How to update the SCSP Self-signed certificate to enforce SHA256 hashing with RSA 2048

Article ID: 178837

Products

Critical System Protection

Issue/Introduction

Resolution

By default, Symantec Critical System Protection (SCSP) ships with a self-signed certificate that uses a SHA-1 signature and a 1024-bit RSA key. Both are below current minimums (SHA-1 is deprecated for certificate signatures and 1024-bit RSA is no longer considered adequate). Follow the steps below to replace the certificate with one that uses a SHA-256 signature and a 2048-bit RSA key. The new certificate is also self-signed, so the console and every agent must be given the new agent-cert.ssl before they will trust the manager again.

Required Resources:
"keytool.exe", the Java keystore and certificate tool, found in: C:\Program Files (x86)\Symantec\Data Center Security Server\server\jre\bin
"agent-cert.ssl" and "server-cert.ssl", the SCSP agent certificate (PEM) and the manager keystore, found in: C:\Program Files (x86)\Symantec\Data Center Security Server\server
"server.xml", the SDCS certificate configuration file, found in: "C:\Program Files (x86)\Symantec\Data Center Security Server\server\tomcat\conf"
"keystorepass", the keystore password, found in: server.xml

Procedure:

  1. Back up the existing files: copy "agent-cert.ssl" to "agent-cert.ssl.ori" and "server-cert.ssl" to "server-cert.ssl.ori". Keep the backups until every agent is communicating with the new certificate; restoring them is the only way back if the rollout has to be abandoned.

  2. Run keytool to generate a new keystore and self-signed certificate:

    1. Open an administrator command prompt and cd to the folder where keytool.exe is located.

    2. Command: "keytool.exe -genkey -alias sss -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore server-cert.ssl -validity 5000 -storetype pkcs12"
       The option is "-storetype" (not "-storestype"). "-sigalg SHA256withRSA" makes the signature algorithm explicit; older JREs default to SHA1withRSA, which would defeat the purpose of this change.

    3. When prompted for the keystore password, enter the keystorePass value from server.xml.

    4. First and last name: SDCS_Management_Server.

    5. Organizational unit: <server_hostname>.

    6. The other details are optional. At the last prompt keytool displays everything you entered; type "yes" to continue. When asked for the key password for sss, press Enter so that it matches the keystore password (a PKCS12 keystore requires the two to be the same).

  3. Run keytool to generate a Certificate Signing Request file. This is only needed if you intend to have the certificate signed by a CA; the rest of this procedure uses the self-signed certificate as-is.

    1. Command: "keytool -certreq -alias sss -keystore server-cert.ssl -file fim.csr -storetype pkcs12"

  4. Run keytool to export the new certificate from the new keystore:

    1. Command: "keytool -export -alias sss -keystore server-cert.ssl -file exp.crt -storetype pkcs12"

  5. Run keytool to create the new agent certificate. This is the same certificate exported in PEM form ("-rfc"); agents use it to verify the manager:

    1. Command: "keytool.exe -export -alias sss -rfc -keystore server-cert.ssl -file agent-cert.ssl -storepass [keystorepass] -storetype pkcs12"

  6. Of the files now in the keytool folder, copy agent-cert.ssl and server-cert.ssl to the C:\Program Files (x86)\Symantec\Data Center Security Server\server folder, overwriting the originals you backed up in step 1.

  7. Restart the SDCS Manager services on the manager, or reboot it. From this point on, agents and consoles that still hold the old certificate cannot connect until they receive the new one.

  8. Go to the C:\Program Files (x86)\Symantec\Data Center Security Server\Console\certs folder and delete "siscert.ssl". This is the console's cached copy of the old manager certificate; deleting it makes the console prompt for the new one.

  9. Log in to the SDCS Console.

  10. Accept the new certificate when prompted.

  11. Copy "agent-cert.ssl" to all SDCS agents.

  12. If IPS is running on the agent, restore the null policy first so that the prevention policy does not block the configuration change (this can be done locally by running "sisipsconfig -r").

  13. On each agent, run "sisipsconfig -c [path to agent-cert.ssl]". Test thoroughly on one or more agents before rolling out elsewhere. See this article on how to use the sisipsconfig tool: http://www.symantec.com/connect/articles/how-use-scsp-agent-configuration-tool

  14. Run "sisipsconfig -t" to test the connection.

  15. Once the connection test succeeds, the agent communicates with the manager using the new certificate. It can take a few minutes for the agent to show as online in the management console.

Note - For SCSP 5.2.9 MP6 and older versions, remove "-storetype pkcs12" from all commands.
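As an added example (not part of the Symantec article and not a Symantec-supplied script), the following PowerShell script performs steps 1 to 5 of the procedure non-interactively and then verifies, using Windows' own certificate parser rather than keytool's output, that the new certificate really is SHA-256 / RSA 2048 before anything is installed. It assumes the article's default install paths, that keystorePass appears in server.xml as an attribute of the form keystorePass="...", a PKCS12-era SCSP/SDCS release (remove -storetype pkcs12 for 5.2.9 MP6 and older), Windows PowerShell 5.x, and a scratch folder under %TEMP% (an assumption, chosen so the live server folder is not touched until you have checked the result). The CSR step is omitted because the certificate stays self-signed.

```powershell
# Added example: non-interactive rebuild of the SCSP manager keystore and agent
# certificate, with verification. Not from the original article.
$ErrorActionPreference = 'Stop'

$ServerDir = 'C:\Program Files (x86)\Symantec\Data Center Security Server\server'
$KeyTool   = Join-Path $ServerDir 'jre\bin\keytool.exe'
$ServerXml = Join-Path $ServerDir 'tomcat\conf\server.xml'
$WorkDir   = Join-Path $env:TEMP 'scsp-newcert'   # assumption: scratch folder for the new files

# Pull the keystore password out of server.xml (assumes keystorePass="..." in the file).
$m = Select-String -Path $ServerXml -Pattern 'keystorePass\s*=\s*"([^"]*)"' | Select-Object -First 1
if (-not $m) { throw "keystorePass not found in $ServerXml" }
$StorePass = $m.Matches[0].Groups[1].Value

# Step 1: back up the current keystore and agent certificate.
foreach ($f in 'server-cert.ssl', 'agent-cert.ssl') {
    Copy-Item (Join-Path $ServerDir $f) (Join-Path $ServerDir "$f.ori") -Force
}

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$Store = Join-Path $WorkDir 'server-cert.ssl'
$Agent = Join-Path $WorkDir 'agent-cert.ssl'
$Dname = "CN=SDCS_Management_Server, OU=$env:COMPUTERNAME"   # same values the article asks for

# Step 2: 2048-bit RSA key pair and self-signed certificate. -sigalg is explicit so the
# JRE's default signature algorithm cannot silently leave you on SHA-1. The key password
# equals the store password, as PKCS12 requires (the article's "press Enter").
& $KeyTool -genkeypair -alias sss -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -dname $Dname -validity 5000 -keystore $Store -storetype pkcs12 `
    -storepass $StorePass -keypass $StorePass
if ($LASTEXITCODE -ne 0) { throw 'keytool -genkeypair failed' }

# Steps 4-5: export the certificate in PEM form; this file becomes agent-cert.ssl.
& $KeyTool -exportcert -alias sss -rfc -keystore $Store -storetype pkcs12 `
    -storepass $StorePass -file $Agent
if ($LASTEXITCODE -ne 0) { throw 'keytool -exportcert failed' }

# Verification: parse the exported certificate with .NET and check the algorithm and
# key size independently of keytool. FriendlyName is 'sha1RSA' for the old default.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Agent
$sigAlg  = $cert.SignatureAlgorithm.FriendlyName
$keySize = $cert.PublicKey.Key.KeySize
if ($sigAlg -ne 'sha256RSA') { throw "Unexpected signature algorithm: $sigAlg" }
if ($keySize -ne 2048)       { throw "Unexpected RSA key size: $keySize" }

Write-Host "Verified: $sigAlg, $keySize-bit RSA, subject $($cert.Subject)"
Write-Host "New files are in $WorkDir; copy them to $ServerDir to continue with step 6."
```

Run it from an elevated PowerShell on the manager. If verification passes, continue with step 6 of the procedure (copy the two files into the server folder), restart the manager services, and distribute agent-cert.ssl to the agents as described; if it fails, nothing on the live server has changed apart from the two .ori backups.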