When you upgrade to Deep Security 10.0, the installer generates a new certificate for the DSM web console if the existing Tomcat certificate is self-signed and uses weak parameters (RSA 1024 / SHA1). Such a certificate is usually one generated by DSM 9.6 and earlier.
After the upgrade, DSM starts its service. At the same time, DSM re-imports the new certificate and sends a new policy to the co-located DSA. If either the re-import or the policy send fails, the Intrusion Prevention (IPS) module on the co-located DSA blocks communication with the DSM web console.
This happens because SSL inspection on the agent cannot work properly without the correct certificate. If this scenario occurs, use any of the following solutions to resolve the issue:
Solution 1: Use a web browser on the same machine
The IPS on the co-located DSA only monitors external connections. Therefore, a web browser running on the same machine can connect to the DSM web console successfully.
- Log in to the Linux or Windows server where the DSM is installed.
- On that server, open a web browser and access the DSM web console.
- On the DSM web console, re-import the Tomcat certificate for the co-located agent.
- Send the policy to the agent so that the change takes effect.
Solution 2: Reset the Deep Security Agent
To reset the co-located DSA and manually re-import the certificate:
- Run "dsa_control.cmd -r" on the DSA to reset it.
- On the DSM web console, re-import the Tomcat certificate for the agent.
- Deactivate and then re-activate the agent.
Solution 3: Restore the backup certificate
The installer created a backup copy of the certificate before generating the new one, so you can manually restore the certificate from the backup folder.
- Stop the Deep Security Manager services.
- Copy the <DSM_ROOT>\.keystore to <DSM_ROOT>\new.keystore.
- Copy the backup certificate <DSM_ROOT>\backup\.keystore to <DSM_ROOT>, and overwrite the original one.
- Restore the keystorePass as follows:
- Copy <DSM_ROOT>\configuration.properties to <DSM_ROOT>\new.configuration.properties.
- Open <DSM_ROOT>\backup\configuration.properties and copy the line starting with "keystorePass".
- Edit <DSM_ROOT>\configuration.properties and paste the copied line over the existing keystorePass line.
- Save <DSM_ROOT>\configuration.properties.
- Start the Deep Security Manager service.
The procedure above restores access to the DSM web console, but it puts the weaker certificate back in place. To switch to the stronger certificate that the DS 10.0 installer generated, do the following:
- On the DSM web console, disable the IPS feature on the co-located DSA.
- Stop the Deep Security Manager service.
- Restore the backup files as follows:
- Copy the <DSM_ROOT>\new.keystore to <DSM_ROOT>\.keystore.
- Copy the <DSM_ROOT>\new.configuration.properties to <DSM_ROOT>\configuration.properties.
- Start the Deep Security Manager service.
- Re-import the Tomcat certificate for the co-located agent.
- Re-enable the IPS.
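The file-level steps of Solution 3 and of the switch-back procedure above, as an added example (not Trend Micro's code): it assumes DSM_ROOT contains .keystore, configuration.properties and a backup folder laid out as described, and it does not stop or start the service or toggle the IPS. The demo() function runs both procedures on a constructed sample directory.

```python
import shutil, tempfile
from pathlib import Path

# Added example, not Trend Micro's code. Automates only the copy and
# keystorePass steps; stopping/starting DSM and disabling IPS stay manual.

def _property_line(props: Path, key: str) -> str:
    """Return the single line starting with `key` from a .properties file."""
    hits = [l for l in props.read_text(encoding="utf-8").splitlines() if l.startswith(key)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one {key} line in {props}")
    return hits[0]

def _overwrite_property(props: Path, key: str, new_line: str) -> None:
    """Replace the line starting with `key`, leaving every other line intact."""
    lines = props.read_text(encoding="utf-8").splitlines()
    idx = [i for i, l in enumerate(lines) if l.startswith(key)]
    if len(idx) != 1:
        raise ValueError(f"expected exactly one {key} line in {props}")
    lines[idx[0]] = new_line
    props.write_text("\n".join(lines) + "\n", encoding="utf-8")

def restore_backup_certificate(dsm_root: Path) -> str:
    """Solution 3: keep new files as new.*, restore backup keystore and keystorePass."""
    shutil.copy2(dsm_root / ".keystore", dsm_root / "new.keystore")
    shutil.copy2(dsm_root / "backup" / ".keystore", dsm_root / ".keystore")
    shutil.copy2(dsm_root / "configuration.properties", dsm_root / "new.configuration.properties")
    line = _property_line(dsm_root / "backup" / "configuration.properties", "keystorePass")
    _overwrite_property(dsm_root / "configuration.properties", "keystorePass", line)
    return line

def switch_to_new_certificate(dsm_root: Path) -> None:
    """Follow-up procedure: put the stronger keystore and its configuration back."""
    shutil.copy2(dsm_root / "new.keystore", dsm_root / ".keystore")
    shutil.copy2(dsm_root / "new.configuration.properties", dsm_root / "configuration.properties")

def demo() -> dict:
    """Run both procedures on a constructed DSM_ROOT (sample contents only)."""
    root = Path(tempfile.mkdtemp())
    (root / "backup").mkdir()
    (root / ".keystore").write_bytes(b"NEW-RSA2048-KEYSTORE")             # constructed
    (root / "backup" / ".keystore").write_bytes(b"OLD-RSA1024-KEYSTORE")  # constructed
    (root / "configuration.properties").write_text("port=4119\nkeystorePass=newpass\n")
    (root / "backup" / "configuration.properties").write_text("port=4119\nkeystorePass=oldpass\n")
    restored = restore_backup_certificate(root)
    after_restore = ((root / ".keystore").read_bytes(), (root / "configuration.properties").read_text())
    switch_to_new_certificate(root)
    after_switch = ((root / ".keystore").read_bytes(), (root / "configuration.properties").read_text())
    return {"restored": restored, "after_restore": after_restore, "after_switch": after_switch}
```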