ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

User data import from AD Logins Data Source failing with SSL handshake exception

book

Article ID: 226337

calendar_today

Updated On:

Products

Data Loss Prevention

Issue/Introduction

The user data import sync job starts to fail if the directory connection is configured to use a secure connection on port 636. The directory connection test is successful however the related data source for the AD logins sync is failing.

Below errors are seen in the localhost logs on the Enforce:


18 Jul 2021 07:00:05,719- Thread: 177 SEVERE [com.vontu.enforce.domainlayer.datauser.source.DataUserSyncTask] User Synchronization failed:
Cause: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: DomainDnsZones.abc.corp:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching DomainDnsZones.abc.corp found.]]org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: DomainDnsZones.abc.corp:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching DomainDnsZones.abc.corp found.]]

Cause

Certificates did not include the CN or SAN for which the LDAP certificate authentication fails.

Resolution

Following workaround can be applied to disable the Host Name verification (not recommended). We encourage to update the Host Name verification and recommend to update the certificate. 

  1. Stop the Symantec DLP Manager Service. 
  2. In SymantecDLPManager.conf under Services folder, uncomment the following lines (to uncomment remove # )
    # wrapper.java.additional.30 = -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  3. The uncommented line should like below
    wrapper.java.additional.30 = -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  4. Save the file.
  5. Restart the Symantec DLP Manager Service.