"HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints" is reported when Data Insight connects to DLP

Article ID: 100033211
Description

Error text:

HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints


Figure 1 shows the DI console at Settings > Data Loss Prevention > Configuration > Edit.
 
Figure 1


Excerpt from the commd log on the DI Management Server, at C:\Program Files\DataInsight\log:
 
2016-08-23 10:56:30 INFO:    #{52} [JobRunShell.run] Job matrix.DlpSensitiveFilesJob threw a JobExecutionException:
org.quartz.JobExecutionException: Error fetching list of sensitive files from DLP [See nested exception: java.lang.Exception: [C:\Program Files\DataInsight\\bin\reportcli.exe, import_sensitive_files, -J-Xmx2048m] exited with code 1]
    at com.symc.matrix.commd.scheduler.DlpSensitiveFilesJob.execute(DlpSensitiveFilesJob.java:244)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:557)
Caused by: java.lang.Exception: [C:\Program Files\DataInsight\\bin\reportcli.exe, import_sensitive_files, -J-Xmx2048m] exited with code 1
    at com.symc.matrix.commd.scheduler.DlpSensitiveFilesJob.execute(DlpSensitiveFilesJob.java:226)
    ... 2 more

Generating a new Enforce Server self-signed certificate

1. Collect the following information:
  • Common Name: The host name of the DLP Enforce Server, exactly as Data Insight and the other clients address it (the fully qualified name if that is what the DI configuration uses). Enter the name alone, not a URL.
        Example: Server_Name (not https://Server_Name)
        
  • Organization Name: The name of your company or organization
  • Organizational Unit: The name of your division, department, unit, etc.
  • City: The city, town, or area where you are located
  • State: The name of your state, province, or region
  • Country: Your two-letter country code
  • Expiration: The certificate expiration time, in number of days
    
2. Stop all Vontu services on the DLP Enforce Server
  • Run services.msc from an administrative command prompt.
  • Right-click each service and select stop.
    


3. On the Enforce Server, keytool is located in the \SymantecDLP\jre\bin directory. Navigate there:
    cd c:\SymantecDLP\jre\bin


4. Use keytool to generate the self-signed certificate.

    From within the \bin directory where keytool is located, run the following command, filling in the -dname values with the information collected earlier (-genkey is the older name of -genkeypair and is still accepted):
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore -validity 365 -storepass protect -dname "cn=<Common Name>, o=<Organization Name>, ou=<Organizational Unit>, L=<City>, S=<State>, C=<Country>"
    
    If you are asked for a key password, press Return so that the key password is the same as the keystore password.
  • The -alias parameter specifies the name of this certificate key. The value for the -alias parameter MUST be tomcat; that is the entry the Enforce Server's Tomcat configuration loads.
  • The -keystore parameter specifies the name and location of the keystore file, which must be the .keystore that is located in this directory.
  • The -keyalg parameter specifies the algorithm to be used to generate the key pair. In this case, the algorithm to specify is RSA.
  • The -keysize parameter specifies the size of the key to be generated. Use 2048. Earlier versions of this article used 1024, which sits exactly at the floor of the "RSA keySize < 1024" entry in the JRE's jdk.certpath.disabledAlgorithms security property: it still passes the check that produces the error above, but a future JRE update can raise that floor and bring the error back.
  • The -validity parameter specifies the number of days that the certificate is good for. The number of days you choose to specify is up to you; the certificate must be regenerated and re-imported into Data Insight before it expires.
  • The -storepass parameter specifies the password used to protect the integrity of the keystore. The value for the -storepass parameter MUST be protect, because that is the password the Enforce Server's Tomcat configuration uses to open the keystore.
  • The -dname parameter specifies the X.500 Distinguished Name to be associated with the alias. It is used as the issuer and subject fields in a self-signed certificate. Current TLS clients match the server name against a Subject Alternative Name rather than the CN; keytool can add one with -ext SAN=dns:<Common Name> if a consumer of this certificate requires it.
    



5. Rename, or move, the existing .keystore file from the \Protect\tomcat\conf directory.
    cd c:\SymantecDLP\Protect\tomcat\conf
    SymantecDLP\Protect\tomcat\conf> ren .keystore .keystore_old
    



6. Move the updated .keystore file you created in Step 4 to the \Protect\tomcat\conf directory.
    SymantecDLP\Protect\tomcat\conf> move C:\SymantecDLP\jre\bin\.keystore .keystore
    



7. Restart the Vontu services on the DLP Enforce Server.
  • Run services.msc from an administrative command prompt.
  • Right-click each service and select start.
    
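Steps 2 to 7 above as a single script, added here as an example; it is not part of this article or of the DLP product. It assumes the C:\SymantecDLP install root used in the steps, that the Vontu services are the ones whose display names begin with "Vontu", a 2048-bit key, and placeholder -dname values that you must replace. Run it from an elevated Windows PowerShell prompt on the Enforce Server.

```powershell
# Added example (not from the DLP documentation): regenerate the Enforce Tomcat
# self-signed certificate with a backup of the old keystore and a readback check.
# Assumptions: install root, service display names, DN values and key size.

$DlpRoot   = 'C:\SymantecDLP'
$KeyTool   = Join-Path $DlpRoot 'jre\bin\keytool.exe'
$ConfDir   = Join-Path $DlpRoot 'Protect\tomcat\conf'
$NewStore  = Join-Path $DlpRoot 'jre\bin\.keystore'
$LiveStore = Join-Path $ConfDir '.keystore'
# Alias and keystore password are fixed by the Enforce Tomcat configuration (see step 4).
$StorePass = 'protect'
# Placeholder DN: the CN must be the host name Data Insight uses for the Enforce Server.
$Dname = 'cn=dlpserver1.example.com, o=Example Corp, ou=Security, L=City, S=State, C=US'

# Step 2: stop the Vontu services and wait until each has really reached Stopped.
$services = Get-Service -DisplayName 'Vontu*'
if (-not $services) { throw 'No Vontu services found; is this the Enforce Server?' }
$services | Stop-Service -Force
$services | ForEach-Object { $_.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2)) }

# Step 4: generate the key pair. -genkeypair is the current name of -genkey, and
# passing -keypass equal to -storepass avoids the interactive key-password prompt.
if (Test-Path $NewStore) { Remove-Item $NewStore }
& $KeyTool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -keystore $NewStore -validity 365 -storepass $StorePass -keypass $StorePass -dname $Dname
if ($LASTEXITCODE -ne 0) { throw "keytool -genkeypair failed with exit code $LASTEXITCODE" }

# Step 5: keep the old keystore under a timestamped name rather than a fixed
# .keystore_old, so a second run cannot overwrite the only backup.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
if (Test-Path $LiveStore) { Move-Item $LiveStore (Join-Path $ConfDir ".keystore_old_$stamp") }

# Step 6: put the new keystore in place, then confirm the 'tomcat' entry opens with
# the password Tomcat will use. A failure here means Tomcat would fail to start.
Move-Item $NewStore $LiveStore
& $KeyTool -list -v -keystore $LiveStore -storepass $StorePass -alias tomcat
if ($LASTEXITCODE -ne 0) {
    throw "alias 'tomcat' not readable from $LiveStore; restore the backup before starting the services"
}

# Step 7: start the services again.
$services | Start-Service
```

The keytool -list output at the end shows the signature algorithm and validity dates of the new certificate; check them before continuing with the import into Data Insight.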


 

Exporting the SSL certificate from the DLP Enforce Server on the DI Management Server using Firefox


1. From the DI Management Server, type the URL to connect to the DLP Enforce Server admin console.
    Example: https://DLPServer1/ProtectManager/
   
2. On the security certificate warning page, click I understand the risks.

3. Click Add Exception.




4. On the Add Security Exception Page, click View to view the certificate details.

5. Click the Details tab, and click Export.

6. From the Save as type drop-down, select X.509 Certificate (DER).




7. Click Save.


 

Exporting the SSL certificate from the DLP Enforce Server on the DI Management Server using Internet Explorer


1. Type the URL to connect to the DLP Enforce Server Admin Console and select Continue to this website.
    Example: https://DLPServer1/ProtectManager/

2. On the security certificate warning page, click Certificate Error next to the address bar.




3. Select View Certificates.

4. Click the Details tab, and select the appropriate certificate.

5. Click Copy to File.

6. In the Certificate Export Wizard, select, DER encoded binary.

7. Click Next.

8. Enter the name of the file and browse to the location where you want to save the file.

9. Click Next.

10. Click Finish to save the file.


 

After the SSL certificate is saved on the DI Management Server, complete the following steps to import it into the Data Insight commd keystore on the DI Management Server.


1. Open an administrative command prompt.

2. Change to the Data Insight JRE bin directory:
     cd C:\Program Files\DataInsight\jre\bin
Note: Prior to 5.1, use C:\Program Files\Symantec\DataInsight\jre\bin
    
    Remove the old Enforce Server certificate, stored under the alias dlp, from the commd keystore:
        C:\Program Files\DataInsight\jre\bin> keytool -delete -alias dlp -keystore C:\DataInsight\data\keys\commd.keystore
        
        Enter changeit for the password.
        
        If the alias does not exist, keytool reports that the alias does not exist. This error can be ignored; it only means that no Enforce Server certificate had been imported before.
        
    Import the exported certificate under the same alias (give -file the path of the DER file you saved from the browser):
    
         C:\Program Files\DataInsight\jre\bin> .\keytool -importcert -alias dlp -keystore C:\DataInsight\data\keys\commd.keystore -trustcacerts -file <path to the exported .cer file>
        
        Specify changeit as the password for the keystore.
        
        Type yes when asked whether you trust this certificate. Before answering, compare the fingerprint that keytool prints with the one shown in the browser's certificate details: this is the only check that the file you are importing is the Enforce Server's certificate and not one presented by something in the path between the two servers.



3. Close all Web browsers
        
4. Open the DI Admin Console and navigate to Settings > Data Loss Prevention > Configuration > Edit and select Test Connection.
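The browser export steps and the keytool import above give you no view of what the Data Insight JRE will actually object to. The following script is an added example, not part of this article or of either product: it fetches the Enforce Server's certificate directly over TLS (an alternative to the Firefox and Internet Explorer steps), writes it in the DER form that keytool -importcert expects, and compares its key size and signature algorithm with the jdk.certpath.disabledAlgorithms property of the DI JRE, which is the check behind "Certificates does not conform to algorithm constraints". It can also be pointed at a certificate exported from the new Enforce keystore. The host name, output path and DI JRE location are assumptions; run it in Windows PowerShell 5.1 on the DI Management Server.

```powershell
# Added example (not from the Data Insight/DLP documentation). Assumed values:
# the host name DLPServer1 from the article's URL, C:\Temp\enforce.cer as output,
# and the DI JRE path from step 2 of the import procedure.

function Get-EnforceServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # name used in the DLP Enforce URL
        [int] $Port = 443,
        [Parameter(Mandatory)] [string] $OutFile     # DER file for keytool -importcert -file
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever the server presents: the point is to inspect it, not to trust it yet.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
    # X509ContentType::Cert is DER, the same encoding the browser export steps produce.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($OutFile, $der)
    return $cert
}

function Test-CertificateAgainstJavaConstraints {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        # java.security of the JRE that will validate the certificate: the DI JRE, not the DLP one.
        [string] $JavaSecurityFile = 'C:\Program Files\DataInsight\jre\lib\security\java.security'
    )
    $keyAlg = $Certificate.PublicKey.Oid.FriendlyName          # RSA, DSA or ECC
    if ($keyAlg -eq 'RSA') {
        $keyBits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate).KeySize
    } else {
        $keyBits = $Certificate.PublicKey.Key.KeySize
    }
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName      # e.g. sha256RSA, sha1RSA, md5RSA

    # Read jdk.certpath.disabledAlgorithms, joining backslash-continued lines first.
    $text = (Get-Content -Raw -LiteralPath $JavaSecurityFile) -replace '\\\r?\n\s*', ''
    $line = ($text -split "`r?`n") | Where-Object { $_ -match '^\s*jdk\.certpath\.disabledAlgorithms\s*=' } | Select-Object -First 1
    $constraints = ($line -replace '^[^=]*=', '') -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

    # Simplified form of the JRE's algorithm checker, covering the two constraint shapes a
    # self-signed keystore certificate actually trips over: "<alg> keySize < N" and a bare
    # digest name such as MD5. "SHA1 jdkCA & usage TLSServer" only restricts chains anchored
    # in the JDK's own cacerts, so it is deliberately not applied here.
    $violations = @()
    foreach ($c in $constraints) {
        if ($c -match '^(\w+)\s+keySize\s*<\s*(\d+)$') {
            if ($keyAlg -eq $Matches[1] -and $keyBits -lt [int]$Matches[2]) {
                $violations += "$keyAlg key of $keyBits bits violates '$c'"
            }
        } elseif ($c -match '^(MD2|MD5|SHA1)$' -and $sigAlg -like "$($Matches[1])*") {
            $violations += "signature algorithm $sigAlg violates '$c'"
        }
    }
    [pscustomobject]@{
        Subject            = $Certificate.Subject
        KeyAlgorithm       = $keyAlg
        KeySizeBits        = $keyBits
        SignatureAlgorithm = $sigAlg
        NotAfter           = $Certificate.NotAfter
        Expired            = $Certificate.NotAfter -lt (Get-Date)   # expiry is a separate failure, not an algorithm constraint
        Violations         = $violations
        Thumbprint         = $Certificate.Thumbprint                  # compare with the fingerprint keytool -importcert prints
    }
}

# Usage: fetch and check the live Enforce certificate. To check the certificate in a
# freshly generated keystore instead, export it first on the Enforce Server with
#   keytool -exportcert -alias tomcat -keystore .keystore -storepass protect -file tomcat.cer
# and construct the X509Certificate2 from that file.
$cert = Get-EnforceServerCertificate -HostName 'DLPServer1' -OutFile 'C:\Temp\enforce.cer'
Test-CertificateAgainstJavaConstraints -Certificate $cert | Format-List
```

An empty Violations list together with Expired = False means the certificate will pass the JRE's algorithm check and the validity check; anything listed in Violations has to be fixed on the Enforce Server by regenerating the certificate, because nothing imported on the Data Insight side changes what the JRE rejects. If the .NET TLS stack itself refuses the handshake with an old certificate, fall back to the browser export steps above and construct the X509Certificate2 from the saved file.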

Cause

The certificate that had been imported into the DI Management Server from the DLP Enforce Server had expired and, more to the point for this exception text, no longer met the algorithm constraints of the Data Insight JRE. "Certificates does not conform to algorithm constraints" is raised by the Java TLS stack when a certificate in the server's chain uses an algorithm or key size listed in the jdk.certpath.disabledAlgorithms (or jdk.tls.disabledAlgorithms) security property, for example an MD5-signed certificate or an RSA key shorter than 1024 bits; an expired certificate on its own produces a CertificateExpiredException instead. When DI was upgraded, the bundled JRE applied the newer constraints, and the first attempt to connect to the DLP Enforce Server after the upgrade failed the SSL handshake.

Resolution

A new certificate, with a key size and signature algorithm that the upgraded Data Insight JRE accepts, needs to be generated on the DLP Enforce Server and then imported on the DI Management Server.

Issue/Introduction

The connection between DI (Data Insight) and DLP (Data Loss Prevention) is broken due to a certificate error. This interferes with the ability to import sensitive files from the DLP server, and causes subsequent report failures.