Unable to login to Enforce console after enabling certificate revocation checks

Article ID: 240697

Products

Data Loss Prevention Enforce

Issue/Introduction

After enabling revocation checks with certificate authentication configured, the Enforce console login fails with the error below:

 

Issue happens with the Chrome and Edge browsers; haven't tested with Mozilla.
If we disable the revocation check with certificate authentication still enabled, Enforce console login works.

As per SymantecDLPManager.log, we see that an LDAP URL is used for the CRL fetch:

INFO | jvm 1 | | certpath: Trying to fetch CRL from DP ldap:///CN=ServerName-CA,CN=MachineName,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
INFO | jvm 1 | 2021/09/09 15:16:30 | certpath: LDAPCertStore.engineInit about to throw InvalidAlgorithmParameterException


Environment

DLP 15.8 and later

Cause

DLP does not support specifying the CRLDP using an LDAP URL.

Resolution

DLP retrieves revocation lists from a Certificate Revocation List Distribution Point (CRLDP). To check revocation using a CRLDP, the client certificate must include a CRL distribution point field.
Because the distribution point is embedded in the certificate itself, the CRLDP must be configured to use an HTTP URL instead of an LDAP URL.
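To confirm what a client certificate actually carries before (or after) changing the CA's CRLDP configuration, the CRL Distribution Points extension (RFC 5280 section 4.2.1.13) can be decoded and each URI's scheme inspected. The following is an added example, not Symantec/Broadcom code: it encodes a constructed CRLDP extension value in DER, parses it back with a minimal TLV walker, and separates HTTP distribution points (which DLP can fetch) from LDAP ones (which, per this article, it cannot). The LDAP URI is the one from the log above; the HTTP URI and the hostname pki.example.local are constructed placeholders.

```python
"""Decode a CRLDistributionPoints extension value and flag LDAP URIs.

Added example (not DLP product code). DER layout per RFC 5280:
  CRLDistributionPoints ::= SEQUENCE OF DistributionPoint
  DistributionPoint ::= SEQUENCE { distributionPoint [0] EXPLICIT DistributionPointName, ... }
  DistributionPointName ::= CHOICE { fullName [0] IMPLICIT GeneralNames, ... }
  GeneralName ::= CHOICE { ..., uniformResourceIdentifier [6] IMPLICIT IA5String, ... }
"""

# Constructed sample: the LDAP URI is the one from SymantecDLPManager.log, the
# HTTP URI is a placeholder for what the CA should publish instead.
SAMPLE_URIS = [
    "ldap:///CN=ServerName-CA,CN=MachineName,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=domain,DC=local"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "http://pki.example.local/CertEnroll/ServerName-CA.crl",  # constructed
]


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def encode_crldp(uris):
    """Build the DER value of CRLDistributionPoints, one DistributionPoint per URI."""
    dps = []
    for uri in uris:
        general_name = _tlv(0x86, uri.encode("ascii"))  # [6] IA5String, implicit
        full_name = _tlv(0xA0, general_name)            # [0] GeneralNames, implicit
        dp_name = _tlv(0xA0, full_name)                 # [0] DistributionPointName, explicit
        dps.append(_tlv(0x30, dp_name))                 # DistributionPoint SEQUENCE
    return _tlv(0x30, b"".join(dps))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        yield tag, content


def extract_crldp_uris(der):
    """Walk the extension and collect every fullName URI, in certificate order."""
    outer_tag, dps, _ = _read_tlv(der, 0)
    if outer_tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    uris = []
    for dp_tag, dp in _iter_tlvs(dps):
        if dp_tag != 0x30:
            raise ValueError("DistributionPoint must be a SEQUENCE")
        for field_tag, field in _iter_tlvs(dp):
            if field_tag != 0xA0:            # skip reasons [1] and cRLIssuer [2]
                continue
            for choice_tag, names in _iter_tlvs(field):
                if choice_tag != 0xA0:       # nameRelativeToCRLIssuer [1] carries no URI
                    continue
                for gn_tag, gn in _iter_tlvs(names):
                    if gn_tag == 0x86:       # uniformResourceIdentifier
                        uris.append(gn.decode("ascii"))
    return uris


def check_crldp(der):
    """Group distribution point URIs by scheme: 'http' (usable by DLP),
    'ldap' (unsupported per this article), 'other' (anything else)."""
    report = {"http": [], "ldap": [], "other": []}
    for uri in extract_crldp_uris(der):
        scheme = uri.split(":", 1)[0].lower()
        report[scheme if scheme in ("http", "ldap") else "other"].append(uri)
    return report


def has_http_crldp(der):
    """True when at least one distribution point is an HTTP URL."""
    return bool(check_crldp(der)["http"])


if __name__ == "__main__":
    sample = encode_crldp(SAMPLE_URIS)
    for kind, found in check_crldp(sample).items():
        for uri in found:
            print(f"{kind:5} {uri}")
    print("HTTP CRLDP present:", has_http_crldp(sample))
```

On a real certificate, the bytes fed to extract_crldp_uris are the OCTET STRING contents of the extension with OID 2.5.29.31; a certificate whose report shows LDAP entries and no HTTP entry is one the Enforce console will fail to revocation-check, and it must be reissued after the CA's CRLDP is switched to an HTTP URL.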

Additional Information

References:

Configuring certificate revocation checks:
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/15-8/working-with-general-settings-vont_0235-d297e6924/about-certificate-authentication-configuration-v54291812-d297e14012/about-certificate-revocation-checks-v54482910-d297e14610/configuring-certificate-revocation-checks-v54373866-d297e14659.html

About certificate revocation checks:
https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-1/managing-the-enforce-server/managing-roles-and-users/about-certificate-authentication-configuration/about-certificate-revocation-checks.html