Server.xml contains keystore password in cleartext

Article ID: 160577

Products

Data Loss Prevention Enforce

Issue/Introduction

On the Enforce server we store the "protect" password in clear text in the "server.xml" file.
Can this be encrypted?

Cause

For DLP 15.1 and later, this Tomcat file is located here by default: <drive>:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.x\Protect\tomcat\conf\

Resolution

In order to get access to that file in DLP, one would need to have access to the Enforce server and the DLP product installation.
Given access, a malicious user would have many vectors to disable or damage DLP monitoring.

Customers should control authorization and access to the DLP systems very carefully.
Also, we use out-of-the-box Tomcat, so a JIRA would not apply. We set it up within the possibilities of the framework, but will not make code changes that would affect our ability to support the framework, since we would effectively own and support this new code branch.
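
One way to check the access-control recommendation above on a given Enforce server is to audit the ACL on server.xml. This is an added example, not Broadcom's code; the `-ConfDir` parameter and the choice of which groups count as "broad" are assumptions made here, and the conf directory must be supplied by the reader because `<drive>` and `15.x` differ per installation.

```powershell
# Added example: list who may read Tomcat's server.xml and flag broad groups.
param(
    # Assumption: the reader passes the real ...\Protect\tomcat\conf directory.
    [Parameter(Mandatory = $true)]
    [string]$ConfDir
)

$serverXml = Join-Path -Path $ConfDir -ChildPath 'server.xml'
if (-not (Test-Path -LiteralPath $serverXml -PathType Leaf)) {
    throw "server.xml not found under $ConfDir"
}

# Well-known broad groups, matched by SID so the check works on localized Windows.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

$acl   = Get-Acl -LiteralPath $serverXml
$rules = $acl.GetAccessRules($true, $true,
             [System.Security.Principal.SecurityIdentifier])

# An Allow entry that includes ReadData lets that principal read the keystore password.
$findings = foreach ($rule in $rules) {
    $sid        = $rule.IdentityReference.Value
    $grantsRead = ($rule.AccessControlType -eq 'Allow') -and
                  (($rule.FileSystemRights -band $readMask) -ne 0)
    if ($grantsRead -and $broadSids.ContainsKey($sid)) {
        [pscustomobject]@{
            Principal = $broadSids[$sid]
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

"Owner: $($acl.Owner)"
if ($findings) {
    'Broad principals with read access to server.xml:'
    $findings | Format-Table -AutoSize
} else {
    'No broad group has read access; review the remaining entries:'
    $acl.Access | Format-Table IdentityReference, FileSystemRights, IsInherited
}
```

Entries reported as inherited come from a parent folder, so any tightening has to be applied there or inheritance on the conf directory reviewed.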