search cancel

About securing communications between the Enforce Server and Amazon RDS for Oracle

book

Article ID: 173238

calendar_today

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

You can use Transport Layer Security (TLS) to encrypt all data that is transmitted between the Enforce Server and the Oracle database hosted with Amazon RDS in a three-tier environment.  This configuration is supported in both Symantec Data Loss Prevention 15.1 and 15.5.

These steps assume that you have already set up an AWS account that you can use to manage the Oracle database. See the Symantec Data Loss Prevention Deployment Guide for Amazon Web Services.

Complete the following to secure communications between the Enforce Server and the database:

  1. Configure the AWS Oracle RDS Transport Layer Security (TLS) connector.
  2. Configure the AWS Oracle RDS for Secure Sockets Layer (SSL)  connection over JDBC.
  3. Configure the server certificate on the Enforce Server.
  4. Verify the AWS Oracle RDS certificate usage.

Resolution

Configuring Oracle RDS Option Group with SSL

You enable SSL encryption for an Oracle RDS database instance by adding the Oracle SSL option to the option group associated with an Oracle DB instance. You specify the port you want to communicate over using SSL.

Refer to "Oracle Secure Sockets Layer" located in AWS Oracle RDS documentation for steps to complete this process.

Setting up an SSL connection over JDBC

To set up an SSL connection over JDBC you download the Amazon RDS root CA certificate, convert the certificate format, then import the certificate into the keystore.

Refer to "Setting Up an SSL Connection Over JDBC" located in AWS Oracle RDS documentation for steps to complete this process.

Configuring the server certificate on the Enforce Server

After you configure the AWS Oracle RDS Option Group with SSL, you configure the Enforce Server JDBC driver and the server certificate. You configure the JDBC driver to use the Oracle RDS SSL/TLS connection and port, then you configure the server certificate.

Note: The following process assumes that the SSL Option is configured with TCP port 2484.

To configure the server certificate on the Enforce Server:

  1. Locate the Jdbc.properties file located at the following location:
    • C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\protect\config (for Windows)
    • /opt/Symantec/DataLossPrevention/Enforce Server/15.1/protect/config (for Linux)
  2. Modify the following communication port and connection information:
    • Update the jdbc.dbalias.oracle-thin line to use TCPS.
    • Change the port number to 2484.
      The updated communication port and connection information should display as follows:
      [email protected](description=(address=(host=[oracle host name])
      (protocol=tcps)(port=2484))(connect_data=(sid=protect))
      (SSL_SERVER_CERT_DN="CN=oracleserver"))

      The following is an example of what the completed communication port and connection information might look like. The information you use differs based on your system. Using the following information as-is may cause the configuration to fail.
      Note: The example uses "protect" for the database SID and 2484 for the TLS port.
      [email protected](description=(address=(host=oracle-rds-dns-name)
      (protocol=tcps)(port=2484))(connect_data=(sid=protect)
      (SSL_SERVER_CERT_DN="C=US,ST=Washington,L=Seattle,O=Amazon.com,OU=RDS,
      CN=oracle-rds-dns-name")))
  3. Add the certificate to the cacerts file that is located on the Enforce Server by completing the following steps:
    1. Copy the Oracle RDS certificate (rds-ca-2015-root.der) file to one of the following locations:
      • ​​c:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_181\lib\security (for Windows)
      • /opt/Symantec/DataLossPrevention/Server JRE/1.8.0_181/lib/security (for Linux)
    2. Change the directory by running the following command (based on your OS)
      • cd c:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_181\lib\security\ (for Windows)
      • cd /opt/Symantec/DataLossPrevention/Server JRE/1.8.0_181/lib/security/ (for Linux)
    3. Insert the certificate into the cacerts file by running the following command as an administrator (for Windows) or as a root user (for Linux):
      keytool -import -alias oracleservercert -keystore cacerts -file rds-ca-2015-root.der
      Enter the default password when you are prompted: changeit
    4. Confirm that the certificate was added by running the following command (based on your OS):
      • keytool -list -v -keystore c:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\lib\security\cacerts  -storepass changeit (for Windows)
      • keytool -list -v -keystore /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/lib/security/cacerts  -storepass changeit (for Linux)
    5. Restart all SymantecDLP services.

Verifying the Enforce Server-Oracle RDS database certificate usage

To confirm that certificates are configured correctly and the Enforce Server is communicating with the Oracle RDS database, log on to the Enforce Server administration console. If you can log on, the Enforce Server and database are communicating over a secure communication.

If you cannot log on, verify the SSL Java application connection of Jdbc.properties. To confirm the SSL Java application connection, check the listener status on the Oracle RDS deployment. In the listener status,  the TCPS protocol and port 2484 should be in use. If the listener status does not display these connection statuses, re-complete the process to enable Oracle RDS group with SSL.

For full details on how to configure SSL/TLS communication between Oracle RDS, and the Enforce Server, see the documentation for AWS Oracle RDS Option Group, available from the   Amazon Relational Database Service User Guide.