Network controller stopped getting new usermaps after using Secure LDAP (LDAPS) with RSA DLP
Originally Published: 2016-03-02
Applies To
RSA Product/Service Type: Network
RSA Version/Condition: 9.6 SP2
Platform: Centos
Issue
You receive an alert (notification email or syslog) that the usermaps are not being updated on the network devices, for example:
The RSA DLP system has encountered an unexpected error that may require immediate attention.
Hostname: sensor.example.com
Component: NW sensor
Type: NW_025
Timestamp: Mar 01 01:07:35
Description: LDAP based user record cache /opt/tablus/sensor/db/ldap/usermap/dc.example.com_usermap.umap has not been refreshed within expiry interval (default 7 days). Policy evaluation will continue to use existing cache. Please ensure Controller can communicate with LDAP server and publish new cache.
Resolution
1. Obtain and upload the CA certificate:
   a. Get the CA certificate from the domain controller admins.
   b. Upload the certificate to the Network Controller under /home/tablus (using any SFTP client, e.g. WinSCP).
2. Use the openssl tool to convert the certificate from DER to PEM format:
   openssl x509 -inform der -in <inputcertificate.cer> -out <outputcertificate.pem>
   e.g.
   [tablus@nc ~]$ openssl x509 -inform der -in ddd.cer -out cert.pem
3. Copy the above PEM file to the /opt/tablus/config/ldap/certs/ directory:
   [tablus@nc ~]$ cp /home/tablus/cert.pem /opt/tablus/config/ldap/certs/
4. Restart the ldapresolver service:
   [tablus@nc ~]$ moncmd restart ldapresolver
   Process ldapresolver will be restarted
5. Monitor the new usermaps being created by checking the timestamps under /opt/tablus/controller/db/ldap/usermap:
   [tablus@nc security]# cd /opt/tablus/controller/db/ldap/usermap/
   [tablus@nc usermap]# ll
   total 20
   -rw-rw-rw- 1 tablus tablus 4099 Mar 2 06:16 dc.example.com_usermap.umap
   -rw-rw-rw- 1 tablus tablus 4099 Mar 2 06:16 dc.example.com_usermap.umap.backup
   -rw-rw-rw- 1 tablus tablus  583 Mar 2 06:16 dc.example.com_usermap.umap.log
Workaround
Certificate validation requires the LDAP server to be configured using its FQDN in the EM LDAP configuration page.
If you need to configure the LDAP server using its IP address and not the FQDN, as a workaround you can disable certificate checking on the Network Controller as follows:
[tablus@nc ~]$ cd /opt/tablus/config/
[tablus@nc config]$ vi nwsystemconfig.xml
. . .
<validatecertificate type="boolean">false</validatecertificate>   <-- change the setting validatecertificate from true to false
. . .
Then restart the ldapresolver service:
[tablus@nc ~]$ moncmd restart ldapresolver
Process ldapresolver will be restarted
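The following helper script is an added example, not part of the RSA article or the DLP product; it covers the resolution steps (DER-to-PEM conversion, usermap freshness) and the workaround above (reading the validatecertificate setting, since a controller left at "false" no longer verifies the LDAPS server certificate). Paths and the 7-day expiry are taken from the article; the file contents used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the RSA article or product: helper checks for the
# procedure above. Paths and the 7-day expiry come from the article; the
# certificates and config file used when testing are constructed.

# Convert a CA certificate to PEM. Accepts DER (the .cer from the DC admins)
# or a file that is already PEM, which is copied unchanged.
# $1 = input certificate, $2 = output .pem path; returns openssl's status
to_pem() {
  if openssl x509 -inform pem -in "$1" -noout 2>/dev/null; then
    cp "$1" "$2"
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
}

# Print every usermap in $1 not refreshed within $2 days (the NW_025 condition).
# find -mtime +N matches files whose age exceeds N whole days.
stale_usermaps() {
  find "$1" -maxdepth 1 -name '*.umap' -mtime +"$2"
}

# Return 0 when no usermap in $1 is older than $2 days, 1 otherwise.
usermaps_fresh() {
  [ -z "$(stale_usermaps "$1" "$2")" ]
}

# Print the value of <validatecertificate> in nwsystemconfig.xml ($1).
# "false" means the workaround is in place: the controller no longer verifies
# the LDAPS server certificate, so it should be set back to "true" once the
# CA certificate is installed and the server is configured by FQDN.
validatecertificate_setting() {
  sed -n 's|.*<validatecertificate[^>]*>\([^<]*\)</validatecertificate>.*|\1|p' "$1" | head -n 1
}

# Stand-alone run against the controller's real paths (from the article).
if [ "${1:-}" = "--check" ]; then
  usermaps_fresh /opt/tablus/controller/db/ldap/usermap 7 \
    && echo "usermaps fresh" \
    || { echo "stale usermaps:"; stale_usermaps /opt/tablus/controller/db/ldap/usermap 7; }
  echo "validatecertificate=$(validatecertificate_setting /opt/tablus/config/nwsystemconfig.xml)"
fi
```

Run it with --check on the Network Controller after step 5 to confirm the usermaps are being refreshed and that certificate validation is still enabled.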
Notes
If LDAPS has not yet been enabled between the Enterprise Manager and the LDAP server, please refer to the article entitled Enabling Secure LDAP (LDAPS) between an RSA Data Loss Prevention Enterprise Manager server and an LDAP server.