000033024 - Endpoint Agents Certificate Renewal Pending error in RSA Data Loss Prevention 9.6 and later

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jun 26, 2018.

Article Content

Article Number: 000033024
Applies To: RSA Product Set: RSA DLP
RSA Product/Service Type: Endpoint
RSA Version/Condition: 9.6/9.6/SP2
Platform: Windows Server 2008R2 / Windows 7
Issue

By default, the Endpoint infrastructure certificates are renewed automatically. The Enterprise Manager initiates the renewal process 180 days before the existing certificates expire. If the certificate renewal fails, the respective Endpoint component keeps attempting to renew the certificates until renewal succeeds.

If the certificates are not renewed even after the existing certificates are expired, the respective DLP Endpoint component stops communicating with the other DLP Endpoint components. The DLP Endpoint components with the expired certificates will appear nonoperational on the Enterprise Manager console. 

In this case the Endpoint Agents show as red/down in the Enterprise Manager UI with the status "Certificate renewal pending", as depicted below:

[Image: Enterprise Manager UI showing the Endpoint Agents in red with the status "Certificate renewal pending"]
Cause

This issue occurs because the EM server does not pass the correct certification authority information back to the Root Endpoint Coordinator during negotiation of the TLS connection: the REPC trusts so many certification authorities that the list of trusted CAs sent during the TLS handshake has grown too long and has been truncated.

- The following entries, captured from the Enterprise Manager log file "Enterprise-Manager/em.log" under the path [C:\program Files(x86)\RSA\Enterprise Manager\logs], show that the TLS certificate exchange between the Enterprise Manager and Root Endpoint Coordinator servers failed because of a Microsoft Windows Server "Schannel" error.

18 Feb 2016 05:10:38,652 | DEBUG - RootEpcCertificateRenewer.renewCertificate(87) | No certificate exist for Root epc [Root Endpoint Coordinator] signed by CA, alias [em-ca-key-1441260004260]
18 Feb 2016 05:10:38,652 | INFO - RootEpcCertificateRenewer.renewCertificate(94) | Initiating renewal flow for Root Endpoint Coordinator
18 Feb 2016 05:10:39,432 | ERROR - RootEpcCertificateRenewer.renewCertificate(119) | Failed to renew sub-ca certificate of Root Endpoint coordintator
at com.rsa.dlp.em.security.certificate.scheduledjobs.RootEpcCertificateRenewer.renewRootEndpointCoordinatorCertificate(RootEpcCertificateRenewer.java:125)
at com.rsa.dlp.em.security.certificate.scheduledjobs.RootEpcCertificateRenewer.renewCertificate(RootEpcCertificateRenewer.java:95)
at com.rsa.dlp.em.security.certificate.scheduledjobs.CertificateRenewalJob.secureExecuteInternal(CertificateRenewalJob.java:60)
18 Feb 2016 05:15:38,604 | ERROR - RootEpcCertificateRenewer.renewCertificate(119) | Failed to renew sub-ca certificate of Root Endpoint coordintator

Resolution

  • The DLP administrator should review the certification authorities trusted for client authentication and remove those that do not really need to be trusted.
  • For detailed steps, follow Microsoft KB 2464556: https://support.microsoft.com/en-us/kb/2464556
  • After applying that Microsoft fix and restarting the "RSA DLP Endpoint coordinator" service, the certificates are sent to the Enterprise Manager and a new certificate exchange takes place. A new REPC certificate is generated and placed on the rEPC in the "RSA DLP EPi Trust" certificate store; this certificate is then used to renew the Endpoint agent certificates.
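Before pruning the Root store, it helps to know how large the trusted issuer list Schannel would advertise actually is and which CAs contribute most to it. The following PowerShell script is an added example, not part of the RSA article or the Microsoft KB: it walks the local machine's Trusted Root store, keeps the CAs that are usable for client authentication (no EKU extension, or an EKU containing id-kp-clientAuth), estimates the encoded size of the issuer list as a TLS 1.2 CertificateRequest would carry it (each DER-encoded distinguished name plus its 2-byte length prefix), and lists the largest and already-expired entries. The store path and the warning threshold are parameters chosen here for illustration; the real Schannel limit is the one described in the referenced KB.

```powershell
# Added example (not from the RSA article): size up the trusted issuer list
# that Schannel would send during client-certificate negotiation, so the
# administrator can see which root CAs to review for removal.
param(
    [string]$StorePath = 'Cert:\LocalMachine\Root',  # assumed: store Schannel builds the list from
    [int]$WarnBytes   = 16384                          # assumed threshold for illustration; see KB 2464556
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ekuOid        = '2.5.29.37'           # id-ce-extKeyUsage

# A root CA counts as client-auth capable when it has no EKU extension
# (valid for all purposes) or when its EKU lists id-kp-clientAuth.
function Test-ClientAuthCapable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ekuExts = @($Cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid })
    if ($ekuExts.Count -eq 0) { return $true }
    foreach ($ext in $ekuExts) {
        $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $false)
        if (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0) {
            return $true
        }
    }
    return $false
}

$now  = Get-Date
$rows = foreach ($c in Get-ChildItem -Path $StorePath) {
    if (Test-ClientAuthCapable -Cert $c) {
        [pscustomobject]@{
            # TLS 1.2 CertificateRequest: each DistinguishedName is the DER-encoded
            # name preceded by a 2-byte length field.
            Bytes      = 2 + $c.SubjectName.RawData.Length
            Expired    = $c.NotAfter -lt $now
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
            Subject    = $c.Subject
        }
    }
}

$total   = ($rows | Measure-Object -Property Bytes -Sum).Sum
$expired = @($rows | Where-Object { $_.Expired })

"Client-auth capable CAs in ${StorePath}: $($rows.Count)"
"Estimated trusted issuer list size:       $total bytes"
"Already expired (safe candidates to review first): $($expired.Count)"
if ($total -gt $WarnBytes) {
    "WARNING: issuer list exceeds the assumed threshold of $WarnBytes bytes; Schannel may truncate it."
}

"Largest contributors:"
$rows | Sort-Object -Property Bytes -Descending |
    Select-Object -First 15 |
    Format-Table -Property Bytes, Expired, NotAfter, Subject -AutoSize
```

Run it in an elevated PowerShell session on the Root Endpoint Coordinator host; it only reads the store and prints a report, leaving any removal to the administrator following the steps in the Microsoft KB.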