startoff
Participant

Endpoint Security: Active Directory scanner LDAPS


Hi all

I ran into problems while setting up the Active Directory scanner with LDAPS enabled on a freshly installed R80.40 server.

The only error message I got is: unable to establish a connection to the domain controller

I've imported the certificates to keystore and restarted the needed services.

With 'bin/keytool -list -keystore lib/security/cacerts certificate.cer -storepass password' I can see the certificate listed. I also installed the intermediate cert.
Because I wasn't sure where to install the certs, I've put them in both stores:
- $CPDIR/jre_32
- $CPDIR/jre_64

From the CLI on the CP management server, a 'telnet ip.add.re.ss 636' to the Active Directory domain controller is successful.

Another thing I've tried is to change the settings in file
$UEPMDIR/engine/conf/ldap.utils.properties
from use.ssl=false to use.ssl=true

This didn't help either.

I then tried the AD sync with LDAP. This was successful.

So it must have something to do with LDAPS. How can I troubleshoot this further?

Thanks for a hint...

 


Accepted Solutions
startoff
Participant

So, had a call with Checkpoint this morning and we could resolve the issue!

To explain why the error happened, here is a short note about our setup.

Our endpoint protection will reach the AD Domain Controller through a public IP on another FW and there we're doing a NAT to the DC.

On the endpoint protection server in the Organization scanner I entered the public IP, not a hostname. Therefore we saw an error in the log on the EP about the public IP not being a SAN inside the certificate we installed on the EP server.

I then added a host definition inside clish on the EP server:

add host name fqdn.from.domaincontroller ipv4-address pub.lic.ip.address

 

The pub.lic.ip.address is the IP address on the firewall where we're doing the NAT.

After that, I had to enter the hostname instead of the public IP address in the Organization Scanner settings.

 

 


9 Replies
Daniel_Taney
Advisor

I'm actually having this same problem with an even older version of Endpoint Security. Did you ever find a solution? I've performed all the same steps you mentioned and get the same generic error.

I also haven't figured out whether there is another log file besides $UEPMDIR/logs/Authentication.log that may contain a hint as to the cause of the problem. There isn't anything relevant in that file for me.

R80 CCSA / CCSE
Daniel_Taney
Advisor

It looks like there is more information logged in /opt/CPuepm-R77/logs/server_messages.log

I also made sure intermediate certs were imported to the keychain. Unfortunately, this doesn't do a whole lot to help me because I know my information is correct in terms of the LDAP path, server name, ports, etc. 

Telnet also works for me.

[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - An error has occurred while trying to connect to LDAP server on [LDAPS://myDC.ad.myDomain.net:636]. Check the URL and verify that an LDAP server is running on this machine. (AbstractLdapContext)
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - An error has occurred while trying to connect to LDAP server on [LDAPS://myDC.ad.myDomain.net:636]. (FilteredDirectorySearch)
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - Check the URL and verify that an LDAP server is running on this machine. Exception:  (FilteredDirectorySearch)
javax.naming.CommunicationException: myDC.ad.myDomain.net:636 [Root exception is java.net.SocketException: Connection reset]
	at com.sun.jndi.ldap.Connection.<init>(Connection.java:224)
	at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136)
	at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1600)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
	at javax.naming.InitialContext.init(InitialContext.java:242)
	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
	at com.checkpoint.uepm.blm.directoryscanner.directoryservice.ldap.AbstractLdapContext.init(AbstractLdapContext.java:76)
	at com.checkpoint.uepm.blm.directoryscanner.directoryservice.ldap.AbstractLdapContext.init(AbstractLdapContext.java:35)
	at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.initContext(FilteredDirectorySearch.java:86)
	at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.getDirectOUsAndContainers(FilteredDirectorySearch.java:295)
	at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.getDirectChilds(DirectoryScannerServiceImpl.java:291)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:76)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:602)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:166)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:82)
	at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:55)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:68)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
	at java.util.concurrent.FutureTask.run(FutureTask.java:166)
	at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:98)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
	at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:98)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:392)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:170)
	at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:142)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:45)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:101)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:780)
Caused by: java.net.SocketException: Connection reset
	at java.net.SocketInputStream.read(SocketInputStream.java:189)
	at java.net.SocketInputStream.read(SocketInputStream.java:121)
	at com.ibm.jsse2.a.a(a.java:204)
	at com.ibm.jsse2.a.a(a.java:110)
	at com.ibm.jsse2.qc.a(qc.java:619)
	at com.ibm.jsse2.qc.h(qc.java:809)
	at com.ibm.jsse2.qc.a(qc.java:106)
	at com.ibm.jsse2.qc.startHandshake(qc.java:586)
	at com.sun.jndi.ldap.Connection.createSocket(Connection.java:379)
	at com.sun.jndi.ldap.Connection.<init>(Connection.java:201)
	... 52 more
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - Throwing exception with error code : NO_CONNECTION_TO_DOMAIN_CONTROLLER (DirectoryScannerServiceImpl)
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 -  (DirectoryScannerServiceImpl)
com.checkpoint.uepm.api.epsbackend.is.EpsBackendException: 
TICKET_NUMBER = 1172162787. 

	at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.handleDirectoryScannerException(DirectoryScannerServiceImpl.java:515)
	at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.getDirectChilds(DirectoryScannerServiceImpl.java:313)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:76)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:602)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:166)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:82)
	at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:55)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:68)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
	at java.util.concurrent.FutureTask.run(FutureTask.java:166)
	at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:98)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
	at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:98)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:392)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:170)
	at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:142)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:45)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:101)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:780)
Caused by: com.checkpoint.directoryServiceUtils.DirectoryScannerServiceException
	at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.initContext(FilteredDirectorySearch.java:137)
	at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.getDirectOUsAndContainers(FilteredDirectorySearch.java:295)
	at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.getDirectChilds(DirectoryScannerServiceImpl.java:291)

 

R80 CCSA / CCSE
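As an added example (not from this thread and not Check Point's own tooling): a small Python parser for the server_messages.log layout quoted above. It pulls the scanner's error code and the innermost "Caused by:" exception out of each entry, because that innermost line is what separates a missing CA in the keystore from a name mismatch or from a handshake that the peer or a device in the path reset. The sample log, the host name dc01.corp.example.com, the shortened stack and the hint table are constructed for the example.

```python
import re

# Constructed excerpt in the layout of $UEPMDIR/logs/server_messages.log quoted above
# (host name and stack depth shortened; not a real capture).
SAMPLE_LOG = """\
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - An error has occurred while trying to connect to LDAP server on [LDAPS://dc01.corp.example.com:636]. (FilteredDirectorySearch)
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - Check the URL and verify that an LDAP server is running on this machine. Exception:  (FilteredDirectorySearch)
javax.naming.CommunicationException: dc01.corp.example.com:636 [Root exception is java.net.SocketException: Connection reset]
\tat com.sun.jndi.ldap.Connection.<init>(Connection.java:224)
\tat javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
Caused by: java.net.SocketException: Connection reset
\tat java.net.SocketInputStream.read(SocketInputStream.java:189)
\tat com.ibm.jsse2.qc.startHandshake(qc.java:586)
\t... 52 more
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - Throwing exception with error code : NO_CONNECTION_TO_DOMAIN_CONTROLLER (DirectoryScannerServiceImpl)
"""

# One timestamped line per entry: "[ts] LEVEL thread - message (Logger)"
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+) (?P<thread>\S+) - (?P<msg>.*?)\s*(?:\((?P<logger>[\w.$]+)\))?$"
)
CAUSED_BY = re.compile(r"^Caused by: (?P<exc>.+)$")
ERROR_CODE = re.compile(r"error code\s*:\s*(?P<code>[A-Z_]+)")

# Substring of the innermost exception -> what to check first (constructed hint table).
HINTS = (
    ("No subject alternative", "name mismatch: the host or IP configured for the scanner is not a SAN in the DC certificate"),
    ("unable to find valid certification path", "trust: the issuing CA chain is not in the JRE cacerts the engine actually loads"),
    ("Connection reset", "handshake aborted by the peer or a device in the path: check the NAT/firewall hop and that the port really serves LDAPS"),
    ("Connection refused", "nothing listening: check the URL, the port and the DC firewall"),
)


def parse_server_messages(text):
    """Split the log into entries, one per timestamped line, each carrying the exception
    printed under it: the top-level exception line and the innermost 'Caused by:'."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = LOG_LINE.match(line)
        if m:
            current = {**m.groupdict(), "exception": None, "root_cause": None}
            code = ERROR_CODE.search(m["msg"])
            current["error_code"] = code["code"] if code else None
            entries.append(current)
        elif current is not None and line and not line[0].isspace():
            # Column-0 lines under an entry are exception headers; indented ones are frames.
            c = CAUSED_BY.match(line)
            if c:
                current["root_cause"] = c["exc"].strip()   # a later 'Caused by' is a deeper cause
            elif current["exception"] is None:
                current["exception"] = line
    return entries


def classify(cause):
    """Map the innermost exception text to the first thing worth checking."""
    for needle, hint in HINTS:
        if cause and needle in cause:
            return hint
    return "no known signature; read the innermost exception"


def connectivity_verdict(text):
    """Pair the scanner's error code with the deepest exception logged before it."""
    last_cause = None
    for e in parse_server_messages(text):
        if e["root_cause"] or e["exception"]:
            last_cause = e["root_cause"] or e["exception"]
        if e["error_code"]:
            return {"ts": e["ts"], "error_code": e["error_code"],
                    "root_cause": last_cause, "hint": classify(last_cause)}
    return None


if __name__ == "__main__":
    print(connectivity_verdict(SAMPLE_LOG))
```

Run it against a real server_messages.log with `connectivity_verdict(open(path).read())`; the point is that NO_CONNECTION_TO_DOMAIN_CONTROLLER is the generic wrapper and only the "Caused by:" line tells the three failure classes apart.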
startoff
Participant

I'm actually working with Checkpoint on this case.

Will have a session with CP tomorrow.

As soon as I have a working solution I'll update this thread.

Daniel_Taney
Advisor

Excellent! Thanks for replying! Anxious to hear what you find. This one has me pretty stumped!

R80 CCSA / CCSE
J_B
Contributor

We had something similar when our DC server certificates auto renewed. 

We followed sk84620 and that sorted the problem for us. 

Daniel_Taney
Advisor

@J_B I have seen these SKs, but had asked our server guys to provide the certificates. Since this fixed your problem, maybe I need to double back with them and make sure they followed the procedure correctly to acquire them.

Thanks!

R80 CCSA / CCSE

Daniel_Taney
Advisor

Glad to hear this resolved your issue! Your circumstances are a little different than mine. So, unfortunately, I don't think this fix applies to me. Was there anywhere else you looked during the troubleshooting session to see additional or more specific errors?

Thanks!

R80 CCSA / CCSE
startoff
Participant

I'm sorry to hear that didn't help in your case.

We looked at the same log as you:

$UEPMDIR/log/server_messages.log

There we saw these two error messages:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address pub.lic.ip.address found

java.security.cert.CertificateException: No subject alternative names matching IP address pub.lic.ip.address found

 

The pub.lic.ip.address is the one where we're doing the NAT to the ADC.

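Added example (not from this thread and not Check Point code) covering both the accepted solution and the two "No subject alternative names matching IP address" errors quoted in this last post: a Python check that applies the same SAN matching rule a Java TLS client applies, so the value typed into the Organization Scanner can be tested against the DC certificate before the scanner is run. The SAN list DC_SANS, the host name dc01.corp.example.com and the address 203.0.113.10 are constructed; fetch_sans is the only part that needs the network and is not used by the offline demonstration.

```python
import ipaddress
import socket
import ssl

# Constructed SAN list standing in for a typical domain-controller certificate:
# host names only, no 'IP Address' entry (the situation described in the thread).
DC_SANS = (("DNS", "dc01.corp.example.com"), ("DNS", "corp.example.com"))


def _as_ip(target):
    """Return an ip_address object if `target` is an IP literal, else None."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None


def _dns_name_matches(pattern, hostname):
    """Compare a DNS SAN entry with a host name (case-insensitive, RFC 6125 style):
    a wildcard is accepted only as the entire leftmost label and covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(target, sans):
    """True if `target` is covered by `sans`, a sequence of (type, value) pairs in the shape
    ssl.SSLSocket.getpeercert()['subjectAltName'] returns. An IP literal can only be satisfied
    by an 'IP Address' entry, never by a DNS entry: that is why configuring the NAT IP in the
    scanner fails against a certificate that carries only host names."""
    ip = _as_ip(target)
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and _as_ip(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, target):
            return True
    return False


def diagnose(target, sans):
    """Return 'ok' or a message in the wording the JDK's host-name checker logs,
    so the result can be compared directly with server_messages.log."""
    if san_matches(target, sans):
        return "ok"
    if _as_ip(target) is not None:
        return f"No subject alternative names matching IP address {target} found"
    return f"No subject alternative DNS name matching {target} found"


def fetch_sans(host, port=636, cafile=None, timeout=5.0):
    """Connect to the LDAPS port and return the server certificate's SAN entries.
    Chain validation stays on (CERT_REQUIRED); only the host-name check is switched off,
    so a name mismatch can be inspected instead of aborting the handshake. Needs network access."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


if __name__ == "__main__":
    # Offline demonstration with the constructed SAN list: the NAT IP fails, the FQDN passes.
    for target in ("203.0.113.10", "dc01.corp.example.com"):
        print(f"{target}: {diagnose(target, DC_SANS)}")
```

For a live check, `diagnose(target, fetch_sans(target, cafile="/path/to/dc-ca-chain.pem"))` with the same value that is configured in the scanner. The accepted solution above satisfies this rule from the configuration side: the scanner keeps the DC's FQDN as its target, so the DNS SAN matches, and the host entry maps that FQDN to the NAT address; reissuing the DC certificate with the public IP as an IP SAN would satisfy the same check from the certificate side.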