000032664 - Network controller stopped getting new usermaps after using Secure LDAP (LDAPS) with RSA DLP

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032664
Applies To:
RSA Product Set: DLP
RSA Product/Service Type: Network
RSA Version/Condition: 9.6 SP2
Platform: Centos
 
Issue: Network controller stopped getting new usermaps after enabling LDAPS
You receive an alert (notification email or syslog) that the usermaps on the network devices are no longer being updated:
The RSA DLP system has encountered an unexpected error that may require immediate attention.
 
Hostname: sensor.example.com
Component: NW sensor
Type: NW_025
Timestamp: Mar 01 01:07:35
Description: LDAP based user record cache /opt/tablus/sensor/db/ldap/usermap/dc.example.com_usermap.umap has not been refreshed within expiry interval (default 7 days). Policy evaluation will continue to use existing cache. Please ensure Controller can communicate with LDAP server and publish new cache.
Resolution:
1. Import the public certificate of the CA that signed the domain controller's server certificate.
  a. Obtain the CA certificate from the domain controller administrators.
  b. Upload the certificate to the network controller under /home/tablus (using any SFTP client, e.g. WinSCP).
2. Use the openssl tool to convert the certificate from DER to PEM format. If the file already starts with -----BEGIN CERTIFICATE----- it is PEM (Windows exports it as "Base-64 encoded X.509" even with a .cer extension), and this step can be skipped.
openssl x509 -inform der -in <inputcertificate.cer> -out <outputcertificate.pem>
e.g.
[tablus@nc ~]$  openssl x509 -inform der -in ddd.cer -out cert.pem

3. Copy the above pem file to /opt/tablus/config/ldap/certs/ directory
[tablus@nc ~]$ cp /home/tablus/cert.pem /opt/tablus/config/ldap/certs/

4. Restart ldapresolver service
[tablus@nc ~]$ moncmd restart ldapresolver
Process ldapresolver will be restarted

5. Monitor for newly created usermaps by checking the timestamps under /opt/tablus/controller/db/ldap/usermap/. The alert fires when a .umap file has not been refreshed within the expiry interval (default 7 days), so a fresh timestamp confirms the controller can reach the LDAP server again.
[tablus@nc security]# cd /opt/tablus/controller/db/ldap/usermap/
[tablus@nc usermap]# ll
total 20
-rw-rw-rw- 1 tablus tablus 4099 Mar  2 06:16 dc.example.com_usermap.umap
-rw-rw-rw- 1 tablus tablus 4099 Mar  2 06:16 dc.example.com_usermap.umap.backup
-rw-rw-rw- 1 tablus tablus  583 Mar  2 06:16 dc.example.com_usermap.umap.log

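The following shell helpers wrap steps 1 to 5 above into checks a practitioner would run before and after the restart. They are an added example, not part of the RSA article and not RSA code. They assume a CentOS controller with openssl(1) in PATH and use the article's own paths; the domain controller hostname, the CA file name and the usermap directory are parameters. The chain check connects to port 636, which is the standard LDAPS port and an assumption here.

```shell
#!/bin/sh
# Added example (not from the RSA article). Assumes openssl(1) is available.
CERT_DIR=/opt/tablus/config/ldap/certs
USERMAP_DIR=/opt/tablus/controller/db/ldap/usermap

# Report whether a certificate file is "pem", "der" or "unknown".
# PEM carries the textual BEGIN CERTIFICATE armour; DER starts with an ASN.1
# SEQUENCE tag (0x30). Check the content, not the .cer/.pem extension.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Step 2: write a PEM copy of $1 to $2, converting only when the input is DER.
to_pem() {
    case "$(cert_format "$1")" in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -inform der -in "$1" -out "$2" ;;
        *)   echo "to_pem: $1 is neither PEM nor DER" >&2; return 1 ;;
    esac
}

# The controller needs the issuing CA, not the domain controller's own server
# certificate. CA:TRUE in Basic Constraints is the quick sanity check.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Steps 1-4: install the CA under the certs directory, then restart ldapresolver.
install_ldap_ca() {
    src=$1
    dest="$CERT_DIR/$(basename "${src%.*}").pem"
    to_pem "$src" "$dest" || return 1
    if ! is_ca_cert "$dest"; then
        echo "warning: $dest does not carry CA:TRUE; is this the issuing CA?" >&2
    fi
    moncmd restart ldapresolver
}

# Confirm the CA actually validates the LDAPS endpoint before relying on it.
# -verify_return_error makes a chain failure abort the handshake, so the
# pipeline exits non-zero instead of printing a cert that did not verify.
# The subject printed on success is what the LDAP hostname configured in
# Enterprise Manager has to match (see Workaround).
verify_ldaps_chain() {
    host=$1 ca=$2
    openssl s_client -connect "$host:636" -CAfile "$ca" -verify_return_error \
        </dev/null 2>/dev/null | openssl x509 -noout -subject
}

# Step 5 / alert NW_025: list usermap caches older than the expiry interval
# (default 7 days). Empty output means every cache has been refreshed.
stale_usermaps() {
    dir=${1:-$USERMAP_DIR} days=${2:-7}
    find "$dir" -name '*.umap' -mtime +"$days"
}
```

Typical use on the controller: `install_ldap_ca /home/tablus/cert.pem`, then `verify_ldaps_chain dc.example.com /opt/tablus/config/ldap/certs/cert.pem`, and after the next refresh `stale_usermaps` should print nothing.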

 
Workaround:
The network controller performs strict validation of the LDAP server certificate, so the LDAP server hostname must match the CN in the server certificate.
This means the LDAP server has to be configured by FQDN, not by IP address, on the Enterprise Manager LDAP configuration page.
If you must configure the LDAP server by IP rather than FQDN, you can disable certificate checking on the network controller as a workaround. Note that with validation disabled the controller accepts any certificate presented on the LDAPS port, which removes the protection TLS gives the LDAP bind and directory traffic against interception; prefer fixing the hostname and treat this setting as temporary:
 
[tablus@nc ~]$ cd /opt/tablus/config/
[tablus@nc config]$ vi nwsystemconfig.xml
.
.
.
<validatecertificate type="boolean">false</validatecertificate>
.
(change the validatecertificate setting from true to false)
.

Restart ldapresolver service
[tablus@nc ~]$ moncmd restart ldapresolver
Process ldapresolver will be restarted
Notes:
This article assumes that you have already enabled Secure LDAP (LDAPS) between the RSA Data Loss Prevention Enterprise Manager server and the LDAP server.
If not, refer to the article entitled Enabling Secure LDAP (LDAPS) between an RSA Data Loss Prevention Enterprise Manager server and an LDAP server.
