DCE pinning

DCE pinning services reduce the risk of a man-in-the-middle (MITM) attack and provide additional security by pinning your client to the specific DCEs that belong to your configuration for the lifetime of that configuration.

Details

This additional security is achieved through certificate pinning: the client is bound to the DCE using the certificate that the DCE presents on connection, and that certificate is then used to validate the trust of all subsequent communications with that server.

You cannot change the DCE endpoints until you reconfigure the client application; until then, you remain bound to the DCEs you configured initially.

Possible failures

You may receive connection failures if any of the following occur:

  • Failure to create the Java KeyStore (JKS) for any reason (for example, HDD issues)
  • Failure to write to the JKS for any reason (for example, a corrupt file or HDD issues)
  • An invalid certificate is presented by the DCE (a MITM server, or the DCE changed its certificate at some point after pinning).

Recovery

Check whether the DCE you cannot connect to still presents the same certificate it presented when the client application was first configured, in order to rule out a possible MITM attack.

To recover from connection issues related to DCE pinning that are not caused by hardware failures (HDD):

  • Perform a Configure and reboot action for a new configuration using the DRS, or
  • Perform a Full Install action.
    A new configuration means that a DCE endpoint has changed (IP, FQDN) or that DCE endpoints have been added to or removed from the list.

To reset DCE pinning, use the Uninstall and Full Install actions only.
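The following is an added example, not code from the product or the page, that models the behaviour described in the Details, Possible failures and Recovery sections above: a trust-on-first-use pin store that records the certificate an endpoint presents on first contact and rejects a different certificate later. The endpoint name, the JSON file format, the class and function names and the sample certificate bytes are all constructed assumptions; the product keeps its pins in a Java KeyStore (JKS), which is replaced here by a JSON file so the example runs stand-alone.

```python
# Added example (not part of the original page): trust-on-first-use certificate
# pinning modelled on the DCE pinning described above. All names, the JSON store
# format and the certificate bytes are constructed assumptions; the real client
# uses a Java KeyStore (JKS), which is not reproduced here.
import hashlib
import json
import os
import tempfile
from pathlib import Path


class PinStoreError(Exception):
    """The pin store could not be read, created or written (cf. JKS create/write failures)."""


class PinMismatchError(Exception):
    """The endpoint presented a certificate other than the pinned one (MITM or rotated cert)."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate; this is the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Maps endpoint -> certificate fingerprint, persisted as JSON (stand-in for the JKS)."""

    def __init__(self, path):
        self.path = Path(path)

    def load(self) -> dict:
        if not self.path.exists():
            return {}
        try:
            return json.loads(self.path.read_text())
        except (OSError, ValueError) as exc:  # unreadable or corrupt store
            raise PinStoreError(f"cannot read pin store {self.path}: {exc}") from exc

    def save(self, pins: dict) -> None:
        tmp = self.path.with_suffix(".tmp")
        try:
            tmp.write_text(json.dumps(pins, indent=2))
            os.replace(tmp, self.path)  # atomic rename: never leaves a half-written store
        except OSError as exc:
            raise PinStoreError(f"cannot write pin store {self.path}: {exc}") from exc

    def reset(self) -> None:
        """Forget all pins; the equivalent of the Uninstall / Full Install reset."""
        self.path.unlink(missing_ok=True)


def verify_or_pin(store: PinStore, endpoint: str, der_cert: bytes) -> str:
    """First contact pins the certificate; every later contact must present the same one."""
    pins = store.load()
    presented = fingerprint(der_cert)
    pinned = pins.get(endpoint)
    if pinned is None:
        pins[endpoint] = presented
        store.save(pins)  # a write failure here surfaces as PinStoreError
        return "pinned"
    if pinned != presented:
        raise PinMismatchError(
            f"{endpoint}: pinned {pinned[:16]}..., presented {presented[:16]}...")
    return "verified"


def run_scenario() -> list:
    """Walks through the outcomes listed on the page and returns them in order."""
    # Constructed stand-ins for DER certificate bytes. On a live connection the
    # bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
    cert_v1 = b"constructed-DER-for-dce01-original"
    cert_v2 = b"constructed-DER-for-dce01-changed"
    endpoint = "dce01.example.invalid:443"  # constructed endpoint name
    outcomes = []
    with tempfile.TemporaryDirectory() as workdir:
        store = PinStore(Path(workdir) / "pins.json")
        outcomes.append(verify_or_pin(store, endpoint, cert_v1))  # first contact
        outcomes.append(verify_or_pin(store, endpoint, cert_v1))  # same certificate
        try:
            verify_or_pin(store, endpoint, cert_v2)  # rotated certificate or MITM server
        except PinMismatchError:
            outcomes.append("mismatch")
        store.reset()  # operator reset; the new certificate is pinned on next contact
        outcomes.append(verify_or_pin(store, endpoint, cert_v2))
        # A store in a directory that does not exist models a JKS create/write failure.
        bad_store = PinStore(Path(workdir) / "missing" / "pins.json")
        try:
            verify_or_pin(bad_store, endpoint, cert_v1)
        except PinStoreError:
            outcomes.append("store-failure")
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
```

The "mismatch" outcome is the one the Recovery section asks you to investigate: the same error is raised whether the DCE legitimately rotated its certificate or a MITM server is answering in its place, so the fingerprint of the certificate the DCE presents should be compared out of band before the pin is reset. Resetting is deliberately a separate, explicit operation (here `reset()`, on the product the Uninstall and Full Install actions) rather than something the verification path does on its own.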