Adding TrustStore to Enforce provokes an Internal Server Error



Article ID: 273437


Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

During an import of a custom TrustStore into Enforce, an Internal Server Error occurs.

This is what I am seeing in the relevant Tomcat localhost log:

18 Jul 2023 09:50:10,811- Thread: 119 SEVERE [com.symantec.dlp.enforcedomainservices.certificatemanagement.DLPCertificateManager] Failed to add DLP Root CA cert to truststore. Error:mark/reset not supported
18 Jul 2023 09:50:10,812- Thread: 119 SEVERE [com.symantec.dlp.enforcedomainwebapi.resources.certificatemanagement.CertificateManagementController] Failed to create  Certificate :
com.symantec.dlp.enforcedomainservices.certificatemanagement.DLPCertificateException: Failed to add DLP Root CA cert to truststore. Error:mark/reset not supported

Environment

Release: 16.0

Cause

This issue only affects imports of large trust stores containing many certificates. When a truststore file is imported, "ThresholdingOutputStream" selects the underlying stream type based on the file size: a small JKS file is read back through a "ByteArrayInputStream", while a larger one is read back through a "FileInputStream". After certificate validation, the code attempts a mark/reset on the stream, but "FileInputStream" does not support mark/reset, whereas "ByteArrayInputStream" does.
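The following is an added example, not Symantec/Broadcom code, that reproduces the failure mode described above in plain Java: a size threshold decides between an in-memory and a file-backed stream, the keystore is validated (which consumes the stream), and a reset() is then attempted. The helper names openByThreshold, validateThenRewind and rewindable are hypothetical stand-ins for the product's internal logic, and the sample input is a constructed empty JKS keystore written to a temporary file. The last case shows the usual defensive fix, wrapping the stream in a BufferedInputStream so mark/reset is available regardless of the underlying stream type.

```java
import java.io.*;
import java.nio.file.*;
import java.security.KeyStore;

/**
 * Added example (not product code): reproduces "mark/reset not supported" when a
 * file-backed stream is rewound after validation, and shows the buffered fix.
 */
public class TrustStoreStreamDemo {

    // Hypothetical stand-in for a size-threshold stream selector: payloads at or
    // under the threshold stay in memory, larger ones are read back from disk.
    static InputStream openByThreshold(Path file, long thresholdBytes) throws IOException {
        long size = Files.size(file);
        if (size <= thresholdBytes) {
            return new ByteArrayInputStream(Files.readAllBytes(file)); // markSupported() == true
        }
        return new FileInputStream(file.toFile());                      // markSupported() == false
    }

    // Validate the keystore, then rewind so a caller can consume the bytes again.
    // Returns the entry count, or throws IOException if the stream cannot be rewound.
    static int validateThenRewind(InputStream in, char[] password) throws Exception {
        in.mark(Integer.MAX_VALUE);            // silently a no-op on FileInputStream
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(in, password);                 // consumes the stream
        in.reset();                            // FileInputStream throws "mark/reset not supported"
        return ks.size();
    }

    // Hardened variant: BufferedInputStream guarantees mark/reset for any underlying
    // stream; the buffer grows up to the mark limit, so the whole file can be rewound.
    static InputStream rewindable(InputStream in, int initialCapacity) {
        return in.markSupported() ? in : new BufferedInputStream(in, initialCapacity);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();
        // Constructed sample input: an empty JKS keystore stored in a temp file.
        Path jks = Files.createTempFile("demo", ".jks");
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, pw);
        try (OutputStream out = Files.newOutputStream(jks)) {
            empty.store(out, pw);
        }
        long size = Files.size(jks);

        // Case 1: file is under the threshold -> ByteArrayInputStream, reset succeeds.
        try (InputStream in = openByThreshold(jks, size + 1)) {
            System.out.println("small path: entries=" + validateThenRewind(in, pw));
        }

        // Case 2: file is over the threshold -> FileInputStream, reset fails.
        try (InputStream in = openByThreshold(jks, size - 1)) {
            validateThenRewind(in, pw);
        } catch (IOException e) {
            System.out.println("large path: " + e.getMessage());
        }

        // Case 3: same large path, wrapped so mark/reset is always available.
        try (InputStream in = rewindable(openByThreshold(jks, size - 1), (int) size + 1)) {
            System.out.println("large path (buffered): entries=" + validateThenRewind(in, pw));
        }
        Files.delete(jks);
    }
}
```

Case 2 prints the same "mark/reset not supported" text that appears in the localhost log, which is the signature to look for when triaging this error; case 3 is the shape of fix a developer would apply so the behaviour no longer depends on which side of the size threshold an uploaded truststore falls.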

Resolution

This will be resolved in an upcoming product release and in a hotfix for DLP 16 RU1, which will be made available on the support.broadcom.com portal.