Error accessing REST API

Article ID: 278276

Products

Information Centric Analytics

Issue/Introduction

The following error message is displayed when testing the API connection to Symantec DLP Enforce in the New Configuration Wizard in the Information Centric Analytics (ICA) console:

Test Failure

Error accessing REST API

The underlying connection was closed. Could not establish trust relationship for the SSL/TLS secure channel.

Cause

This error can be caused by any of the following conditions:

  1. The SSL certificate on the Enforce server is invalid or expired
  2. The system time is incorrect on either the server hosting Internet Information Services (IIS) or the Enforce server
  3. The Security Protocol selected for the integration is incorrect (for example, Tls11 is selected when only Tls12 is supported by the Enforce server)
  4. There is a cipher suite mismatch between the server hosting IIS and the Enforce server

Resolution

The solution for this error will vary depending upon its underlying cause.

  1. The SSL certificate on the Enforce server is invalid or expired

    Ensure the security certificate includes the correct hostname or IP address matching the server details provided in the New Connection Wizard. Check the certificate's expiration date and replace the certificate if it has expired. For assistance, consult with your DLP administrator.

  2. The system time is incorrect on either the server hosting Internet Information Services (IIS) or the Enforce server

    Ensure the host operating system time is correct on both the IIS and Enforce servers. The time zones do not need to match, but the time must be correct for the time zone assigned to each server.

  3. The Security Protocol selected for the integration is incorrect (for example, Tls11 is selected when only Tls12 is supported by the Enforce server)

    Ensure the Security Protocol selected in the New Configuration Wizard is enabled on the Enforce server. If you are unsure or do not know which protocols are enabled, consult with your DLP administrator.

  4. There is a cipher suite mismatch between the server hosting IIS and the Enforce server

    Different Windows versions support different TLS cipher suites and their priority order. Consult with your DLP administrator to identify the cipher suites that are compatible with the ciphers enabled on the IIS server. To identify the ciphers enabled on the IIS server, open PowerShell and execute the following command:
    Get-TlsCipherSuite
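
To narrow down which of the four causes applies, the following PowerShell script performs the TLS handshake against the Enforce server with a chosen protocol and reports the certificate details and validation errors. It is an added example, not part of the original article or of the product; the host name `enforce.example.internal` and port 443 are placeholder assumptions.

```powershell
# Added diagnostic sketch, not vendor code. Host and port are placeholders (assumptions).
param(
    [string]$EnforceHost = 'enforce.example.internal',  # the name entered in the wizard
    [int]$Port = 443,                                    # assumed HTTPS port
    [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
)

$script:policyErrors = 'None'
$script:chainStatus  = @()
# Record validation errors but accept the certificate so it can be inspected.
# Inspection only: no application data is sent over this connection.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($source, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    $script:chainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $true
}

$client = [System.Net.Sockets.TcpClient]::new()
$ssl = $null
try {
    $client.Connect($EnforceHost, $Port)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($EnforceHost, $null, $Protocol, $false)
    } catch {
        # No handshake at all points to cause 3 (protocol) or cause 4 (cipher suites).
        Write-Warning "Handshake using $Protocol failed: $($_.Exception.GetBaseException().Message)"
        return
    }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    [pscustomobject]@{
        LocalTimeUtc       = [DateTime]::UtcNow          # compare with a trusted clock (cause 2)
        Subject            = $cert.Subject
        SubjectAltNames    = if ($san) { $san.Format($false) } else { '' }
        NotBefore          = $cert.NotBefore
        NotAfter           = $cert.NotAfter              # past date = expired (cause 1)
        # RemoteCertificateNameMismatch = hostname not in the certificate (cause 1)
        PolicyErrors       = $script:policyErrors
        # NotTimeValid = expired certificate or wrong local clock (causes 1 and 2)
        ChainStatus        = $script:chainStatus -join ', '
        NegotiatedProtocol = $ssl.SslProtocol
        CipherAlgorithm    = $ssl.CipherAlgorithm
    }
} finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}
```

Run it on the server hosting IIS so that the handshake uses the same trust store, clock and cipher suite configuration as the ICA connection test. Repeating it with `-Protocol Tls11` shows whether the Enforce server accepts the protocol selected in the wizard.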

Additional Information

Broadcom KB article: Selecting Ciphers for DLP

https://knowledge.broadcom.com/external/article?articleNumber=219871