How Endpoint Protection uses encryption and certificates

Article ID: 158445

Products

Endpoint Protection

Issue/Introduction

How does a Symantec Endpoint Protection Manager (SEPM) use encryption and certificates to secure communications between itself, other managers and its clients? What types of encryption are used?

Resolution

About the Server Certificates

Each SEPM server generates its own self-signed certificate during its initial Management Server Configuration Wizard (MSCW) run. The certificate carries a 2048-bit RSA key pair and is signed with SHA-256 (signature algorithm sha256RSA). The same certificate and private key are stored in two locations and two formats on the SEPM file system:

  • In a Java KeyStore (JKS) file: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks
  • As separate Privacy Enhanced Mail (PEM) files: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.crt (the certificate) and C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.key (the private key)

Both copies contain the private key, so file system access to keystore.jks, server.key and the directories that hold them should be restricted to the SEPM service and administrators.

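The following PowerShell script is an added example and is not part of the KB article or of the SEPM product. It confirms on the SEPM host that keystore.jks and server.crt hold the same certificate, and that the certificate is a 2048-bit RSA key signed with SHA-256 as the article states. It assumes a keytool.exe location under the SEPM install directory (the article does not give one; adjust $KeyTool to wherever your JRE lives) and that you know the keystore password.

```powershell
# Added example, not part of the KB article: compare the JKS and PEM copies of the
# SEPM server certificate and check key size and signature algorithm.
# Assumptions (not stated in the article): keytool.exe is at $KeyTool, and the keystore
# password is known to you.

$SepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
$KeyTool  = Join-Path $SepmRoot 'jre\bin\keytool.exe'   # assumption: adjust to your keytool path
$KeyStore = Join-Path $SepmRoot 'tomcat\etc\keystore.jks'
$PemCert  = Join-Path $SepmRoot 'apache\conf\ssl\server.crt'

# 1. Inspect the PEM copy. The X509Certificate2 constructor reads Base64 PEM with headers.
$pem = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PemCert
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($pem)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$pemFingerprint = ($sha256.ComputeHash($pem.RawData) | ForEach-Object { $_.ToString('X2') }) -join ':'

"PEM subject       : $($pem.Subject)"
"PEM signature alg : $($pem.SignatureAlgorithm.FriendlyName)"   # expect sha256RSA
"PEM RSA key size  : $($rsa.KeySize)"                            # expect 2048
"PEM not after     : $($pem.NotAfter)"
"PEM SHA-256       : $pemFingerprint"

# 2. List the JKS copy. keytool prints a 'SHA256:' fingerprint line for each entry.
#    The password is handed over via an environment variable (-storepass:env) so that it
#    does not appear on the keytool command line.
$env:SEPM_STOREPASS = Read-Host -Prompt 'Keystore password'
$jksFingerprints = & $KeyTool -list -v -keystore $KeyStore '-storepass:env' SEPM_STOREPASS 2>&1 |
    ForEach-Object { if ("$_" -match '^\s*SHA256:\s*([0-9A-F:]+)') { $Matches[1] } }
Remove-Item Env:\SEPM_STOREPASS

"JKS SHA-256       : $($jksFingerprints -join ', ')"

# 3. Compare. If the copies differ, one of them was replaced without the other, and the
#    TLS listeners (server.crt/server.key) and the policy-signing key (keystore.jks)
#    no longer belong to the same certificate.
if ($jksFingerprints -contains $pemFingerprint) {
    'OK: keystore.jks and server.crt contain the same certificate.'
} else {
    Write-Warning 'MISMATCH: keystore.jks and server.crt do not contain the same certificate.'
}
```

Run it in an elevated PowerShell prompt on the SEPM host. Any entry whose fingerprint is not the server.crt fingerprint is worth examining with keytool -list -v directly, since the JKS may legitimately contain more than one entry.
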
Secure Communications

Client to Manager Communications

Client-to-manager communications are handled by the SEPM Apache server. By default, Apache listens on TCP port 443 for TLS-encrypted HTTPS connections and on TCP port 8014 for unencrypted HTTP connections; traffic on port 8014 is not protected by TLS.

As of SEPM 14, newly installed managers accept HTTPS connections by default. Managers installed as 12.1, or migrated from 12.1 to 14, are not configured for HTTPS by default; to have the SEPM Apache server accept TLS-encrypted HTTPS connections, follow the steps in Enable HTTPS client-server communications.

Manager to Manager Communications

Managers communicate with other managers through the SEPM Tomcat server on port 8443/HTTPS. The connection is secured with the server.crt and server.key files in C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl.

Console to Manager Communications

You can access the SEPM either through the local or remote Java console or through the Web console. The Java console binaries are digitally signed with a Symantec code-signing certificate, so their integrity can be verified before they run. The Web console is served by the SEPM Tomcat server and is accessed on port 8443/HTTPS.

Reporting Server Communications

The SEPM Apache server hosts the Reporting Server site on port 8445/HTTPS. The same site supplies the data shown in the Home, Monitors and Reports tabs of the SEPM console.

Web Services Communications

The SEPM Tomcat server hosts the Web Services site over port 8446/HTTPS.

Ports, protocols, configuration files, and certificates used for SEPM communications

Client-Manager communications (secars and secreg)
  Port/Protocol: 443/HTTPS
  Server technology: Apache
  Configuration file: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\sslForClients.conf
  Certificate files: server.crt, server.key

Manager-Manager and Console-Manager communications
  Port/Protocol: 8443/HTTPS
  Server technology: Tomcat
  Configuration file: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml
  Certificate files: server.crt, server.key

Reporting Server
  Port/Protocol: 8445/HTTPS
  Server technology: Apache
  Configuration file: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\ssl.conf
  Certificate files: server.crt, server.key

Web Services
  Port/Protocol: 8446/HTTPS
  Server technology: Tomcat
  Configuration file: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\instances\sepm-api\conf\server.xml
  Certificate files: server.crt, server.key

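The following PowerShell script is an added example and is not part of the KB article or of the SEPM product. It performs a TLS handshake with each HTTPS listener in the table above, records the protocol that was negotiated, and checks that every listener presents the certificate in server.crt; it then checks whether the unencrypted port 8014 is still open. It assumes the SEPM host name in $Server (a placeholder you must replace) and the default install path from the article.

```powershell
# Added example, not part of the KB article: verify which certificate each SEPM listener
# presents and whether the plain-HTTP client port is still reachable.
# Assumptions (not stated in the article): $Server is your SEPM host name; server.crt is
# readable at the article's default path from where this runs.

$Server   = 'sepm.example.internal'   # assumption: replace with your SEPM host name
$SepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
$Expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    (Join-Path $SepmRoot 'apache\conf\ssl\server.crt')

# Listeners and purposes as listed in the article's table.
$Listeners = @(
    @{ Port = 443;  Purpose = 'Client-Manager (Apache, secars and secreg)' }
    @{ Port = 8443; Purpose = 'Manager-Manager and Console-Manager (Tomcat)' }
    @{ Port = 8445; Purpose = 'Reporting Server (Apache)' }
    @{ Port = 8446; Purpose = 'Web Services (Tomcat)' }
)

function Get-TlsCertificate {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # The validation callback returns $true because a self-signed certificate would
        # otherwise fail chain validation; we collect the certificate and compare it ourselves.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        [pscustomobject]@{ Protocol = $ssl.SslProtocol; Certificate = $cert }
    } finally {
        $tcp.Close()
    }
}

foreach ($l in $Listeners) {
    try {
        $r = Get-TlsCertificate -HostName $Server -Port $l.Port
        if ($r.Certificate.Thumbprint -eq $Expected.Thumbprint) {
            $status = 'certificate matches server.crt'
        } else {
            $status = 'DIFFERENT certificate, thumbprint ' + $r.Certificate.Thumbprint
        }
        '{0,5}  {1,-6}  {2,-60}  {3}' -f $l.Port, $r.Protocol, $status, $l.Purpose
    } catch {
        '{0,5}  no TLS handshake: {1}' -f $l.Port, $_.Exception.Message
    }
}

# Port 8014 is plain HTTP by design. If it is still listening, any client that has not
# been moved to HTTPS is talking to the manager in the clear.
$http = Test-NetConnection -ComputerName $Server -Port 8014 -WarningAction SilentlyContinue
' 8014  HTTP    listening: {0}  (unencrypted client-manager port)' -f $http.TcpTestSucceeded
```

A listener that reports a different thumbprint than server.crt, or that refuses a TLS 1.2 handshake, is the one to investigate: the article's table expects all four to be backed by the same server.crt and server.key. Port 8014 answering is expected on a manager that still serves HTTP clients, but it is the port to close once every client has been moved to HTTPS.
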

Client Policy Signing

Managers digitally sign the policy files they host with the private key held in keystore.jks. Clients verify the signature on each policy against the manager certificate (and thus its public key) recorded in their sylink.xml file; a policy whose signature does not verify against that certificate is not accepted as coming from that manager.

Client Policy Encryption

Managers encrypt policies and content with the Twofish algorithm, using a pre-shared key that is created with the first SEPM in the site. This pre-shared password is independent of the server certificate: it is not changed when a new certificate is imported into the SEPM through the Manage Server Certificate wizard. Clients decrypt the content with the kcs value in their sylink.xml file. Because that value is the same for every client in the site, sylink.xml should be treated as sensitive and not distributed more widely than necessary.