Guide to configuring Protection Engine 9.x to communicate via secure LDAP port 636



Article ID: 281083


Updated On: 03-20-2025

Products

Protection Engine for Cloud Services; Protection Engine for NAS

Issue/Introduction

When attempting to import or add a Protection Engine 9.x server into the Windows Console for SPE as a managed server, the attempt fails.

An examination of SPE_REST_API.log (by default found in C:\Program Files\Symantec\Scan Engine\RestAPI) shows an error similar to the following as the cause of the import failure:

ERROR spe.authentication.security.CustomLdapAuthenticationProvider:94 - CustomLdapAuthenticationProvider - authentication failed due to invalid ldap configurations. Exception: org.springframework.ldap.CommunicationException: simple bind failed: server.example.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: DC-Server.example.com:636 [Root exception is java.net.SocketException: Connection or outbound has closed]

Environment

SPE 9.x

Cause

The LDAP configuration was set to use secure LDAP via port 636, but the necessary root CA certificate was either missing from the Java key store or the incorrect one.

Resolution

The following is a guide on how to configure Protection Engine 9.x to communicate via secure LDAP port 636.

Section 1 – Preliminary Configuration of Java Key Store

1. Obtain the root certificate authority (CA) certificate.

2. If a root CA certificate is not available, one can be exported if you have a certificate chain similar to the one in the following example. If you are familiar with how to do this, jump down to step 3.

[Screenshots of the certificate chain and the certificate export wizard are not reproduced here.]

3. Copy the exported certificate to an easy-to-reference location on the server; "C:\Temp" works. The certificate will not need to stay there permanently, but it is worth saving somewhere for future deployments.

4. Verify the root path of the active version of Java on the server running Protection Engine 9.x. This is important because remnant folders of previous Java versions may still exist and cause confusion.

  • Open a command prompt.
  • Type: java -version   Example output (excerpt): java version "1.8.0_301"
  • Based on the version number and build, locate its installation folder in Windows Explorer.

5. Import the certificate into the Java key store file (the path below is an example; it will vary depending on the Java version).

  • Locate the Java "cacerts" file (the key store), which is usually in the Java root folder under ".\lib\security". If it cannot be found, search the disk for cacerts. The path to cacerts is needed for the command constructed below.

          Example: "C:\Program Files\Java\jre1.8.0_301\lib\security\cacerts"

  • Open an administrator command prompt.
  • CD\
  • CD "C:\Program Files\Java\jre1.8.0_301\bin"
  • Copy the following command to Notepad and modify it to fit the current environment. The goal is to compose a command similar to the following that points to the correct path to the key store. Each part of the command is explained below:

 

keytool -importcert -alias "example-com-ldaps" -keystore "C:\Program Files\Java\jre1.8.0_301\lib\security\cacerts" -file "c:\temp\Server-Example-Com CA-1.cer" -storepass changeit

  • -alias: an alias of your own choosing that describes the certificate. It must be unique in the key store.
  • -keystore: the path to the Java key store.
  • -file: the path to the root CA certificate exported in step 2.
  • -storepass: the key store password. The default password for the Java key store is changeit. If it has been changed, then hopefully you know it.

If the command is constructed correctly you will be asked to confirm that the certificate should be trusted. Type yes.

6. A much easier way to import the certificate into the key store is to download and install KeyStore Explorer from keystore-explorer.org and use it to insert the root CA into the Java cacerts. The steps are not provided here, but it is easy to use.

 

Section 2 - Install Protection Engine for Cloud or NAS 9.x (if SPE has already been installed, skip to Section 3)

There are several steps to installing SPE. This article covers only the steps that relate to AD/LDAP communications.

 

1. From the extracted SPE installation folder, find and run SymantecProtectionEngine.exe.

2. When prompted with the option to install SPE as "Core Server with REST API service..", select it.

3. When prompted with the option for "Windows Active Directory-based authentication", select it.

4. When prompted for the AD/LDAP configuration to use, the format will look similar to the following example. If unsure of what to select, follow KB270669.

[Screenshot of the AD/LDAP configuration prompt is not reproduced here.]

5. Complete the rest of the installation with the options desired.

 

Section 3 - Protection Engine for Cloud or NAS is already installed but cannot be imported/added as a managed server in the Windows Console

Section 1 is the most important step to complete in order for this to work. Then verify that the application.properties file is configured correctly:

 

1. From Windows File Explorer, browse to ":\Program Files\Symantec\Scan Engine\RestAPI" (the RestAPI folder under the Scan Engine installation).

2. Open application.properties with a text editor.

3. Verify that the LDAP section is configured correctly. It should look similar to the following:

#LDAP Configuration
sperestapi.ldap.enabled=true
sperestapi.ldap.url=server-dc.example.com
sperestapi.ldap.port=636
sperestapi.ldap.basedn=dc=example,dc=com
sperestapi.ldap.groupdn=CN=GroupName,OU=Groups,DC=example,DC=com
sperestapi.ldap.ssl.enabled=true

4. If there are doubts about whether the configuration is correct, again review KB270669. If any changes are made to application.properties, restart the "Symantec Protection Engine REST API" service.

 

Attempt to add the server as a managed device in the Windows Console program.

Note: Do not select "Use SSL" unless the configuration outlined in the SSL-SPE REST API service guide has been completed correctly (not covered in this article).

 

TROUBLESHOOTING

Note: Troubleshooting is often best done by first enabling debug logging by editing log4j2.xml per KB264918.

As of the publish date of this article, the current version of Protection Engine is 9.1.0.25. Future versions of SPE will likely have the following issue(s) addressed.

If, when attempting to add the server into the Windows Console, there is a failure related to "Invalid Credentials", do the following:

- Open ".\Program Files\Symantec\Scan Engine\RestAPI\log\SPE_REST_API.log".

- Go to the bottom of the log and look for "ERROR" in upper-case letters.

- If an entry similar to the following is found, then go to the REMEDIATION that follows:

Root exception is javax.naming.CommunicationException: simple bind failed: <Server Name>.Example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <Server Name>.Example.com found.

REMEDIATION

- Download and replace the existing sperestapi.jar with a newer version, and update application.properties by following KB279312.
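As an added example (not from this article or from the Protection Engine product), the following Python script checks the LDAP section of application.properties for the inconsistencies described in Section 3 and maps the two ERROR lines quoted in this article (the "Connection or outbound has closed" socket error in the Issue section and the "No subject alternative DNS name" handshake error in Troubleshooting) to the remediation the article gives for each. The property values and log excerpts are constructed from the text above; the error-to-remediation mapping is the article's, and the function names are the example's own.

```python
SAMPLE_PROPERTIES = """\
#LDAP Configuration
sperestapi.ldap.enabled=true
sperestapi.ldap.url=server-dc.example.com
sperestapi.ldap.port=636
sperestapi.ldap.basedn=dc=example,dc=com
sperestapi.ldap.groupdn=CN=GroupName,OU=Groups,DC=example,DC=com
sperestapi.ldap.ssl.enabled=true
"""

# Constructed log excerpts, shortened from the two ERROR lines quoted in the article.
SAMPLE_LOG = [
    "ERROR ... simple bind failed: DC-Server.example.com:636 [Root exception is "
    "java.net.SocketException: Connection or outbound has closed]",
    "ERROR ... simple bind failed: DC-Server.example.com:636 [Root exception is "
    "javax.net.ssl.SSLHandshakeException: ... No subject alternative DNS name "
    "matching DC-Server.example.com found.",
]

def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' lines, '#' comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)   # values such as groupdn contain '=' too
            props[key.strip()] = value.strip()
    return props

def check_ldap_config(props):
    """Return the list of inconsistencies in the LDAP keys (empty means consistent)."""
    problems = []
    ssl_on = props.get("sperestapi.ldap.ssl.enabled", "false").lower() == "true"
    port = props.get("sperestapi.ldap.port", "")
    if "://" in props.get("sperestapi.ldap.url", ""):
        problems.append("sperestapi.ldap.url must be a bare host name, not a URL")
    if port == "636" and not ssl_on:
        problems.append("port 636 is secure LDAP; set sperestapi.ldap.ssl.enabled=true")
    return problems

def classify_log_error(line):
    """Map an SPE_REST_API.log ERROR line to the remediation this article gives."""
    if "No subject alternative DNS name matching" in line:
        return "hostname-mismatch"   # Troubleshooting/REMEDIATION: KB279312
    if "Connection or outbound has closed" in line:
        return "untrusted-ca"        # Cause/Section 1: root CA missing or wrong in cacerts
    if "simple bind failed" in line:
        return "bind-failed"         # Section 3: check application.properties (KB270669)
    return None
```

Run check_ldap_config on the parsed file before restarting the REST API service, and classify_log_error over the last ERROR lines of SPE_REST_API.log to decide whether Section 1 or the REMEDIATION step applies.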