Skyhigh Security

Cloud Connector Certificate Issues

When you upgrade an older version of Skyhigh Cloud Connector (3.9.x) to the latest version of Cloud Connector (4.x), you might encounter install or upgrade failures because Cloud Connector cannot fetch or install certificates.

This can happen due to the following reasons. 

Symbolic Server Name

The Symbolic Server Name was not registered with Skyhigh CASB during the previous install (3.9.x), so upgrading to 4.x fails.

With Cloud Connector 4.x and later, it is mandatory to have a Symbolic Server Name created for every instance of the Cloud Connector.

To fix this, run the following curl command to register the Symbolic Server Name with Skyhigh CASB:

curl -X POST https://www.myshn.net/shnapi/rest/dobf/createdns -u '<username>:<Actual Password>' -H 'content-type:application/json' -d '{"localIP":"10.131.131.25","symbolicName":"t4680-1035590323.do.myshn.net","port":8443,"shnmanaged":true}'

After running the command, the upgrade will complete successfully.

Contact Skyhigh Support for assistance. 

To update the Cloud Connector's IP/port/version details for an IAM or Non-IAM enabled user, run the matching command:

  1. For Non-IAM enabled user:

curl -X POST https://www.myshn.net/shnapi/rest/dobf/createdns -u '<username>:<Actual Password>' -H 'content-type:application/json' -d '{"localIP":"<IPADD>","symbolicName":"<symbolicname>","port":<portvalue>,"version":"<ECVersion>","softwareUpdate":false}'

 

  2. For IAM enabled user:

curl -X POST "https://www.myshn.net/shnapi/rest/dobf/createdns" -H 'bps-tenant-id:<TenantID>' --header 'Content-Type:application/json' -u '<UserName>:<PassWord>' -d '{"localIP":"<IPADD>","symbolicName":"<symbolicName>","port":<portvalue>,"version":"<ECVersion>","softwareUpdate":false}'

Example:

curl -X POST https://www.myshn.net/shnapi/rest/dobf/createdns -H 'bps-tenant-id: 55C939FB-AA11-413B-BD16-D5F7688ABAE2' --header 'Content-Type:application/json' -u '<username>:<Actual Password>' -d '{"localIP":"10.131.131.25","symbolicName":"t4680-1035590323.do.myshn.net","port":8443,"softwareUpdate":false}'
 

 

-VignoreCertificate Option

The Skyhigh Cloud Connector was installed behind a proxy and the -VignoreCertificate option was provided to accept any certificates from the proxy. The -VignoreCertificate option is NOT supported for Cloud Connector 4.x and later. 

To confirm this issue, review the logprocessor.local.properties file. If it has acceptAnyCert=true, that means -VignoreCertificate was used during installation.

To fix this issue, import the proxy certificate to the Cloud Connector trust store so that the call goes through.

Perform the following steps:

  1. Remove the "acceptanycert=true" property from the logprocessor.local.properties file.
  2. Place the customer proxy root CA certificate in the location where the installation file is saved.
  • For Windows: Open a command prompt with the "run as administrator" option, then run the following command from that administrator command prompt:

./MVISION_Cloud_Connector_WIN64_4_1_2_1.exe -Vcertificates=<cert_dir_absolute_path>/<cert_name>.crt

  • For Linux: Run the following command as a user that has root permissions. Alternatively, you can run it using the sudo command and provide the root password if/when prompted.

sh MVISION_Cloud_Connector_WIN64_4_1_2_1.sh -Vcertificates=<cert_dir_absolute_path>/<cert_name>.crt
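
The confirmation check and step 1 above can be scripted on a Linux host. This is an added example, not Skyhigh's code: the function names are hypothetical, the path to logprocessor.local.properties is passed as an argument, and the property is matched case-insensitively because this article spells it both acceptAnyCert and acceptanycert.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.
# Matches an active (uncommented) line that sets the property to true,
# in either casing, with optional whitespace or a trailing CR.
PATTERN='^[[:space:]]*acceptanycert[[:space:]]*[=:][[:space:]]*true[[:space:]]*$'

# has_accept_any_cert FILE
# Exit 0 if FILE still disables certificate validation, 1 otherwise.
has_accept_any_cert() {
    grep -Eiq "$PATTERN" "$1"
}

# remove_accept_any_cert FILE
# Copies FILE to FILE.bak, then rewrites FILE without the property line.
# Safe to run repeatedly: does nothing when the property is absent.
remove_accept_any_cert() {
    props=$1
    [ -f "$props" ] || { echo "not found: $props" >&2; return 2; }
    has_accept_any_cert "$props" || return 0
    cp -p "$props" "$props.bak" || return 1
    # Writing through '>' keeps the original file's owner and mode.
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -Eiv "$PATTERN" "$props.bak" > "$props" || [ $? -eq 1 ]
}

# Usage when run directly:
#   sh fix_props.sh /path/to/logprocessor.local.properties
if [ -n "${1:-}" ]; then
    if has_accept_any_cert "$1"; then
        echo "acceptAnyCert=true is set: -VignoreCertificate was used at install"
        remove_accept_any_cert "$1" && echo "removed; backup saved as $1.bak"
    else
        echo "acceptAnyCert=true is not set in $1"
    fi
fi
```

Commented-out copies of the property are left in place, and the .bak file lets you compare or restore the original before running the installer with -Vcertificates.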
