General SSLENGINE problem - Detection Server "unknown"

book

Article ID: 159838

calendar_today

Updated On:

Products

Data Loss Prevention

Issue/Introduction

When adding a new Detection Server, the detection server status is showing "unknown" in Enforce.

Check to see if there is an ssl keystore file located on the Enforce server in the following location:

\protect\keystore\

If it contains a file that looks like this; enforce.<timestamp>.sslKeyStore, then an SSL keystore file was generated using the sslkeytool.

Check to see if there is a similar looking file on another Detection server in your environment. It will start with 'monitor' instead of 'enforce'. Note if the enforce file is on the detection server then the error will continue. The file will be in the following location on the detection server: 

<DLP installed folder>\protect\keystore\

 

You may see the following error in the MonitorController0.log file:

Jul 21, 2009 9:47:36 AM com.vontu.communication.transport.ChannelManager processOperationResult
INFO: Operation com.vontu.communication.transport.ConnectWrapperOperation:1248184056174:discover:xx.xx.xx.xx:[email protected] failed with exception: com.vontu.communication.transport.exception.TransportException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Jul 21, 2009 9:47:36 AM com.vontu.communication.transport.ChannelManager handleOperationFailure

Cause

This same error will occur if customers place more than one .sslKeyStore file in the Enforce's keystore folder. In some cases, customer have mistakenly copied both the enforce and monitor .sslKeyStore files into the Enforce's keystore folder.

Resolution

If you can find the SSL keystore file on another detection server that was previously deployed, then simply copy the file to the new Detection server. If you do not have any other Detection servers, then you will need to run the SSLKEYTOOL and generate new keystore files. Check the Symantec Installation Guide for detailed information regarding the sslkeytool utility. To generate a keystore file:

  1. Run sslkeytool from the Enforce Server. From a command window, go to the DLP installed folder\Protect\bin directory (Windows) or /opt/Vontu/Protect/bin (Linux) to locate the sslkeytool utility.
  2. As the Symantec Data Loss Prevention operating system user account, which by default would be “protect,” run the sslkeytool utility by typing: sslkeytool -genkey  

Optionally, you can create the files in a different directory by adding the argument -dir=directory after the genkey option.

The sslkeytool utility generates two keystore files. These files must be placed in the proper directory on each server. One file stays on the Enforce Server, and the other file is copied to all of the other servers. You must place the keystore files as follows:

  • The file that starts with Enforce must be placed in the keystore directory that is located on the Enforce Server at <DLP install folder>\Protect\keystore (Windows) or /opt/Vontu/Protect/keystore (Linux).
  • The file that starts with monitor must be placed in the same keystore directory that is located on every detection server.