Importing SSL certificates for Secure LDAP to Enforce with custom directory

Article ID: 262990

Updated On: 04-25-2024

Products

Data Loss Prevention, Data Loss Prevention Enforce, Data Loss Prevention Enterprise Suite

Issue/Introduction

SSL communication is enabled in the Directory Server Connection settings, and the previously configured certificates or certificate path no longer work.

You see the following error (or similar) in the tomcat localhost log:

File: Enforce\logs\tomcat\localhost.yyyy-mm-dd.log
Date: m/d/yyyy hh:mm:ss am/pm
Thread: nnn
Level: WARNING
Source: com.vontu.manager.admin.directoryconnection.DirectoryConnectionManager
Message: Test Directory Connection Failed: 
Cause:
org.springframework.ldap.CommunicationException: simple bind failed: AD_server_name:port; nested exception is javax.naming.CommunicationException: simple bind failed: AD_server_name:port [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

Environment

Release: 15.8.x

Cause

The Secure LDAP certificate in the Enforce keystore has expired and requires updating.

Resolution

  1. Copy the certificate file you want to import into the bin directory (where keytool.exe is located) of the ServerJRE that the Enforce Server uses. In this example the ServerJRE in use is:

    E:\SymantecDLP15.8\jdk8u262-b10-jre\bin

  2. Note the Enforce ServerJRE security directory, which holds the cacerts keystore:

    E:\SymantecDLP15.8\jdk8u262-b10-jre\lib\security

  3. Run the keytool utility with the -importcert option to import the public key certificate into the Enforce Server keystore. Because keytool is in the bin directory, open a command prompt and change to that directory so you are ready to run the command:

    E:\SymantecDLP15.8\jdk8u262-b10-jre\bin

  4. Enter command:

    keytool -importcert -alias "LDAP Name in DLP Enforce" -keystore ..\lib\security\cacerts -file "LDAP cert name"

    (If the LDAP connection name in Enforce contains spaces, replace them with underscores in the alias, e.g. Firstname_Lastname, to avoid an illegal character warning.)

  5. When you are prompted, enter the password for the keystore.
    By default, the password is:

    changeit

    You can change the password when prompted if you want to.

  6. Answer Yes when you are asked if you trust this certificate.
  7. Restart the DLP Enforce services in the correct order.
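The steps above as one PowerShell script, an added example that is not part of this article. It assumes the ServerJRE path from the article, a certificate file location and an alias supplied as parameters, and adds two checks the manual steps leave out: it refuses a certificate that is itself already expired, and it removes the old expired entry under the same alias first, since keytool refuses to import over an existing alias.

```powershell
# Added example, not from the article: replaces the Secure LDAP certificate in the
# Enforce ServerJRE cacerts keystore. Paths and the alias are assumptions; adjust them.
param(
    [string]$JreHome   = 'E:\SymantecDLP15.8\jdk8u262-b10-jre',  # ServerJRE path from the article
    [string]$CertFile  = 'C:\temp\ldap-server.cer',              # assumed location of the new public cert
    [string]$Alias     = 'Firstname_Lastname',                   # LDAP connection name, spaces replaced by _
    [string]$StorePass = 'changeit'                              # default cacerts password
)
$keytool  = Join-Path $JreHome 'bin\keytool.exe'
$keystore = Join-Path $JreHome 'lib\security\cacerts'

# 1. Inspect the certificate before trusting it: refuse one that is already expired, and
#    print the thumbprint so it can be compared with the value the directory team provided.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate '$($cert.Subject)' expired on $($cert.NotAfter); obtain a current one."
}
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Expires   : $($cert.NotAfter)"
Write-Host "SHA1 print: $($cert.Thumbprint)"

# 2. keytool refuses to import over an existing alias ("alias already exists"), which is
#    exactly the situation when the old, expired entry is still in cacerts: remove it first.
& $keytool -list -keystore $keystore -storepass $StorePass -alias $Alias *> $null
if ($LASTEXITCODE -eq 0) {
    Write-Host "Removing existing entry '$Alias'"
    & $keytool -delete -keystore $keystore -storepass $StorePass -alias $Alias
}

# 3. Import the new certificate as a trusted entry. -noprompt answers the
#    "Trust this certificate?" question; leave it out to answer interactively as in step 6.
& $keytool -importcert -noprompt -keystore $keystore -storepass $StorePass -alias $Alias -file $CertFile
if ($LASTEXITCODE -ne 0) { throw "keytool import failed (exit code $LASTEXITCODE)" }

# 4. Confirm the entry is present with the expected validity, then restart the Enforce
#    services in the documented order so Tomcat reloads the trust store.
& $keytool -list -v -keystore $keystore -storepass $StorePass -alias $Alias |
    Select-String 'Alias name|Entry type|Valid from'
```

Run it from an elevated prompt, because cacerts under the DLP install directory is normally writable only by administrators.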