
Symantec Data Loss Prevention 15.x: ICT classification taxonomy synchronization failure


Article ID: 173511


Products

Data Loss Prevention Enforce

Issue/Introduction

In Data Loss Prevention 15.x, when you attempt to import the Information Centric Tagging 15.x classification taxonomy into the Enforce Server database, the import fails with the message "Failed to synchronize the ICT classification taxonomy."

The import is initiated from the Enforce Server administration console System > Settings > Information Centric Tagging page.

Cause

The ICT classification taxonomy import can fail if any of these prerequisites are not in place:

  • For the ICT setup, association of a user account with the appropriate Active Directory ICT User Groups. This association provides the user with access privileges to the necessary ICT Administration Webservice methods.
  • For the DLP configuration, specification of a privileged user when defining credentials for the ICT server. To identify user access failure, see "User access failure log entries" at the end of this article.
  • For the Windows configuration, on the DLP Enforce Server, creation of an entry in the Hosts file for the ICT server.

Resolution

Below are the specifics for implementing the prerequisites.

Configuring ICT for synchronizing the classification taxonomy with Data Loss Prevention

To create a user account that has access to the necessary ICT Administration Webservice methods:

  1. Create Active Directory User Groups within an ICT Organizational Unit (OU) for ICT_CLASSIFICATIONS, ICT_ROLES, and ICT_RULES.
  2. Add one or more domain users who require access privileges to the appropriate groups. A user could be the Data Loss Prevention administrator.

Reference: Information Centric Tagging Deployment Guide

  • Chapter 3: Pre-Installation tasks, "Creating AD users, groups, and Organizational Units"
  • Chapter 5: Installing and configuring the ICT Administration Web Service, "Authentication requirements"

Configuring DLP for synchronizing the ICT classification taxonomy

To identify the user who has ICT access:

  • In the Enforce Server administration console, on the System > Settings > Credentials page, in the Access Username field, enter a privileged user name as "<domain_name>\<username>" in the NT4 format. Make sure the username is a Windows domain user account.

Reference: Data Loss Prevention 15.x Administration Guide

  • Chapter 7, Managing stored credentials, "Adding new credentials to the credential store"

Configuring Windows on the Enforce Server to recognize the ICT server

To identify the ICT server, on the DLP Enforce Server:

  1. Navigate to %systemdrive%\Windows\System32\drivers\etc\.
  2. Edit the Windows Hosts file to map the ICT server IP address to its host name, one entry per line in tab-separated format: <IP>   <FQDN of ICT server>
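The following PowerShell function is an added example, not part of this article or of the Symantec product, that checks the ICT, DLP and Windows prerequisites above from the Enforce Server before an import is attempted: that the credential is in NT4 "<domain>\<user>" format, that the user is a member of the three ICT Active Directory groups, that the Hosts file carries the tab-separated entry for the ICT server, and that the FQDN then resolves to the expected address. The function name, parameter names, the sample account and host values, and the port 80 reachability check (the port seen in the IIS log entry at the end of this article) are assumptions; the group membership check needs the RSAT ActiveDirectory module, and writing the Hosts file needs an elevated session.

```powershell
# Added example, not from the Symantec article. Names, parameters and sample
# values are assumptions; paths follow the article.
function Test-IctImportPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$IctUser,        # NT4 format, e.g. ACME\dlpadmin (constructed)
        [Parameter(Mandatory)][string]$IctServerFqdn,  # e.g. ict01.acme.example (constructed)
        [Parameter(Mandatory)][string]$IctServerIp,    # e.g. 192.168.127.40 (constructed)
        [int]$IctServerPort = 80,                      # assumed from the IIS log entry in the article
        [switch]$AddHostsEntry                         # append the hosts line if it is missing
    )

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result($check, $ok, $detail) {
        $results.Add([pscustomobject]@{ Check = $check; Pass = [bool]$ok; Detail = $detail })
    }

    # 1. DLP side: the stored credential must be a domain user in "<domain>\<user>" (NT4) form.
    $nt4 = $IctUser -match '^(?<domain>[^\\@/]+)\\(?<sam>[^\\@/]+)$'
    $sam = if ($nt4) { $Matches.sam } else { $IctUser }
    Add-Result 'Credential in NT4 DOMAIN\user format' $nt4 $IctUser

    # 2. ICT side: the user must belong to each ICT AD group (directly or via nesting).
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory -ErrorAction Stop
        foreach ($group in 'ICT_CLASSIFICATIONS', 'ICT_ROLES', 'ICT_RULES') {
            try {
                $member = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                          Where-Object { $_.SamAccountName -eq $sam }
                Add-Result "Member of $group" ($null -ne $member) $sam
            } catch {
                Add-Result "Member of $group" $false "group lookup failed: $($_.Exception.Message)"
            }
        }
    } else {
        Add-Result 'AD group membership' $false 'ActiveDirectory module not installed; check on a domain controller'
    }

    # 3. Windows side: "<IP><TAB><FQDN>" entry in the Hosts file on the Enforce Server.
    $hostsPath = Join-Path $env:SystemDrive 'Windows\System32\drivers\etc\hosts'
    $pattern   = '^\s*' + [regex]::Escape($IctServerIp) + '\s+' + [regex]::Escape($IctServerFqdn) + '(\s|$)'
    $present   = [bool]((Get-Content -Path $hostsPath) -match $pattern)   # commented-out lines do not match
    if (-not $present -and $AddHostsEntry) {
        Add-Content -Path $hostsPath -Value "$IctServerIp`t$IctServerFqdn" -Encoding ASCII
        Clear-DnsClientCache
        $present = $true
    }
    Add-Result 'Hosts entry for ICT server' $present $hostsPath

    # Resolution as the Enforce process will see it: GetHostAddresses honours the Hosts file.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($IctServerFqdn) | ForEach-Object IPAddressToString
        Add-Result 'FQDN resolves to expected IP' ($addrs -contains $IctServerIp) ($addrs -join ', ')
    } catch {
        Add-Result 'FQDN resolves to expected IP' $false $_.Exception.Message
    }

    # Reachability of the ICT Web Service port (assumed 80; adjust to the configured URL).
    $tcp = Test-NetConnection -ComputerName $IctServerFqdn -Port $IctServerPort -WarningAction SilentlyContinue
    Add-Result "TCP $IctServerPort reachable on ICT server" $tcp.TcpTestSucceeded $tcp.RemoteAddress

    $results
}

# Constructed sample values; replace with the real privileged user and ICT server.
Test-IctImportPrerequisites -IctUser 'ACME\dlpadmin' -IctServerFqdn 'ict01.acme.example' `
    -IctServerIp '192.168.127.40' -AddHostsEntry | Format-Table -AutoSize
```

Any row with Pass set to False points at the prerequisite that will make the import fail with the synchronization error; the group membership rows correspond to the "Current user is not authorized" failure described under "User access failure log entries" below.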

Importing the ICT taxonomy

When the ICT, DLP, and Windows prerequisites are in place, to import the ICT taxonomy:

  1. On the Enforce Server administration console, navigate to the System > Settings > Information Centric Tagging page.
  2. In the Server Credential field, select the ICT server credential you just created from the drop-down menu. The credential name represents the login and password to the ICT server for the privileged user.
  3. In the ICT Web Service URL field, enter the ICT Web Service URL.
  4. Establish a daily import schedule or do an immediate synchronization.

Reference: Data Loss Prevention 15.x Administration Guide

  • Chapter 11: Working with Symantec Information Centric Tagging, "Integrating the ICT server with the Enforce Server," "Using the ICT Web Service for scheduled classification taxonomy imports," and "Importing the ICT classification taxonomy."

User access failure log entries

If an ICT classification taxonomy import fails because of issues with the user account, you may see the following two error messages, one in DLP and one in ICT.

  • In DLP:
    In the tomcat log on the Enforce Server, in the directory
    %systemdrive%\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.[n]\logs\tomcat:
    23 Nov 2018 09:06:48,334- Thread: 122 SEVERE
    [com.symantec.dlp.ictconnector.ClassificationOperations] ICT classification taxonomy retrieval failed: Current user is not authorized to perform this operation.
  • In ICT (unless logging is turned off):
    The IIS logs on the ICT server may list user details for the attempted access of /ICT/Admin-Webservice/Classifications.asmx. For example, the log entry in the directory
    %systemdrive%\inetpub\logs\LogFiles\ would be similar to this:
    2018-11-23 17:23:12 192.168.127.40 POST /ICT/Admin-Webservice/Classifications.asmx - 80 ACME\protect 192.168.127.10 Metro/2.2+ (branches/2.2-7015;+2012-02-20T20:31:25+0000) +JAXWS-RI/2.2.6+JAXWS/2.2+svn-revision#unknown - 200 0 0 225

    In this example, "ACME\protect" is the name of the unauthorized user, who requires ICT access permission.
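As an added example (not part of this article), the PowerShell function below pulls the two entries described above out of copies of the Enforce tomcat log and the ICT server IIS log, so that the unauthorized account can be identified without reading the logs by hand. The function name is an assumption; the sample log lines are constructed to match the formats shown in the article, with the IIS W3C field order taken from the log's own #Fields header rather than assumed.

```powershell
# Added example, not from the Symantec article. The function name is an
# assumption; the sample lines are constructed to mirror the article's entries.
function Get-IctAuthFailure {
    param(
        [string[]]$TomcatLines,   # from %systemdrive%\ProgramData\...\EnforceServer\15.[n]\logs\tomcat\ (Enforce Server)
        [string[]]$IisLines       # from %systemdrive%\inetpub\logs\LogFiles\W3SVC*\ (ICT server)
    )

    # DLP side: the SEVERE entry from the ICT connector. The log writes the
    # thread line and the class/message on separate lines, so match across them.
    $text = $TomcatLines -join "`n"
    $pattern = '(?<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3})- Thread: \d+ SEVERE\s+' +
               '\[com\.symantec\.dlp\.ictconnector\.ClassificationOperations\]\s+' +
               'ICT classification taxonomy retrieval failed: (?<msg>[^\r\n]+)'
    $dlpFailures = foreach ($m in [regex]::Matches($text, $pattern)) {
        [pscustomobject]@{ Source = 'DLP tomcat'; Timestamp = $m.Groups['ts'].Value
                           User = $null; ClientIp = $null; Detail = $m.Groups['msg'].Value }
    }

    # ICT side: W3C extended log. Column names come from the #Fields header, so
    # a customised IIS logging field set still parses correctly.
    $fields = $null
    $ictHits = foreach ($line in $IisLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }        # skip truncated or malformed lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # Only authenticated calls to the Classifications web service are of interest.
        if ($row['cs-uri-stem'] -like '*/Admin-Webservice/Classifications.asmx' -and $row['cs-username'] -ne '-') {
            [pscustomobject]@{ Source = 'ICT IIS'; Timestamp = "$($row['date']) $($row['time']) UTC"   # IIS logs in UTC
                               User = $row['cs-username']; ClientIp = $row['c-ip']
                               Detail = "$($row['cs-method']) status $($row['sc-status'])" }
        }
    }
    @($dlpFailures) + @($ictHits)
}

# Constructed sample input mirroring the article's two entries (UA spaces are '+' in W3C logs).
$sampleTomcat = @(
    '23 Nov 2018 09:06:48,334- Thread: 122 SEVERE',
    '[com.symantec.dlp.ictconnector.ClassificationOperations] ICT classification taxonomy retrieval failed: Current user is not authorized to perform this operation.'
)
$sampleIis = @(
    '#Software: Microsoft Internet Information Services 8.5',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2018-11-23 17:23:12 192.168.127.40 POST /ICT/Admin-Webservice/Classifications.asmx - 80 ACME\protect 192.168.127.10 Metro/2.2+(branches/2.2-7015;+2012-02-20T20:31:25+0000)+JAXWS-RI/2.2.6+JAXWS/2.2+svn-revision#unknown - 200 0 0 225',
    '2018-11-23 17:23:20 192.168.127.40 GET /ICT/Admin-Webservice/Classifications.asmx WSDL 80 - 192.168.127.10 Mozilla/5.0 - 200 0 0 3'
)
Get-IctAuthFailure -TomcatLines $sampleTomcat -IisLines $sampleIis | Format-Table -AutoSize
```

With the constructed input the output lists the DLP-side failure and one IIS row whose User column reads ACME\protect from client 192.168.127.10; that account is the one to add to the ICT Active Directory groups. Note that the IIS status is 200 even though the call was rejected, because the authorization failure is returned inside the SOAP response rather than as an HTTP error, so filtering IIS logs on status codes alone will not find these events.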