This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bernhard_Sayer
Contributor
‎2018-06-05 10:35 AM

Cisco ISE integration into Identity Collector

Hi,

has everyone ever implemented a Cisco ISE into Identity Collector? I could not find any information about the certificate field with required *.jks certificates ....

BR,

Bernhard

0 Kudos
4 Replies
Houssameddine_1
Collaborator
‎2018-06-05 10:52 AM

I think you might contact cisco support to get help on how to generate the jks certificate format  for ISE and the Identity collector. You might check with checkpoint support for internal documentation but they will not support it.

In the meantime you can check the following link

To Use keytool to Create a ServerCertificate (The Java EE 6 Tutorial) 

Thanks

Houssameddine_1
Collaborator
‎2018-06-05 11:17 AM

Please check this link

How To: Deploying Certificates with pxGrid: | Cisco Communities 

lolith
Participant
‎2023-04-18 06:28 AM
In response to Houssameddine_1

Hello,

 

Sorry to ask my query in this old post. But i could only see this one more relevant to my query:

Checkpoint IDC - 81.028.000

Checkpoint PDP and PEP: R80.40

I have integrate IDC with Cisco Pxgrid v2 (Cisco ISE3.1.0.518) and is working quite well for learning the SGT and enforcing the SGT in access policy. The problem is the IDC only learns the ISE logs in bulk and not instantly.

 

The ia_ise_extension.log says the below error:

[3728][0015][2023.04.18 15:16:55.569] GatheringManager::updateSessions: failed to query session 10.xx.xx.xx from ISE rnxx1tc1xxxxx.xxxx-01.net
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.checkpoint.ISE.GatheringManager.PxgridControl.sendRequest(PxgridControl.java:53)
at com.checkpoint.ISE.GatheringManager.PxgridControl.getSessionByIP(PxgridControl.java:167)
at com.checkpoint.ISE.GatheringManager.ISEServerPxgV2.querySessionByIp(ISEServerPxgV2.java:197)
at com.checkpoint.ISE.GatheringManager.GatheringManager.updateSessions(GatheringManager.java:485)
at com.checkpoint.ISE.GatheringManager.GatheringManager.access$000(GatheringManager.java:33)
at com.checkpoint.ISE.GatheringManager.GatheringManager$UpdateSessionDBTimerTask.run(GatheringManager.java:79)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)

 

But every 30 mins or so, it does a bulk import and gets all the machine records:

[3728][0031][2023.04.18 15:16:56.178] GatheringManager::processSession: new event received during bulk download, will exclude 10.xx.xx.xx from further bulk download operations

 

I tried to play around with certificate, but unable to find a solution.

 

I have created the jks cert using this white paper document and as you see, it works partially. Anyone has any idea how to fix this issue to pass on the instant machine authentication records to IDC.

Regards,

Lolith

0 Kudos
lolith
Participant
‎2023-05-03 03:27 AM
In response to lolith

Hello,

The issue got fixed after importing the self signed cert chain into java keystore.

The problem I had was that the pxgrid cert was signed using system and IDC was not trusting the pxgrid cert.

Also the ISE ver 3 with patch 3 was having a bug that everytime you patch/upgrade ISE, the self signed cert also get renewed, which is fixed in patch 4 and above.

 

Conclusion, the IDC and PxGrid 2 works fine with right set of certs in the java keystore.

 

Thanks and Regards,

Lolith

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events