Upgrading lookup plugins for Data Loss Prevention version 11.6 FIPS-enabled systems

Article ID: 159974

Products

Data Loss Prevention Enforce

Issue/Introduction

On a FIPS-enabled Data Loss Prevention system, an upgrade of the Enforce Server to version 11.6 may fail to upgrade lookup plugins. If this is the case, the system displays the following error message: "INFO: IN PROCESS: Unable to ignite keys, cannot upgrade lookup plugins: KeyIgnition failed. Your lookup plugins may require manual configuration after the upgrade."

Resolution

Follow these steps to manually upgrade one or more lookup plugins to a version 11.6 FIPS-enabled Enforce Server. The process for manually upgrading each type of lookup plugin involves copying property values from a file stored on the Enforce Server to corresponding plugin fields in the Enforce Server administration console. Separate steps are provided for each type of lookup plugin: CSV, LDAP, Script, and Data Insight.

CSV Lookup Plugin Upgrade Steps

1. Open a copy of the CSV Lookup Plugin properties file.

This file is located at \SymantecDLP\Protect\config\CsvLookup.properties. You copy and paste the values from this file into the Enforce Server administration console to upgrade the CSV plugin.

2. Log on to the Enforce Server administration console using the System Administrator credentials.

3. Navigate to the System > Lookup Plugins screen.

4. Select New Plugin > CSV from the drop-down menu.

5. Enter a name and description for the plugin.

6. Select the Delimiter.

Select the Delimiter from the drop-down list based on the value of the property delimiter in the file CsvLookup.properties.

For example, select the pipe delimiter if the property is delimiter = |.

7. Select the character set.

Select the character set for the plugin from the File encoding drop-down list based on the value of the property csv_file_charset in the CsvLookup.properties file.

For example, select UTF-8 from the menu if the property value is as follows: csv_file_charset = UTF-8

8. Enter the attribute mapping.

From the CsvLookup.properties file, locate all the properties with prefixes "attr." and "keys" and copy these properties to the attribute mapping text field.

For example, if the properties are as follows:

attr.sender-email = sender-email-key and keys = sender-email-key:incident-id-key

Then copy these values to the attribute mapping field as follows:

attr.sender-email = sender-email-key
keys = sender-email-key:incident-id-key

9. Click Save and verify that the system reports a successful save message.

10. Enable and test the plugin. See the Symantec Data Loss Prevention 11.6 Administration Guide for details.

LDAP Lookup Plugin Upgrade Steps

1. Open a copy of the LDAP Lookup Plugin properties file.

The file is located in the directory \SymantecDLP\Protect\config\LiveLdapLookup.properties. You copy/paste the values from this file to the Enforce Server administration console for each LDAP Lookup Plugin you want to upgrade.

2. Log on to the Enforce Server administration console using the System Administrator credentials.

3. Select System > Settings > Group Directories > Create New Connection. (If you already have a directory connection configured, skip to step 13.)

4. Enter a name for the new directory connection in the Name field.

5. Enter the Hostname value from the servername property in the properties file.

For example: servername = enforce-ad.engdlp.symantec.com

6. Enter the Port value from the port property in the properties file.

For example: port = 389

7. Enter the Base DN value from the basedn property in the properties file.

For example: basedn = DC=enforce,DC=engdlp,DC=symantec,DC=com

8. Select the Encryption Method value from the authtype property in the properties file.

For example: authtype = simple

9. Enter the Username value from the username property in the properties file.

For example: username = enforce\\Administrator

10. Enter the Password from the password property in the properties file.

For example: password = myPassword

11. Click Test connection and verify the success message.

12. Click Save to save the new directory connection.

13. Navigate to the System > Lookup Plugins screen.

14. Select New Plugin > LDAP from the drop-down menu.

15. Enter a name and description for the plugin.

16. Choose the Directory Connection.

17. Enter the attribute mapping strings.

Copy the attribute mapping properties from the file LiveLdapLookup.properties. Locate all the properties starting with "attr." For example:

attr.LDAP\ givenName = cn=users:(|(givenName=$endpoint-user-name$)(mail=$sender-email$)(streetAddress=$discover-server$)):givenName

Note: If the attribute mapping properties contain Base DN information, do not include this in the attribute mapping. For example, if the mapping is as follows:

attr.LDAP\ givenName = DC=enforce,DC=engdlp,DC=symantec,DC=com ,cn=users: (|(givenName=$endpoint-user-name$)(mail=$sender-email$)(streetAddress=$discover-server$)):givenName

Then you should not include the following information in the attribute mapping:

DC=enforce,DC=engdlp,DC=symantec,DC=com

18. Click Save and verify that the system reports a successful save message.

19. Enable and test the plugin. See the Symantec Data Loss Prevention 11.6 Administration Guide for details.

20. Repeat the plugin configuration steps for any other LDAP Lookup Plugin present in the properties file that is not automatically upgraded to the 11.6 Enforce Server administration console.
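
The following Python script is an added example, not Symantec code. It reads a copy of LiveLdapLookup.properties and lists the values to enter in steps 5 to 10 and step 17, removing a leading Base DN from each "attr." mapping as the note in step 17 requires. The sample content is constructed from the examples above, the function names are hypothetical, values are passed through exactly as written in the file, and the password is reported only as present or missing so that it never reaches a terminal or log.

```python
import re

# Constructed sample in the LiveLdapLookup.properties layout (not a real config).
SAMPLE = r"""
servername = enforce-ad.engdlp.symantec.com
port = 389
basedn = DC=enforce,DC=engdlp,DC=symantec,DC=com
authtype = simple
username = enforce\\Administrator
password = myPassword
attr.LDAP\ givenName = DC=enforce,DC=engdlp,DC=symantec,DC=com ,cn=users:(|(givenName=$endpoint-user-name$)(mail=$sender-email$)(streetAddress=$discover-server$)):givenName
"""

# A key ends at the first unescaped '=', ':' or whitespace, so the escaped space
# in "attr.LDAP\ givenName" stays inside the key. Line continuations are not handled.
LINE = re.compile(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)")

# Console field label -> property name, as listed in steps 5 to 9.
FIELDS = [("Hostname", "servername"), ("Port", "port"), ("Base DN", "basedn"),
          ("Encryption Method", "authtype"), ("Username", "username")]

def parse_properties(text):
    """Return {raw key: raw value}; text is kept exactly as written in the file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        m = LINE.match(line) if line and line[0] not in "#!" else None
        if m:
            props[m.group(1)] = m.group(2)
    return props

def strip_base_dn(mapping, basedn):
    """Remove a leading Base DN and the comma that joins it to the rest."""
    m = mapping.lstrip()
    if basedn and m.lower().startswith(basedn.lower()):
        m = m[len(basedn):].lstrip(" ,")
    return m

def console_values(props):
    conn = {label: props.get(key, "") for label, key in FIELDS}
    # Report only whether a password exists; its value stays out of the output.
    conn["Password"] = "<set in file>" if props.get("password") else "<missing>"
    mapping = [f"{k} = {strip_base_dn(v, props.get('basedn', ''))}"
               for k, v in props.items() if k.startswith("attr.")]
    return conn, mapping

if __name__ == "__main__":
    conn, mapping = console_values(parse_properties(SAMPLE))
    for label, value in conn.items():
        print(f"{label}: {value}")
    print("Attribute mapping:", *mapping, sep="\n")
```
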

Script Lookup Plugin Upgrade Steps

1. Open a copy of the Script Lookup Plugin properties file.

The file is located in the directory \SymantecDLP\Protect\config\ScriptLookup.properties. You copy/paste the values from this file to the Enforce Server administration console for each Script Lookup Plugin you want to upgrade.

2. Log on to the Enforce Server using the System Administrator credentials.

3. Navigate to System > Lookup Plugins in the Enforce Server administration console.

4. Select New Plugin > Script from the drop-down menu.

5. Enter a Name and Description for the plugin at the New Script Lookup Plugin page.

6. Enter the Script Command.

Copy the value for the script.1.command property from the file ScriptLookup.properties to the Script Command field. For example, if the property is script.1.command=python then enter the value python in the Script Command field.

7. Enter the Arguments.

Copy the value for the script.1.custom.args property from the file ScriptLookup.properties to the Arguments field.

For example, if the property is script.1.custom.args=-u,/opt/Vontu/Protect/plugins/simple.py then enter the following in the Arguments field: -u,/opt/Vontu/Protect/plugins/simple.py

8. Enable standard input (stdin).

Select (check) the stdin option if the property stdin.filtering.enabled in the file ScriptLookup.properties is set to true.

9. Enable standard output (stdout).

Select (check) the stdout option if the property stdout.filtering.enabled in the file ScriptLookup.properties is set to true.

10. Enable protocol filtering.

Select (check) this option if the property protocol.filtering.enabled in the file ScriptLookup.properties is set to true. Then, select each protocol from the available protocols list based on the protocols specified in the protocols.allow property of the same file.

For example, if property protocols.allow=SMTP,FTP,HTTP,NNTP then select each of these protocols in the console.

11. Enable credentials.

Select (check) this option if the property credentials.enabled in the file ScriptLookup.properties is set to true. Then, enter the value for the Credentials File Path field from the value of the credentials.file.path property in the same file.

For example, if credentials.file.path=../config/ScriptLookupPassword.properties then enter ../config/ScriptLookupPassword.properties in the Credentials File Path field.

12. Click Save to save the upgraded Script Lookup Plugin.

Verify that the system displays a message indicating that the configuration was successfully saved.

13. Enable and test the plugin. See the Symantec Data Loss Prevention 11.6 Administration Guide for details.

14. Repeat these steps for any other Script Lookup Plugin present in the properties file that is not automatically upgraded to the 11.6 Enforce Server.

If the file ScriptLookup.properties has more than one Script Lookup Plugin, create a new plugin and repeat these steps using the property values for that plugin from the properties file. For example, a property such as script.2.command=c:/data/simpleScript.bat means that there is a second Script Lookup Plugin to be upgraded, as indicated by the "script.2" prefix. In this case, create a new plugin and enter c:/data/simpleScript.bat in the Script Command field, script.2.custom.args in the Arguments field, and so forth.

Data Insight Lookup Plugin Upgrade Steps

1. Open a copy of the Data Insight Lookup Plugin properties file.

The file is located in the directory \SymantecDLP\Protect\config\DataInsightLookup.properties. You copy/paste the values from this file to the Enforce Server administration console for the Data Insight Lookup Plugin you are upgrading.

2. Log on to the Enforce Server administration console using the System Administrator credentials.

3. Navigate to System > Data Insight and configure a Data Insight connection.

See the Symantec Data Loss Prevention 11.6 Data Insight Implementation Guide for steps to create this connection.

4. Navigate to the System > Lookup Plugins screen and select New Plugin > Data Insight from the drop-down menu.

5. Enter a name and description for the plugin.

6. Enter the Start Date from the Config_Access_History_From_Date property value in the file DataInsightLookup.properties.

For example: Config_Access_History_From_Date = 2008-06-02

7. Enter the Active User Count value from the property Config_Active_User_Count.

For example: Config_Active_User_Count = 1

8. Enter the Active User Count value from the property Config_Active_Reader_Count.

For example: Config_Active_Reader_Count = 1

9. Enter the Active User Count value from the property Config_Active_Writer_Count.

For example: Config_Active_Writer_Count = 1

10. Enter the attribute mapping.

Copy all the values that have the "attr" prefix to the attribute mapping text field.

11. Click Save and verify that the system reports a successful save message.

12. Enable and test the plugin. See the Symantec Data Loss Prevention 11.6 Data Insight Implementation Guide for details.