App Control: Agent Using Archived Communication Key

Environment

  • App Control Agent: 8.7 and Higher
  • App Control Console: 8.7 and Higher

Symptoms

  • The App Control Console is generating an Alert: Archived Communication Key Use.
  • The App Control Agent is generating a failed Health Check due to Archived Communication Key Use.
  • Agents are not receiving updates to the Configlist.

Cause

The keychain.json file has changed on the Server and the Health Check has determined the local copy on the endpoint does not match.

Resolution

This message is only a problem if the same Agent is repeatedly generating this Health Check.
By default, the Agent initiates a Health Check automatically once every 6 hours. Depending on when the Communication Key (keychain.json) file was refreshed and when the Agent last ran a Health Check, the message could be triggered erroneously.

To verify the issue is persisting, manually initiate a Health Check. If the Health Check fails again:
  1. Verify the Resource Download Location (RDL) in System Configuration > Advanced Options:
    • If using an alternate RDL, copy the updated keychain.json file (C:\Program Files (x86)\Bit9\Parity Server\hostpkg\keychain.json) to the alternate RDL.
    • Verify the endpoint is able to download keychain.json via the RDL. By default this would be: https://ServerAddress/hostpkg/pkg.php?pkg=keychain.json
  2. Verify the certificate bound to the RDL (by default this is IIS on the application server) is not expired and is formatted correctly:
    • Common Name shown should match Server Address from the General tab.
    • Expiration Date should be in the future.
    • A matching Certificate should be listed in the Console > System Configuration > Security > Trusted Communication Certificates list and marked as Trusted.
  3. The keychain.json file can be imported via the command line.
  4. Verify any new Agent deployments are always using the latest Policy Installer.
    • The keychain.json file is built into the Policy Installer. 
    • Deploying Agents using an old Communication Key is not recommended.
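
The checks in steps 1 and 2 can be run from an affected endpoint with a short PowerShell script. This is an added example, not vendor tooling or part of the original article; it assumes the default RDL on the application server over HTTPS port 443, and the parameter names and temporary file name are hypothetical.

```powershell
# Added example, not vendor tooling. Run on an affected endpoint.
param(
    [Parameter(Mandatory)] [string]$ServerAddress,  # Server Address from the console's General tab
    [int]$Port = 443,                               # assumption: RDL is served over HTTPS on 443
    [string]$ExpectedSha256                         # optional: Get-FileHash of hostpkg\keychain.json taken on the server
)

# Step 2: read the certificate the RDL presents. The callback accepts any
# certificate only so it can be inspected; no data is sent on this connection.
$tcp = New-Object System.Net.Sockets.TcpClient($ServerAddress, $Port)
try {
    $inspectOnly = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspectOnly)
    $ssl.AuthenticateAsClient($ServerAddress, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally { $tcp.Close() }

$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
[pscustomobject]@{
    CommonName = $cn
    CnMatches  = ($cn -eq $ServerAddress)          # -eq is case-insensitive for strings
    NotAfter   = $cert.NotAfter
    NotExpired = ($cert.NotAfter -gt (Get-Date))
    Thumbprint = $cert.Thumbprint                  # compare with the console's trusted certificate entry
} | Format-List

# Step 1: download keychain.json through the RDL and hash it. Invoke-WebRequest
# validates against the Windows trust store, which may differ from the Agent's own trust list.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$rdlUrl = "https://$ServerAddress/hostpkg/pkg.php?pkg=keychain.json"
$tmp = Join-Path $env:TEMP 'keychain-rdl-check.json'   # hypothetical scratch file name
try {
    Invoke-WebRequest -Uri $rdlUrl -UseBasicParsing -OutFile $tmp -ErrorAction Stop
    $hash = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
    "Downloaded keychain.json via RDL, SHA256 $hash"
    if ($ExpectedSha256) {
        if ($hash -eq $ExpectedSha256.Trim()) { 'RDL copy matches the server copy.' }
        else { Write-Warning 'RDL copy differs from the server copy of keychain.json.' }
    }
}
catch { Write-Warning "Download via RDL failed: $($_.Exception.Message)" }
finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
```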

Creation Date: 08-10-2022