Hello,
Sorry to ask my query in here. But I could only see this one more relevant to my query:
Checkpoint IDC - 81.028.000
Checkpoint PDP and PEP: R80.40
I have integrate IDC with Cisco Pxgrid v2 (Cisco ISE3.1.0.518) and is working quite well for learning the SGT and enforcing the SGT in access policy. The problem is the IDC only learns the ISE logs when it imports it in bulk and not instantly when new authentoication happens on ISE. Which makes the user access fail as it does not match any SGT rules and create issues.
The ia_ise_extension.log says the below error:
[3728][0015][2023.04.18 15:16:55.569] GatheringManager::updateSessions: failed to query session 10.xx.xx.xx from ISE rnxx1tc1xxxxx.xxxx-01.net
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.checkpoint.ISE.GatheringManager.PxgridControl.sendRequest(PxgridControl.java:53)
at com.checkpoint.ISE.GatheringManager.PxgridControl.getSessionByIP(PxgridControl.java:167)
at com.checkpoint.ISE.GatheringManager.ISEServerPxgV2.querySessionByIp(ISEServerPxgV2.java:197)
at com.checkpoint.ISE.GatheringManager.GatheringManager.updateSessions(GatheringManager.java:485)
at com.checkpoint.ISE.GatheringManager.GatheringManager.access$000(GatheringManager.java:33)
at com.checkpoint.ISE.GatheringManager.GatheringManager$UpdateSessionDBTimerTask.run(GatheringManager.java:79)
at java.util.TimerThread.mainLoop(Unknown Source)
at java.util.TimerThread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
But every 30 mins or so, it does a bulk import and gets all the machine records:
[3728][0031][2023.04.18 15:16:56.178] GatheringManager::processSession: new event received during bulk download, will exclude 10.xx.xx.xx from further bulk download operations
I tried to play around with certificate, but unable to find a solution.
I have created the jks cert using this white paper document and as you see, it works partially. Anyone has any idea how to fix this issue to get the instant machine authentication records on IDC.
Regards,
Lolith