Known Issue - CWPP PoP/Agent May Fail to Communicate if Older than One Year
There is a Known Issue where a CWPP PoP or Agent that was deployed more than one year ago may fail to communicate with Skyhigh CASB. This happens because the tenant certificate it was deployed with has expired.
To fix the issue, renew your certificates, and then uninstall and reinstall the Agent.
IMPORTANT: If your certificates are near their expiration date but have not expired yet, they are renewed automatically. The manual procedure below is only needed once the certificates have already expired.
Determine if your Certificates are Expired
You can determine whether your certificates are expired in Skyhigh CASB, in the PoP instance, or in the Agent instance.
In Skyhigh CASB
To identify the certificate issue:
- In Skyhigh CASB, go to Settings > PoP Management.
- The Status of the PoP is displayed as Unhealthy.
In the PoP Instance
You can also verify the issue from the PoP instance using the following steps:
- Log in to the PoP primary instance.
- To check the pod status, run the command
sudo kubectl get pod -n cwpp
NOTE: In a healthy PoP instance, all pods should be in the state Running/Completed.
- Go to the following log path for the vendor location:
/opt/.../cwpp/pop/PoPDeployment/PoPCreation/{vendor}/efs/.../cwpp/log/{pop-name}/cwpp-connector/
- Run the cat command on the latest cwpp-connector log file and look for an SSL certificate expired error.
This confirms that the tenant certificate is expired on the PoP instance.
In the CWPP Agent Instance
To verify that the certificate is expired in the CWPP Agent, use the following steps:
- Log in to the CWPP Agent instance.
- Run the following command as the root user:
cat /var/.../cwpagent/log/cwpagentd.log
- Look for any SSL certificate expired errors.
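The PoP and Agent checks above both come down to finding the newest log file and searching it for an SSL certificate expired message. The script below is an added example, not Skyhigh's code, that does this for any log directory: point it at the cwpp-connector directory on the PoP or at the cwpagent log directory on the Agent. It assumes log files end in .log and that the error text carries the words "certificate" and "expired" on one line; the log lines it creates for its demo mode are constructed, not real CWPP output.

```shell
#!/bin/sh
# Added example (not Skyhigh's code): locate the newest *.log file in a
# directory and report whether it records an SSL certificate-expired error.
# Assumption: the error text carries "certificate" and "expired" on one line;
# exact wording differs between TLS libraries, so the match is deliberately loose.

# Print the path of the most recently modified *.log file in $1 (empty if none).
latest_log() {
    ls -t "$1"/*.log 2>/dev/null | head -n 1
}

# Return 0 if $1 contains a certificate-expired error, 1 otherwise.
has_cert_expired_error() {
    [ -f "$1" ] || return 1
    grep -i -E 'certificate.*expired' "$1" >/dev/null
}

# Check the newest log in directory $1.
# Returns 0 = expired error found, 1 = not found, 2 = no log file present.
check_latest_log() {
    log=$(latest_log "$1")
    if [ -z "$log" ]; then
        echo "no .log files in $1" >&2
        return 2
    fi
    if has_cert_expired_error "$log"; then
        echo "EXPIRED: $log (renew the tenant certificate)"
        return 0
    fi
    echo "OK: no certificate-expired error in $log"
    return 1
}

# Constructed demo logs (not real CWPP output): an older clean log and a newer
# one with an expiry error. Prints the temporary directory that holds them.
make_demo_logs() {
    d=$(mktemp -d)
    printf '%s\n' '2024-01-01 10:00:01 INFO  cwpp-connector started' \
        '2024-01-01 10:00:02 INFO  status sent to Skyhigh CASB' > "$d/connector-old.log"
    printf '%s\n' '2024-01-02 10:00:01 INFO  cwpp-connector started' \
        '2024-01-02 10:00:02 ERROR TLS handshake failed: SSL certificate expired' > "$d/connector-new.log"
    touch -t 202401010000 "$d/connector-old.log"
    touch -t 202401020000 "$d/connector-new.log"
    printf '%s\n' "$d"
}

# Usage: sh check_cert_log.sh [LOG_DIR]; with no argument, run on the demo logs.
if [ $# -eq 0 ]; then
    demo=$(make_demo_logs)
    check_latest_log "$demo"
    rm -rf "$demo"
else
    check_latest_log "$1"
fi
```

The exit status (0 expired, 1 clean, 2 no log) makes the check usable from a monitoring job, so an expired tenant certificate is noticed before the PoP is reported as Unhealthy.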
Renew the Certificate
When the Skyhigh CASB tenant certificate is expired, Skyhigh CASB and the PoP/Agent cannot communicate.
To renew the Skyhigh CASB tenant certificate, perform the following steps.
- Log in to Skyhigh CASB.
- Go to Settings > Service Management, select your instance (AWS, Azure, or GCP), and choose the registered account.
- In the Overview section, click Deploy New POP.
- Click Download Deployment package.
The PoPPackage.tar file downloads.
- Extract the package and, at
PoPPackage\PoPDeployment\PoPCreation
locate the file update_cert.sh.
- Log in to the PoP primary instance and create a folder called cert-update-package in the following path:
/opt/.../cwpp/pop/PoPDeployment/PoPCreation/$VENDOR/efs/.../cwpp/log/$POP_NAME/
- Copy the downloaded PoPPackage.tar file to
/opt/.../cwpp/pop/PoPDeployment/PoPCreation/$VENDOR/efs/.../cwpp/log/$POP_NAME/cert-update-package/
- Run cd to change into the cert-update-package directory.
- Copy the extracted update_cert.sh file into this directory on the PoP primary instance.
- Execute the following command, passing your vendor (aws, azure, or gcp) as the argument:
sudo bash update_cert.sh VENDOR
- For AWS:
sudo bash update_cert.sh aws
- For Azure:
sudo bash update_cert.sh azure
- For GCP:
sudo bash update_cert.sh gcp
- Wait for the script to finish and verify in the console output that the certificate renewal succeeded.
- Wait for 10 minutes, then in Skyhigh CASB, check the PoP Status in the PoP Management page. Its Status should no longer be Unhealthy.
This confirms that the certificates are renewed on the CWPP PoP instance and communication with Skyhigh CASB is reestablished.
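The steps above stage the deployment package in cert-update-package and run update_cert.sh with the vendor name. The script below is an added example, not Skyhigh's update_cert.sh or any code from this article, that automates the staging and the vendor check. It assumes the PoP log directory (the .../cwpp/log/$POP_NAME path, whose elided part is site-specific) is passed in explicitly, that the tar stores the script as PoPDeployment/PoPCreation/update_cert.sh as described above, and that sudo is available; the SUDO variable exists only so the script can be exercised without privileges. It extracts update_cert.sh on the PoP itself rather than on the workstation, a simplification of the article's flow.

```shell
#!/bin/sh
# Added example (not Skyhigh's code): stage PoPPackage.tar in the
# cert-update-package directory and run update_cert.sh for one vendor.
# Assumptions: POP_LOG_DIR is the ".../cwpp/log/$POP_NAME" directory from
# the article (its elided part is site-specific, so it is passed in);
# update_cert.sh is stored in the tar as PoPDeployment/PoPCreation/update_cert.sh.

# update_cert.sh accepts exactly these vendor names.
valid_vendor() {
    case "$1" in
        aws|azure|gcp) return 0 ;;
        *) return 1 ;;
    esac
}

# stage_cert_update TARBALL POP_LOG_DIR
# Creates POP_LOG_DIR/cert-update-package, copies the tar in, extracts only
# update_cert.sh beside it, and prints the staging directory.
stage_cert_update() {
    tarball=$1
    pop_log_dir=$2
    [ -f "$tarball" ] || { echo "package not found: $tarball" >&2; return 1; }
    [ -d "$pop_log_dir" ] || { echo "PoP log directory not found: $pop_log_dir" >&2; return 1; }
    stage="$pop_log_dir/cert-update-package"
    mkdir -p "$stage"
    cp "$tarball" "$stage/PoPPackage.tar"
    # Pull just the renewal script out of the package.
    tar -x -f "$stage/PoPPackage.tar" -C "$stage" PoPDeployment/PoPCreation/update_cert.sh
    cp "$stage/PoPDeployment/PoPCreation/update_cert.sh" "$stage/update_cert.sh"
    [ -f "$stage/update_cert.sh" ] || { echo "update_cert.sh missing from package" >&2; return 1; }
    printf '%s\n' "$stage"
}

# renew_pop_cert VENDOR STAGE_DIR
# Runs update_cert.sh from inside the staging directory, as the article does.
# SUDO defaults to "sudo"; set SUDO= (empty) to run unprivileged, e.g. in a test.
renew_pop_cert() {
    vendor=$1
    stage=$2
    valid_vendor "$vendor" || { echo "vendor must be aws, azure or gcp, got: $vendor" >&2; return 2; }
    [ -f "$stage/update_cert.sh" ] || { echo "update_cert.sh not staged in $stage" >&2; return 1; }
    ( cd "$stage" && ${SUDO-sudo} bash update_cert.sh "$vendor" )
}

# Usage: sh renew_pop_cert.sh VENDOR /path/to/PoPPackage.tar POP_LOG_DIR
if [ $# -eq 3 ]; then
    stage=$(stage_cert_update "$2" "$3") && renew_pop_cert "$1" "$stage"
fi
```

Running the vendor check before anything is copied avoids leaving a half-staged directory behind when the argument is mistyped, and the subshell around cd keeps the caller's working directory unchanged.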
Uninstall and Reinstall the Agent
- Log in to Skyhigh CASB.
- Go to Settings > PoP Management.
- Select your PoP instance, and in the Cloud Card, for Client Configuration Package, click Download.
The ClientConfiguration.tar file downloads.
- To uninstall the Agent and remove all the old certificates from the client, log in to the CWPP Agent instance and execute the following commands:
- For Ubuntu/deb OS:
sudo dpkg -P cwpagent
- For RHEL/rpm OS:
sudo rpm -e CWPAgent
- DXL config cleanup command:
sudo rm -rf /opt/.../cwpagent
- Reinstall the CWPP Agent using the new client configuration package, following the Agent install steps.
- Wait for 10 minutes, then go to Analytics > Resources > Resources for your instance to check the CWPP Agent Managed status.
- The CWPP Agent instance reestablishes communication and reports the Agent status as Active.
You can also verify in the Agent log that communication is reestablished:
cat /var/.../cwpagent/log/cwpagentd.log
The log shows that the Agent status was sent successfully.