How to generate and add new Detection Server certificates using SSLkeytool

Article ID: 160736


Products

Data Loss Prevention

Issue/Introduction

This article explains how to generate new Detection Server certificates (keystore files) with SSLkeytool and install them on the Enforce Server and the detection servers.

Environment

DLP 15.8 and later

Resolution

NOTE: Default paths for DLP 15.8:

Enforce:
C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin\sslkeytool.exe
C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore

Detection Server:
C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\keystore


Generate new Detection Server certificates:

1. Log on to the Enforce Server computer using the "SymantecDLP" user account that you created during Symantec Data Loss Prevention installation. (If you cannot log in as the SymantecDLP user because of the error "The local policy of this system does not permit you to logon interactively", follow the steps in the linked article Remote desktop connection "The local policy of this system does not permit you to logon interactively".)

2. From an Administrator command prompt, change to the sslkeytool directory:
cd C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin\

3. Run sslkeytool with the following command (the -dir argument sets the output directory):
sslkeytool.exe -genkey -dir="C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin"

4. Two new certificate (keystore) files are created in that directory, one for the Enforce Server and one for the detection servers. The file names carry a timestamp, for example:
enforce.Thu_Jul_21_18_15_24_GMT+05_30_2017.sslKeyStore
monitor.Thu_Jul_21_18_15_24_GMT+05_30_2017.sslKeyStore

5. Copy the new Enforce Server certificate file to the C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore directory on the Enforce Server.

6. Copy the new Detection Server certificate file to the C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\keystore directory on each Detection Server.

7. Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.

8. Restart the DetectionServer service on each Detection Server to use the new certificate file.

9. Restart the Symantec DLP Services on Enforce to start using the new key.


Generate unique certificates for each detection server:

Instead of installing the same certificate on every detection server, you can generate a unique certificate for each detection server in your system using the steps below:

1. First, create a text file listing the alias names you want to create, one alias per line. For example:
net_monitor01
protect01
endpoint01
smtp_prevent01
web_prevent01

Note: The -genkey argument automatically creates certificates for the "enforce" and "monitor" aliases. Do not add these aliases to your custom alias file.

2. Run the sslkeytool utility with the -genkey argument and the optional -alias argument pointing at the alias file, as in the following example:
sslkeytool -genkey -alias=aliases.txt

Note: Either place aliases.txt in the bin folder where sslkeytool resides, or specify its full path in the -alias argument.
You can also use the optional -dir argument to specify the output directory.


3. This generates new certificates (keystore files) in the specified directory. Two files are always generated by the -genkey argument:
• enforce.timestamp.sslKeyStore
• monitor.timestamp.sslKeyStore
sslkeytool also generates an individual file for each alias defined in the alias file. For example:

• net_monitor01.timestamp.sslKeyStore
• protect01.timestamp.sslKeyStore
• endpoint01.timestamp.sslKeyStore
• smtp_prevent01.timestamp.sslKeyStore
• web_prevent01.timestamp.sslKeyStore

4. Copy the certificate file whose name begins with enforce to the c:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore directory on the Enforce Server.

5. If you want to use the same certificate file on all detection servers, copy the certificate file whose name begins with monitor to the keystore directory of each detection server in your system:
c:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\protect\keystore
Otherwise, copy each server's unique certificate file (the one whose name begins with that server's alias) to the keystore directory on that detection server computer.

6. Delete, or securely back up, the existing keystore copies of the certificate files to prevent unauthorized access to the generated keys.

7. Restart the SymantecDLPDetectionServerControllerService service on the Enforce Server and the SymantecDLPDetectionServerService service on the detection servers.
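The two procedures above carried out end to end from the Enforce Server, as one script. This is an added example and is not part of the KB article or the DLP product: the sslkeytool switches, file naming and default paths are the ones quoted above; the alias-to-host mapping, the hostnames, the use of the C$ administrative share for the copy and of PowerShell remoting (WinRM) for the remote service restart are assumptions for illustration. The script fails fast if sslkeytool does not produce exactly one keystore per alias, and deletes its working directory afterwards so no stray private keys remain.

```powershell
# Added example (not from the KB article): generate one keystore per detection
# server with sslkeytool, distribute the files and restart the DLP services.
# Default DLP 15.8 paths are those quoted in the article; hostnames and the
# alias-to-host mapping below are constructed placeholders.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$BinDir               = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin'
$EnforceKeystore      = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore'
$DetectionKeystoreRel = 'ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\keystore'
$OutDir               = Join-Path $env:TEMP 'dlp-keystores'   # working directory, removed at the end

# Constructed mapping: alias in the alias file -> detection server hostname (assumption).
$Servers = @{
    'net_monitor01' = 'dlp-netmon01.example.internal'
    'web_prevent01' = 'dlp-webprev01.example.internal'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: alias file, one alias per line. 'enforce' and 'monitor' are produced
# automatically by -genkey and must not appear in the file.
$AliasFile = Join-Path $OutDir 'aliases.txt'
$Servers.Keys |
    Where-Object { $_ -notin 'enforce', 'monitor' } |
    Set-Content -Path $AliasFile -Encoding ASCII

# Step 2: generate the keystores into the working directory.
& (Join-Path $BinDir 'sslkeytool.exe') -genkey "-alias=$AliasFile" "-dir=$OutDir"
if ($LASTEXITCODE -ne 0) { throw "sslkeytool failed with exit code $LASTEXITCODE" }

# Step 3: resolve exactly one <alias>.<timestamp>.sslKeyStore file per alias.
function Get-Keystore([string]$Alias) {
    $files = @(Get-ChildItem -Path $OutDir -Filter "$Alias.*.sslKeyStore")
    if ($files.Count -ne 1) {
        throw "Expected exactly one keystore for alias '$Alias', found $($files.Count)"
    }
    return $files[0]
}

# Step 4: the enforce keystore stays on this (Enforce) server.
Copy-Item -Path (Get-Keystore 'enforce').FullName -Destination $EnforceKeystore

# Step 5: each detection server receives only its own keystore, then its
# service is restarted. Remote copy via C$ and remote restart via WinRM are
# assumptions about the environment, not requirements stated in the article.
foreach ($alias in $Servers.Keys) {
    $hostName = $Servers[$alias]
    $dest     = "\\$hostName\C$\$DetectionKeystoreRel"
    Copy-Item -Path (Get-Keystore $alias).FullName -Destination $dest
    Invoke-Command -ComputerName $hostName -ScriptBlock {
        Restart-Service -Name 'SymantecDLPDetectionServerService'
    }
}

# Step 6: remove the working copies (private key material) now that they are
# installed, then restart the controller service on the Enforce Server (step 7).
Remove-Item -Path $OutDir -Recurse -Force
Restart-Service -Name 'SymantecDLPDetectionServerControllerService'
```

Run the script from an elevated Windows PowerShell session as the SymantecDLP account described in step 1 of the first procedure. The `@(...)` wrapper around `Get-ChildItem` makes the count check behave the same whether zero, one or several files match, which is the case that matters when an earlier run left old keystores in the output directory.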