Manager initiates the renewal process 180 days before the existing certificates expire. If the certificate renewal fails, the respective Endpoint component attempts to renew the certificates, until the certificates are successfully renewed.|
If the certificates are not renewed even after the existing certificates are expired, the respective DLP Endpoint component stops communicating with the other DLP Endpoint components. The DLP Endpoint components with the expired certificates will appear nonoperational on the Enterprise Manager console.
In which the Endpoint Agents are showing red/down on Enterprise Manager UI with the status "Certificate renewal pending" error as depicted below:
|Cause||-This issue occurs because the EM server does not pass the correct certification authority information back to the Root Endpoint Coordinator during the negotiation of the TLS connection due to that the REPC trusts so many certification authorities that the list has grown too long. This list has thus been truncated.|
- The below logs captured from "Enterprise-Manager/em.log file" under path: [C:\program Files(x86)\RSA\Enterprise Manager\logs] shows that TLS certificates exchange between Enterprise-Manager & Root-End-point-coordinator servers failed due to a Micrsosft Windows Server error with "Schannel".
18 Feb 2016 05:10:38,652 | DEBUG - RootEpcCertificateRenewer.renewCertificate(87) | No certificate exist for Root epc [Root Endpoint Coordinator] signed by CA, alias [em-ca-key-1441260004260]