Following the update to Messaging Gateway 10.7.4, Directory Integration with Microsoft Active Directory fails if it is configured to use TLS-secured LDAP (LDAPS). Depending on which directory-dependent features are enabled (Recipient Validation, LDAP-based policy groups, Control Center authentication, etc.), this can significantly impact SMG's ability to accept and scan email.
Error
[LoggingDDS] ERROR - 800402
com.symantec.sms.dds.api.exception.DataAccessSearchFailureException: Permanent failure while attempting to search data source: AD: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384
Caused by: org.springframework.ldap.CommunicationException: ad.server:636; nested exception is javax.naming.CommunicationException: ad.server:636 [Root exception is java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384]
Release : 10.7.4
Component : Directory Integration / LDAPS
This issue is currently under investigation and may be the result of running SMG in FIPS mode, which restricts the cipher suites available for LDAPS connections. To confirm whether SMG is running in FIPS mode, run the following command from the admin command line interface (CLI):
smg [10.7.4-13]> fipsmode status
FIPS mode
If the system is running in FIPS mode and disabling FIPS mode is an option for your deployment, doing so may resolve the LDAPS connection failure. To disable FIPS mode, run the following command from the admin CLI:
smg [10.7.4-13]> fipsmode off
After changing FIPS mode, the host will reboot
Are you sure you wish to proceed? [N/y]: y
Rebuilding initrd. Please wait.
non-FIPS mode set.
Please wait for reboot
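Before changing FIPS mode it helps to confirm the failure from the SMG log and to see what the directory server itself negotiates on port 636. The Python script below is an added example, not part of this article or of SMG: it extracts the rejected cipher suite and the LDAP host:port from log lines modelled on the error quoted above, and can optionally probe the server with a diagnostic TLS handshake (assumes the host name ad.server is reachable; the cipher Python's OpenSSL negotiates may differ from what SMG's Java stack in FIPS mode would accept).

```python
import re
import socket
import ssl

# Constructed sample log text, modelled on the error quoted in this article.
SAMPLE_LOG = """\
[LoggingDDS] ERROR - 800402
com.symantec.sms.dds.api.exception.DataAccessSearchFailureException: Permanent failure while attempting to search data source: AD: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384
Caused by: org.springframework.ldap.CommunicationException: ad.server:636; nested exception is javax.naming.CommunicationException: ad.server:636 [Root exception is java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_DH_DSS_WITH_AES_256_GCM_SHA384]
[LoggingDDS] INFO - search completed
"""

SUITE_RE = re.compile(r"Unsupported ciphersuite (TLS_[A-Z0-9_]+)")
HOST_RE = re.compile(r"CommunicationException: ([\w.-]+):(\d+)")


def find_ldaps_cipher_failures(log_text):
    """Return unique (host, port, suite) tuples for every line that names both
    the LDAP server and the cipher suite the SMG TLS stack rejected."""
    found = []
    for line in log_text.splitlines():
        suite = SUITE_RE.search(line)
        host = HOST_RE.search(line)
        if suite and host:
            entry = (host.group(1), int(host.group(2)), suite.group(1))
            if entry not in found:
                found.append(entry)
    return found


def key_exchange(suite):
    """Key-exchange/authentication part of an IANA suite name, e.g. 'DH_DSS'."""
    return suite.removeprefix("TLS_").split("_WITH_")[0]


def probe_ldaps(host, port=636, timeout=5.0):
    """Diagnostic handshake only: report (protocol, cipher) the server negotiates.
    Certificate checks are disabled because we only want the cipher name, so
    never reuse this context for a real LDAP bind."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for host, port, suite in find_ldaps_cipher_failures(SAMPLE_LOG):
        print(f"{host}:{port} rejected {suite} (key exchange {key_exchange(suite)})")
        try:
            print("server negotiated:", probe_ldaps(host, port))
        except OSError as exc:
            print("probe failed:", exc)
```

Run it against the real BrightmailLog output to see which server and suite are involved before deciding whether to change FIPS mode.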
Workaround
If Active Directory has not been updated to require TLS-secured LDAP, this issue may be temporarily resolved by switching to unencrypted LDAP: