Summary
When executing the deployment script copied from Deep Security Manager (DSM), the following error may be encountered:
"Unable to load agent certificate for verification"
During activation, DSA must resolve the local hostname to generate the certificate for client-server communication. In some environments, DNS cannot resolve the hostname, and the error slows down the DSA initialization process. The execution log /var/opt/ds_agent/diag/ds_agent.log shows the error message "Cannot get the official hostname", which consumes more than 30 seconds in the initialization stage.
This significant delay prevents the deployment script from proceeding with DSA activation. When the issue occurs, execute the "service ds_agent status" command to check the state of the DSA process (see 1122160-monitoring-deep-security-services); the expected result is "active (running)".
However, DSA is not able to run the activation command successfully because initialization has not finished yet.
As a workaround, you may add a new record with the local IP address and hostname to /etc/hosts.
The file /etc/hosts is a plain text file that maps an FQDN to the IP address of the server hosting a specific domain. When the DNS server is not available, or when a domain that does not exist in DNS must be resolved, Linux uses the /etc/hosts file to resolve the domain name prior to DNS server lookups.
For example, we added a record for the frada25g-leaf9-bo5 hostname below:
With the workaround, the DSA initialization finishes within 1 second.
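A pre-flight check for the workaround above, added here as an example and not part of the original article or of Deep Security: it parses a hosts file, reports whether the local hostname is mapped, and appends the record only when it is missing. The function names and the --check switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the hostname mapping DSA needs before running the deployment script.

# hosts_has_name FILE NAME -> exit 0 if FILE maps NAME (canonical name or alias) to an address.
hosts_has_name() {
    awk -v want="$2" '
        { sub(/#.*/, "") }      # strip comments, including trailing ones
        NF < 2 { next }         # a record needs an address plus at least one name
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(want)) found = 1 }
        END { exit !found }
    ' "$1"
}

# hosts_record IP NAME -> prints the line to append to the hosts file.
hosts_record() {
    printf '%s\t%s\n' "$1" "$2"
}

# ensure_record FILE IP NAME -> append the record only if NAME is not mapped yet (idempotent).
ensure_record() {
    if hosts_has_name "$1" "$3"; then
        return 0
    fi
    hosts_record "$2" "$3" >> "$1"
}

# Report mode (hypothetical switch): run with --check before the deployment script.
if [ "${1:-}" = "--check" ]; then
    name=$(hostname)
    if hosts_has_name /etc/hosts "$name"; then
        echo "$name is mapped in /etc/hosts"
    elif getent hosts "$name" >/dev/null 2>&1; then
        echo "$name resolves through another source such as DNS"
    else
        echo "$name does not resolve; add a record to /etc/hosts before activating DSA"
        exit 1
    fi
fi
```

To apply the workaround, call ensure_record as root with /etc/hosts, the local IP address and the local hostname as arguments.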