After upgrade to DLP 15.8, SSL Directory Connection test fails and LDAP sync is non-functional

Article ID: 217092


Products

Data Loss Prevention Enforce

Issue/Introduction

After an upgrade to DLP 15.8 where the Directory Connection is configured with "Use Secure Connection (SSL)", the Directory Connection fails to index. The "Test Connection" button fails with a generic credential error.

Environment

Release : 15.8

Component : Enforce

Cause

Certificate handshake fails.  In localhost logs during a Test Connection, the following is observed:

Date: 6/1/2021 12:00:00 AM

Thread: 104

Level: SEVERE

Source: com.vontu.enforce.domainlayer.datauser.source.DataUserSyncTask

Message: User Synchronization failed:

Cause:

org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException:accd:636 nested exception is javax.naming.CommunicationException: addc:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]org.springframework.transaction.CannotCreateTransactionException: Could not create DirContext instance for transaction; nested exception is org.springframework.ldap.CommunicationException: addc:636; nested exception is javax.naming.CommunicationException: addc:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Resolution

Post-upgrade to 15.8, the Domain Controller certificate chain needs to be re-imported into the OpenJRE cacerts keystore under ./lib/security, because the JVM only trusts the chain once it is present there. The steps below show how.

 

Importing an SSL certificate to Enforce or Discover

Step 1: Copy the certificate file you want to import to the Enforce Server or Discover Server computer.

Step 2: Change directory to the OpenJRE installation folder; for example, the recommended installation path is "C:\Program Files\AdoptOpenJRE\jdk8u-jre".

Step 3: Execute the keytool utility with the -importcert option to import the public key certificate into the Enforce Server or Discover Server keystore:

keytool -importcert -alias new_endpointgroup_alias -keystore ..\lib\security\cacerts -file my-domaincontroller.crt

In this example command, new_endpointgroup_alias is a new alias to assign to the imported certificate and my-domaincontroller.crt is the path to your certificate.

Note:
keytool.exe is located in the "C:\Program Files\AdoptOpenJRE\jdk8u-jre\bin" directory.
The cacerts keystore is located in the "C:\Program Files\AdoptOpenJRE\jdk8u-jre\lib\security\" directory.
The relative path ..\lib\security\cacerts in the command above resolves correctly when keytool is run from that bin directory.

Step 4: When you are prompted, enter the password for the keystore. By default, the password is "changeit". You can change the password at this point if you want to.

To change the password, use: keytool -storepasswd -keystore ..\lib\security\cacerts

Step 5: Answer Yes when you are asked if you trust this certificate.

Step 6: Restart the Enforce Server or Discover Server services.
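The import steps above as one non-interactive PowerShell script with a keystore backup and a post-import verification, added here as an example and not part of the article or the product. It assumes the article's OpenJRE path and alias, the default keystore password, and a certificate exported to C:\temp\my-domaincontroller.crt (assumed path).

```powershell
# Assumed values: the OpenJRE path and alias from the article, a constructed certificate path.
$JreHome   = 'C:\Program Files\AdoptOpenJRE\jdk8u-jre'
$Keytool   = Join-Path $JreHome 'bin\keytool.exe'
$Cacerts   = Join-Path $JreHome 'lib\security\cacerts'
$CertFile  = 'C:\temp\my-domaincontroller.crt'   # assumed: DC / issuing CA certificate exported to disk
$Alias     = 'new_endpointgroup_alias'
$StorePass = 'changeit'                           # default cacerts password; replace if it was changed

if (-not (Test-Path $CertFile)) { throw "Certificate file not found: $CertFile" }

# 1. Back up cacerts before modifying it, so the change can be rolled back.
Copy-Item $Cacerts "$Cacerts.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# 2. keytool -list exits non-zero when the alias is absent; use that to make the import idempotent.
& $Keytool -list -keystore $Cacerts -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Alias '$Alias' already present in cacerts; nothing to import."
} else {
    # 3. -noprompt answers the "Trust this certificate?" question (article step 5) with yes.
    & $Keytool -importcert -noprompt -trustcacerts -alias $Alias -keystore $Cacerts `
        -storepass $StorePass -file $CertFile
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
}

# 4. Verify the entry and record subject, issuer, validity and fingerprint for the change log.
& $Keytool -list -v -keystore $Cacerts -storepass $StorePass -alias $Alias |
    Select-String -Pattern 'Owner:|Issuer:|Valid from|SHA256:'

# 5. The JVM reads cacerts at startup: restart the Enforce/Discover services (article step 6)
#    before re-running Test Connection. Service names vary by release, so that is left manual.
Write-Host 'Import verified. Restart the Enforce or Discover services, then re-test the Directory Connection.'
```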