search cancel

FIPS 140-2 does not work with SICAP

book

Article ID: 189612

calendar_today

Updated On:

Products

Data Loss Prevention Data Loss Prevention Enforce Data Loss Prevention Enterprise Suite Data Loss Prevention Network Monitor Data Loss Prevention Network Monitor and Prevent for Email and Web Data Loss Prevention Network Monitor and Prevent for Web Data Loss Prevention Network Prevent for Web Data Loss Prevention Network Prevent for Web Hardware Appliance Data Loss Prevention Network Prevent for Web Virtual Appliance Data Loss Prevention Network Protect Data Loss Prevention Plus Suite Data Loss Prevention Core Package

Issue/Introduction

In Data Loss Prevention Web Prevent, new integrated Secure ICAP feature does not work in FIPS 140-2 mode. Secure ICAP connection cannot be established.

Cause

This issue may arise due to a bug in FIPS 140-2 validated cryptographic library, causing the TLS handshake to fail. FileReader log file (FileReaderX.log, X is sequentially increasing starting 0) may have either following entry: 

WARNING: On ICAP connection ID=1 SSL error: Received fatal alert: internal_error. Closing this connection. 
Or  
SEVERE: Failed to check the status of the inductor.javax.net.ssl.SSLException: Connection has been shutdown:javax.net.ssl.SSLHandshakeException: Unsupported curveId: 65535

Environment

Data Loss Prevention versions 15.1+

Resolution

Disable Elliptic-Curve cryptography, by including it in the list of disabled algorithms (jdk.tls.disabledAlgorithms property) of java.security configuration file. Follow these steps:

  1. Edit <<DLP_INSTALL_DIR>>/Server JRE/<<JRE_VERSION>>/lib/security/java.security (this is the system-wide JRE security configuration file)
  2. Search for jdk.tls.disabledAlgorithms. It should look like:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40

  1. Change the property to:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC, DES40_CBC, RC4_40

  1. Restart FileReader. It should now come up fine without any errors.

 

DLP_INSTALL_DIR is the home directory of DLP installation, typically “C:\Program Files\Symantec\Data Loss Prevention” for Windows installations, and “/opt/Symantec/DataLossPrevention” for Linux installations.

JRE_VERSION would typically be the version of JRE bundled with the product, for example 1.8.0_162.