Deep Security Manager (DSM) web console is blocked after upgrading to version 10.0

    • Updated: 21 Jun 2017
    • Product/Version: Deep Security 10.0
    • Platform: N/A
Summary

When you upgrade to Deep Security 10.0, the installer generates a new certificate for the DSM web console if the existing Tomcat certificate is self-signed with weak parameters (RSA 1024 / SHA1). Such weak certificates were usually generated by DSM 9.6 and below.

DSM starts the service after upgrading. At the same time, DSM re-imports the new certificate and sends a new policy to the co-located Deep Security Agent (DSA). If either the re-import or the policy send fails, the IPS on the co-located DSA blocks communication with the DSM web console.

Details

This issue happens because SSL inspection cannot work properly without the correct certificate. If this occurs, use any of the following solutions to resolve it:

Solution 1: Use a web browser on the same machine

The IPS on the co-located DSA monitors only external connections. Therefore, users can still connect to the DSM web console using a web browser on the same machine.

  1. Log in to the Linux or Windows server where the DSM is located.
  2. On the server, open a web browser and access the DSM web console.
  3. On the DSM web console, re-import Tomcat's certificate for the co-located agent.
  4. Send the policy to the agent for the change to take effect.

Solution 2: Reset the Deep Security Agent

To reset the co-located DSA and manually re-import the certificate:

  1. Run "dsa_control.cmd -r" on the DSA to reset it.
  2. On the DSM web console, re-import Tomcat's certificate for the agent.
  3. Deactivate and then re-activate the agent.

Solution 3: Restore the backup certificate

The installer created a backup copy of the certificate before generating a new one. Users can manually restore the certificate from the backup folder.

  1. Stop the Deep Security Manager services.
  2. Copy the <DSM_ROOT>\.keystore to <DSM_ROOT>\new.keystore.
  3. Copy the backup certificate <DSM_ROOT>\backup\.keystore to <DSM_ROOT>, and overwrite the original one.
  4. Restore the keystorePass.
    1. Copy <DSM_ROOT>\configuration.properties to <DSM_ROOT>\new.configuration.properties.
    2. Open <DSM_ROOT>\backup\configuration.properties and copy the line starting with "keystorePass".
    3. Edit <DSM_ROOT>\configuration.properties, paste and overwrite the keystorePass.
    4. Save <DSM_ROOT>\configuration.properties.
  5. Start the Deep Security Manager service.
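
Steps 2 to 4 above as a script, added here as an example and not Trend Micro's own code. It refuses a second run, because by then `.keystore` is already the weak certificate and copying it again would overwrite the saved `new.keystore`. Assumptions: the function names are hypothetical, `<DSM_ROOT>` is passed as an argument, and the DSM service is already stopped.

```python
import shutil
import tempfile
from pathlib import Path

KEY = b"keystorePass"

def pass_line(path):
    """Return the one line in a properties file that starts with keystorePass."""
    hits = [ln for ln in path.read_bytes().splitlines() if ln.startswith(KEY)]
    if len(hits) != 1:
        raise ValueError(f"{path}: expected 1 keystorePass line, found {len(hits)}")
    return hits[0]

def restore_backup_certificate(dsm_root):
    """Steps 2-4 of Solution 3. Assumes the DSM service is already stopped."""
    root = Path(dsm_root)
    ks, props = root / ".keystore", root / "configuration.properties"
    bak_ks, bak_props = root / "backup" / ".keystore", root / "backup" / "configuration.properties"
    new_ks, new_props = root / "new.keystore", root / "new.configuration.properties"
    # Validate everything first so a failure leaves the directory untouched.
    for p in (ks, props, bak_ks, bak_props):
        if not p.is_file():
            raise FileNotFoundError(p)
    # On a second run .keystore is already the weak one; copying it over
    # new.keystore would destroy the saved copy of the installer's new certificate.
    for p in (new_ks, new_props):
        if p.exists():
            raise FileExistsError(p)
    old_line = pass_line(bak_props)
    pass_line(props)  # the current file must have exactly one line to overwrite
    shutil.copy2(ks, new_ks)        # step 2
    shutil.copy2(bak_ks, ks)        # step 3
    shutil.copy2(props, new_props)  # step 4.1
    out = []
    for ln in props.read_bytes().splitlines(keepends=True):  # steps 4.2-4.4
        if ln.startswith(KEY):
            ln = old_line + ln[len(ln.rstrip(b"\r\n")):]  # keep the file's own line ending
        out.append(ln)
    props.write_bytes(b"".join(out))
    return new_ks, new_props

def make_sample_root():
    """Constructed sample layout (made-up contents) for trying the function offline."""
    root = Path(tempfile.mkdtemp())
    (root / "backup").mkdir()
    (root / ".keystore").write_bytes(b"NEW-KEYSTORE")
    (root / "backup" / ".keystore").write_bytes(b"OLD-KEYSTORE")
    (root / "configuration.properties").write_bytes(b"a=1\r\nkeystorePass=NEW\r\nb=2\r\n")
    (root / "backup" / "configuration.properties").write_bytes(b"a=0\nkeystorePass=OLD\n")
    return root
```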

The procedure above lets you access the DSM web console, but it restores the less secure certificate. To use the stronger certificate that the DS 10.0 installer generated, do the following:

  1. On the DSM web console, disable the IPS feature on the co-located DSA.
  2. Stop the Deep Security Manager service.
  3. Restore the backup files.
    1. Copy the <DSM_ROOT>\new.keystore to <DSM_ROOT>\.keystore.
    2. Copy the <DSM_ROOT>\new.configuration.properties to <DSM_ROOT>\configuration.properties.
  4. Start the Deep Security Manager service.
  5. Re-import Tomcat's certificate for the co-located agent.
  6. Enable the IPS.

Category: Troubleshoot
Solution Id: 1117551