search cancel

Messaging Gateway Directory Integration TLS connection fails

book

Article ID: 172482

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

The Messaging Gateway (SMG) Directory Integration connection may fail if using TLS secured connections due to a certificate calidation failure. 

This issue can include inbound email not being processed, the Message Audit Log shows message aborts.

The error can be found in the Directory Data Service logs:

Sep 17 2018 06:14:19 [btpool0-1] [LoggingDDS] ERROR - 800402
com.symantec.sms.dds.api.exception.DataAccessSearchFailureException: Permanent failure while attempting to search data source: 
Internal.test AD   Reason: No subject alternative names matching IP address 192.168.2.10 found

Alternatively, one can see:

[1532521186618] 800412 com.symantec.sms.dds.api.exception.DataAccessUnavailableException: The data source is unavailable: NFC-LDAP at com.symantec.sms.dds.bl.EntrySourceMonitor.available(EntrySourceMonitor.java:108) at com.symantec.sms.dds.bl.EntryS

Or:

[1532521186618] 800412 com.symantec.sms.dds.api.exception.DataAccessUnavailableException: The data source is unavailable: NFC-LDAP at com.symantec.sms.dds.bl.EntrySourceMonitor.available(EntrySourceMonitor.java:108) at com.symantec.sms.dds.bl.EntryS

 

Cause

This issue occurs when the verification for the certificate fails, usually due to a difference between the hostname or IP in the SMG configuration and the Subject Alternative Names in the certificate. If the hostname or IP in the SMG DDS configuration does not match an entry in the LDAP server certificate's Subject Alternate Name list, the TLS negotiation will fail.

Resolution

The root cause of this issue is that the LDAP server certificates cannot be validated in the current environment by the Messaging Gateway DDS client. For security, it is important to make sure that the environment and certificates are configured properly. Do so to ensure that the certificates can be verified upon initiating a TLS conversation. This step can include:

  • Update the configuration so that Directory Integration connects to a hostname/FQDN that is listed in the certificate (recommended).
  • Update the certificate so that it contains the IP or hostname that Directory Integration uses to connect.