Hi all
I ran into problems while setting up the Active Directory scanner with LDAPS enabled on a freshly installed R80.40 server.
The only error message I got is: unable to establish a connection to the domain controller
I've imported the certificates to keystore and restarted the needed services.
With 'bin/keytool -list -keystore lib/security/cacerts certificate.cer -storepass password' I can see the certificate listed. I also installed the intermediate cert.
Because I wasn't sure where to install the certs, I've put them in both stores:
- $CPDIR/jre_32
- $CPDIR/jre_64
From the CLI on the CP management server a 'telnet ip.add.re.ss 636' to the Active Directory domain controller is successful.
Another thing I've tried is to change the settings in file
$UEPMDIR/engine/conf/ldap.utils.properties
from use.ssl=false to use.ssl=true
This didn't help either.
I then tried the AD sync with LDAP. This was successful.
So it must have something to do with LDAPS. How can I troubleshoot this further?
Thanks for a hint...
So, had a call with Checkpoint this morning and we could resolve the issue!
To explain why the error happened, a short note about our setup.
Our endpoint protection will reach the AD Domain Controller through a public IP on another FW and there we're doing a NAT to the DC.
On the endpoint protection server in the Organization scanner I entered the public IP, not a hostname. Therefore we saw an error in the log on the EP about the public IP not being a SAN inside the certificate we installed on the EP server.
I then added a host definition inside clish on the EP server:
add host name fqdn.from.domaincontroller ipv4-address pub.lic.ip.address
The pub.lic.ip.address is the IP address on the firewall where we're doing the NAT.
After that, I had to enter the hostname instead of the public IP address in the Organization Scanner settings.
I'm actually having this same problem with an even older version of Endpoint Security. Did you ever find a solution? I've performed all the same steps you mentioned and get the same generic error.
I also haven't figured out whether there is another log file besides $UEPMDIR/logs/Authentication.log that may contain a hint as to the cause of the problem. There isn't anything relevant in that file for me.
It looks like there is more information logged in /opt/CPuepm-R77/logsserver_messages.log
I also made sure intermediate certs were imported to the keychain. Unfortunately, this doesn't do a whole lot to help me because I know my information is correct in terms of the LDAP path, server name, ports, etc.
Telnet also works for me.
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - An error has occurred while trying to connect to LDAP server on [LDAPS://myDC.ad.myDomain.net:636]. Check the URL and verify that an LDAP server is running on this machine. (AbstractLdapContext)
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - An error has occurred while trying to connect to LDAP server on [LDAPS://myDC.ad.myDomain.net:636]. (FilteredDirectorySearch)
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - Check the URL and verify that an LDAP server is running on this machine. Exception: (FilteredDirectorySearch)
javax.naming.CommunicationException: myDC.ad.myDomain.net:636 [Root exception is java.net.SocketException: Connection reset]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:224)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1600)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2698)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
at com.checkpoint.uepm.blm.directoryscanner.directoryservice.ldap.AbstractLdapContext.init(AbstractLdapContext.java:76)
at com.checkpoint.uepm.blm.directoryscanner.directoryservice.ldap.AbstractLdapContext.init(AbstractLdapContext.java:35)
at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.initContext(FilteredDirectorySearch.java:86)
at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.getDirectOUsAndContainers(FilteredDirectorySearch.java:295)
at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.getDirectChilds(DirectoryScannerServiceImpl.java:291)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:76)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:602)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:166)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:82)
at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:55)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:68)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:98)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:98)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:392)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:170)
at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:142)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:45)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:101)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:780)
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:189)
at java.net.SocketInputStream.read(SocketInputStream.java:121)
at com.ibm.jsse2.a.a(a.java:204)
at com.ibm.jsse2.a.a(a.java:110)
at com.ibm.jsse2.qc.a(qc.java:619)
at com.ibm.jsse2.qc.h(qc.java:809)
at com.ibm.jsse2.qc.a(qc.java:106)
at com.ibm.jsse2.qc.startHandshake(qc.java:586)
at com.sun.jndi.ldap.Connection.createSocket(Connection.java:379)
at com.sun.jndi.ldap.Connection.<init>(Connection.java:201)
... 52 more
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - Throwing exception with error code : NO_CONNECTION_TO_DOMAIN_CONTROLLER (DirectoryScannerServiceImpl)
[2020-03-09 10:19:56,390] ERROR Dispatcher-Thread-10 - (DirectoryScannerServiceImpl)
com.checkpoint.uepm.api.epsbackend.is.EpsBackendException:
TICKET_NUMBER = 1172162787.
at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.handleDirectoryScannerException(DirectoryScannerServiceImpl.java:515)
at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.getDirectChilds(DirectoryScannerServiceImpl.java:313)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:76)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:602)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:166)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:82)
at org.apache.cxf.jaxws.JAXWSMethodInvoker.invoke(JAXWSMethodInvoker.java:55)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:68)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:98)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:104)
at org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestination.java:98)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:392)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:170)
at org.apache.cxf.transport.servlet.AbstractCXFServlet.invoke(AbstractCXFServlet.java:142)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:45)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:101)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:780)
Caused by: com.checkpoint.directoryServiceUtils.DirectoryScannerServiceException
at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.initContext(FilteredDirectorySearch.java:137)
at com.checkpoint.directoryServiceUtils.FilteredDirectorySearch.getDirectOUsAndContainers(FilteredDirectorySearch.java:295)
at com.checkpoint.uepm.ws.directoryscannerservice.v1.DirectoryScannerServiceImpl.getDirectChilds(DirectoryScannerServiceImpl.java:291)
I'm actually working with Checkpoint on this case.
Will have a session with CP tomorrow.
As soon as I have a working solution I'll update this thread.
Excellent! Thanks for replying! Anxious to hear what you find. This one has me pretty stumped!
We had something similar when our DC server certificates auto renewed.
We followed sk84620 and that sorted the problem for us.
@J_B I have seen these SKs, but had asked our server guys to provide the certificates. Since this fixed your problem, maybe I need to double back with them and make sure they followed the procedure correctly to acquire them.
Thanks!
Glad to hear this resolved your issue! Your circumstances are a little different than mine. So, unfortunately, I don't think this fix applies to me. Was there anywhere else you looked during the troubleshooting session to see additional or more specific errors?
Thanks!
I'm sorry to hear that didn't help in your case.
We looked at the same log as you:
$UEPMDIR/log/server_messages.log
There we saw these two error messages:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address pub.lic.ip.address found
java.security.cert.CertificateException: No subject alternative names matching IP address pub.lic.ip.address found
The pub.lic.ip.address is the one where we're doing the NAT to the ADC.
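As an added example (not code from this thread or from Check Point), a small Python diagnostic that reproduces the check the scanner's Java TLS layer performs before the "No subject alternative names matching IP address" error: an IP literal entered as the scanner target must match an IP SAN entry, a hostname must match a DNS SAN entry, and the subject CN is not consulted. The certificate dict and the 203.0.113.10 address are constructed sample data; fetch_peer_cert() is a live helper for pulling the real DC certificate from port 636.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a DC certificate whose SAN lists only DNS names and no IP entry, as in the thread.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "myDC.ad.myDomain.net"),),),
    "subjectAltName": (("DNS", "myDC.ad.myDomain.net"), ("DNS", "ad.myDomain.net")),
}


def _as_ip(target):
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None


def san_matches(target, cert):
    """Endpoint identification the way JSSE does it: an IP literal must equal an
    'IP Address' SAN, a hostname must equal a 'DNS' SAN (single-label wildcard
    allowed). The subject CN is deliberately ignored."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(target)
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    host = target.lower().rstrip(".")
    for kind, value in sans:
        pattern = value.lower().rstrip(".")
        if kind != "DNS":
            continue
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def diagnose(target, cert):
    """Return 'ok' or an explanation mirroring the scanner's log line, with the
    fix from the thread: configure the DNS name and map it to the (NAT) IP."""
    if san_matches(target, cert):
        return "ok"
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if _as_ip(target) is not None:
        return (f"No subject alternative names matching IP address {target} found; "
                f"enter one of {dns_names} as the scanner target and add a host entry "
                f"mapping that name to {target}")
    return f"hostname {target} is not in the certificate SANs {dns_names}"


def fetch_peer_cert(host, port=636, cafile=None):
    """Live check (not run by the test): fetch the DC certificate from the LDAPS
    port; chain validation stays on, only name matching is deferred to diagnose()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run diagnose(target, fetch_peer_cert(target, cafile=path_to_exported_ca)) with the exact value entered in the Organization Scanner to see the mismatch before the scanner logs it.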