
Messaging Gateway Directory Integration TLS connection fails


Article ID: 172482


Updated On:

Products

Messaging Gateway

Issue/Introduction

After the upgrade to Symantec Messaging Gateway (SMG) 10.6.6, the Directory Integration connection may fail when TLS is used (still labelled SSL in the product) and verification of the LDAP server certificate fails, for example when the data source is configured with an IP address that does not appear in the certificate's Common Name or Subject Alternative Name.

Symptoms can include inbound email not being processed; the Message Audit Log shows message aborts.

The error can be found in the Directory Data Service logs:

Sep 17 2018 06:14:19 [btpool0-1] [LoggingDDS] ERROR - 800402
com.symantec.sms.dds.api.exception.DataAccessSearchFailureException: Permanent failure while attempting to search data source: 
Internal.test AD   Reason: No subject alternative names matching IP address 192.168.2.10 found

Alternatively, one can see:

[1532521186618] 800412 com.symantec.sms.dds.api.exception.DataAccessUnavailableException: The data source is unavailable: NFC-LDAP at com.symantec.sms.dds.bl.EntrySourceMonitor.available(EntrySourceMonitor.java:108) at com.symantec.sms.dds.bl.EntryS



Cause

Messaging Gateway 10.6.6 includes a number of changes that harden the appliance. As part of that, the TLS (SSL) connection used by Directory Integration now verifies the LDAP server certificate strictly. The issue occurs whenever that verification fails, for example when the configured host name or IP address is not listed in the certificate's Common Name or Subject Alternative Name.

Resolution

Apply patch 10.6.6-273 from the command line to temporarily work around this issue in Messaging Gateway 10.6.6.

For more information on the patching process see How to apply patches by command line.

Enable the patch after it is installed: connect to the SMG by ssh and run the command 'service dds set-name-verification-lax'. This relaxes the certificate name check described above; use it as a stopgap while the configuration or the certificate is corrected.

The root cause is that the LDAP server certificate cannot be validated by the Messaging Gateway DDS client in the current environment. For security, make sure that the environment and the certificates are configured so that the certificate can be verified when the TLS session is established. This can include:

  • Update the configuration so that Directory Integration connects to a hostname/FQDN that is listed in the certificate (recommended).
  • Update the certificate so that it contains the IP or hostname that Directory Integration uses to connect. Note that for an IP address the certificate must carry it as an iPAddress Subject Alternative Name; the Common Name is not consulted when the client connects by IP, which is why the log reports "No subject alternative names matching IP address ... found".
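The following Python script is an added example and is not part of this article or of the Messaging Gateway product. It emulates the name-verification rules of the standard Java hostname checker (the source of the "No subject alternative names matching IP address ... found" message): an IP target must match an iPAddress SAN entry, a host name target is matched against dNSName SAN entries, and the Common Name is only used when the certificate has no dNSName entries at all. It lets you check a planned Directory Integration host/IP against a certificate before enabling the connection. The certificate dictionaries are constructed samples in the layout that Python's ssl.getpeercert() returns; fetch_peer_cert is a helper that assumes network access to the LDAP server and a CA bundle of your own.

```python
"""Check a Directory Integration target (host name or IP) against an LDAP server
certificate using Java-style name verification rules (added example)."""
import ipaddress
import socket
import ssl


def _san_entries(cert, kind):
    """SAN values of one kind ('DNS' or 'IP Address') in ssl.getpeercert() layout."""
    return [value for name, value in cert.get("subjectAltName", ()) if name == kind]


def _common_name(cert):
    """Most specific commonName in the subject, or None if there is none."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return cn


def _dns_matches(pattern, host):
    """Case-insensitive match; a wildcard is honoured in the leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # "*.internal.test" -> ".internal.test"
        head = host[: -len(suffix)] if host.endswith(suffix) else ""
        return head != "" and "." not in head
    return False


def _same_ip(a, b):
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def check_server_name(target, cert):
    """Return (ok, reason) for connecting to `target` with this certificate."""
    try:
        ipaddress.ip_address(target)
        is_ip = True
    except ValueError:
        is_ip = False

    if is_ip:
        # IP targets are matched only against iPAddress SAN entries; CN is ignored.
        if not cert.get("subjectAltName"):
            return False, "No subject alternative names present"
        if any(_same_ip(ip, target) for ip in _san_entries(cert, "IP Address")):
            return True, "IP address %s matches an iPAddress SAN entry" % target
        return False, "No subject alternative names matching IP address %s found" % target

    dns_names = _san_entries(cert, "DNS")
    if dns_names:
        # Once dNSName entries exist they are authoritative: no fallback to CN.
        if any(_dns_matches(p, target) for p in dns_names):
            return True, "Host name %s matches a dNSName SAN entry" % target
        return False, "No subject alternative DNS name matching %s found" % target

    cn = _common_name(cert)
    if cn and _dns_matches(cn, target):
        return True, "Host name %s matches the Common Name (no dNSName SAN present)" % target
    return False, "No name matching %s found in the certificate" % target


def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch the LDAPS server certificate. The chain is still validated against
    `cafile` (assumed to be your CA bundle); only the name check is deferred to
    check_server_name so that a mismatch can be reported in detail."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples (not real certificates): a typical domain controller
# certificate that names only the FQDN, and the same server after reissuing
# the certificate with the IP address as an iPAddress SAN entry.
DC_CERT_FQDN_ONLY = {
    "subject": ((("commonName", "dc01.internal.test"),),),
    "subjectAltName": (("DNS", "dc01.internal.test"), ("DNS", "internal.test")),
}
DC_CERT_WITH_IP = {
    "subject": ((("commonName", "dc01.internal.test"),),),
    "subjectAltName": (("DNS", "dc01.internal.test"), ("IP Address", "192.168.2.10")),
}

if __name__ == "__main__":
    for target, cert in [("192.168.2.10", DC_CERT_FQDN_ONLY),
                         ("192.168.2.10", DC_CERT_WITH_IP),
                         ("dc01.internal.test", DC_CERT_FQDN_ONLY)]:
        print(target, check_server_name(target, cert))
```

Run it as-is to see the three sample outcomes; to test a real server, call fetch_peer_cert("dc01.internal.test", cafile="ca.pem") and pass the result, together with the exact host or IP typed into the Directory Integration data source, to check_server_name.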

Because this is a security hardening change, the SMG development team has no plans to keep the "lax" mode of operation in future releases.