Error: "javax.net.ssl.SSLHandshakeException: General SSLEngine problem" seen in the Aggregator logs on an Endpoint Server.

Article ID: 233352

Products

Data Loss Prevention Enterprise Suite, Data Loss Prevention, Data Loss Prevention Core Package

Issue/Introduction

The "DLP Root Certification Authority" certificate has expired, or otherwise needs to be renewed.

In this particular scenario we were seeing the following errors appear in the Aggregator log:

WARNING: 
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1566)
 at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:545)
 at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:819)
 at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:783)
 at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626)
 at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1285)
 at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:917)
 at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
 at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:310)
 at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
 at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
 at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
 at org.jboss.netty.channel.SimpleChannelHandler.messageReceived(SimpleChannelHandler.java:142)
 at com.symantec.dlp.communications.transportlayer.impl.NettyChannelEventCaptureConnectionHandler.messageReceived(NettyChannelEventCaptureConnectionHandler.java:57)
 at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
 at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
 at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
 at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
 at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
 at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
 at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
 at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318)
 at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
 at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
 at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
 at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
 at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1729)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:333)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
 at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:2055)
 at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:1015)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:1012)
 at java.security.AccessController.doPrivileged(Native Method)
 at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1504)
 at org.jboss.netty.handler.ssl.ImmediateExecutor.execute(ImmediateExecutor.java:31)
 at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1453)
 at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1326)
 ... 23 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=DLP Root Certification Authority" is not a CA certificate
 at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:380)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:273)
 at sun.security.validator.Validator.validate(Validator.java:262)
 at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:235)
 at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:107)
 at com.symantec.dlp.communications.transportlayer.impl.CustomSslTrustManager.checkClientTrusted(CustomSslTrustManager.java:94)
 at sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:1106)
 at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:2042)
 ... 32 more
Caused by: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=DLP Root Certification Authority" is not a CA certificate
 at sun.security.validator.PKIXValidator.verifyTrustAnchor(PKIXValidator.java:404)
 at sun.security.validator.PKIXValidator.toArray(PKIXValidator.java:344)
 at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:377)
 ... 40 more

Please assist

Environment

Impacts Endpoint Servers/Agents and Discover Servers

Cause

There appears to be a problem with the root certificate used to sign all the agent certificates. This is the "DLP Root Certification Authority" certificate that exists inside the "certificate_authority_v1.jks" keystore. The PKIX error in the log ("TrustAnchor with subject "CN=DLP Root Certification Authority" is not a CA certificate") is raised while the Endpoint Server validates the agent's client certificate against that root, so every agent connection fails the handshake until the root is renewed.

Resolution

How to Locate the DLP Root CA Certificate:

  1. Log into the Enforce Console
  2. System > Settings > General
  3. Scroll down to the "Endpoint and Network Discover Communications Settings"
  4. Here you will see a keystore name listed; this is the keystore that contains your DLP Root Certification Authority.
  5. Default Keystore Location and Name
    • C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore\certificate_authority_v1.jks
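Added example, not part of this article or of the DLP product: a small Java program that opens the keystore located above and reports the two properties the Aggregator's PKIX validation depends on, the validity window and the CA flag in BasicConstraints. The keystore path is a placeholder; the JKS store is loaded without a password because only the public certificate is read.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class CheckDlpRootCa {
    // Placeholder: point this at the keystore named under
    // "Endpoint and Network Discover Communications Settings" in the Enforce Console.
    private static final String KEYSTORE_PATH = "certificate_authority_v1.jks";

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            // A null password skips the JKS integrity check; certificates are still readable.
            ks.load(in, null);
        }
        boolean usable = true;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            System.out.println("alias=" + alias + " subject=" + x.getSubjectX500Principal().getName());
            // Validity window: an expired root fails the PKIX check on the next agent handshake.
            try {
                x.checkValidity();
                System.out.println("  validity: OK, expires " + x.getNotAfter());
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                System.out.println("  validity: FAILED (" + e.getMessage() + ")");
                usable = false;
            }
            // BasicConstraints: -1 means the certificate is not marked as a CA, which is
            // what the "TrustAnchor ... is not a CA certificate" message in the log reports.
            int pathLen = x.getBasicConstraints();
            System.out.println("  basicConstraints CA: " + (pathLen >= 0));
            if (pathLen < 0) usable = false;
            // If a KeyUsage extension is present, keyCertSign (index 5) must be set for a CA.
            boolean[] ku = x.getKeyUsage();
            if (ku != null && !ku[5]) {
                System.out.println("  keyUsage: keyCertSign missing");
                usable = false;
            }
        }
        System.out.println(usable ? "root CA usable" : "root CA needs renewal (see Resolution)");
    }
}
```

`keytool -list -v -keystore certificate_authority_v1.jks` prints the same "Valid from/until" and BasicConstraints fields if you prefer not to compile anything.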

How to update your DLP Root Certification Authority:

  1. Rename or remove the old "certificate_authority_v1.jks"
  2. Restart the DLP Services
  3. When the services come back online, they automatically recreate the missing certificate for you.
  4. You should now see that a "certificate_authority_v2.jks" has been created.

It is important to note that after this keystore has been recreated, you will need to create a new agent package to get the updated certificates, and you will then need to uninstall and reinstall all agents; a simple upgrade will not replace the certificates.