Skip to main content
Skyhigh Security

Known Issue - CWPP PoP/Agent May Fail to Communicate if Older than One Year

There is a Known Issue where the CWPP PoP/Agent may fail to communicate with Skyhigh CASB if it is older than one year. This happens because the certificate has expired. 

To fix the issue, renew your certificates, and then uninstall and reinstall the Agent. 

IMPORTANT: If your certificates are near their expiration date, but have not expired yet, they will be automatically renewed. 

Determine if your Certificates are Expired

You can determine whether your certificates are expired in Skyhigh CASB, in the PoP instance, or in the Agent instance. 

In Skyhigh CASB

To identify the certificate issue:

  1. In Skyhigh CASB go to Settings > PoP Management.
  2. The Status of the PoP is displayed as Unhealthy

In the PoP Instance

You can also verify the issue from the PoP instance using the following steps:

  1. Log in to the PoP primary instance.
  2. To check the pod status, run the command sudo kubectl get pod -n cwpp
    NOTE: In a healthy PoP instance, all pods should be in the state Running/Completed.
  3. Go to the following log path for the vendor location:
    /opt/.../cwpp/pop/PoPDeployment/PoPCreation/{vendor}/efs/.../cwpp/log/{pop-name}/cwpp-connector/

    pop_issue_new_1.png
  4. Run the Cat command on the the latest cwpp-connector log file and look for an SSL certificate expired error. 
    This confirms that tenant certificates are expired on the PoP instance.
    pop_issue_new_2.png

In the CWPP Agent Instance

To verify that the certificate is expired in the CWPP Agent, use the following steps:

  1. Login to CWPP Agent instance.
  2. Run the following commands as the root user:
    cat /var/.../cwpagent/log/cwpagentd.log
  3. Look for any SSL certificate expired errors. 

Renew the Certificate

When the Skyhigh CASB tenant certificate is expired, Skyhigh CASB and the PoP/Agent cannot communicate.  

To renew the Skyhigh CASB tenant certificate, perform the following steps.

  1. Log in to Skyhigh CASB.
  2. Go to Setting > Service Management, select your instance (AWS, Azure, or GCP), and choose the registered account.
  3. In the Overview section, click Deploy New POP.
  4. Click Download Deployment package.
    The PoPPackage.tar file downloads. 
  5. Extract the package and at PoPPackage\PoPDeployment\PoPCreation locate the file update_cert.sh.
  6. Log in to the PoP primary instance and create a folder called cert-update-package in the following path: /opt/.../cwpp/pop/PoPDeployment/PoPCreation/$VENDOR/efs/.../cwpp/log/$POP_NAME/
  7. Copy the downloaded PoPPackge.tar file to /opt/.../cwpp/pop/PoPDeployment/PoPCreation/$VENDOR /efs/.../cwpp/log/$POP_NAME/cert-update-package/
  8. Run cd from the current directory.
  9. Copy the extracted update_cert.sh file to the PoP primary instance.
  10. Execute the following command for the respective vendors:
    sudo bash update_cert.sh VENDOR
    • For AWS: sudo bash update_cert.sh aws
    • For Azure: sudo bash update_cert.sh azure
    • For GCP: sudo bash update_cert.sh gcp
  11. Wait for the script to execute and verify that the certificate renewal was in the console logs, as shown:
    pop_issue3.png
  12. Wait for 10 minutes, then in Skyhigh CASB, check the PoP Status in the PoP Management page.

This confirms that the certificates are renewed from the CWPP PoP instance and communication to Skyhigh CASB is reestablished.

Uninstall and Reinstall the Agent

  1. Log in to Skyhigh CASB.
  2. Go to go to Settings > PoP Management.
  3. Select your PoP instance, and in the Cloud Card, for Client Configuration Package, click Download
    The ClientConfiguration.tar file downloads. 
  4. To uninstall the Agent and remove all the old certificates from the client, log in to the CWPP Agent instance and execute the following commands:
    • For Ubuntu/deb OS: sudo dpkg -P cwpagent
    • For RHEL/rpm OS: sudo rpm -e CWPAgent
    • DXL config cleanup command: sudo rm -rf /opt/.../cwpagent
  5. Now reinstall the CWPP Agent using the new client configuration package following the Agent install steps.
  6. Wait for 10 minutes and go to Analytics > Resources > Resources for your instance to check the CWPP Agent Managed status. 
  7. The CWPP Agent instance reestablishes communication and reports the Agent status as Active.

You can also verify that communication is reestablished in the log at the following path:

cat /var/.../cwpagent/log/cwpagentd.log

Logs will show a successful Agent status sent.

  • Was this article helpful?