Failed Schemus synchronization due to SSL handshake errors when connecting to the Client Net API

Article ID: 172034

Products

Email Security.cloud, Email Encryption.cloud, Web Security.cloud

Issue/Introduction

The Schemus tool is unable to connect to the Symantec.cloud repository to update the contents extracted from the data source. Schemus checks the certificate store for the Certification Authority's certificate before allowing communication between the server that hosts Schemus and the Symantec.cloud repository.

The certificate provided by Symantec.cloud has been signed by a Certification Authority whose certificate is present in the standard Java certificate store, which enables secure communications with Symantec.cloud. When an additional proxy service is used, it inspects SSL traffic between Symantec.cloud and the Schemus tool. This causes the request to be interrupted while updating the repository on port 443, with errors such as:

Unable to find certification path to requested target
SSL: Peer shutdown incorrectly
SSL handshake Received Fatal alert: Handshake failed

 

Cause

Either the certificate used to authenticate against the Schemus API (https://api.symanteccloud.com/SyncAPI/Service.asmx) has been replaced, or the Java certificate store does not contain the certificate used by the proxy service to inspect SSL traffic. In both cases the Java certificate store in the embedded Java Runtime Environment distributed with Schemus does not contain the Certification Authority's signing certificate, so the client application reports an error when it attempts to authenticate the server.

Java uses a certificate store, which usually consists of a cacerts file located in the jre/lib/security directory of your Java installation. If you are using Schemus with its own Java Runtime, the JRE directory is located in the directory where Schemus is installed. 

Environment

Schemus version 1.47 and above

Java Runtime Environment (JRE) 1.6.0_19 or above

 

Resolution

If you are using Schemus version 1.47 and lower:

To replace the certificate store, first make a backup copy of the existing certificate store, then replace it with the downloaded file. The certificate store can be found in the Schemus install location in the file jre/lib/security/cacerts. On Windows systems, this is usually C:\Program Files\Schemus\jre\lib\security\cacerts

Note: If any modifications had previously been made to the existing certificate store (e.g. to add a custom Certification Authority certificate), they will need to be reapplied to the replacement file. The certificate store password is 'changeit'.

If you are using Schemus version 1.5:

The Symantec API URL "https://api.symanteccloud.com/SyncAPI/Service.asmx" should be bypassed from SSL inspection on the web filtering/proxy service.

Otherwise, import the web server certificate into the Java certificate store. Download the certificate used by the web scanning service and save it to the home directory on the server running Schemus. The keytool application in the jre/bin directory can be used for this purpose.

The following command will import a certificate from the file proxycert.cer into the cacerts file. (The proxycert is the certificate used by the SSL traffic scanning service):

keytool -import -trustcacerts -alias proxy-certificate -file proxycert.cer -keystore cacerts
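The import above can be wrapped so that the store is backed up first, the certificate's fingerprints are shown for comparison before it is trusted, and the new alias is confirmed afterwards. This is an added example, not a script from the article or from Symantec; the function names and the install-directory argument are hypothetical, and keytool is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example. Function names and arguments are hypothetical; keytool is the
# one shipped in the JRE's bin directory and is assumed to be on PATH.

STOREPASS=changeit   # certificate store password given in the article

# Path of the certificate store inside the JRE bundled with Schemus.
cacerts_path() {
    printf '%s/jre/lib/security/cacerts\n' "${1%/}"
}

# Copy the store to a timestamped backup, confirm the copy, print its path.
backup_cacerts() {
    backup="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$backup" && cmp -s "$1" "$backup" && printf '%s\n' "$backup"
}

# Show the fingerprints of a certificate file so they can be compared with the
# values supplied by the team that runs the SSL inspection service.
cert_fingerprint() {
    keytool -printcert -file "$1" | grep -E '^[[:space:]]*(MD5|SHA1|SHA256):'
}

# Back up the store, import the certificate, then confirm the alias is listed.
# -noprompt skips keytool's own confirmation, so check the fingerprint first.
import_proxy_cert() {
    store=$1; cert=$2; cert_alias=${3:-proxy-certificate}
    backup_cacerts "$store" >/dev/null || return 1
    keytool -import -trustcacerts -noprompt -alias "$cert_alias" \
        -file "$cert" -keystore "$store" -storepass "$STOREPASS" || return 1
    keytool -list -alias "$cert_alias" -keystore "$store" \
        -storepass "$STOREPASS" >/dev/null
}

# Usage: sh import-proxy-cert.sh <Schemus install dir> proxycert.cer
if [ "$#" -eq 2 ]; then
    cert_fingerprint "$2"
    printf 'Do these match the expected fingerprints? [y/N] '
    read -r answer
    [ "$answer" = y ] && import_proxy_cert "$(cacerts_path "$1")" "$2"
fi
```

Restart Schemus after the import so that its JRE reloads the certificate store.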

 

Attachments

cacerts