topic Endpoint Security: Active Directory scanner LDAPS in Endpoint

Endpoint Security: Active Directory scanner LDAPS

startoff — Fri, 14 Feb 2020 13:49:52 GMT

Hi all

I ran in problems while setting up Active Directory scanner with LDAPS enabled on a fresh installed R80.40 server.

The only error message i got is: unable to establish a connection to the domain controller

I've imported the certificates to keystore and restarted the needed services.

With 'bin/keytool -list -keystore lib/security/cacerts certificate.cer -storepass password' I can see the certificate listed. I also installed the intermediate cert.
Because I wasn't sure where to install the certs, I've put them in both stores:
- $CPDIR/jre_32
- $CPDIR/jre_64

From the CLI on the CP management server a 'telnet ip.add.re.ss 636' to the Active Directory domain controller is successfull.

Another thing I've tried is to change the settings in file
$UEPMDIR/engine/conf/ldap.utils.properties
from use.ssl=false to use.ssl=true

This didn't help either.

I tried then the AD sync with LDAP. This was successfull.

So it must have something to do with LDAPS. How can I troubleshoot this further?

Thanks for a hint...

Re: Endpoint Security: Active Directory scanner LDAPS

Daniel_Taney — Mon, 09 Mar 2020 13:59:42 GMT

I'm actually having this same problem with an even older version of Endpoint Security. Did you ever find a solution? I've performed all the same steps you mentioned and get the same generic error.

I also haven't figured out whether there is another log file besides $UEPMDIR/logs/Authentication.log that may contain a hint as to the cause of the problem. There isn't anything relevant in that file for me.

Re: Endpoint Security: Active Directory scanner LDAPS

Daniel_Taney — Mon, 09 Mar 2020 14:27:12 GMT

It looks like there is more information logged in /opt/CPuepm-R77/logsserver_messages.log

I also made sure intermediate certs were imported to the keychain. Unfortunately, this doesn't do a whole lot to help me because I know my information is correct in terms of the LDAP path, server name, ports, etc.

Telnet also works for me.

[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - An error has occurred while trying to connect to LDAP server on [LDAPS://myDC.ad.myDomain.net:636]. Check the URL and verify that an LDAP server is running on this machine. (AbstractLdapContext) [2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - An error has occurred while trying to connect to LDAP server on [LDAPS://myDC.ad.myDomain.net:636]. (FilteredDirectorySearch) [2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - Check the URL and verify that an LDAP server is running on this machine. Exception: (FilteredDirectorySearch) javax.naming.CommunicationException: myDC.ad.myDomain.net:636 [Root exception is java.net.SocketException: Connection reset] at com.sun.jndi.ldap.Connection.<init>(Connection.java:224) at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136) at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1600) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) at javax.naming.InitialContext.init(InitialContext.java:242) at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) at com.checkpoint.uepm.blm.directoryscanner.directoryservice.ldap.AbstractLdapContext.init(AbstractLdapContext.java:76) at com.checkpoint.uepm.blm.directoryscanner.directoryservice.ldap.AbstractLdapContext.init(AbstractLdapContext.java:35) at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.initContext(FilteredDirectorySearch.java:86) at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.getDirectOUsAndContainers(FilteredDirectorySearch.java:295) at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.getDirectChilds(DirectoryScannerServiceImpl.java:291) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:76) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:602) at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:166) at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:82) at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:55) at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:68) at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) at java.util.concurrent.FutureTask.run(FutureTask.java:166) at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37) at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:98) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236) at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104) at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:98) at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:392) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:170) at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:142) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:45) at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:101) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:780) Caused by: java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:189) at java.net.SocketInputStream.read(SocketInputStream.java:121) at com.ibm.jsse2.a.a(a.java:204) at com.ibm.jsse2.a.a(a.java:110) at com.ibm.jsse2.qc.a(qc.java:619) at com.ibm.jsse2.qc.h(qc.java:809) at com.ibm.jsse2.qc.a(qc.java:106) at com.ibm.jsse2.qc.startHandshake(qc.java:586) at com.sun.jndi.ldap.Connection.createSocket(Connection.java:379) at com.sun.jndi.ldap.Connection.<init>(Connection.java:201) ... 52 more [2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - Throwing exception with error code : NO_CONNECTION_TO_DOMAIN_CONTROLLER (DirectoryScannerServiceImpl) [2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - (DirectoryScannerServiceImpl) com.checkpoint.uepm.api.epsbackend.is.EpsBackendException: TICKET_NUMBER = 1172162787. at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.handleDirectoryScannerException(DirectoryScannerServiceImpl.java:515) at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.getDirectChilds(DirectoryScannerServiceImpl.java:313) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:76) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:602) at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:166) at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:82) at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:55) at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:68) at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) at java.util.concurrent.FutureTask.run(FutureTask.java:166) at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37) at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:98) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236) at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104) at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:98) at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:392) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:170) at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:142) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:45) at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:101) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) at java.lang.Thread.run(Thread.java:780) Caused by: com.checkpoint.directoryServiceUtils.DirectoryScannerServiceException at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.initContext(FilteredDirectorySearch.java:137) at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.getDirectOUsAndContainers(FilteredDirectorySearch.java:295) at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.getDirectChilds(DirectoryScannerServiceImpl.java:291)

Re: Endpoint Security: Active Directory scanner LDAPS

startoff — Mon, 09 Mar 2020 14:30:38 GMT

I'm actually working with Checkpoint on this case.

Will have a session with CP tomorrow.

As soon as I have a working solution I'll update this thread.

Re: Endpoint Security: Active Directory scanner LDAPS

Daniel_Taney — Mon, 09 Mar 2020 14:33:27 GMT

Excellent! Thanks for replying! Anxious to hear what you find. This one has me pretty stumped!

Re: Endpoint Security: Active Directory scanner LDAPS

J_B — Tue, 10 Mar 2020 10:52:45 GMT

We had something similar when our DC server certificates auto renewed.

We followed sk84620 and that sorted the problem for us.

Re: Endpoint Security: Active Directory scanner LDAPS

startoff — Tue, 10 Mar 2020 11:58:06 GMT

So, had a call with Checkpoint this morning and we could resolve the issue!

To explain why the error happended a short info about our setup.

Our endpoint protection will reach the AD Domain Controller through a public IP on another FW and there we're doing a NAT to the DC.

On the endpoint protection server in the Organization scanner I entered the public IP, not a hostname. Therefore we saw an error in the log on the EP about the public IP not being a SAN inside the certificate we installed on the EP server.

I then added a host definition inside clish on the EP server:

add host name fqdn.from.domaincontroller ipv4-address pub.lic.ip.address

The pub.lic.ip.address is the IP address on the firewall where we're doing the NAT.

After that, I had to enter the hostname instead of the public IP address in the Organization Scanner settings.

Re: Endpoint Security: Active Directory scanner LDAPS

Daniel_Taney — Tue, 10 Mar 2020 18:37:13 GMT

Glad to hear this resolved your issue! Your circumstances are a little different than mine. So, unfortunately, I don't think this fix applies to me. Was there anywhere else you looked during the troubleshooting session to see additional or more specific errors?

Thanks!

Re: Endpoint Security: Active Directory scanner LDAPS

Daniel_Taney — Tue, 10 Mar 2020 18:38:08 GMT

@J_B I have seen these SK's, but had asked our server guys to provide the certificates. Since this fixed your problem, maybe I need to double back with them and make sure they followed the procedure correctly to acquire them.

Thanks!

Re: Endpoint Security: Active Directory scanner LDAPS

startoff — Wed, 11 Mar 2020 06:49:54 GMT

I'm sorry to hear that didn't help in your case.

We looked at the same log as you:

$UEPMDIR/log/server_messages.log

There we saw these two error messages:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address pub.lic.ip.address found

java.security.cert.CertificateException: No subject alternative names matching IP address pub.lic.ip.address found

The pub.lic.ip.address is the one where we're doing the NAT to the ADC.