
Directory Connection test fails after importing certificates


Article ID: 163055


Products

Data Loss Prevention Enforce

Issue/Introduction

Scenario: Intermediate Certificate Authority (CA) certificates need to be imported into DLP so that the Enforce Server can connect to Active Directory over SSL/TLS. After the import, the Directory Connection test still fails and the Enforce log shows:

WARNING [com.vontu.manager.admin.directoryconnection.DirectoryConnectionManager] Test Directory Connection Failed:
Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

Cause

1. The certificate chain was imported into the Tomcat .keystore instead of the Java cacerts keystore.
The Active Directory connection validates the LDAP server certificate against the JRE's cacerts file, not against the Tomcat .keystore, so certificates placed in .keystore are never consulted.

2. Only the LDAP server certificate was imported into the Java cacerts keystore, not the whole certificate chain (Root CA and Intermediate CA certificates).

Resolution

1. The certificate chain was imported into the Tomcat .keystore instead of the Java cacerts keystore.
The Active Directory connection validates the LDAP server certificate against the JRE's cacerts file, not against the Tomcat .keystore.

Certificates used for Active Directory connections must be added to the cacerts keystore located in the <java installed dir>\lib\security folder of the Java installation that DLP runs on.

If you are not sure which Java installation (or version) DLP uses, verify it as follows:

  1. Navigate to <drive letter>:\Program Files\Symantec\DataLossPrevention\EnforceServer\Services.
  2. This folder contains four .conf files, one per Enforce service. Open any one of them in a text editor.
  3. Find the line that begins with "wrapper.java.command".
  4. The value on that line is the path to the java executable DLP uses; the cacerts file you need is under the lib\security folder of that same Java installation.
  5. Optionally repeat step 3 in the other .conf files; they should all point to the same path.



Below is a summary of the steps to resolve the issue. For more information, refer to "Importing SSL Certificates to Enforce or Discover Servers" in the Symantec DLP Help Center.

  1. Copy the AD certificate file you want to import to the Enforce Server.
  2. Change directory to the bin folder of the JRE installation the Enforce Server uses (verified above), e.g. C:\Program Files\Symantec\DataLossPrevention\ServerJRE\<version>\bin\ or C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\bin in DLP 15.8.
  3. Run the keytool utility with the -importcert option to import the certificate into the Enforce Server or Discover Server cacerts keystore. Example:
     <path to java\bin directory>\keytool -importcert -alias new_DC -keystore <path to jre\lib\security\cacerts> -file <path to cert>\my-domaincontroller.crt
  4. When prompted, enter the password for the Java keystore (the default is changeit).
  5. Answer Yes when asked whether you trust this certificate.
  6. Restart the Enforce Server so the services reload cacerts.

2. Only the LDAP server certificate, not the whole certificate chain, was imported into the Java cacerts keystore.

Import the remaining Root Certificate Authority (Root CA) and Intermediate Certificate Authority (Intermediate CA) certificates with the same method as above, using a different -alias for each certificate (keytool refuses to import a second entry under an existing alias), so that the whole certificate chain is present in cacerts. The "PKIX path building failed" error in the log is exactly what the Java validator reports when it cannot link the LDAP server certificate back to a trusted root through the entries in cacerts.
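The following PowerShell script is an added example and is not part of the Broadcom article or the DLP product. It automates both resolutions above: it reads wrapper.java.command from the Enforce service .conf files to find the JRE DLP actually uses, then imports every certificate of the AD chain (root, intermediate(s) and domain controller) into that JRE's lib\security\cacerts under a distinct alias each, and lists the result. The $CertDir location and its contents, the default paths, the "ad-" alias scheme and the assumption that wrapper.java.command holds a literal path are all illustrative assumptions.

```powershell
<#
  Added example (not from the article): locate the JRE that the DLP Enforce services use
  and import a complete AD certificate chain into that JRE's cacerts.
  Run in an elevated PowerShell on the Enforce Server.
#>
param(
    [string]$CertDir     = 'C:\Temp\ad-chain',   # assumed: root.crt, intermediate.crt, dc01.crt live here
    [string]$ServicesDir = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\Services',
    [string]$StorePass   = 'changeit'            # cacerts default; replace if it was changed
)

# 1. Pull wrapper.java.command from every service .conf and make sure they all agree.
#    Assumes the value is a literal path (no environment-variable references).
$javaPaths = Get-ChildItem -Path $ServicesDir -Filter '*.conf' | ForEach-Object {
    $conf = $_
    Select-String -Path $conf.FullName -Pattern '^\s*wrapper\.java\.command\s*=\s*(.+?)\s*$' |
        ForEach-Object {
            $p = $_.Matches[0].Groups[1].Value.Trim('"')
            # A relative value is resolved against the folder holding the .conf file.
            if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $conf.DirectoryName $p }
            [System.IO.Path]::GetFullPath($p)
        }
} | Sort-Object -Unique

if (@($javaPaths).Count -ne 1) {
    throw "Expected one Java path in the service .conf files, found: $($javaPaths -join '; ')"
}
$javaExe = $javaPaths[0]
$javaBin = Split-Path -Parent $javaExe
$keytool = Join-Path $javaBin 'keytool.exe'
# The article's <java installed dir>\lib\security\cacerts, relative to <java installed dir>\bin\java.exe.
$cacerts = Join-Path (Split-Path -Parent $javaBin) 'lib\security\cacerts'
foreach ($f in $keytool, $cacerts) {
    if (-not (Test-Path $f)) { throw "Not found: $f (is the wrapper.java.command path correct?)" }
}
Write-Host "DLP runs Java from $javaExe; trust store is $cacerts"

# 2. Import the whole chain. Importing only the DC certificate leaves the PKIX path
#    incomplete; each certificate needs its own alias because keytool refuses duplicates.
$certFiles = Get-ChildItem -Path (Join-Path $CertDir '*') -Include '*.crt', '*.cer', '*.pem'
if (-not $certFiles) { throw "No certificate files in $CertDir" }

foreach ($cert in $certFiles) {
    # Print Owner/Issuer so a missing link in the chain is visible before anything is imported.
    & $keytool -printcert -file $cert.FullName | Select-String -Pattern '^(Owner|Issuer):'

    $alias = 'ad-' + $cert.BaseName.ToLower()    # assumed alias scheme, e.g. ad-root, ad-dc01
    & $keytool -list -keystore $cacerts -storepass $StorePass -alias $alias *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "alias '$alias' already present in cacerts, skipping"
        continue
    }
    # -noprompt answers the "Trust this certificate?" question (article step 5) non-interactively.
    & $keytool -importcert -noprompt -trustcacerts -alias $alias `
        -keystore $cacerts -storepass $StorePass -file $cert.FullName
    if ($LASTEXITCODE -ne 0) { throw "keytool failed to import $($cert.Name)" }
}

# 3. Show what is now trusted, then restart the Enforce Server (article step 6) so the
#    services reload cacerts.
& $keytool -list -keystore $cacerts -storepass $StorePass | Select-String -Pattern '^ad-'
Write-Host 'Chain imported. Restart the Enforce Server services, then re-run Test Directory Connection.'
```

Passing -storepass on the command line exposes the keystore password to anyone who can read the process list; for an interactive one-off run, omit it and keytool will prompt for the password as in step 4 of the article. The -printcert output is worth reading before the import: if the Issuer of one certificate does not match the Owner of another file in the folder, the chain is incomplete and the PKIX error will persist after the import.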