Flex response plugin fails after upgrading DLP to 25.1

Article ID: 426895

Products

Data Loss Prevention Network Monitor and Prevent for Email

Issue/Introduction

Email block flex response plugin fails after upgrading to DLP 25.1

Environment

25.1

Cause

The following error appears in the logs of the plugin host. The com.symantec.smg.controlcenter classes in the trace are the caller, and updateIncidentRemediationStatus is the Enforce incident update web service call that fails:

[IncidentUpdateManager] ERROR - failed to publish incident updates to 
com.sun.xml.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Could not generate secret
at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:132)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:153)
at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:94)
at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:116)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
at com.sun.xml.ws.api.pipe.helper.AbstractTubeImpl.process(AbstractTubeImpl.java:112)
at com.sun.xml.xwss.XWSSClientPipe.process(XWSSClientPipe.java:160)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:115)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
at com.sun.xml.ws.client.Stub.process(Stub.java:222)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:135)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)
at com.sun.proxy.$Proxy92.updateIncidentRemediationStatus(Unknown Source)
at com.symantec.smg.controlcenter.quarantine.contentincident.dlp.IncidentUpdateClient.remediate(IncidentUpdateClient.java:224)
at com.symantec.smg.controlcenter.quarantine.contentincident.dlp.IncidentUpdateManager.publishIncidentUpdates(IncidentUpdateManager.java:226)
at com.symantec.smg.controlcenter.quarantine.contentincident.dlp.IncidentUpdateTask.executeTask(IncidentUpdateTask.java:84)
at com.symantec.smg.controlcenter.internal.scheduledtask.ScheduledTask.execute(ScheduledTask.java:133)
at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
Caused by: javax.net.ssl.SSLHandshakeException: Could not generate secret
at sun.security.ssl.ECDHKeyExchange$ECDHEKAKeyDerivation.t13DeriveKey(ECDHKeyExchange.java:479)
at sun.security.ssl.ECDHKeyExchange$ECDHEKAKeyDerivation.deriveKey(ECDHKeyExchange.java:419)
at sun.security.ssl.ServerHello$T13ServerHelloConsumer.consume(ServerHello.java:1277)
at sun.security.ssl.ServerHello$ServerHelloConsumer.onServerHello(ServerHello.java:966)
at sun.security.ssl.ServerHello$ServerHelloConsumer.consume(ServerHello.java:869)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1401)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1357)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1332)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264)
at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:120)
... 26 more
Caused by: java.security.InvalidKeyException: Invalid key
at com.rsa.cryptoj.o.ma.a(Unknown Source)
at com.rsa.cryptoj.o.mb.engineInit(Unknown Source)
at javax.crypto.Mac.init(Mac.java:413)
at sun.security.ssl.HKDF.extract(HKDF.java:91)
at sun.security.ssl.HKDF.extract(HKDF.java:119)
at sun.security.ssl.ECDHKeyExchange$ECDHEKAKeyDerivation.t13DeriveKey(ECDHKeyExchange.java:469)
... 44 more


The trace shows where the handshake fails. The client has already negotiated TLS 1.3 (T13ServerHelloConsumer) and is deriving the handshake secret, which in TLS 1.3 is an HKDF-Extract step implemented through javax.crypto.Mac. Mac.init is served by the RSA Crypto-J provider (com.rsa.cryptoj), which rejects the key with InvalidKeyException: Invalid key, so key derivation aborts with "Could not generate secret". The TLS 1.2 key schedule uses the TLS PRF rather than this HKDF path, which is why limiting the connection to TLS 1.2 avoids the error.

Resolution

With DLP 25.1 the Enforce server's Tomcat connector negotiates TLS 1.3 with the plugin's Java client, but the client's crypto provider cannot complete the TLS 1.3 key derivation (see the trace above). Limiting the Enforce connector to TLS 1.2 makes both sides settle on a version they can complete. To do so, edit the following file on the Enforce server.

Filename: server.xml

Location: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\conf

Add the attribute protocols="TLSv1.2" to the <SSLHostConfig> element of the HTTPS connector. The existing sslProtocol="TLS" attribute only selects the JSSE SSLContext algorithm and does not restrict versions; protocols is the attribute that does. The start of the element then looks like:

<SSLHostConfig certificateVerification="none" revocationEnabled="false" sslProtocol="TLS" protocols="TLSv1.2" truststoreFile="${catalina.base}/conf/truststore.jks" 

This is not the complete element, only its beginning; keep the remaining attributes and child elements unchanged.

Save the file and restart the Symantec DLP Manager service. The Enforce console and API then accept TLS 1.2 only, so every client of that connector, not just the Flex Response plugin, must support TLS 1.2 (browsers and current integrations generally do). Do not add TLSv1 or TLSv1.1 to the list to work around other clients; TLS 1.2 is the floor.
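As an added check for this procedure (example code written for this article, not part of the product or of Broadcom's documentation): the script below parses a Tomcat server.xml, reports whether each SSLHostConfig still permits TLS 1.3, patches the file text to add protocols="TLSv1.2" where it is missing, and can optionally probe the live Enforce port to confirm that a TLS 1.3 handshake is now refused while TLS 1.2 succeeds. The embedded server.xml is a constructed sample modelled on the fragment above; port 8443, the host name and the script name are assumptions.

```python
"""Audit a Tomcat server.xml for TLS 1.3 exposure, patch it to TLS 1.2 only,
and optionally probe the live port.  Added example for this article, not
Symantec/Broadcom code; the sample XML, port 8443 and host are assumptions."""
import re
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragment quoted in the article: an
# SSLHostConfig with no protocols attribute (the pre-fix state).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig certificateVerification="none" revocationEnabled="false"
                     sslProtocol="TLS"
                     truststoreFile="${catalina.base}/conf/truststore.jks">
        <Certificate certificateKeystoreFile="${catalina.base}/conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def tls13_allowed(protocols_attr):
    """Interpret a Tomcat SSLHostConfig 'protocols' value.  An absent attribute
    means Tomcat's default "all", which includes TLSv1.3 on a JRE that supports
    it; Tomcat also accepts +/- prefixes such as "all,-TLSv1.3"."""
    if protocols_attr is None:
        return True
    tokens = [t for t in re.split(r"[,\s]+", protocols_attr) if t]
    if "-TLSv1.3" in tokens:
        return False
    return any(t.lower() == "all" or t in ("TLSv1.3", "+TLSv1.3") for t in tokens)


def audit(server_xml_text):
    """One finding per SSLHostConfig under an SSL-enabled Connector."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        for host_cfg in connector.findall("SSLHostConfig"):
            protocols = host_cfg.get("protocols")
            findings.append({"port": connector.get("port"),
                             "hostName": host_cfg.get("hostName", "_default_"),
                             "protocols": protocols,
                             "tls13_allowed": tls13_allowed(protocols)})
    return findings


_SSLHOSTCONFIG_TAG = re.compile(r"<SSLHostConfig\b([^>]*?)(/?>)")


def restrict_to_tls12(server_xml_text):
    """Insert protocols="TLSv1.2" into every SSLHostConfig start tag that lacks a
    protocols attribute.  Patches the raw text instead of re-serialising the DOM
    so comments and formatting of the real file survive; tags that already set
    protocols are left untouched, so the function is idempotent."""
    def patch(match):
        attrs, close = match.group(1), match.group(2)
        if re.search(r"\bprotocols\s*=", attrs):
            return match.group(0)
        return '<SSLHostConfig protocols="TLSv1.2"' + attrs + close
    return _SSLHOSTCONFIG_TAG.sub(patch, server_xml_text)


def probe(host, port, version, timeout=5.0):
    """True if the server completes a handshake at exactly `version`.
    Certificate checks are off because only version negotiation is tested;
    never reuse this context for a real connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for f in audit(text):
        print(f"port {f['port']} host {f['hostName']}: "
              f"protocols={f['protocols']!r} TLS1.3 allowed={f['tls13_allowed']}")
    if len(sys.argv) > 3:  # optional live check: script server.xml host port
        host, port = sys.argv[2], int(sys.argv[3])
        print("TLS 1.3 accepted:", probe(host, port, ssl.TLSVersion.TLSv1_3))
        print("TLS 1.2 accepted:", probe(host, port, ssl.TLSVersion.TLSv1_2))
```

Run it against the real file (the server.xml path given above) to see whether TLS 1.3 is still allowed; after the edit and the service restart, pass the Enforce host and port as well and expect "TLS 1.3 accepted: False" and "TLS 1.2 accepted: True". The same probe from a shell is `openssl s_client -connect <enforce-host>:<port> -tls1_3`, which should now fail, while `-tls1_2` should succeed. The patch function only writes the attribute into the text it returns; review the result before replacing the production file.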