DCE pinning
DCE pinning services reduce the risk of a man-in-the-middle (MITM) attack and provide additional security by pinning your client to a specific DCE that belongs to your configuration for the duration of that configuration.
This additional security is achieved through certificate pinning: the client is bound to the DCE using the certificate that the DCE provides upon connection, and it uses that certificate to validate the trust of all subsequent communications with that server.
Possible failures
You may receive connection failures if any of the following occurs:
- Failure to create the Java KeyStore (JKS) for any reason (example: HDD issues).
- Failure to write to the JKS for any reason (example: corrupt file, HDD issues).
- An invalid certificate is provided by the DCE (example: a MITM server, or the DCE has changed its certificate at some point after it was pinned).
- The device time and server time are not synchronized.
Recovery
Check whether the DCE you are unable to connect to still has the same certificate it had when your client application was initially configured, to rule out a possible MITM attack.
To recover from connection issues related to DCE pinning that are not caused by hardware failures (HDD):
- Perform an Update Configuration action for a new configuration using the DRS, or
- Perform an Install and Configure action.
A new configuration means that either a DCE endpoint has changed (IP, FQDN) or DCE endpoints have been added to or removed from the list.
To reset DCE pinning when the certificate has expired, been updated, or been regenerated, use the Uninstall action followed by the Install and Configure action in DRS.
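The following added example (not the product's own code) models the trust-on-first-use pinning described above and the configuration-update recovery: the first certificate an endpoint presents is pinned, later connections must present the same one, and applying a new endpoint list drops stale pins. It assumes a JSON file in place of the JKS, constructed byte strings in place of DER certificates, and hypothetical endpoint names.

```python
import hashlib
import json
import tempfile
from pathlib import Path

PINNED, MATCH, MISMATCH = "pinned", "match", "mismatch"

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes; this is the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Pins keyed by endpoint, persisted to a JSON file when a path is given
    (the product persists to a JKS; JSON keeps this example runnable)."""
    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        # An OSError here is the page's "failure to write to the JKS" case.
        if self.path:
            self.path.write_text(json.dumps(self.pins))

    def check(self, endpoint: str, der_cert: bytes) -> str:
        fp = fingerprint(der_cert)
        known = self.pins.get(endpoint)
        if known is None:  # first contact: trust on first use, then pin
            self.pins[endpoint] = fp
            self._save()
            return PINNED
        return MATCH if known == fp else MISMATCH

    def apply_configuration(self, endpoints):
        """Forget pins for endpoints that left the configuration, so a changed
        or re-added endpoint is pinned afresh on its next contact."""
        self.pins = {ep: fp for ep, fp in self.pins.items() if ep in endpoints}
        self._save()

def demo():
    """First contact, repeat connection, changed certificate, config update."""
    cert_a, cert_b = b"DER cert A (constructed)", b"DER cert B (constructed)"
    with tempfile.TemporaryDirectory() as d:
        store = PinStore(Path(d) / "pins.json")
        first = store.check("dce1.example:443", cert_a)
        again = PinStore(Path(d) / "pins.json").check("dce1.example:443", cert_a)
        rotated = store.check("dce1.example:443", cert_b)
        store.apply_configuration(["dce2.example:443"])
        return first, again, rotated, store.check("dce2.example:443", cert_b)
```

A MISMATCH result is the point at which the out-of-band certificate check above applies: only if the DCE legitimately rotated its certificate should the pin be reset.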