DLP upgrade overwrites the CACERTS keystore causing the secure LDAP connection to break.

Article ID: 170139

Products

Data Loss Prevention

Issue/Introduction

After upgrading your Enforce Server, the secure LDAP (LDAPS) Directory Connection no longer works. Upon further investigation it was determined that the upgrader replaces the CACERTS keystore file in the "...SymantecDLP\jre\lib\security\" directory. Any secure connection from Enforce to Active Directory fails because the CA certificate that signed the domain controller's certificate is no longer present in the CACERTS file, so Java cannot build a trust path:

org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: simple bind failed: ldaps.yourcompany.net:3269; nested exception is javax.naming.CommunicationException: simple bind failed: ldaps.yourcompany.net:3269 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Cause

The upgrader replaces the CACerts with a default one from the updated version of Java.

This does not include any CAs or Certs you might have imported previously.

Environment

DLP 15.x

Resolution

Although it is possible to copy over the previous CACerts file from a prior version, it is not recommended: a prior copy retains your custom CAs, but it also retains possibly outdated CAs that may have expired or be less secure than those shipped in more recent releases. The change from Oracle JRE to OpenJDK also changed some of the CAs in use in the latest release (15.8).

Therefore, instead of restoring a backup of the CACERTS keystore, follow the steps outlined in TECH234490 to re-import the required certificates into Enforce.
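Before re-importing, it helps to know exactly which trusted certificates the upgrade dropped and which of those are still worth trusting. The script below is an added example, not part of this article or of the DLP product: it compares two `keytool -list -v` dumps (the backed-up pre-upgrade CACERTS and the new one) and matches entries by SHA-256 fingerprint rather than alias, because the new JDK may carry the same public CA under a different alias. Lost entries that are still valid are listed for re-import; lost entries that have already expired are listed to be skipped, which is the point the Resolution makes about not restoring an old keystore wholesale. The two listings and the date are constructed sample data, not real keytool output.

```python
"""Diff two `keytool -list -v` dumps and report trusted CAs lost by an upgrade.

Produce the inputs on the Enforce server with, for example:
    keytool -list -v -keystore cacerts -storepass changeit > old.txt
(run once against the backed-up keystore and once against the new one).
"""
import re
from datetime import date

_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

_ALIAS = re.compile(r"^Alias name: (.+)$", re.M)
_OWNER = re.compile(r"^Owner: (.+)$", re.M)
_SHA256 = re.compile(r"SHA256: ([0-9A-Fa-f:]+)")
# keytool prints dates as Java's Date.toString(): "EEE MMM dd HH:mm:ss zzz yyyy".
# Only month/day/year are needed, so the weekday and time zone are skipped.
_UNTIL = re.compile(r"until: \w{3} (\w{3}) (\d{1,2}) \d{2}:\d{2}:\d{2} \S+ (\d{4})")


def parse_keytool_listing(text):
    """Return one dict per keystore entry: alias, owner, sha256, not_after."""
    entries = []
    # Every entry in `keytool -list -v` output begins with an "Alias name:" line;
    # the text before the first one is the keystore header and is skipped.
    for block in re.split(r"(?m)^(?=Alias name: )", text):
        m_alias = _ALIAS.search(block)
        if not m_alias:
            continue
        m_owner = _OWNER.search(block)
        m_sha = _SHA256.search(block)
        m_until = _UNTIL.search(block)
        not_after = None
        if m_until:
            mon, day, year = m_until.groups()
            not_after = date(int(year), _MONTHS[mon], int(day))
        entries.append({
            "alias": m_alias.group(1).strip(),
            "owner": m_owner.group(1).strip() if m_owner else "",
            "sha256": m_sha.group(1).upper() if m_sha else None,
            "not_after": not_after,
        })
    return entries


def lost_entries(old_listing, new_listing):
    """Entries of the pre-upgrade store whose certificate (by SHA-256) is
    absent from the post-upgrade store, whatever alias it had."""
    kept = {e["sha256"] for e in parse_keytool_listing(new_listing)}
    return [e for e in parse_keytool_listing(old_listing) if e["sha256"] not in kept]


def reimport_plan(old_listing, new_listing, as_of):
    """Split the lost entries into (reimport, skip): CAs still valid on `as_of`
    are candidates for `keytool -importcert -trustcacerts`; expired ones are not."""
    reimport, skip = [], []
    for e in lost_entries(old_listing, new_listing):
        expired = e["not_after"] is not None and e["not_after"] < as_of
        (skip if expired else reimport).append(e)
    return reimport, skip


# Constructed sample listings (fingerprints and names are placeholders).
OLD_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: corp-root-ca
Creation date: Mar 4, 2019
Entry type: trustedCertEntry

Owner: CN=YourCompany Root CA, O=YourCompany
Issuer: CN=YourCompany Root CA, O=YourCompany
Valid from: Mon Mar 04 10:00:00 UTC 2019 until: Fri Mar 04 10:00:00 UTC 2039
Certificate fingerprints:
     SHA1: 11:11:11:11
     SHA256: AA:11:AA:11:AA:11

Alias name: oldvendorca
Creation date: Jan 9, 2015
Entry type: trustedCertEntry

Owner: CN=Old Vendor CA, O=Old Vendor
Issuer: CN=Old Vendor CA, O=Old Vendor
Valid from: Fri Jan 09 00:00:00 UTC 2015 until: Tue Jun 30 23:59:59 UTC 2020
Certificate fingerprints:
     SHA1: 22:22:22:22
     SHA256: BB:22:BB:22:BB:22

Alias name: digicertglobalrootca
Creation date: Jun 2, 2008
Entry type: trustedCertEntry

Owner: CN=DigiCert Global Root CA, O=DigiCert Inc
Issuer: CN=DigiCert Global Root CA, O=DigiCert Inc
Valid from: Fri Nov 10 00:00:00 UTC 2006 until: Mon Nov 10 00:00:00 UTC 2031
Certificate fingerprints:
     SHA1: 33:33:33:33
     SHA256: CC:33:CC:33:CC:33
"""

NEW_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: digicertglobalrootca [jdk]
Creation date: Jun 2, 2008
Entry type: trustedCertEntry

Owner: CN=DigiCert Global Root CA, O=DigiCert Inc
Issuer: CN=DigiCert Global Root CA, O=DigiCert Inc
Valid from: Fri Nov 10 00:00:00 UTC 2006 until: Mon Nov 10 00:00:00 UTC 2031
Certificate fingerprints:
     SHA1: 33:33:33:33
     SHA256: CC:33:CC:33:CC:33

Alias name: globalsignrootca [jdk]
Creation date: Jun 2, 2008
Entry type: trustedCertEntry

Owner: CN=GlobalSign Root CA, O=GlobalSign nv-sa
Issuer: CN=GlobalSign Root CA, O=GlobalSign nv-sa
Valid from: Tue Sep 01 12:00:00 UTC 1998 until: Fri Jan 28 12:00:00 UTC 2028
Certificate fingerprints:
     SHA1: 44:44:44:44
     SHA256: DD:44:DD:44:DD:44
"""

UPGRADE_DATE = date(2021, 1, 1)  # constructed: the day the comparison is run

if __name__ == "__main__":
    reimport, skip = reimport_plan(OLD_LISTING, NEW_LISTING, UPGRADE_DATE)
    for e in reimport:
        print(f"RE-IMPORT {e['alias']}: {e['owner']} (valid until {e['not_after']})")
    for e in skip:
        print(f"SKIP      {e['alias']}: expired {e['not_after']}")
```

With the sample data the report lists `corp-root-ca` for re-import and `oldvendorca` to skip, while `digicertglobalrootca` is recognised as still present under its new `[jdk]` alias. Each certificate you do re-import should come from its original PEM/DER file (or be exported from the backup with `keytool -exportcert`), not by copying the whole old keystore over the new one.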


Additional Information

Older instructions for restoring the previous CACerts keystore, if an immediate fix is essential to your business operations:

  1. Backup a copy of the CACerts keystore before upgrading; found by default at "...<SymantecDLP>\jre\lib\security\".
  2. After the upgrade use the backed up copy to replace the current CACerts keystore, e.g., as found in "C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_202\lib\security".
  3. Restart the DLP services on Enforce.
  4. Test the Directory Connection that previously had failed.

Note that the path in step 2 above is for an install using the default "ServerJRE" for 15.7 and earlier. DLP 15.8 uses OpenJDK, however, and so the path is different.