How to generate and add new Detection Server certificates using SSLkeytool

Article ID: 160736


Products

Data Loss Prevention

Issue/Introduction

The document explains how to generate and add new Detection Server certificates using SSLkeytool.

Resolution

NOTE: Default paths for DLP 15.8:

Enforce:

    • C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin\sslkeytool.exe
    • C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore

Detection Server:

    • C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\keystore


Generate new Detection Server certificates:

1. Log on to the Enforce Server computer using the "SymantecDLP" user account that you created during Symantec Data Loss Prevention installation.
   • If you are not able to log on as the SymantecDLP user and get the following error, perform the steps given in the link Remote desktop connection "The local policy of this system does not permit you to logon interactively".
2. From an Administrator command prompt, change to the bin directory:
   cd C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin\
3. Run SSLkeytool with the following command:
   sslkeytool.exe -genkey -dir="C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin"

4. Two new certificate files are now present in that directory, one for the Enforce Server and one for the Detection Server (the file names carry the generation timestamp), for example:
   • enforce.Thu_Jul_21_18_15_24_GMT+05_30_2017.sslKeyStore
   • monitor.Thu_Jul_21_18_15_24_GMT+05_30_2017.sslKeyStore


5. Copy the new Enforce Server certificate file to the C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore directory on the Enforce Server.

6. Copy the new Detection Server certificate file to the C:\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\keystore directory on the Detection Server.

7. Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.

8. Restart the DetectionServer service on each Detection Server to use the new certificate file.

9. Restart the Symantec DLP services on the Enforce Server to start using the new key.
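The whole procedure above as one PowerShell script, added here as an example and not taken from the article or from Symantec. It assumes the DLP 15.8 default paths, that the Detection Server keystore folder is reachable through the C$ administrative share of a placeholder hostname with WinRM enabled, and that the service names it restarts are first confirmed with Get-Service on each host.

```powershell
# Added example (not from the original article). Run as the SymantecDLP user
# from an elevated PowerShell prompt on the Enforce Server.
$ErrorActionPreference = 'Stop'

# DLP 15.8 default paths (from the article); hostname is a placeholder.
$BinDir         = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin'
$EnforceStore   = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.8.00000\keystore'
$DetectionHost  = 'DETECTION-SERVER-HOSTNAME'   # placeholder, replace with the real host
$DetectionStore = "\\$DetectionHost\C$\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.8.00000\keystore"

# Step 1: the article requires the SymantecDLP account; refuse to continue otherwise.
if ([Environment]::UserName -ne 'SymantecDLP') {
    throw "Run this as the SymantecDLP user, not $([Environment]::UserName)"
}

# Step 3: generate a fresh Enforce/Detection keystore pair in the bin directory.
$proc = Start-Process -FilePath "$BinDir\sslkeytool.exe" `
    -ArgumentList "-genkey -dir=`"$BinDir`"" -Wait -NoNewWindow -PassThru
if ($proc.ExitCode -ne 0) { throw "sslkeytool failed with exit code $($proc.ExitCode)" }

# Step 4: pick the newest enforce.* and monitor.* files; both carry the same timestamp.
$enforceKey = Get-ChildItem "$BinDir\enforce.*.sslKeyStore" | Sort-Object LastWriteTime | Select-Object -Last 1
$monitorKey = Get-ChildItem "$BinDir\monitor.*.sslKeyStore" | Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $enforceKey -or -not $monitorKey) {
    throw 'Expected both an enforce.* and a monitor.* keystore file in the bin directory'
}

# Steps 5 and 6: place each file in the keystore directory of its own server.
Copy-Item -Path $enforceKey.FullName -Destination $EnforceStore
Copy-Item -Path $monitorKey.FullName -Destination $DetectionStore

# Step 7: remove the working copies so the private keys exist only in the keystore folders.
Remove-Item -Path $enforceKey.FullName, $monitorKey.FullName

# Steps 8 and 9: restart services so the new keys are loaded. The service names
# below are assumptions; check them with Get-Service on each host before running.
Invoke-Command -ComputerName $DetectionHost -ScriptBlock {
    Restart-Service -Name 'DetectionServer'
}
Get-Service -Name 'SymantecDLP*' | Restart-Service
```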