ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Error: "Cloud Service authentication to Enforce failed" due to certificate validity

book

Article ID: 206335

calendar_today

Updated On:

Products

Data Loss Prevention Cloud Service for Email Data Loss Prevention Cloud Detection Service for ICAP Data Loss Prevention Cloud Detection Service for REST Data Loss Prevention Cloud Detection Service Data Loss Prevention Cloud Package Data Loss Prevention

Issue/Introduction

The Data Loss Prevention (DLP) Could Detector was disconnected. DLP Enforce is showing the following error:

  • Code: 2714
  • Summary: Cloud Service authentication to Enforce failed
  • Detail: Error [AUTHENTICATION_FAILURE] - Cloud Service unreachable due to an authentication issue. Please check the validity and availability of the certificate.

Cause

This error occurs when the Truststore on DLP Enforce does not have the correct certificate authority (CA) to perform authentication with the DLP Cloud Service.

As per the Product Advisory on the topic, the migration of the DLP Cloud Service has resulted in an update to the Truststore requirements for the DLP Enforce server.

 

Resolution

DLP Enforce 15.1 or earlier

Follow the steps in Replacing the Cloud Services Enforce Truststore prior to migration of DLP Cloud Service to Google Cloud Platform (broadcom.com)

DLP Enforce 15.1 MP1 or later

  • Check that the permissions on the "enforce_truststore.jks" file are correct. The DLP service has access to the folder as identified in the above article
  • If permissions are correct, the error may be a proxy issue. See DLP cloud detector in "Disconnected" status.

Additional Information

The MonitorController logs may contain the following:

1/19/2021 12:48:28 PM com.symantec.dlp.communications.common.activitylogging.JavaLoggerImpl
WARNING: 
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
 at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
 at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
 at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
 at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
 at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1285)
 at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:917)
 at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
 at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
 at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
 at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
 at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
 at org.jboss.netty.channel.SimpleChannelHandler.messageReceived(SimpleChannelHandler.java:142)
 at com.symantec.dlp.communications.transportlayer.impl.NettyChannelEventCaptureConnectionHandler.messageReceived(NettyChannelEventCaptureConnectionHandler.java:57)
 at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
 at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
 at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
 at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
 at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
 at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
 at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
 at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:318)
 at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
 at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
 at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
 at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
 at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
 at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
 at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
 at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
 at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
 at java.security.AccessController.doPrivileged(Native Method)
 at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
 at org.jboss.netty.handler.ssl.ImmediateExecutor.execute(ImmediateExecutor.java:31)
 at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1453)
 at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1326)
 ... 23 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
 at sun.security.validator.Validator.validate(Validator.java:262)
 at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
 at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
 at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
 at com.symantec.dlp.communications.transportlayer.impl.CustomSslTrustManager.checkServerTrusted(CustomSslTrustManager.java:102)
 at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1006)
 at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
 ... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
 at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
 at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
 ... 40 more