ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Cannot load Enforce console after configuring an encrypted jdbc connection to oracle server

book

Article ID: 172267

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

You have configured encrypted communication between the Enforce and the oracle server via a jdbc connector as per chapter 5 of the:

Data Loss Prevention Installation Guide for Windows
Version: 15.1
Last updated: 31 July 2018

However, on completion the Enforce console does not load. 

 

Tomcat logs (C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\logs\tomcat) show: 

WARNING [com.vontu.util.jdbc.JDBCTestConnection] Cannot connect to database
Cause:
java.sql.SQLRecoverableException: IO Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The documentation version referenced above does not have the correct path for the keytool.exe

If you run the command as it is written in the documentation from the bin folder where the keytool.exe actually is and provide the correct, adjusted path to the certs.txt file – you will add your certificate to a second keystore called ‘cacerts’ (because the command automatically creates a keystore if none is present)  -  instead of adding it to the ‘real’ cacerts keystore which is the one being referenced by the jdbc connector.

Environment

DLP 15.1, 2 or 3 tier installtion on Windows

Resolution

 

Verify that this situation applies to you by:

  • Searching on the Enforce Server in folder:  C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\ for ‘cacerts’
  • You will probably see 2 matches:
  • One will be in C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\lib\security\ - which is the correct location
  • Another will be in C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\bin - which is the wrong location. 
  • You will see that the one in the security folder is much larger because it contains all the default certificates whereas the one in the bin directory will be just 1KB as it only contains the wrongly imported oracle certificate

 
The Fix:

  1. If you run the two commands below on your Enforce Server this should add the certificate import to the correct keystore:
  • Cd C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\bin\ 
  • keytool.exe -import -alias oracleservercert -keystore 'C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\lib\security\cacerts' -file <Your Path To cert.txt> 
    • Note: When you receive the password prompt this will probably be ‘changeit’ which is the default password.
  1. Stop the services:
  • Symantec DLP Incident Persister
  • Symantec DLP Detection Server Controller
  • Symantec DLP Manager
  • Symantec DLP Notifier

3.      Start the DLP services in the reverse order to step 2
4.      Wait for a few minutes then open the Enforce Console – you should be connected.