However, on completion the Enforce console does not load.
DLP 15.1, 2 or 3 tier installation on Windows
Tomcat logs (C:\ProgramData\Symantec\Data Loss Prevention\Enforce Server\15.1\logs\tomcat) show:
WARNING [com.vontu.util.jdbc.JDBCTestConnection] Cannot connect to database
java.sql.SQLRecoverableException: IO Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The documentation version referenced above does not have the correct path for keytool.exe.
If you run the command as written in the documentation from the bin folder where keytool.exe actually is, and provide the correct, adjusted path to the certs.txt file, you will add your certificate to a second keystore called ‘cacerts’ (because the command automatically creates a keystore if none is present) instead of adding it to the ‘real’ cacerts keystore, which is the one referenced by the JDBC connector.
Verify that this situation applies to you by:
Searching on the Enforce Server in folder: C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\ for ‘cacerts’
You will probably see 2 matches:
One will be in C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\lib\security\ - which is the correct location
Another will be in C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\bin\ - which is the wrong location.
You will see that the one in the security folder is much larger because it contains all the default certificates, whereas the one in the bin directory will be just 1KB as it only contains the wrongly imported Oracle certificate.
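The check above can be scripted. The following PowerShell is an added example, not part of the original article or the product documentation; it assumes the JRE path and the oracleservercert alias used in this article and the default keystore password, and it can be re-run after the import to confirm the alias is in lib\security\cacerts.

```powershell
# Added example: list every 'cacerts' file under the DLP Server JRE and report
# which of them contains the imported Oracle certificate alias.
# Assumptions: JRE path and alias as used in this article; default password.
$jreRoot   = 'C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162'
$alias     = 'oracleservercert'
$storePass = 'changeit'
$keytool   = Join-Path $jreRoot 'bin\keytool.exe'
$expected  = Join-Path $jreRoot 'lib\security\cacerts'

if (-not (Test-Path -LiteralPath $keytool)) {
    throw "keytool.exe not found at $keytool; adjust `$jreRoot for your install."
}

$results = Get-ChildItem -LiteralPath $jreRoot -Recurse -File -Filter 'cacerts' |
    ForEach-Object {
        # keytool exits non-zero when the alias is absent or the password is wrong.
        & $keytool -list -alias $alias -keystore $_.FullName -storepass $storePass *> $null
        [pscustomobject]@{
            Path         = $_.FullName
            SizeKB       = [math]::Round($_.Length / 1KB, 1)
            HasAlias     = ($LASTEXITCODE -eq 0)
            IsJreDefault = ($_.FullName -eq $expected)   # -eq is case-insensitive
        }
    }

$results | Format-Table -AutoSize

# The keystore the JDBC connector reads must contain the alias.
$good = $results | Where-Object { $_.IsJreDefault -and $_.HasAlias }
if (-not $good) {
    Write-Warning "'$alias' was not found in $expected (or the store password is not the default)."
}

# Any other 'cacerts' file is a stray, most likely created by an import
# that was run without the full -keystore path.
foreach ($s in ($results | Where-Object { -not $_.IsJreDefault })) {
    Write-Warning "Stray keystore: $($s.Path) ($($s.SizeKB) KB, HasAlias=$($s.HasAlias))"
}
```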
1. Run the two commands below on your Enforce Server to import the certificate into the correct keystore:
cd "C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\bin\"
keytool.exe -import -alias oracleservercert -keystore "C:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\lib\security\cacerts" -file <Your Path To cert.txt>
Note: When you are prompted for the keystore password, it will probably be ‘changeit’, which is the default password.
2. Stop the services:
Symantec DLP Incident Persister
Symantec DLP Detection Server Controller
Symantec DLP Manager
Symantec DLP Notifier
3. Start the DLP services in the reverse order to step 2
4. Wait for a few minutes then open the Enforce Console – you should be connected.