App Control: App Control Agent is Missing a Trusted Certlist File

Environment

  • App Control Server: 8.7.0-8.7.2

Symptoms

  • After upgrading App Control Server to an 8.7.x version, the following agent health check event is generated in the console under Reports > Events:
Carbon Black App Control Agent detected a problem: Carbon Black App Control Agent is missing a trusted certlist file. Options[00000003] TotalFailures[2] FailureId[970]
  • The phpError log file contains the following error:
[19-Nov-2021 12:21:21 America/New_York] PHP Fatal error:  Uncaught TypeError: Return value of Certificate::getSubject() must be of the type array, null returned in C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\Objects\Certificate.php:122
Stack trace:
#0 C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\Objects\Certificate.php(126): Certificate->getSubject()
#1 C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\Objects\Certificate.php(42): Certificate->getSubjectAsString()
#2 C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\Objects\CertificateChain.php(63): Certificate->getDataForApi()
#3 C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\Objects\Pages\AgentTrustCertificates.php(78): CertificateChain->getLeafListApiData()
#4 C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\Objects\Pages\ApiTablePage.php(1154): AgentTrustCertificates->handleActions(true)
#5 C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\Objects\Ajax\AjaxTableDataController.php(86): ApiTablePage->doAction(Array)
#6 C:\Program Files (x86)\Bit9\Pari in C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\Objects\Certificate.php on line 122
[19-Nov-2021 12:29:05 America/New_York] PHP Fatal error:  Uncaught TypeError: Return value of Certificate::getSubject() be of the type array, null returned in C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\Objects\Certificate.php:122
  • Trusted Communication Certificates list is empty under Administration > System Configuration > Security tab
  • Agents may show "Connected, using archived communication key"
  1. If not listed, enable using these directions

Cause

  • Empty or corrupted file <App Control Server installation directory>\Parity Server\Hostpkg\TrustedCertList.pem

Resolution

  1. Verify that the Trusted Communication Certificates panel is visible under Administration > System Configuration > Security tab
    1. If not listed, enable using these directions
  2. Log on to the server that hosts the App Control Server
  3. Open MMC
  4. From the File menu select "Add/Remove Snap-in"
  5. Select "Certificates" from the available snap-ins
  6. Click the Add button and select "Computer account"
  7. Select "Local computer" and click Next
  8. Click the OK button in the "Add/Remove Snap-ins" screen
  9. Expand Certificates > Trusted People > Certificates
  10. Look for the App Control server certificate. You can validate its attributes, especially the expiration date and subject on the Details tab, against the App Control server certificate shown in the console > gear icon > System Configuration > Security tab
  11. Export the console certificate: right-click it > All Tasks > Export > click Next > select "do not export the private key" > click Next > select "DER encoded binary X.509 (.CER)" > enter a file name > click Next > click Finish
  12. Open the console and navigate to gear icon > System Configuration > Security tab > Trusted Communication Certificates > click Import Certificate > browse to the exported certificate, select the cert from the list and click Upload.

Additional Notes

If the certificate import fails, follow the steps below:
  • Rename the certificate to AppControlServerCertificate.cer
  • Copy the exported certificate to C:\temp
  • Open CMD as admin and enter the commands below
cd C:\temp
certutil -encode AppControlServerCertificate.cer AppControlServerCertificate.pem
  • Copy the contents of the generated file AppControlServerCertificate.pem
  • Log on to the App Control server and open Notepad as admin
  • Open the file c:\Program Files (x86)\Bit9\Parity Server\Hostpkg\TrustedCertList.pem, delete any existing content and paste the copied value.
  • Save the change.
If you are not able to save the change to the TrustedCertList.pem file, follow the steps below:
  • Stop the App Control Server and Reporter services
  • Open cmd as administrator and enter the commands below
cd "c:\program files (x86)\bit9\parity agent"
dascli password <your CLI or global password without the quotes>
dascli tamperprotect 0
net stop parity
fltmc unload paritydriver
  • Save the changes to the TrustedCertList.pem file and close the file.
  • Start the App Control Server and Reporter services
  • Open the file c:\Program Files (x86)\Bit9\Parity Server\Hostpkg\TrustedCertList.pem again to confirm that the change is still there
  • (If not, copy the contents of AppControlServerCertificate.pem again and save the changes.)
  • Restart the agent services:
  • Open cmd as administrator and enter the commands below
fltmc load paritydriver
net start parity
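
To confirm the cause before the repair and verify the result afterwards, the following PowerShell check parses TrustedCertList.pem and compares each certificate with the Local Computer > Trusted People store used in the Resolution steps. It is an added example, not part of the original article or vendor tooling; the function name Get-PemCertificate is hypothetical and the file path assumes the default installation directory named above.

```powershell
# Added example (not from the original article). Path taken from the article;
# adjust it if App Control Server is installed in a different directory.
$PemPath = 'C:\Program Files (x86)\Bit9\Parity Server\Hostpkg\TrustedCertList.pem'

# Hypothetical helper: returns one X509Certificate2 per PEM block, or throws
# with a message that says whether the file is missing, empty or corrupted.
function Get-PemCertificate {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $text = Get-Content -LiteralPath $Path -Raw
    if ([string]::IsNullOrWhiteSpace($text)) { throw "File is empty: $Path" }

    $pattern = '-----BEGIN CERTIFICATE-----(?<b64>[\s\S]+?)-----END CERTIFICATE-----'
    $blocks  = [regex]::Matches($text, $pattern)
    if ($blocks.Count -eq 0) { throw "No PEM certificate block found in $Path" }

    foreach ($block in $blocks) {
        try {
            $der = [Convert]::FromBase64String(($block.Groups['b64'].Value -replace '\s', ''))
            # The constructor throws if the bytes are not a parseable X.509 certificate.
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        } catch {
            throw "Corrupted certificate block in ${Path}: $($_.Exception.Message)"
        }
    }
}

# Certificates the article tells you to inspect in MMC (Local Computer > Trusted People).
$trustedPeople = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople

Get-PemCertificate -Path $PemPath | ForEach-Object {
    $thumb = $_.Thumbprint
    [pscustomobject]@{
        Subject         = $_.Subject
        NotAfter        = $_.NotAfter
        Expired         = $_.NotAfter -lt (Get-Date)
        Thumbprint      = $thumb
        InTrustedPeople = [bool]($trustedPeople | Where-Object { $_.Thumbprint -eq $thumb })
    }
} | Format-List
```

Run it from an elevated PowerShell session on the App Control server. An "empty" or "corrupted" error matches the cause described above; after the repair, the subject and expiration date should agree with the certificate shown on the console's Security tab.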

Creation Date: 11-22-2021