FIPS 140-2 does not work with SICAP


Article ID: 189612



Products: Data Loss Prevention, Data Loss Prevention Enforce, Data Loss Prevention Enterprise Suite, Data Loss Prevention Network Monitor, Data Loss Prevention Network Monitor and Prevent for Email and Web, Data Loss Prevention Network Monitor and Prevent for Web, Data Loss Prevention Network Prevent for Web Virtual Appliance, Data Loss Prevention Network Protect, Data Loss Prevention Plus Suite, Data Loss Prevention Core Package


In Data Loss Prevention Web Prevent, the new integrated Secure ICAP feature does not work in FIPS 140-2 mode: a Secure ICAP connection cannot be established.


Data Loss Prevention versions 15.1+


This issue may arise due to a bug in the FIPS 140-2 validated cryptographic library, which causes the TLS handshake to fail. The FileReader log file (FileReaderX.log, where X is a sequentially increasing number starting at 0) may contain either of the following entries:

WARNING: On ICAP connection ID=1 SSL error: Received fatal alert: internal_error. Closing this connection. 


SEVERE: Failed to check the status of the Connection has been Unsupported curveId: 65535
If this is the first time the detection server has been added to the Enforce console, the SymantecDLPDetectionServer service may not start, and SymantecDLPDetectionServer.log may show the following error:
WrapperSimpleApp Error: java.lang.ExceptionInInitializerError
WrapperSimpleApp Error: java.lang.ExceptionInInitializerError
WrapperSimpleApp Error: Caused by: java.util.NoSuchElementException
WrapperSimpleApp Error:      at java.util.StringTokenizer.nextToken(
WrapperSimpleApp Error:      at$Constraints.<init>(
WrapperSimpleApp Error:      at<init>(
WrapperSimpleApp Error:      at<clinit>(


Disable Elliptic-Curve cryptography by adding it to the list of disabled algorithms (the jdk.tls.disabledAlgorithms property) in the JRE security configuration file. Follow these steps:

  1. Edit <<DLP_INSTALL_DIR>>/Server JRE/<<JRE_VERSION>>/lib/security/ (this is the system-wide JRE security configuration file)
  2. Search for jdk.tls.disabledAlgorithms. It should look like:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40

  3. Change the property to:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC, DES40_CBC, RC4_40

  4. Restart FileReader. It should now start without any errors.
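The distinction the steps above rely on is that the stock entry "EC keySize < 224" only rejects weak EC keys, while a bare "EC" entry disables the algorithm family entirely. The following added example (not part of the article or the product) reads the property from java.security-style text, folds its backslash continuation lines, reports whether EC is fully disabled, and rewrites the property as described. The file fragment, the PROPERTY constant and the function names are constructed for the example.

```python
import re

# Constructed sample of the relevant java.security fragment, as quoted in
# the article: the stock value only disables weak EC keys, not EC as a whole.
SAMPLE_BEFORE = """\
# constructed sample, not a complete java.security file
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, DES40_CBC, RC4_40
"""

PROPERTY = "jdk.tls.disabledAlgorithms"


def read_security_property(text, name):
    """Return a property value from java.security text, folding '\\'-continued lines."""
    logical = re.sub(r"\\\r?\n[ \t]*", "", text)  # join continuation lines
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None


def disabled_entries(value):
    return [e.strip() for e in value.split(",") if e.strip()]


def ec_fully_disabled(value):
    """True only for a bare 'EC' entry; 'EC keySize < 224' does not disable EC."""
    return "EC" in disabled_entries(value)


def disable_ec(value):
    """Replace any 'EC keySize < N' constraint with a bare 'EC' entry, or append one."""
    out, done = [], False
    for e in disabled_entries(value):
        if e == "EC" or e.startswith("EC "):
            if not done:
                out.append("EC")
                done = True
        else:
            out.append(e)
    if not done:
        out.append("EC")
    return ", ".join(out)


def set_security_property(text, name, new_value):
    """Rewrite the property and its continuation lines as one line holding new_value."""
    pattern = re.compile(
        r"^([ \t]*" + re.escape(name) + r"[ \t]*=)(?:[^\\\n]*\\\r?\n)*[^\n]*$", re.M)
    return pattern.sub(lambda m: m.group(1) + new_value, text, count=1)


if __name__ == "__main__":
    before = read_security_property(SAMPLE_BEFORE, PROPERTY)
    print("EC fully disabled before:", ec_fully_disabled(before))  # False
    print(set_security_property(SAMPLE_BEFORE, PROPERTY, disable_ec(before)))
```

Disabling EC as a whole removes every ECDHE and ECDSA cipher suite from the JVM, so the ICAP peer must accept the remaining RSA or DHE suites.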


DLP_INSTALL_DIR is the home directory of the DLP installation, typically “C:\Program Files\Symantec\Data Loss Prevention” on Windows and “/opt/Symantec/DataLossPrevention” on Linux.

JRE_VERSION is typically the version of the JRE bundled with the product, for example 1.8.0_162.