
New Cloud Detector unable to be registered in Enforce with "PKIX path building failed" error in Tomcat

Article ID: 173215

Products

  • Data Loss Prevention Enforce
  • Data Loss Prevention Cloud Service for Email
  • Data Loss Prevention Cloud Detection Service
  • Data Loss Prevention Cloud Package
  • Data Loss Prevention

Issue/Introduction

A new Cloud Detector cannot register successfully, even though the following known causes have already been ruled out:

  • ManagerLogging.properties does not have any FINE or higher log levels set (as per TECH249263)
  • The enforce_keystore.jks file has the full permissions required for the certificate import (as per TECH250216)
  • The bundle is not expired

The Tomcat log shows the following error at enrollment:

------------------------------
16 May 2018 12:22:32,726- Thread: 124 INFO [com.vontu.enforce.domainlayer.events.system.SystemEventLogger] Cloud Detector created in Enforce. Cloud detector PROD DLP DIM Cloud Connector created in Enforce.
16 May 2018 12:22:33,663- Thread: 281 SEVERE [org.jscep.client.Client] The self-signed certificate MUST use the same subject name as in the PKCS#10 request.
16 May 2018 12:22:33,930- Thread: 281 WARNING [org.jscep.client.Client] AbstractTransport problem when determining capabilities.  Using empty capabilities.
16 May 2018 12:22:34,058- Thread: 281 SEVERE [com.vontu.manager.admin.servers.clouddetector.prepare.DetectorPreparationExceptionHandler] org.jscep.transport.TransportException: Error connecting to server
Cause:
com.symantec.dlp.certificate.retrieval.CertificateRetrievalException: org.jscep.transport.TransportException: Error connecting to server
org.jscep.client.ClientException: org.jscep.transport.TransportException: Error connecting to server
org.jscep.transport.TransportException: Error connecting to server
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 

Cause

In the above output, the "Using empty capabilities" warning in particular indicates that the cacerts file on the Enforce server is likely missing the default CA or other root certificates required to negotiate TLS with the Cloud Gateway.

To confirm this, install an OpenSSL client on the Enforce server and run the following test:

openssl s_client -showcerts -connect pki-scep.symauth.com:443


If the following output appears, the cacerts file is either corrupt, has incorrect permissions, or is not the correct copy for the DLP version:

Server certificate
subject=/jurisdictionC=US/jurisdictionST=STATE/businessCategory=Private Organization/serialNumber=1234567/C=US/postalCode=98765/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations/CN=pki-scep.symauth.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 4038 bytes and written 366 bytes
Verification error: unable to get local issuer certificate

Environment

Enforce 15.x with new bundle for DLP Cloud Detection Service

Resolution

Confirm that the cacerts file at ../lib/security/cacerts has not been modified or removed.

It might need to be replaced with a known good copy, either from a backup or from another Enforce server (the DLP versions must match exactly).

Then restart all DLP services in the correct order, as per TECH220062.

Note: in DLP 15.x the default size of this file is 111 KB. A much smaller file indicates that it has been replaced; because this file is the Java trust store of Certificate Authorities, TLS handshakes will fail if it does not contain the latest CAs.
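The following is an added example, not code from the KB article or from the DLP product, that turns the checks above into a small POSIX sh script: it tests the cacerts file for the three failure modes the article names (wrong copy, detected as a file far below the expected ~111 KB; incorrect permissions, detected as unreadable; corrupt, detected when keytool cannot list any trusted entries) and wraps the article's openssl probe of the SCEP gateway. The keystore path is supplied by the caller (the path shown at the end is a placeholder), the 100,000-byte threshold is a chosen heuristic derived from the article's 111 KB figure, and the store is assumed to use the JDK default password changeit; keytool is used only if it is on PATH.

```shell
# Added example (not from the KB or from Symantec/Broadcom): sanity-check the
# Java cacerts trust store that Tomcat on Enforce uses, then probe the gateway.
# Assumptions: caller supplies the cacerts path; the store uses the JDK default
# password 'changeit'; keytool is optional (entry count is skipped without it).

# The article gives ~111 KB as the normal size in DLP 15.x; treat anything well
# below that as a replaced or truncated store (threshold chosen for this example).
MIN_CACERTS_BYTES=${MIN_CACERTS_BYTES:-100000}

# check_cacerts <path>
# Exit codes: 0 ok, 1 missing, 2 unreadable, 3 too small, 4 unparseable.
check_cacerts() {
    ks=$1
    if [ ! -f "$ks" ]; then
        echo "MISSING: $ks does not exist"
        return 1
    fi
    if [ ! -r "$ks" ]; then
        echo "PERMS: $ks is not readable by $(id -un)"
        return 2
    fi
    size=$(wc -c < "$ks" | tr -d ' ')
    if [ "$size" -lt "$MIN_CACERTS_BYTES" ]; then
        echo "TOO_SMALL: $ks is $size bytes, expected about 111 KB; likely replaced"
        return 3
    fi
    if command -v keytool >/dev/null 2>&1; then
        # A healthy store lists many trustedCertEntry lines; a corrupt file or a
        # non-default store password yields none. '|| true' keeps grep's
        # no-match exit status from aborting a 'set -e' caller.
        count=$(keytool -list -keystore "$ks" -storepass changeit 2>/dev/null \
                | grep -c trustedCertEntry || true)
        if [ "$count" -eq 0 ]; then
            echo "CORRUPT: keytool cannot list trusted certificates in $ks"
            return 4
        fi
        echo "OK: $ks is $size bytes with $count trusted CA entries"
    else
        echo "OK: $ks is $size bytes (keytool not found, entry count skipped)"
    fi
    return 0
}

# probe_gateway [host:port]
# Runs the article's openssl test and reports whether the chain verified.
# Needs network access, so it is not exercised offline.
probe_gateway() {
    target=${1:-pki-scep.symauth.com:443}
    out=$(openssl s_client -showcerts -connect "$target" </dev/null 2>&1)
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo "OK: chain for $target verified against the OpenSSL trust store"
        return 0
    fi
    # Surface the verification lines (e.g. "unable to get local issuer certificate").
    printf '%s\n' "$out" | grep -E 'Verif|error' | head -n 3
    return 1
}

# Stand-alone usage with a placeholder JRE path; point it at the lib/security
# directory of the JRE your Enforce install actually uses:
# check_cacerts /opt/PLACEHOLDER-jre/lib/security/cacerts && probe_gateway
```

One caveat when reading the results together: openssl s_client verifies against OpenSSL's own trust store (its default CApath/CAfile), not against the JVM's cacerts, so the probe confirms that the gateway is reachable and presents a well-formed chain, while the keytool check is the one that inspects the file Tomcat actually consults. If the probe verifies but keytool lists no entries, the cacerts file itself is the problem; restore it from a matching-version copy as described above.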

Additional Information

Additional information about replacing the cacerts file is in the KB article "DLP upgrade overwrites the CACERTS keystore causing the secure LDAP connection to break" (broadcom.com).