To prevent this issue from occurring:

Option A:

  1. Upgrade the DSM to version 20.0.737+ or higher.
  2. Wait for a successful heartbeat.

Option B:

  1. Follow the article, Upgrade the Deep Security cryptographic algorithm, to make sure that DSM generates secure certificates for itself and all managed agents.
  2. Wait for a successful heartbeat. Event 702 Credential Generated should be created for the Agent. If the heartbeat interval is too long, instead of waiting for Event 702, perform these steps to force certificate regeneration for the Agent:
    1. Deactivate Agent.
    2. Activate Agent.

If the DSA has been upgraded to version 20.0.0.6313 and has gone Offline because of an insecure certificate, perform the following steps to resolve the problem:

  1. Follow the article, Upgrade the Deep Security cryptographic algorithm, to make sure that DSM is using secure algorithms for digital signature generation.
  2. Delete three certificates and a config file on the affected Agent:
    • Linux files:

      /var/opt/ds_agent/dsa_core/ds_agent_dsm.crt
      /var/opt/ds_agent/dsa_core/ds_agent_dsm_ca.crt
      /var/opt/ds_agent/dsa_core/ds_agent.crt
      /var/opt/ds_agent/dsa_core/ds_agent.config

    • Windows files:

      C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm.crt
      C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm_ca.crt
      C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent.crt
      C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent.config

  3. Wait for the next heartbeat from the Agent. Event 702 Credential Generated should be created for the Agent.

     If deleting the certificate files and waiting for the heartbeat do not resolve the issue on their own, restart the Agent service.

  4. Clean up warnings for the Agent in DSM user interface.
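
To see which of the Linux certificate files listed above actually carry a weak signature before deleting them, the following added example (not Trend Micro's code or tool) reports each file's signature algorithm. It assumes the .crt files are X.509 certificates in PEM or DER encoding that openssl can parse, and that SHA-1 and MD5 based signatures are the ones treated as insecure; the function names and the DSA_CORE variable are hypothetical.

```shell
#!/bin/sh
# Added example: report the signature algorithm of the agent certificates.
# Assumption: the .crt files are X.509 certificates (PEM or DER) readable by openssl.

DSA_CORE="${DSA_CORE:-/var/opt/ds_agent/dsa_core}"   # Linux path from this article
CERTS="ds_agent_dsm.crt ds_agent_dsm_ca.crt ds_agent.crt"

# Print the certificate's signature algorithm; fail if the file cannot be parsed.
cert_sig_alg() {
    for form in PEM DER; do
        out=$(openssl x509 -in "$1" -inform "$form" -noout -text 2>/dev/null) || continue
        printf '%s\n' "$out" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
        return 0
    done
    return 1
}

# Succeed (0) when the algorithm name is SHA-1 or MD5 based.
# Assumption: these are the digests treated as insecure here.
sig_alg_is_weak() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*|*md5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one status line per certificate; return 1 if any is weak or unreadable.
audit_dir() {
    rc=0
    for name in $CERTS; do
        path="$1/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING    $path"
        elif alg=$(cert_sig_alg "$path") && [ -n "$alg" ]; then
            if sig_alg_is_weak "$alg"; then
                echo "WEAK       $path ($alg)"; rc=1
            else
                echo "OK         $path ($alg)"
            fi
        else
            echo "UNREADABLE $path"; rc=1
        fi
    done
    return $rc
}

# Run the audit only when invoked with --run, e.g. sh check_certs.sh --run
if [ "${1:-}" = "--run" ]; then audit_dir "$DSA_CORE"; fi
```

Run it as root on the Agent host. A MISSING line after the cleanup steps is expected until the next heartbeat regenerates the credentials.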


Solution if Self-Protection is enabled

When Self-Protection is enabled, users are not allowed to delete agent files at run-time. The system has to be restarted to rescue mode to delete agent files.

  1. Reboot the system into safe mode on Windows, or single-user mode on Linux:
    • On Windows, restart the system into safe mode and remove the following files:

      C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm.crt
      C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm_ca.crt
      C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent.crt
      C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent.config

    • On Linux, restart the system into single-user mode and remove the following files:

      /var/opt/ds_agent/dsa_core/ds_agent_dsm.crt
      /var/opt/ds_agent/dsa_core/ds_agent_dsm_ca.crt
      /var/opt/ds_agent/dsa_core/ds_agent.crt
      /var/opt/ds_agent/dsa_core/ds_agent.config

  2. Reboot the system to normal mode.
  3. In the DSM UI console, activate the Agent.


Solution if Self-Protection is enabled (using tool to delete files)

Contact Trend Micro Support to obtain this tool.

When Self-Protection is enabled, users are not allowed to delete agent files at run-time. The system has to be restarted to rescue mode to delete agent files.

  • Option 1: Manual reboot

    You will need to manually reboot your system after using this tool. This allows you to choose a convenient time to perform the reboot.

    1. Put the DSAfixSHA1_ManualReboot file on the DSA machine. Please do not put it in the related DSA folder or /tmp folder. It is recommended to put it in the /home folder.
    2. Execute the following command to disable ds_agent:

      ./DSAfixSHA1_ManualReboot --PreAction

    3. Reboot the DSA machine.
    4. Execute the following command to delete the related files:

      ./DSAfixSHA1_ManualReboot --Fix

    5. Go to the DSM UI and reactivate the Agent.
  • Option 2: Automatic reboot

    This tool will reboot your system automatically.

    1. Put the DSAfixSHA1_AutoReboot file on the DSA machine. Please do not put it in any related DSA folders or the /tmp folder. It is recommended to put it in the /home folder.
    2. Execute the tool using the following command to disable ds_agent, reboot, and delete the related files:

      ./DSAfixSHA1_AutoReboot

    3. After the machine finishes rebooting, go to the DSM UI and reactivate the Agent.


Solution for DSVA

Below are the steps for DSVA. These steps also apply to Guest VMs that went offline after upgrading to 20.0.0.6313:

  1. Follow the steps in the Help Center article, Upgrade the Deep Security cryptographic algorithm, to make sure the manager is using secure algorithms for digital signature generation.
  2. In the DSM UI console, deactivate the DSVA (Appliance).
  3. Log in to DSVA console and perform the following actions:
    1. Stop ds_agent service.
    2. Remove DSVA and Guest VM data files.
    3. Start ds_agent service.

      systemctl stop ds_agent
      rm -rf /var/opt/ds_agent/dsa_core/ds_agent.config
      rm -rf /var/opt/ds_agent/dsa_core/ds_agent.crt
      rm -rf /var/opt/ds_agent/dsa_core/ds_agent_dsm.crt
      rm -f /var/opt/ds_agent/dsa_core/ds_agent_dsm_ca.crt
      rm -rf /var/opt/ds_agent/guests/*
      rm -rf /var/opt/ds_agent/guests.info/*
      systemctl start ds_agent

  4. In the DSM UI console, activate the DSVA (Appliance).
  5. (Optional) Perform vCenter connector "Sync now" to force activate Guest VMs in case some Guest VMs may not activate immediately.

 
